Migrating from USG to UXG Ultra.

A friend of mine and I were recently looking into setting up the Unifi SD-WAN between our Homelabs, his in Sydney, mine in Perth. We discovered that the Unifi Security Gateway line of Unifi routers was not supported and a Unifi Cloud Gateway or Dream Machine was required. Being a little trigger happy, he immediately ordered two UXG Ultras! I had a mild panic, as my Homelab is very tightly integrated into the Unifi Security Gateway and the config.gateway.json way of managing the non-supported config (BGP routing and custom DNSMasq entries being the main ones). After a little digging around, I found that the UXG Ultra, if using the Unifi Early Access firmware branch, could do everything that I needed and would probably make support easier and my network faster.

Implementing PowerDNS in the Homelab

For a while now I have been relying solely on the Unifi built-in DNSMasq resolver for my internal DNS. It’s great, and I like that it runs independently of my Proxmox lab cluster setup to ensure that maintenance on that cluster doesn’t interrupt Prod YouTube for the household. Recently, however, I have come across a couple of use cases that I can’t accommodate with DNSMasq on Unifi: Proxmox SDN integrated DNS and ACME.sh challenge handling, which both require an HTTP API.

Automating Certificate Renewal with PowerDNS & Step CA

I’ve been looking for a way to get an internal CA certificate onto my TrueNAS WebUI. I also had the idea that this would allow me to set up and use the inbuilt S3 service from TrueNAS; however, I have now learned that this is being deprecated. Proxmox makes this quite easy and integrates seamlessly with Step CA using ACME. Unfortunately the built-in ACME client on TrueNAS is a bit limited, and using the default http-01 challenge for ACME is not possible. ACME.sh provides quite a few alternatives now, including DNS alias challenge handling (which I may still look into), but for now I have landed on the following solution/workaround/hack:

Anycast Reverse Proxy with ExaBGP, USG and HAProxy

My background is as a systems dude. I’ve always wanted to be a network dude, and I certainly know layer 2 stuff and IPv4 stuff pretty well. When it comes to layer 3 networking, though, my knowledge has always been vague. Probably fair to say the same for IPv6... vague! So this “lab” is an opportunity to learn a bit more about both of these topics. I guess, like anything in this field, once you know a little bit about a piece of technology, you come to realise how much more there is to know. For me, BGP is that piece of technology.

Step CA

I think it would be nice to get rid of the pesky certificate warnings on my Proxmox and PBS GUIs. There will be other benefits too that I can’t think of right now.


© 2021. All rights reserved.
