Creating VPN or Bridge between Balance 2 and Unifi Security Gateway Pro 4

Hello I am setting up a clients network with a USG Pro 4 gateway. The client has a IPSec VPN with a cloud based software site. The connection for the VPN is established on the Balance 2 and I can ping the software server if i connect to a LAN port on the Balance 2. I I use the Balance 2 to provide Internet access to WAN 1 on the USG. How can I pass though access to the remote server to the internal LAN/VLANS of the USG?

I have tried many different configurations with out success.

Any help would be greatly appreciated.

Hi, to check you have a client with a network connected to a USG Pro 4 as their gateway, then the WAN of the USG is connected to the LAN of the Balance 2 and the balance 2 has an IPSEC to the remote cloud based location where there are servers.

By default the USB will be doing NAT between the LAN and WAN, this will stop the server in the cloud communicating directly with the IPs on the LAN of the USG, however a device on the LAN of the USG should be able to access the IPs of the remote cloud based servers over IPSEC via NAT.

So you have a couple of options. You could move the IPSEC from the balance to the USG, or you could disable NAT on the USG (use IP routing instead) and add a static route to the balance for the USG LAN range with the USG WAN IP as the next hop.

Thanks for your Response. So from what you are saying if I leave the NAT enabled on the Balance 2 and disable the NAT on the USG (WAN1) , I should be able to connect to the cloud server as well as the have connectivity between the devices on the LAN and VLANS I created on the USG.

Lets look at the path.

  1. The client talks to the USG on its network (eg
  2. The USG WAN is connected to the Balance 2 on its network (eg
  3. The balance 2 is connected to the internet
  4. The Cloud firewall is connected to the internet.
  5. The Cloud Server is behind the cloud firewall on its network (eg

For the server to connect to the client:

  • It needs to have a default (or static) route to send traffic via the cloud firewall.
  • The cloud firewall needs to know that the remote client network ( is at the other end of the IPSEC tunnel which currently likely just shows the balance LAN ( so we need to add the client network ( as a remote subnet on the IPSEC config.
  • When traffic for arrives at the balance, the balance will need a static route set to know to forward the traffic via the WAN of the USG.
  • The USG then needs to forward the traffic from its WAN to LAN.

That make sense?