Unifi for Wifi management but gateway protection by Watchguard T35 - is it possible?
Posted by pedad@reddit | sysadmin | 14 comments
Site "A" has an existing network with a WatchGuard Firebox T35 as the gateway. It does DHCP and routing, but DNS is performed by an on-prem Windows DC, with 20-odd desktops and laptops on the network.
The Wi-Fi APs of this network are all basic consumer APs with no SSID roaming or cohesion, so I'm looking at using UniFi equipment to manage a new Wi-Fi network.
At other client sites ("B, C, etc."), I've just set up the UDR7 as the gateway/router, adopted the APs and switches, and everything works great...
Is it possible to introduce the same gear into the above-mentioned existing network and still use the T35 for DHCP and routing, and use the UniFi console functions of the UDR7 purely for Wi-Fi management?
Or should I put the UDR7 in the network and use it for all DHCP and routing, effectively ditching the T35?
Note that this site of 25 users has reduced its on-prem server reliance over the years and now uses primarily cloud-based systems (RingCentral, M365, etc.).
pdp10@reddit
It's always possible to keep Wi-Fi and Ethernet infrastructure separate. Generally, the only thing they need to keep in common is VLAN assignment.
If all Wi-Fi APs are bridging into the same sitewide designated LAN/VLAN, then clients can keep their IP address while roaming between APs. This is usually the foundation of fast roaming. Then there are other 802.11-family standards to bring down the time between APs.
Most users who aren't doing VoIP over Wi-Fi shouldn't need to do anything special for roaming as long as the IP subnet is shared across all APs. Most everything but realtime media streaming will be cut off for a couple of seconds, then resume.
Note that this means that even modestly-featured APs, when properly configured, can be used in big shared-SSID roaming environments. You may be missing features for debug and management, but it's all workable.
ZAFJB@reddit
TL;DR: Yes, it is.
SudoZenWizz@reddit
Yes, it is possible: T35 as router (DHCP and gateway); access points are in the network and only provide access to the network.
The UniFi controller manages the APs and wireless settings.
For the WG T35, have at least the warranty enabled, and make sure all PCs have good antivirus if there is no security subscription on the WG and no traffic scanning.
Haunting-Prior-NaN@reddit
Yes. You will need a controller for the APs, though.
Do the numbers:
Scenario A: renew the T35 WatchGuard + UniFi controller + extra layer of management
Scenario B: UDR7
Adventurous-Cat8847@reddit
Yes, keep the WatchGuard as gateway and just run UniFi APs in bridge mode for Wi-Fi management; no need to replace routing if it is stable.
bbbbbthatsfivebees@reddit
Totally possible, but I'd caution against it if the WatchGuard subscription is expired.
If you want to go with UniFi for switching/Wi-Fi, you just need something to host the UniFi controller application on the network. It can run as a VM on any existing servers, or it's also possible to run it in the cloud through something like AWS if you manually configure each AP via SSH and use the set-inform command to tell it where the controller is.
Since the WatchGuard subscription is expired, I would personally rip that out and replace it with a UDR7. Or bring up renewing licensing for the T35 if they want the web/application firewall features, as that's the other option. You CAN always leave the T35 in place, but I'd probably have the client give you that choice in writing so that if any future issues do occur, you at least have it in writing that they've acknowledged the expired/EOL hardware.
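The SSH-plus-set-inform step mentioned in the comment above, written out as an added example (this is not the commenter's script, nor Ubiquiti's tooling). It is the layer-3 adoption path: each AP is told where the controller lives, so the controller does not have to sit on the same subnet (a VM elsewhere on the LAN, or a cloud host). The controller hostname, inform port 8080 and the AP addresses are placeholders; the `ubnt` SSH user is the factory default on unadopted APs. Because AP addresses from an inventory file end up spliced into a remote command line, the script validates them before use, and the demo runs in dry-run mode so nothing is contacted.

```shell
#!/bin/sh
# Added example: point UniFi APs at a controller via the AP's built-in `set-inform`
# command over SSH (layer-3 adoption). Hostnames, port and AP addresses are
# placeholders, not values from the thread.
set -eu

CONTROLLER_HOST="${CONTROLLER_HOST:-unifi.example.internal}"   # placeholder hostname
CONTROLLER_PORT="${CONTROLLER_PORT:-8080}"                      # UniFi default inform port

# The controller accepts device inform messages at /inform on the inform port.
inform_url() {
    printf 'http://%s:%s/inform' "$1" "$2"
}

# Only allow characters that can appear in a hostname or IPv4/IPv6 literal. The
# value is spliced into a remote command line, so an untrusted inventory entry
# like "192.0.2.12;rm -rf /" must be rejected rather than executed on the AP.
valid_target() {
    case "$1" in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The exact command a technician would type at the AP's shell.
inform_cmd() {
    printf 'set-inform %s' "$(inform_url "$1" "$2")"
}

# Issue set-inform to every AP. The first run makes each AP appear as "pending
# adoption" in the controller; after clicking Adopt there, run this again so the
# AP keeps the new inform URL through the adoption handshake.
#   $1 = 1 for dry-run (print the ssh command), 0 to execute
#   remaining args = AP addresses
set_inform_all() {
    dry_run="$1"; shift
    for ap in "$@"; do
        valid_target "$ap" || { echo "skipping invalid target: $ap" >&2; continue; }
        cmd="$(inform_cmd "$CONTROLLER_HOST" "$CONTROLLER_PORT")"
        if [ "$dry_run" = 1 ]; then
            echo "ssh ubnt@$ap '$cmd'"
        else
            ssh -o ConnectTimeout=5 "ubnt@$ap" "$cmd"
        fi
    done
}

# Constructed demo inventory (RFC 5737 test addresses), dry-run only; the third
# entry is a deliberately malformed line to show the validation rejecting it.
set_inform_all 1 192.0.2.10 192.0.2.11 "192.0.2.12;rm -rf /"
```

Once an AP is adopted, the controller replaces the factory `ubnt` credentials with its own device-auth credentials, so the factory login in this script only works before adoption; treat it as a bootstrap step, not an ongoing management channel.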
Competitive_Run_3920@reddit
I do pretty much this across 35 sites. WG Firebox at the edge at every site, BOVPN from every site to corp, conditional DNS forwarding running on every Firebox and pointing to internal DNS servers at corp. Then corp has a self-hosted UniFi controller managing the WAPs and switches at every site. Works great.
ensum@reddit
If the WatchGuard is expired, you may as well dump it and just put a UDR7 in there. Otherwise you need to adopt the APs to a controller. A Cloud Key is an option, but you can self-host it on any device on the network if you want to be cheap.
seriously_a@reddit
You can use the WatchGuard for gateway and UniFi for Wi-Fi and switching. We do it for lots of sites.
But you'll either need a Cloud Key to manage UniFi, or a self-hosted controller, or something like HostiFi (what we use).
pedad@reddit (OP)
So, something like WAN > T35 > UDR7 > UAPs and USWs > client devices.
How would I hand all the DHCP and routing to the UDR7 but retain firewall functions of the T35?
And would this really be necessary if there aren't any security subscriptions on the T35 anymore?
seriously_a@reddit
Sorry, wasn't clear. Ditch the UniFi gateway. Just use APs.
Or ditch the WatchGuard and use the UDR. Just don't do both together.
sryan2k1@reddit
Aruba InstantOn
rodder678@reddit
Sir, this is a Wendy's
vrtigo1@reddit
If you already have routing, DHCP, etc. handled, you don't need a UDR. Just buy a Cloud Key to manage the APs, or run the UniFi app on an existing server/VM.
FYI, this is probably more of a r/networking question.