Is site-to-site with Ubiquiti UDM Pro + USG + ERPro-8 behind ISP routers possible

site-to-siteubiquiti

Evaluating the capabilities of the UniFi Dream Machine Pro all-in-one enterprise security gateway & network appliance (UDM Pro), I was wondering whether this site-to-site setup is possible:

Setup context

Router on site 1: Ubiquiti EdgeRouter ERPro-8 (ERPro-8)
Router on site 2: Ubiquiti UniFi Dream Machine Pro (UDM Pro)
Router on site 3: Ubiquiti UniFi Security Gateway (USG)
All three routers are behind ISP routers, which do support port-forwarding to the ubiquiti routers, but might not support bridge mode.
All three sites have dynamic IPs, referenced by dynamic DNS.

Setup goals

The three networks behind the Ubiquiti routers should be connected via site-to-site VPN, e.g. IPSec.
All UniFi devices, i.e. the Access Points (APs), the UDM Pro, and the USG, should be controlled by the UniFi controller on the UDM Pro.

Some observations

IPSec between several EdgeRouters only (without ISP routers, without UniFi routers) does work, but the UDM Pro interface did not allow to enter dynamic DNS names as IPSec peers.
When adding the ISP routers with port forwarding (UDP 500 and 4500), I think I would need to tell the EdgeRouters to use their dynamic public IPs when establishing IPSec for authentication, but I'm not sure if I can do this in the GUI.
From what I've seen, the USG and the UDM Pro would support dynamic DNS when using OpenVPN rather than IPSec, but the EdgeRouter does not support OpenVPN from the GUI.
The most uncertain thing to me is whether I can use the UDM's UniFi controller through the tunnel, especially because the UDM Pro is an appliance and I'm unsure whether it would support controlling multiple sites, or be controlled by an external UniFi controller.

Best Answer

It's possible, but first you need static IP addresses. You can ask your ISPs to give you static addresses (for a fee, of course).

The most uncertain thing to me is whether I can use the UDM's UniFi controller through the tunnel...

Once you establish the tunnels, they essentially become transparent to the devices. Baring latency problems, your controllers can't tell the difference if you're using VPN tunnels or not.

Related Solutions

Cisco Small Business SG300-10P and Ubiquiti Wireless APs, is is possible to enable IP Source Guard

That is what source guard is supposed to do. It protects the network by making sure that each address is only coming from one port on the switch. This prevents someone from spoofing to receive traffic destined for a different port. IP source guard doesn't do this by MAC address, but by IP address, so it isn't locking your MAC to a single port, it is locking the IP address to a single port to prevent spoofing. It uses DHCP snooping to lock the IP address to the port. To use the same device from a different port, you would need to pull an address from DHCP on the new port.

You seem to want it to work only for static addresses, but that is not how IP source guard works or what it is designed to do. It require DHCP snooping to allow an IP address on a port, and that is how it blocks statically assigned IP addresses, but there is no feature that only blocks statically assigned addresses; it is sort of a side effect which you can get around by putting a static binding on a port to allow a statically addressed device to work on a port.

Cisco has a document, IP Source Guard, which explains this:

Overview of IP Source Guard

IP source guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address. IP source guard is a port-based feature that automatically creates an implicit port access control list (PACL).

Router – Ubiquiti EdgeRouter Pro ERPro‑8 as BGP 1 Gbps endpoint

This router run EdgeOs which is a fork of the community (open source) Vyatta software. Vyatta was bought by Brocade and the community edition discontinued. It was then forked to EdgeOs and VyOs

I'm not an Ubiquity / EdgeOs user but I do use VyOs intensively, including for BGP (full table, multiple ISP, 10Gbs links), for years in production environments and it run perfectly stable.

As commented by @Ron Trunk you have to check if the hardware and throughput specifications meet your needs. From this datasheet we get:

Layer 3 Forwarding Performance 
Packet Size: 64 Bytes
Packet Size: 512 Bytes or Larger
2,400,000 pps
8 Gbps (Line Rate)

Processor     Dual-Core 1 GHz, MIPS64 with Hardware Acceleration for Packet Processing
System Memory    2 GB DDR3 RAM
On-Board Flash Storage    4 GB