Teri Radichel

Getting to UDM Pro Setup Behind PFSense ~ No Internet

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Unifi | Dream Machine Pro | Ubiquiti | pfSense | Network Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here’s a summary of where we’re at getting UDM Pro working behind PFsense.

  • First of all — why?
  • I somehow got into the UDM Pro a while back. I don’t remember exactly how, but I think I wrote it up in this post:
  • I started looking at what domain names the UDM Pro was trying to connect to via my pfSense logs here, but at that point I figured out I had a routing problem. The traffic was getting out but not back to the UDM Pro.
  • After many months of being super busy, I finally got back to this. I further mapped out my network setup, in part to remember what in the world I had done before and what I was trying to do now.
  • I wrote about administering devices here. Luckily I had documented IPs and passwords. I started thinking about the no route to host issue again.
  • Now about that NO ROUTE TO HOST issue. I configured the PFSense and proved that it was correctly routing certain traffic to a specified gateway here:
  • I then tried to simply log into the UDM Pro. If it’s not connected to the Internet, you can’t. You can’t get past the setup, so you can’t get in and look at the logs. The setup requires you to log in over the Internet, so if you can’t get to the Internet you can’t log in. If you can’t log in you can’t see what’s wrong with your configuration to resolve why you can’t get to the Internet. It’s a catch-22. I do not like this. At ALL.
  • But eventually I figured out at least how to get to the setup page, and I’m going to explain what I did in this post, in case it helps anyone.

LAN traffic reaching the pfSense

One thing I noticed was that LAN traffic was reaching the pfSense. Something was definitely wrong. Now I mentioned in my prior post about No Route To Host that some people suggested setting up a VLAN across the two devices and I didn’t think that was a good idea. However, at some point I had started testing that — and I think maybe that LAN traffic from the UDM Pro on the pfSense was a result of that nonsense. Further evidence that it is not a good solution. I want two separate networks and to keep the LAN traffic for the UDM on the UDM.

And perhaps this is why I randomly see traffic for 10001 ports hitting my firewall? Is someone else’s device misconfigured and spewing that port all over the Internet? Or are attackers trying to find misconfigured devices? That port should not be on the WAN.

At some point I did a factory reboot and that went away so must have been something I did before while messing around. Luckily I never let that traffic reach the Internet.

Update: Spoke too soon. After getting to the end of this post — I am seeing port 10001 hit my pfSense AND port 5060 — SIP?

https://community.ui.com/questions/UDM-Pro-generating-SIP-traffic-out-its-WAN-interface/a64c1ac8-c97a-4d61-9163-2fd3fd57833e

Advanced options with a static IP on the UDM setup page

So once I set up the routing in the manner I thought was correct and tested that traffic was properly routing to the gateway, I fired up the UDM Pro. But when I fired up the UDM Pro it was configured from the past to use different IP addresses. I thought, no problem I’ll just login and change them.

Yeah, right.

Even though I had logged into this UDM Pro in the past many times I could not login to it now. I kept getting a setup screen. And I couldn’t get past the setup screen because it said the device wasn’t on the Internet.

When you log into the UDM the first thing you see is the ability to use some “Advanced Options” where you can choose static IP and fill in the gateway, IP of the UDM Pro (I presume) and override whatever the UDM Pro is currently configured as (I guess?)

Setting up static IP addresses never worked for me.

Trying to match the previously configured IP addresses on the UDM in the pfSense configuration

Maybe, I thought wishfully, if I allow the blocked traffic and match the pfSense configuration to what the UDM is expecting, it will all just work.

But no. That didn’t work either.

A Clue. DHCP traffic even when selecting a static IP

At some point I just factory reset the UDM Pro. Multiple times, actually. What I noticed was that even when I chose “static IP” using the “advanced” option, I was still seeing DHCP traffic in my pfSense logs on ports 67 and 68. Now why was the UDM Pro sending DHCP traffic when I was telling it to use a static IP? Clearly it was ignoring me.

Hence, the factory reset, which it probably needed anyway.

Get a DHCP address via the UDM Pro

Finally, I went into pfSense and added DHCP to my gateway. If it’s still using DHCP when I tell it not to then I’ll just give it DHCP.

The first thing you need to do in pfSense to use DHCP is give the interface that is supposed to serve up addresses via DHCP a range of IPs (a subnet), not a single IP. Otherwise that interface does not show up when you go to configure your DHCP server. The pfSense interface really gives you no clue why you can’t set up DHCP for a gateway, but that’s why.

Edit the interface you are using for the UDM. Add a range instead of a single IP with /32 at the end (if you did what I did). Once you set up a range of IPs (and I am confused by why certain ranges are not allowed there), head over to:

Services > DHCP Server

Once you have a range on your gateway, the gateway will show up here and you’ll be able to configure a DHCP server.

Click on your interface (UDM_NET in my case).

Enable DHCP.

Scroll down and you will see the subnet associated with your interface, and the subnet mask, along with the available IP range. Configure the range within it that you want to use to assign dynamic IP addresses.

Now, if you are reading my subsequent post, this is not the actual range that matches my gateway. You would use a range that matches your own gateway and interface. The values above are just an example, not the actual values you will use, unless you set up your gateway and interface with these same values. Maybe I’ll do a summary post with all the settings in one place later.
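To make the rule behind that pfSense behaviour concrete, here is an added example (my own Python, not code from the post or from pfSense) that mirrors the checks the DHCP Server page implicitly applies: an interface on a /32 has no host addresses to lease, and a pool is only acceptable when it sits inside the interface’s subnet and excludes the network address, the broadcast address and the interface’s own (gateway) address. The 10.0.0.0/24 subnet and pool values are constructed sample input, not my real settings.

```python
"""Added example, not from the original post: subnet arithmetic behind the
pfSense "interface needs a range before DHCP can be enabled" behaviour.
Assumption (labelled here, not stated on the page): a DHCP pool must lie
inside the interface subnet and must not contain the network address,
the broadcast address or the interface's own address.
"""
import ipaddress

# Constructed sample values; the post does not give the author's real subnet.
SAMPLE_INTERFACE = "10.0.0.1/24"   # a range; "10.0.0.1/32" is the no-DHCP trap
SAMPLE_POOL = ("10.0.0.100", "10.0.0.200")


def interface_can_serve_dhcp(cidr: str) -> bool:
    """A /32 (or /31) carries no host addresses to lease, so pfSense does not
    list that interface under Services > DHCP Server."""
    return ipaddress.ip_interface(cidr).network.num_addresses > 2


def usable_pool(cidr: str):
    """Largest pool the interface could offer: every host in the subnet except
    the interface's own address. Returns (first, last) as strings, or None."""
    iface = ipaddress.ip_interface(cidr)
    if not interface_can_serve_dhcp(cidr):
        return None
    net = iface.network
    first = net.network_address + 1
    last = net.broadcast_address - 1
    if first == iface.ip:
        first += 1
    if last == iface.ip:
        last -= 1
    if first > last:
        return None
    return str(first), str(last)


def validate_pool(cidr: str, start: str, end: str) -> list:
    """Return the reasons a proposed pool would be rejected; an empty list
    means the pool is acceptable for this interface."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if not interface_can_serve_dhcp(cidr):
        problems.append(f"{cidr} has no host addresses to lease; "
                        "give the interface a subnet, not a /32")
        return problems
    if lo > hi:
        problems.append("pool start is after pool end")
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside {net}")
    for label, addr in (("network address", net.network_address),
                        ("broadcast address", net.broadcast_address),
                        ("interface/gateway address", iface.ip)):
        if lo <= addr <= hi:
            problems.append(f"pool includes the {label} {addr}")
    return problems


if __name__ == "__main__":
    print("can serve DHCP:", interface_can_serve_dhcp(SAMPLE_INTERFACE))
    print("usable pool:", usable_pool(SAMPLE_INTERFACE))
    print("problems:", validate_pool(SAMPLE_INTERFACE, *SAMPLE_POOL) or "none")
    print("/32 problems:", validate_pool("10.0.0.1/32", "10.0.0.1", "10.0.0.1"))
```

Run it with your own interface address and proposed pool; the first branch of validate_pool is exactly the /32 situation where the DHCP Server page silently omits the interface, and the other checks cover the ranges pfSense refuses to accept.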

Get a DHCP address via the UDM Pro

Anyway, once I had DHCP running on my interface, I went into the advanced settings on the UDM Pro and it picked up an IP address in the appropriate range from the DHCP server.

Then I could see that the UDM Pro was actually sending DNS traffic to the UDM_NET gateway on PFSense.

Progress.

Double-checking the routing configuration

But I still had a routing issue. I looked at my state table on PFSense and all the traffic from the UDM Pro showed up as:

SINGLE:NO_TRAFFIC

I read that as: the state was created when the UDM Pro’s packet came in, but the reply never made it back to the right place. In pf terms, SINGLE:NO_TRAFFIC means the firewall saw a packet from the initiating side and nothing at all from the other side, which fits a return-routing problem.
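As an added example (my own Python, not from the post), here is a small check over pfctl -ss style state lines of the kind the pfSense state table shows, flagging hosts whose every state shows packets going out and nothing coming back. The sample lines are constructed, and I assume the plain pfctl -ss layout: the state pair is printed initiator:responder, the initiator is the left address for “->” and the right address for “<-”, and a parenthesised address is the pre-NAT address.

```python
"""Added example, not from the original post: find hosts whose pf states are
all one-way (traffic out, no reply). Several SINGLE:NO_TRAFFIC states from one
host is what a broken return route looks like in the state table.
Assumed line layout (plain `pfctl -ss` output, not verified against the
author's box):  iface proto left [(pre-nat)] -> right  initiator:responder
"""
import re
from collections import defaultdict

# Constructed sample state table; 10.0.0.5 stands in for the UDM Pro.
SAMPLE_STATES = """\
all udp 10.0.0.5:51234 -> 1.1.1.1:53       SINGLE:NO_TRAFFIC
all udp 10.0.0.5:51235 -> 1.1.1.1:53       SINGLE:NO_TRAFFIC
all tcp 10.0.0.5:44321 -> 203.0.113.7:443       SYN_SENT:CLOSED
all tcp 10.0.1.20:50012 -> 203.0.113.9:443       ESTABLISHED:ESTABLISHED
all udp 10.0.1.20:53211 -> 1.1.1.1:53       MULTIPLE:MULTIPLE
all tcp 10.0.0.1:443 <- 10.0.1.20:50100       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<nat>[^)]+)\))?\s+(?P<dir>->|<-)\s+(?P<right>\S+)\s+(?P<state>\S+)$"
)

# Responder-side states meaning pf has not seen a single packet back.
NO_REPLY_STATES = {"NO_TRAFFIC", "CLOSED"}


def parse_states(text: str) -> list:
    """Parse state lines into dicts keyed by who initiated the flow."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines or a layout we do not understand
        left, right = m["left"], m["right"]
        if m["nat"]:
            left = m["nat"]  # report the real (pre-NAT) address of the host
        if m["dir"] == "->":
            initiator, responder = left, right
        else:
            initiator, responder = right, left
        init_state, resp_state = m["state"].split(":", 1)
        states.append({
            "proto": m["proto"],
            "initiator": initiator,
            "responder": responder,
            "init_state": init_state,
            "resp_state": resp_state,
        })
    return states


def reply_seen(state: dict) -> bool:
    """True when the responder side has sent at least one packet."""
    return state["resp_state"] not in NO_REPLY_STATES


def one_way_initiators(text: str) -> list:
    """Hosts (IP without port) for which no TCP/UDP state ever saw a reply.
    A host listed here with several states is the signature of 'packets
    leave, replies never come back': check the return route first."""
    replies = defaultdict(list)
    for s in parse_states(text):
        if s["proto"] not in ("tcp", "udp"):
            continue  # ICMP and others print numeric states; not handled here
        host = s["initiator"].rsplit(":", 1)[0]
        replies[host].append(reply_seen(s))
    return sorted(host for host, seen in replies.items() if not any(seen))


if __name__ == "__main__":
    for host in one_way_initiators(SAMPLE_STATES):
        print(f"{host}: traffic out, nothing back; check the return route")
```

Feed it the output of the state table (Diagnostics > States, or pfctl -ss on the shell) and a host that appears in the result while other hosts on the same firewall get replies points at routing for that host’s subnet rather than at DNS or the device itself.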

I double checked the router configuration. Because I had monkeyed with the routing I had inadvertently forgotten to change one value, which I fixed.

The other thing was that I had a question mark at the end of my routing post about this part of the interfaces page — do I select a gateway or not here? Is it a WAN because it’s connecting to a different network, or is it a LAN type network? Well I guess it’s a LAN with a gateway to another network. I didn’t select a gateway and it seems to work.

Gateway not picked up from DHCP

Finally, I remembered the teeny tiny screen on the UDM has some info. Does it have the version? Nope. But it showed me the IP was picked up from DHCP but not the gateway.

So back to the admin page. I chose the static IP setup, entered the DHCP-assigned IP address and manually set the gateway. And FINALLY. It seems like it was getting DNS responses. But what about HTTPS on 443? I wasn’t seeing any.

Ping the UDM Pro — is this necessary?

Now at this point I can’t see the problem. Everything seems right. I’m looking at the traffic and the state table and the DNS traffic seems to be OK. I was about to go in and do a packet capture on the DNS to make sure the queries were getting responses.

But before doing that I decided to make sure the traffic was routing correctly by running a command in the pfSense command line like I did in my post on fixing the NO ROUTE TO HOST issue. And magically, when I ran that ping command, I started seeing requests on port 443 from the UDM Pro.

Coincidence? I don’t know. But now I am finally back to the setup page.

It says:

Internet Connected!

Now, I got to the setup page, but I cannot complete it. Even with all the domains I already added, I am still seeing some blocked traffic. I’ll deal with that in the next post.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab