VPN stopped working (AT&T passthrough)

Hi all, I am not very familiar with IT and networking and am having a technical issue I’m not sure how to resolve myself. Please forgive what is likely to be a very noobish set of questions.

I have a UCG Ultra set up behind an AT&T BGW320 in passthrough mode.

I need some sort of way to VPN into my own network when I’m on cellular network away from home, so that I can access Home Assistant, mostly.

I had Teleport working fine but then it randomly stopped. So I used Identity and set up a Wireguard VPN (all defaults) and that worked great. Then today it stopped working and I got the message that “Configure the remote or local authentication ID as the UniFi Gateway is behind NAT. UDP port 500 and 4500 need to be forwarded on the upstream router if the remote gateway is also behind NAT.”

Additionally, I have “The WAN IP address is dynamically assigned and may regularly change. We recommend enabling Dynamic DNS and configuring the remote gateway to connect to the hostname.”

If I’m understanding this correctly, my AT&T router is occasionally changing my IP and when it does my VPN breaks? Is that correct? I don’t understand what I need to do to change this. The “DynamicDNS” info sounds like really overkill for my setup, and requires a third party account with a DNS provider, which I’m not interested in setting up unless absolutely necessary.

I started looking at some of the other VPN options in the Control Plane, but I’m not sure any of them are what I need either. Is a site-to-site IPSec a good solution? It seems like maybe it’ll suffer from the same issue…

Or, is asking AT&T for a public IP a workable option?

Hello! Thanks for posting on r/Ubiquiti!


There is a bug currently with AT&T BGW 320-500 and 505’s in passthrough. Essentially they revert from passthrough and will hand out a 192.168.1.x to your router. Rebooting the UCG, UDM or whatever normally fixes it. Happens usually overnight 1-3am for me. Started a few weeks ago and each morning I usually have 4 to 5 sites with IPSEC tunnels dropped because of this. If AT&T is going to force bullshit RG’s on us it would be nice if they made them reliable. Sites with BGW-700 or static IP blocks are unaffected. For what it’s worth, AT&T DSL and GPON Fiber IPv4 IPs don’t change as long as your account is active. Even if you swap RG’s etc it won’t change. Unless you need more than one IPv4 there is no point in paying for static IPs.

I have a similar setup. Wireguard working for a year. Recently it stopped working. Client said authentication issue, so not exactly the same. I rebooted my UCG Ultra and it is now fixed. No idea.
You mentioned you are not very familiar with networking. Do you have a static IP? Did you set up some dynamic DNS? If not, your IP may have changed from your ISP.

I use Tailscale and subnet routing to access my home network from anywhere. You could probably just get away with installing Tailscale on the same server you’re using for Home Assistant and whichever devices you’re going to be using to access that server remotely (no subnet routing needed). It’s fairly easy to set up. I’ve even written a systemd service to automatically connect to my Tailnet as part of the startup process.

I did figure out how to go into my BGW320 and set up UDP ports 500 and 4500 for the UCG, but that didn’t fix it.

One weird thing I noticed is that in the BGW320’s IP Passthrough page the device that used to say UCG Ultra now says “Google, Inc.” but the MAC address is still the UCG’s. In the Control Plane the IP address the UCG thinks it has is 192.168.x.x whereas the true Public IP is visible in the BGW320’s dashboard.

Restarting didn’t work, but yeah, what you said is definitely what happened; I’m showing 192.168.x.x as my WAN IP in the UCG.

Let’s say I don’t care about having to manually update the IP if it changes, what would I change it to if I wanted to just fix it manually? In my BGW admin panel I can see my public IP. It’s a number x.x.x.133 for Broadband IP and the same number but x.x.x.1 for Gateway IP. Is that the address I need to put somewhere? If so, where? In the Wireguard VPN setup through the Unifi Control Plane?

Like I said, total noob here, sorry.

I found a setting under Network → Internet where I can choose Static IP.

My wife is working right now so I don’t want to screw up our internet, but would I set:

IP Address: x.x.x.133

Subnet Mask: 255.255.255.0

Gateway IP: x.x.x.1

Would that work?

I also found additional settings in the BGW admin panel where I can see Public Subnet as an option and also Cascaded Routers as an option. Would either of those potentially solve my problem?

I’m following up one more time. Thank you in advance if you take the time to read and reply to this.

Based on your comment “AT&T DSL and GPON Fiber IPV4 don’t change” and doing quite a bit of googling to confirm this, I went ahead and set up my UCG Ultra as a Static IP with the information I saw in the Home Network tab on my BGW admin panel, and internet and VPN are working just fine now.

What do I need to be concerned about now that I’ve made this change, if anything? If AT&T does decide to change my Public IP I assume that means I will lose all internet connectivity until I log into my BGW admin panel, look up the new IP, then connect physically to my UCG and update the info there (or just switch the UCG back to DHCP, but again this would require physically connecting to it onsite,) correct?

So if it happened while I’m out of town I wouldn’t be able to speak to, say, my security system, until I got back home. Correct?

I did not set up Dynamic DNS. Do you recommend I do that? It seems kind of unnecessary, but if it works…

I’ll try rebooting when my wife isn’t working. :slight_smile:

I personally use ip passthrough on the bgw320 and DHCP on my WAN to grab the public IP. There is not really any need to set a static IP on the WAN side.

Your Wireguard needs to be able to find your server. If you don’t pay for a static ip your isp can change it whenever they feel like it. This is where dyndns comes in. You tell Wireguard the hostname instead of the ip and dyndns makes sure you can always resolve your home server.

That’s how I had it and after a month the UCG started complaining about double NAT and VPN stopped working. Bgw320 passthrough appears to be bugged for some people.

Sounds like you didn’t do passthrough correctly if you were double NAT’d. You should be getting a publicly routable IPv4 via DHCP + an IPv6 block if you have things set up properly.

I had it set up correctly. It worked. Then it stopped working. And lots of people have had the same problem. Since I don’t feel like factory resetting the BGW every time it happens, I tried this instead.
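A small check for the two things this thread circles around: spotting that the UCG’s WAN address is a 192.168.x.x lease (the BGW320 has dropped out of passthrough, so the public IP shown on the BGW dashboard no longer matches what the UCG has) and sanity-checking the proposed static WAN settings before applying them. This is an added example, not from any poster; the 203.0.113.x addresses are constructed stand-ins for the thread’s x.x.x.133 / x.x.x.1.

```python
import ipaddress

# Constructed sample values standing in for "x.x.x.133" and "x.x.x.1" in the thread.
BGW_BROADBAND_IP = "203.0.113.133"
BGW_GATEWAY_IP = "203.0.113.1"
SUBNET_MASK = "255.255.255.0"

# Address ranges that can never be a real public WAN address. Using an explicit
# list rather than ipaddress.is_private keeps the check to RFC 1918 + CGNAT only.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # carrier-grade NAT (RFC 6598)
)]


def is_private_wan(wan_ip: str) -> bool:
    """True when the WAN address is RFC 1918 or CGNAT space: the symptom in the
    thread, where the BGW320 reverts from passthrough and hands out 192.168.1.x."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in NON_ROUTABLE)


def passthrough_reverted(ucg_wan_ip: str, bgw_broadband_ip: str) -> bool:
    """Compare what the UCG thinks its WAN IP is with what the BGW dashboard
    shows. A private WAN lease or a mismatch means the UCG is double-NAT'd."""
    return is_private_wan(ucg_wan_ip) or ucg_wan_ip != bgw_broadband_ip


def validate_static_wan(ip: str, mask: str, gateway: str) -> list[str]:
    """Check a proposed static WAN config (IP, mask, gateway) for consistency.
    Returns a list of problems; an empty list means the combination is usable."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"bad address, mask or gateway: {exc}"]
    net = iface.network
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    if gw == iface.ip:
        problems.append("gateway equals the host address")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("host address is the network or broadcast address")
    if is_private_wan(ip):
        problems.append(f"{ip} is not publicly routable; passthrough may have reverted")
    return problems


if __name__ == "__main__":
    print(passthrough_reverted("192.168.1.64", BGW_BROADBAND_IP))          # True
    print(validate_static_wan(BGW_BROADBAND_IP, SUBNET_MASK, BGW_GATEWAY_IP))  # []
```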