Peplink Balance One in Front of Ubiquiti UniFi Network

Trying to get outbound policy working correctly on my Balance One and need a little help/confirmation on a few suspicions:

My Goals:
I currently have two WANs. WAN1 is a WISP (30/3) that fails for anything from a few seconds to minutes several times a day. WAN2 is a cellular 4G connection that, for reliability, I have band-locked to a band where it generally gets 3/3. Latencies are pretty comparable, but both being wireless connections, they vary depending on the weather, etc.
In my house there are three teachers that can be teaching on Zoom/Meet/Teams/etc. throughout the day. Stability is key, and Speedfusion Cloud (Or Fusionhub Solo as well) provide that stability. Now I am trying to manage data usage as well on top of it. I would like all typical video streaming (Youtube, Amazon Prime, ABC, CBS, etc.) to NOT go through the Speedfusion Cloud so I don’t need to pay money for the bandwidth. This would ideally be a Priority WAN1 with fallback to WAN2. Obviously stability on these is far less critical. For right now I would like all other traffic to go through the Speedfusion tunnel.
As much as possible I would like to continue managing the network on UniFi, using the Balance One only to do the load balancing of the connections and Speedfusion, as its capabilities blow away the non-existent UniFi capabilities for this. In my plans, once I get everything working, I am likely to set up PiHole as well for local DNS/ad-blocking.

A brief description of my physical setup

I currently have both WAN1 (Bridged, Static) and WAN2 (NAT, Dynamic non-public IP, so really double NAT) running into WAN1 and WAN2 on the Peplink Balance. It is currently in Drop In Mode with the Static IP passed through to the UniFi Router. The UniFi Router is providing Firewall, NAT, etc. and down from that is a UniFi Switch that distributes out over Ethernet, MoCA, etc. throughout the house to wireless APs and wired devices. I am using external DNS (1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4 in that order).

My Issues:

My problem is I can’t get the Balance One Outbound Policies to affect things. I currently have a default rule to send all traffic out Speedfusion. Before that I have outbound policies, either enforced or priority matching the MAC addresses of the various Rokus, Chromecasts, Apple TVs, etc. to send them out WAN1 first and WAN2 as a fallback on the priority, or just WAN1 on the enforced. All the traffic from these devices is still going out Speedfusion though. I also have rules set up on the Balance One for traffic destined to Speedfusion, Protocol: All Known Video Streaming to go out WAN1 (Have tried both the Priority and Enforced rules) and these don’t seem to work. This is confirmed by checking under Status>Active Sessions>Netflix (Or other protocol) and seeing only SF-NY listed as the destination, and checking the realtime usage of Speedfusion vs the WANs and seeing that they line up as if SF is used.

Which brings me to my questions:

  1. I assume the Peplink is not matching MAC addresses because NAT is happening on the UniFi and the layer 2 info is not being transmitted past that? This is a bit weird because, while it has been a long time since I remembered IP routing, I was thinking MAC addresses always remained in the packet and just the IP address was changed for routing purposes. Even beyond this though, I HAVE had MAC address matching work for my iPad (the rule is disabled in the screenshot, but I confirmed it was working at one point), which is still going through UniFi as the WiFi on the Peplink is turned off and I have never bothered to look up the SSID or password, much less type them in.
  2. If I disable NAT on the UniFi (Not possible on the current Dream Machine Pro, but I have a Security Gateway Pro 4 that I just replaced for a client I can drop in place instead if needed) would this allow the Peplink to then follow the MAC addressing rules? It means I need to get a new controller, which I can do but I am just not anxious to run out and spend money on it immediately (CKG2 and Rackmount is about $300) without hearing that I am on the right track.
  3. Am I missing something to get the outbound Speedfusion destination policies working correctly?

I think that is it for now, thanks in advance for the help!

Forgot to upload a screenshot of the Outbound Policies:

I’m sorry you didn’t get a reply on this. unusually high quality, well-articulated question. I have a similar issue with similar equipment, so I’m hoping someone with some skills and some spare good-will will see this and respond.

The workaround for disabling NAT on UniFi Dream Machine Pro is described here:
https://community.ui.com/questions/disable-NAT-in-UDM-pro/f5a97c47-e6bf-4ebf-a899-0c4271e8e6a2
I have not personally tested the instructions, but several people have gotten it to work. As of 4/2021, the UniFi UI does not yet support disabling NAT in the UDMP.

I have ordered a Peplink Balance 20X, and I need to be able to make it work for SpeedFusion Cloud in front of my UDMP. I am concerned about having the same issues described here, if I am not able to disable NAT. With NAT, it should appear that all traffic going up to the Peplink is coming from the MAC / IP of my UDMP.


Thank you for the heads up on the workaround, I will give this a shot, it may solve the issue. In the meantime I had worked around it using other methods, so I am probably going to wait till the school semesters are out (Three teachers in this house, one secondary and two uni so lots of zooms right now) but will give it a shot and see how it works!

Don’t use the ‘above the line’ functionality. Just put all of your rules in the same tier. For all of your rules, make sure you specify to fall through to the next rule - your MAC/IP/Domain based rules will ‘catch’ and fire. Put your Speedfusion/Fusionhub rule second from the bottom with fall through, then have the last rule specify Fastest Connection with whatever reliable WANs you have available.

It will work fine.

Again, don’t use expert mode in your circumstance.

I assume you are referring to the Speedfusion/Fusionhub rules indicator here?

For the record, the MAC rules don’t fire when NAT is involved, that is part of the problem and why I asked the question.

That seems like it would be appropriate if I wanted the default behavior to be SF/FH, which is not the case. I want specific things to go that route, and most things to NOT go that route.

Thankfully the latest firmware which came out since I posted the OP improved things with the Speedfusion Cloud rules, which are handling Zoom, etc. and I have gotten things in a pretty usable state with that, but I am still curious about disabling NAT as mentioned in the link above to see if that gets things like MAC rules routing etc.

 Seablade

Yes. I had nothing but fits trying to use the SF rules functionality, until Peplink told me not to.

I don’t understand why NAT would cause a rule not to fire based on a client’s MAC/IP. Doesn’t make sense - I’ll wait to see more about this.

If you don’t want SF/FH as the default, then put whatever default rule you want at the bottom. As you know, you’ll then have to specify with OP when to use SF/FH.

I have a rule for every device/service that doesn’t like VPNs. Unfortunately this is ALL of my streaming devices and several web domains, so almost everything is an exception and very few things use bonding with SF/FH anymore. Kind of a waste until services stop filtering for VPN usage… which will be never. Sad that we have to deal with this.

Glad you got things to where it’s working for you. Follow up on the NAT issue if you will. Thanks.

I am new to Peplink, but it makes sense to me. Here’s what I believe is happening in my case:

WAN1 = LTE router in IP-Passthrough mode, not doing NAT.
WAN2 via USB = T-Mobile 5G Router doing NAT, with no way to turn NAT off
Peplink Balance B20X – Doing NAT because it should
UniFi Dream Machine Pro – Doing NAT because it always has…

So, while local traffic on your network is tagged with a MAC address, and has a local IP, your router between “local” and “the world” should be doing NAT (translating local IP to public) and stripping off the MAC address. In my case, that is happening 2 or 3 times, but the one that matters is the UDMP, which is between my computer (and TV) and the Peplink which is trying to decide how to treat the traffic.

My options seem to be:

  • Turn off NAT on the router that is between my devices and the Peplink router.
  • Remove the router that is between my devices and the Peplink router.
  • Define all of my rules in ways that don’t depend on the MAC address, IP Address, Address Range, Subnet, or VLAN as all of that is currently stripped off before my outbound traffic reaches the Peplink.

Since I prefer not to remove the UDMP at this time, it is good that I found a way to disable NAT on the UDMP. I guess this means that the Peplink will also be handing out DHCP, unless I can let the UDMP hand out addresses in a different range.

From what I understand about IP routing, the MAC address is always manipulated when leaving a network boundary. The MAC address of the client device is only known to other devices on its layer 2 network. With the Ubiquiti managing the layer 2 broadcast domain, only it knows the actual client MAC address. Any traffic that goes out the WAN interface on the Ubiquiti will have the MAC address of the WAN interface as well as the IP of the WAN interface. Basically every packet coming to the LAN side of the Balance has the same source IP and MAC address. It is as if the Ubiquiti is the ONLY client on the LAN of the Balance.

I have very little experience with the Ubiquiti stuff, so please forgive my ignorance. But what you might be able to look into is assigning multiple IP addresses to the Ubiquiti WAN interface, and then use a 1:1 NAT mapping between them and the client on the LAN side of the Ubiquiti. You wouldn’t be able to use MAC address routing, but you could leverage IP based routing rules. Double NAT is a real pain. It breaks quite a few things. UPnP is typically bound to a single layer 2 broadcast domain.

Another option would be for IP-Passthrough if the Ubiquiti gear supports it.

Honestly, I bought some of the Ubiquiti gear. It worked well, but was far too limited in feature set for me to use. The best approach is dedicated access points – not a wireless router. Just wire them in on the LAN side, and then you have a single layer 2 broadcast domain and everything just works.
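To make the explanation in this reply concrete, and the earlier advice about putting every rule in one tier with fall-through, here is a small constructed Python simulation added to the thread (not Peplink or UniFi code). A hypothetical UDMP-style hop rewrites the source MAC of every forwarded frame and, with NAT on, the source IP as well; a top-to-bottom outbound policy table with per-rule fall-through then picks the WAN. All addresses, rule names and link states are made up.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    app: str   # label the router's traffic classifier gives the flow

# Constructed sample: a Roku on the UniFi LAN and the UDMP's WAN-side addresses (hypothetical).
ROKU = Packet("aa:bb:cc:00:00:01", "192.168.1.50", "203.0.113.10", "Netflix")
UDMP_MAC, UDMP_IP = "de:ad:be:ef:00:01", "198.51.100.2"

def router_egress(pkt: Packet, wan_mac: str, wan_ip: str, nat_enabled: bool) -> Packet:
    """What the next hop (the Balance) sees after the UDMP forwards the frame."""
    pkt = replace(pkt, src_mac=wan_mac)        # a routed hop always rewrites the L2 source
    if nat_enabled:
        pkt = replace(pkt, src_ip=wan_ip)      # NAT additionally replaces the client IP
    return pkt

# Outbound policy table, evaluated top to bottom: (name, match, WAN priority list, fall_through).
# Mirrors the thread's advice: device rules first, SpeedFusion second from bottom, default last.
RULES = [
    ("roku-mac",  lambda p: p.src_mac == ROKU.src_mac, ["WAN1", "WAN2"], True),
    ("roku-ip",   lambda p: p.src_ip == ROKU.src_ip,   ["WAN1", "WAN2"], True),
    ("all-to-sf", lambda p: True,                      ["SpeedFusion"],  True),
    ("default",   lambda p: True,                      ["WAN1", "WAN2"], False),
]

def evaluate(rules, pkt: Packet, up: set):
    """Return (rule name, chosen WAN). A matching rule whose links are all down either
    falls through to the next rule or, without fall-through, leaves the flow with no WAN."""
    for name, match, wans, fall_through in rules:
        if not match(pkt):
            continue
        for wan in wans:                       # priority order: first link that is up wins
            if wan in up:
                return name, wan
        if not fall_through:
            return name, None
    return "no-rule", None

def decide(pkt: Packet, up: set, nat_enabled: bool):
    """Full path: UDMP forwards the packet, then the Balance applies its policy table."""
    return evaluate(RULES, router_egress(pkt, UDMP_MAC, UDMP_IP, nat_enabled), up)
```

With NAT on, neither the Roku's MAC nor its IP rule matches and the flow lands on the SpeedFusion rule, which is the symptom the original post describes; with NAT off, the IP rule fires but the MAC rule still does not, because the routed hop rewrote the MAC either way.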

I do like the Ubiquiti (UniFi line) Access Points, but they require a UniFi controller to configure them. You can run a controller temporarily on a PC to set them up, but you get some of the cooler features only if you have a controller constantly running.

I went with the UniFi Dream Machine Pro in part because it had two WAN interfaces, but they do failover only. The VPN I use for work, and Video conferencing that works on top of that VPN glitches when there is a failover. That’s why I am adding a Peplink.