pfSense OpenVPN in front of UDM Pro Guidance

So I already know I’m going to get asked why I’m doing this. To make a long story short, I had a home network breach while only using my UDM Pro and it was catastrophic. So essentially what I’m trying to accomplish is using my pfSense box as my firewall/VPN and use my UDM Pro for everything else. In the current configuration everything works wonderfully, but I’m trying to work out how to forward my Plex media server through both machines and around the VPN. I’m currently double NATed. I’m extremely well versed on Unifi’s hardware but not so much on the pfSense side, and I’m curious as to whether or not I can maintain the firewall/VPN functionality as well as DHCP on my UDM and accomplish this. Or in more simple terms, only route ports around the VPN and not the single IP of my UDM. Sorry if this is asking too much or I’m asking too much of this config. Ubiquiti really needs to get their ish in gear and use their killer hardware to its full advantage, i.e. OpenVPN support/a proper firewall :roll_eyes:

Ditch the UDM. Less complexity, and you’ll be better off.

I just did this with pfsense.

  1. Create a new physical interface.
  2. Put a /30 network on it that is outside all your other networks
  3. Put a dhcp server on that to serve the other address
  4. Connect that to the UDMPRO wan
  5. Set UDMPRO wan to dhcp and put an any/any rule on the wan port
  6. Create a new gateway on pfSense, the gateway IP is the interface IP you created in step 1/2
  7. Create a new static route, point to the LAN network in unifi, using the gateway you just created

That should be all you need. My cameras and APs come into pfsense on vlans and had no issue re-adopting into the controller running on the UDMPRO through this static route.

The only thing I am still having issues with is UniFi Access, I can’t get the devices to see the controller.
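The seven steps above amount to a small transit network between the two routers. As an added example (my own code, not from this post and not anything pfSense or Ubiquiti ships), here is a Python script that plans that transit link: it derives both ends of the /30, refuses a /30 that overlaps any network pfSense already has (step 2), sets the DHCP pool to the single remaining address (step 3), and checks the gateway used for the static route (steps 6/7). Every address in it is a constructed placeholder, and it assumes the conventional reading of steps 6/7, namely that the next hop toward the UDM LAN is the UDM's end of the /30 (the address handed out by DHCP), which is the only address on that link other than pfSense's own.

```python
"""Worked plan for the pfSense <-> UDM Pro transit link.

Added example, not from the post. Every address is a constructed placeholder:
  - networks pfSense already has: 10.0.0.0/24 (LAN), 10.0.10.0/24 (camera VLAN)
  - the new /30 transit link (steps 1-3): 172.16.255.0/30
  - the UDM LAN reached via the static route (step 7): 192.168.1.0/24
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TransitPlan:
    transit: ipaddress.IPv4Network     # /30 on the new pfSense interface (steps 1/2)
    pfsense_ip: ipaddress.IPv4Address  # pfSense's end of the link
    udm_wan_ip: ipaddress.IPv4Address  # the one address the DHCP server serves (step 3)
    udm_lan: ipaddress.IPv4Network     # destination of the static route (step 7)


def plan_transit(transit_cidr, udm_lan_cidr, existing_cidrs):
    """Derive both ends of the /30 and refuse any overlap with existing networks."""
    transit = ipaddress.ip_network(transit_cidr, strict=True)
    udm_lan = ipaddress.ip_network(udm_lan_cidr, strict=True)
    existing = [ipaddress.ip_network(c, strict=True) for c in existing_cidrs]

    # A /30 has exactly two usable hosts: one per end of the link.
    if transit.prefixlen != 30:
        raise ValueError(f"transit network {transit} must be a /30")
    # Step 2 requires the transit to be outside all other networks, and the UDM
    # LAN must not collide with anything pfSense already routes, otherwise the
    # static route in step 7 is ambiguous.
    for net in existing + [udm_lan]:
        if transit.overlaps(net):
            raise ValueError(f"transit {transit} overlaps {net}")
    for net in existing:
        if udm_lan.overlaps(net):
            raise ValueError(f"UDM LAN {udm_lan} overlaps pfSense network {net}")

    pfsense_ip, udm_wan_ip = transit.hosts()   # the two usable addresses, in order
    return TransitPlan(transit, pfsense_ip, udm_wan_ip, udm_lan)


def gateway_is_valid(plan, gateway_ip):
    """Steps 6/7 check (example's assumption): the next hop toward the UDM LAN
    must be the UDM's end of the /30, i.e. on the transit subnet and not
    pfSense's own address."""
    gw = ipaddress.ip_address(gateway_ip)
    return gw in plan.transit and gw == plan.udm_wan_ip


def render_config(plan):
    """Settings to enter in the pfSense and UDM GUIs, one line per step."""
    return [
        f"step 1/2  pfSense interface: {plan.pfsense_ip}/{plan.transit.prefixlen}",
        f"step 3    pfSense DHCP range: {plan.udm_wan_ip} to {plan.udm_wan_ip}",
        "step 4/5  UDM WAN: DHCP client, any/any rule on WAN",
        f"step 6    pfSense gateway: {plan.udm_wan_ip} on the transit interface",
        f"step 7    pfSense static route: {plan.udm_lan} via gateway {plan.udm_wan_ip}",
    ]


if __name__ == "__main__":
    plan = plan_transit("172.16.255.0/30", "192.168.1.0/24",
                        ["10.0.0.0/24", "10.0.10.0/24"])
    print("\n".join(render_config(plan)))
    # A transit carved out of an existing network is rejected:
    try:
        plan_transit("10.0.0.252/30", "192.168.1.0/24", ["10.0.0.0/24"])
    except ValueError as err:
        print("rejected:", err)
```

Running it prints the five settings to type in, one per step, and then shows the overlap check rejecting a /30 taken from inside an existing LAN. The gateway check is the one worth keeping around: pfSense only accepts a gateway that sits on the interface's own subnet, and a route whose next hop is pfSense's own address or an address off the /30 will not carry traffic to the UDM LAN.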

Would a system like that be capable of routing 10gig? Those CPUs are old as dirt but 8 cores 16 threads still ain’t shabby.

I’m moving to another country and am wondering about a similar configuration. I currently run a UDM as my primary router. I have many Apple TV clients, etc. that I want to run YouTube TV and other services on from the US. I want to set up OpenVPN at the pfSense and maintain my current network configuration downstream. I’m running multiple UniFi switches, APs and a UniFi Cloud Key Gen 2 for Protect. I’m just looking for a hardware solution to go between the modem and the UDM to give me OpenVPN so that all the clients won’t have to connect individually.

Thoughts?

But I loveeeee it, I’m opening up an electronic repair shop soon and I’m using UniFi for my infrastructure, maybe I’ll repurpose the UDM Pro in the future but for now it’s staying in the rack.

Sorry this reply is on a 6-month-old post, but I’m at this stage of setup and having difficulties.
pfsense > udmpro > clients

From the udmpro network, I can ping everything in my house, in both networks; but from pfsense, I can’t ping a damn thing into udmpro, including the fkn WAN interface IP of the udm.

I set the gateway, I set the static route, and all I get is this:
$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Redirect Host(New nexthop: 102.0.0.10)

10.0.0.102 is the WAN IP of the udmpro; idk why the route is reflected in reverse octets.

Trying you first before I repost to the sub. Thanks


Were you able to connect from outside via VPN to your pfSense, and access your network behind the UDM (via the initial VPN)?

Leave it in the rack if you like, but everything you want to do can be accomplished easily by pfSense. You can use an old potato of a computer, a VM, or a nice small low-power fanless Linux box.

I think you can still use it as a network controller and for Protect/Access if you’re using those. Unless there’s a bridge mode on the UDM no one knows about, or you can disable DHCP on the UDMP and hook both LAN sides from pfSense and the UDM into the same switch, or change the gateway on the UDMP DHCP server and disable the DHCP server on pfSense, you’re going to be double-NATing.

My PF box is currently a Dell R610 with 48 GB RAM and 2 Xeon 5550s :joy: I know it’s extremely OP but I got 3 R610s, a 1000 VA UPS, and a 24U 19-inch rack off of Craigslist for $300, gotta get some use out of it. I’d ideally like to sell them and use the scratch to get something more reasonable. Luckily the R610s aren’t nearly as loud as R410s.

That works! Hope you don’t pay for electricity though! My pfSense box runs on 10-15 watts.

I would run pfSense in a VM on that guy to be able to leverage its resources for other tasks too. It would be a waste as just your router/firewall.

I’ll probably end up throwing Proxmox or ESXi on 2 of them and expanding my knowledge base; that would probably be more ideal, throwing it in a VM and running a Windows server. That’s been something I’ve been trying to teach myself recently so when I eventually branch into managed services I will be able to offer a wider range of services. I currently work with an MSP but I’m kinda limited in what I can offer as of right now.