Ubiquiti Unifi Site Magic

Site Magic

I was going to write a long article about the Site Magic feature on the Unifi Gateway devices. But I can't. And the reason is particularly rare and satisfying. If you are using this product for what it is designed and marketed to do:

  • It is easy to set up
  • It just works.


So if you want to

  • Allow full connection between two or more non-overlapping networks located behind Ubiquiti Unifi gateways

and provided

  • At least one of those gateways has a public IP address
  • The gateways have a communication path between them
  • You don't need to deal with more than 5 gateways (apparently this limit will change)


a half dozen mouse clicks will get the job done. So far it seems to handle IP address changes and to restore itself after a network loss with no intervention, and it has replaced a rather complex IPSec VPN setup.

The Steps

It is ridiculously easy:
  1. Log in to UniFi Portal
  2. Click on the 'Site Magic Icon'
  3. Click the 'Plus' icon to create a site magic group
  4. Click on the networks you want to allow to talk
  5. Click connect

One thing you will discover is that some networks won't let you connect them. You can't connect networks with overlapping addresses; this typically happens for two reasons:
  • You already have a site-to-site VPN connecting them (remove the VPN, as you are replacing it)
  • They could not talk directly anyway, as devices in one network cannot unambiguously address devices in the other network
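Because overlapping networks are the one thing Site Magic refuses to join, it is worth checking a planned group before clicking through the portal. The following is an added example, not code from the post or from Ubiquiti; the site names and subnets are constructed, and the 5-gateway limit is the one the post mentions.

```python
import ipaddress
from itertools import combinations

# Constructed sample: each prospective Site Magic member and the networks it would share.
SITES = {
    "home":   ["192.168.1.0/24", "10.10.0.0/16"],
    "office": ["192.168.2.0/24", "10.10.5.0/24"],   # 10.10.5.0/24 sits inside home's 10.10.0.0/16
    "branch": ["172.16.0.0/24"],
}
MAX_GATEWAYS = 5  # current group size limit as stated in the post


def find_overlaps(sites):
    """Return (site_a, net_a, site_b, net_b) for every pair of networks on
    different sites whose address ranges overlap; such pairs cannot be joined."""
    conflicts = []
    for (site_a, nets_a), (site_b, nets_b) in combinations(sites.items(), 2):
        for a in nets_a:
            for b in nets_b:
                na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
                # overlaps() only compares like with like, so guard the IP version first
                if na.version == nb.version and na.overlaps(nb):
                    conflicts.append((site_a, a, site_b, b))
    return conflicts


def plan_group(sites, max_gateways=MAX_GATEWAYS):
    """Validate a proposed group against the gateway limit and the overlap rule.
    Returns (ok, problems) where problems is a list of human-readable strings."""
    problems = []
    if len(sites) > max_gateways:
        problems.append(f"{len(sites)} gateways exceeds the limit of {max_gateways}")
    for site_a, a, site_b, b in find_overlaps(sites):
        problems.append(f"{site_a}:{a} overlaps {site_b}:{b}; renumber one or leave it out")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = plan_group(SITES)
    print("OK" if ok else "\n".join(problems))
```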

The Good



This eliminates a lot of IPSec site-to-site VPN configuration, which is, to put it bluntly, hard, and which with the way Unifi works is
  • hard to make work with redundant network connections all on static IP addresses
  • very unfriendly to any end point with a dynamic IP address

It is all based on WireGuard.

The Bad



Nothing so far

The Ugly



It only works between Unifi Gateway products. So my connection to my virtual machine network at a data centre still needs all the IPSec complexity.

Ubiquiti currently only exposes single-IP VPN endpoints for its WireGuard end points, so at the moment you can't roll your own equivalent service for connecting a 3rd party network via WireGuard. (Apparently there are hacks that let you load the CLI tools, but that negates much of the point of using a commodity gateway.)

Conclusion



A rare case of a product that did just work, and that really deskilled a very complex and reasonably common network problem. While there are other things one could wish for (hint, Ubiquiti: how about a virtual gateway appliance that I can drop in at my cloud supplier, or even a Linux package I could drop onto a VM at my cloud supplier that shows up in Site Magic), it does what it says on the box.

(Please note that the images have been edited to remove sensitive information and to improve presentation in a blog format)