| DHCP       | OFF by default, but same as Ultra when enabled | 192.168.4.1 (When Ultra fails) | N/A |
| DHCP Range | Assigned by Ultra or Tplink                    | 192.168.4.6 — 192.168.4.254    | N/A |
Key Takeaways
✅ No conflicts, as only one DHCP server runs at a time.
✅ Stick PC (if static) remains accessible even when Ultra fails.
✅ Devices reconnect seamlessly during failover.
• Swish LAN Port 1 → 5-port switch/hub
• 2-port switch/hub → Ultra WAN Port (New)
• 2-port switch/hub → tpLink WAN Port (New)
• Ultra LAN Port 1 → Switch (Existing)
• tpLink LAN Port 1 → Ultra WAN2 (Existing)
• tpLink LAN Port 2 → Switch (New)
Since the Stick PC runs Windows 11, we can assign two IP configurations to the same Ethernet adapter:
• Go to: Control Panel → Network and Internet → Network Connections
• Right-click Ethernet adapter → Properties
• Select: Internet Protocol Version 4 (TCP/IPv4)
• Click Properties
• Set the first (Ultra) IP manually
• Click Advanced
• Add a second (tplink) IP address
• Add the second gateway as well
✅ Benefits:
• The Stick PC will always have an IP, regardless of which router is active.
• No manual intervention needed to change IP addresses when Ultra fails.
• You can still enable tplink DHCP in emergencies and everything will work automatically.
Revised Dual IP Setup for the Stick PC
If tplink’s LAN range is 192.168.40.0/24 (matching Ultra’s WAN subnet):
• When Ultra is active, the Stick PC uses 192.168.4.x and Ultra’s gateway.
• If Ultra fails, tplink’s 192.168.40.x subnet kicks in, and the Stick PC can reach tplink.
• This works because tplink’s LAN is Ultra’s WAN subnet, so the Stick PC is always in a routable network.
✅ No manual changes needed! The Stick PC will have a usable IP in both scenarios.
Key Points to Confirm
1. Is tplink’s LAN subnet definitely 192.168.40.0/24? Yes
2. Does Ultra get a WAN IP from tplink in this range? ?
• If Ultra’s WAN is on 192.168.40.x, this plan works perfectly.
🚀 What This Solves
✔ Stick PC never loses access, even if Ultra dies.
✔ No need to manually enable tplink DHCP in an emergency.
It is a client’s system, though I say “I” and “my”.
The key fix that made the Teleport VPN work despite the double NAT was setting up the correct NAT (masquerade) rule on the UniFi Ultra, ensuring that VPN traffic from 10.10.0.0/24 was properly NAT-ed to the WAN (eth4) and forwarded through the ISP router.
✅ The Key Fixes That Made It Work
Here’s a step-by-step breakdown of what I changed that led to success:
1️⃣ Found the Issue: VPN Clients Had No Internet Access
• I noticed that when connecting via VPN, internet traffic wasn’t working.
• I checked the UniFi Ultra’s WAN IP (192.168.40.229) and found that it was behind an ISP router (212.132.163.x), creating a Double NAT setup.
• UniFi Ultra was missing a NAT rule to handle VPN client traffic (10.10.0.0/24) and send it through its WAN (eth4).
2️⃣ Added a Correct NAT (Masquerade) Rule on UniFi Ultra
• I tried to modify an existing NAT rule, but the VPN network wasn’t listed.
• Instead, I created a new NAT rule in UniFi Ultra’s GUI:
  • Source Network: 10.10.0.0/24 (VPN Clients)
  • Destination: 0.0.0.0/0 (Internet)
  • Interface: eth4 (WAN, 192.168.40.229)
  • Protocol: ANY
  • Translated IP: Left Blank (or “Use WAN Address”)
  • Action: Masquerade (NAT)
✅ This rule ensured that VPN users’ traffic was NAT-ed and forwarded to the ISP router.
3️⃣ Verified That the ISP Router Allowed NAT Traffic
• Since my ISP router didn’t allow a DMZ setup, I had to make sure:
  • It wasn’t blocking outbound NAT traffic from 192.168.40.229.
  • NAT was open enough to allow VPN traffic out through 212.132.163.x.
4️⃣ Persistent NAT Fix
• Since UniFi Ultra doesn’t use /etc/network/interfaces, I made the rule persist by using a startup script (/etc/rc.local).
• This ensured the NAT rule remained active after rebooting.
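As an added example (this is not the author’s actual rc.local, which the write-up does not reproduce), the helper below applies the masquerade rule from step 2 and writes a startup script that re-applies it at boot, as step 4 describes. The values come from the text: VPN subnet 10.10.0.0/24 and WAN interface eth4; it assumes, as the write-up does, that the device executes /etc/rc.local at startup. The iptables command name is overridable via IPTABLES so the logic can be dry-run against a stand-in. The point a practitioner wants here is idempotency: a bare `iptables -A` in a boot script stacks a duplicate rule on every reboot or manual re-run, so the rule is checked with `-C` before it is added.

```shell
#!/bin/sh
# Added example: persistent, idempotent masquerade for VPN clients on a
# UniFi Ultra. Not the author's actual rc.local (the write-up does not show it).
# Values from the write-up: VPN subnet 10.10.0.0/24, WAN interface eth4.
VPN_NET="${VPN_NET:-10.10.0.0/24}"
WAN_IF="${WAN_IF:-eth4}"
# Command used for iptables; overridable so the logic can be dry-run
# against a stand-in without touching a live firewall.
IPTABLES="${IPTABLES:-iptables}"

# Add the POSTROUTING MASQUERADE rule only if it is not already loaded.
# "-C" (check) first keeps exactly one copy no matter how often this runs.
ensure_masquerade() {
    if "$IPTABLES" -t nat -C POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null; then
        echo "masquerade rule for $VPN_NET via $WAN_IF already present"
        return 0
    fi
    "$IPTABLES" -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE \
        && echo "masquerade rule for $VPN_NET via $WAN_IF added"
}

# Count loaded copies of the rule: 0 means it was lost (e.g. after a reboot
# with no startup script), 2 or more means a non-idempotent script duplicated it.
masquerade_rule_count() {
    "$IPTABLES" -t nat -S POSTROUTING 2>/dev/null \
        | grep -c -- "-s $VPN_NET -o $WAN_IF -j MASQUERADE" || true
}

# Write a startup script that re-applies the rule at boot with the same
# check-then-add idiom. The destination is a parameter so the file can be
# staged and inspected before being copied to /etc/rc.local on the device.
write_rc_local() {
    target="$1"
    cat > "$target" <<EOF
#!/bin/sh
# Re-apply the VPN masquerade rule on every boot (generated helper; assumes
# the device runs /etc/rc.local at startup, as described in the write-up).
iptables -t nat -C POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE 2>/dev/null || \\
    iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
exit 0
EOF
    chmod 755 "$target"
}

# Usage on the device (as root): write_rc_local /etc/rc.local && ensure_masquerade
```

After a reboot, `masquerade_rule_count` returning anything other than 1 is the quickest sign that the persistence step has failed (0) or that an older, non-idempotent script is still stacking rules (2 or more).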
5️⃣ Final Verification: Your Swiss Laptop Showed a UK IP!
• I reconnected the VPN and ran:
    curl ifconfig.me
• Expected Result: the UK public IP (212.132.163.2xx) appeared.
• Confirmed that ALL traffic was being routed via the UK! 🎉
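The `curl ifconfig.me` check above is the right test, but it is worth having in a repeatable form for the post-reboot and location-consistency checks listed under “What’s Next”. The script below is an added example, not part of the original notes: it fetches the public IP and verifies it falls inside the expected ISP range. The range 212.132.163.0/24 is an assumption (the write-up only shows 212.132.163.x), and FETCH_PUBLIC_IP is overridable so the logic can be exercised without network access.

```shell
#!/bin/sh
# Added example: a repeatable version of the "curl ifconfig.me" check.
# Not part of the original notes. The expected egress range is taken from the
# write-up's 212.132.163.x and ASSUMED to be a /24; adjust to the real ISP prefix.
EXPECTED_EGRESS="${EXPECTED_EGRESS:-212.132.163.0/24}"
# Command that prints the current public IP; overridable so the check can be
# exercised without network access.
FETCH_PUBLIC_IP="${FETCH_PUBLIC_IP:-fetch_public_ip}"

fetch_public_ip() {
    curl -s --max-time 10 ifconfig.me
}

# Dotted-quad IPv4 -> 32-bit integer, POSIX shell arithmetic only.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Return 0 when $1 (an IPv4 address) lies inside $2 (CIDR, e.g. 212.132.163.0/24).
ip_in_cidr() {
    ip_int=$(ip_to_int "$1")
    net_int=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    [ $(( ip_int & mask )) -eq $(( net_int & mask )) ]
}

# Compare the observed public IP with the expected ISP range. Returns 0 when
# traffic leaves via the UK WAN, 1 when it does not (the masquerade rule may
# have been lost, e.g. after a reboot), 2 when the lookup itself failed.
check_egress() {
    observed=$("$FETCH_PUBLIC_IP") || observed=""
    if [ -z "$observed" ]; then
        echo "could not determine public IP"
        return 2
    fi
    if ip_in_cidr "$observed" "$EXPECTED_EGRESS"; then
        echo "OK: egress $observed is inside $EXPECTED_EGRESS"
        return 0
    fi
    echo "MISMATCH: egress $observed is outside $EXPECTED_EGRESS"
    return 1
}

# Usage after reconnecting the VPN (or after a reboot): check_egress
```

Distinguishing “wrong egress” (exit 1) from “lookup failed” (exit 2) matters in practice: the first points at the NAT rule or the tunnel, the second at basic connectivity or the lookup service itself.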
🚀 Summary of the Fix
✅ Created a new NAT rule for VPN users (10.10.0.0/24).
✅ Masqueraded VPN traffic on eth4 (192.168.40.229).
✅ Ensured outbound NAT worked via ISP router (212.132.163.x).
✅ Made the NAT rule persistent using startup scripts.
✅ Verified the fix when VPN users got a UK IP (curl ifconfig.me).
💡 Why It Took So Long to Solve
• UniFi Ultra didn’t list the VPN network in the GUI, forcing me to manually add a NAT rule.
• The ISP’s router didn’t allow a DMZ or similar, so I had to work around the double NAT.
• UniFi Ultra doesn’t use /etc/network/interfaces, so I had to use an alternative method to persist NAT rules.
🔧 It was a complex networking issue, but several days and nights (!) of persistence and methodical troubleshooting paid off. 🎯
🚀 What’s Next?
• ✅ Check stability after a reboot.
• ✅ Run a speed test to check performance.
• ✅ Test sites to confirm UK location is consistent.
• ✅ If needed, optimise MTU settings for best performance.
🎉 Now the client has a bulletproof, always-on UK VPN solution! 🔧🚀
Network Wiring Plan, incorporating the small switch on the lower floor to split the Fibre Router’s connection.
Ultra Network Wiring Plan
The network consists of a Fibre Router, a UniFi Ultra Router, a Backup Router, a 24-port Switch, and a Small Switch. The Fibre Router provides the primary internet connection, while the Backup Router serves as a failover (and balancing) solution for the Ultra.
Network Overview
• The Fibre Router connects to a Small Switch in the "Ultra cupboard", which then splits the connection to both the Ultra’s WAN Port and the Backup Router’s WAN Port, ensuring both routers have a direct internet connection - albeit with double NAT.
• The Ultra serves as the primary router for the LAN, with its LAN ports connecting to the 24-port Switch, distributing the network to connected devices.
• The Backup Router is connected via LAN Port 1 to the Ultra’s WAN2 (Failover), allowing the Ultra to switch over to it if the Fibre connection fails. Since the Backup Router then has no Fibre either, it will itself have failed over to its 5G internet connection.
• Additionally, the Backup Router’s LAN Port 2 is connected to the Switch, ensuring that devices on the LAN can communicate with the Backup Router when necessary.
Network Wiring Plan

| Device        | Port Used    | Connected To             | Purpose                                       |
|---------------|--------------|--------------------------|-----------------------------------------------|
| Fibre Router  | LAN Port 1   | Small Switch (Port 1)    | Extends Fibre connection to both routers      |
| Small Switch  | Port 1       | Fibre Router LAN Port 1  | Receives internet from Fibre Router           |
| Small Switch  | Port 2       | Ultra’s WAN Port         | Ultra gets internet from Fibre                |
| Small Switch  | Port 3       | Backup Router’s WAN Port | Backup Router gets direct internet            |
| Ultra         | LAN Port 1-2 | 24-Port Switch           | Main LAN Network                              |
| Backup Router | LAN Port 1   | Ultra’s WAN2 (Failover)  | Ultra uses Backup Router if Fibre fails       |
| Backup Router | LAN Port 2   | 24-Port Switch           | Backup Router provides LAN access when active |
Key Benefits of This Setup
✔ Eliminates the need for a second Ethernet run from the Fibre Router to the lower floor.
✔ Ensures both the Ultra and Backup Router get direct internet from Fibre for independent operation.
✔ Allows seamless fail-over—if the Ultra loses Fibre, it switches to the Backup Router’s WAN2 port.
✔ LAN devices can always communicate—whether the Ultra or Backup Router is in use.
✔ A small unmanaged Gigabit switch ensures plug-and-play operation with no complex setup.
Failsafe Considerations
• Use a high-quality unmanaged 5-port Gigabit switch (e.g., Netgear GS305, TP-Link TL-SG105).
• If the Fibre Router enforces MAC address binding, reboot it when changing devices.
• Confirm the Backup Router’s DHCP doesn’t interfere with the Ultra’s network (done via DHCP scope and reservations).
• The Ultra’s failover settings are set to switch automatically when Fibre goes down.
What Happens in a Failure?
• If Fibre goes down, the Ultra switches to WAN2 (Backup Router).
• If the Ultra fails completely, the Backup Router can still provide direct LAN internet via its LAN Port 2.
• Devices on the LAN remain connected regardless of the active internet source.
This setup keeps both routers online at all times while ensuring the failover works automatically.
There is a way to keep the backup router directly online while also being the Ultra’s failover device. The key is to ensure both routers have separate internet access and that the Ultra can fail over to the backup router automatically. Here’s what I propose:
Dual Router Setup: Keeping Backup Online & Ultra as Primary
💡 Goal:
• Primary Router (Ultra) handles main traffic.
• Backup Router stays online for direct use and as failover.
• Failover works automatically when the Ultra goes down.
Revised Wiring Plan:

| Device        | Port Used    | Connected To             | Purpose                                 |
|---------------|--------------|--------------------------|-----------------------------------------|
| Fibre Router  | LAN Port 1   | Ultra’s WAN Port         | Ultra gets internet from Fibre          |
| Fibre Router  | LAN Port 2   | Backup Router’s WAN Port | Backup Router gets direct internet      |
| Ultra         | LAN Port 1-2 | Switch                   | Main LAN Network                        |
| Backup Router | LAN Port 1   | Ultra’s WAN2 (Failover)  | Ultra uses Backup Router if Fibre fails |
Network Settings:
• Ultra: Uses Fibre as primary WAN, Backup Router as WAN failover.
• Backup Router: Remains online, providing a separate Wi-Fi & Ethernet network.
• LAN Devices: Stay connected to Ultra unless switched to Backup Router manually.
Failover Behaviour
• Normal Mode: Ultra gets internet from Fibre Router, Backup Router stays separate.
• Fibre Fails: Ultra automatically switches to Backup Router’s internet.
• Ultra Fails: LAN devices can manually switch to Backup Router’s Wi-Fi or LAN.
Steps to Fix Ultra & Keep Backup Online
Step 1: Restore Ultra Connectivity
1. Connect Ultra’s WAN to Fibre Router.
2. Connect Ultra’s LAN back to Switch.
3. Check Ultra’s IP in the Backup Router’s DHCP list.
4. Access Ultra’s Web UI or SSH & verify it’s online.
Step 2: Restore Jump Box
1. Revert Ethernet settings to “Obtain IP automatically.”
2. Verify connection through Ultra’s network.
3. Confirm remote access to Ultra works.
Step 3: Configure Ultra for Failover
1. Log in to Ultra → Set Backup Router as WAN2 Failover.
2. Ensure Failover Policy is enabled in Ultra settings.
3. Test failover by disconnecting Ultra’s primary WAN (Fibre).
4. Ensure it switches to the Backup Router automatically.
Key Benefits
✅ Ultra is the primary router but fails over to Backup Router automatically.