
UniFi Gateway - Setting Up SD-WAN with UniFi Site Magic

Site Magic SD-WAN simplifies the setup of Site-to-Site VPN tunnels between UniFi Gateways, enabling seamless resource and application sharing across multiple sites.

Comparing Topologies

Site Magic supports both Hub-and-Spoke and Mesh topologies. The table below highlights the key differences between these configurations.

| | Hub & Spoke | Mesh |
|---|---|---|
| Description | Centralized architecture where all branch sites connect through a central hub or multiple hubs. | Decentralized architecture where all branch sites connect directly to one another. |
| Best Use-Cases | Ideal for organizations with centralized data centers or resources and those needing IP-based whitelisting for cloud access. | Suited for organizations with distributed resources that require direct sharing between all locations. |
| Scalability | Supports up to 1,000 tunnels. | Supports up to 20 sites. |
| Security | Centralized traffic management at hubs with isolation options. | Direct traffic flow between sites; requires individual firewall rules at each site. |
| Redundancy | Each spoke supports up to 4 active VPN tunnels with the hub; failover hubs can be added for even more redundancy. | Each site has only one active tunnel per connection. Failover tunnels require time to re-establish during Internet outages. |
| Flexibility | Highly customizable with features like NAT for overlapping subnets, custom routing advertisements, and load balancing across hubs. | Limited customization; NAT is unsupported, meaning overlapping subnets cannot exist within a Site Magic group. |

Hub & Spoke

Requirements

  • Hub: At least one device with a public IP address:
    • Cloud Gateways: EFG, UDM Pro Max, UDM SE, UDM Pro, or UDW.
    • Independent Gateways: UXG-Enterprise, or UXG-Pro managed with a CloudKey or Official UniFi Hosting.
  • Spoke: Most Cloud Gateways (excluding Express) or Independent Gateway managed with a CloudKey or Official UniFi Hosting.
  • All hubs and spokes must share the same UI Account Owner.
  • UniFi Network Application version 9.0.108 or newer.
  • UniFi (Cloud) Gateway version 4.1.3 or newer.

Configuring Hub & Spoke

  1. Navigate to Site Magic on the UniFi Site Manager.
  2. Select Hub & Spoke as the deployment type and name the SD-WAN group.
  3. Choose the Hub Topology:
    1. Single: All spokes connect to the same central hub.
    2. Failover: All spokes connect to the same central hub with failover to a backup hub.
    3. Distributed: Manually specify which hub each spoke connects to.
  4. Select the Spoke-to-Hub VPN Architecture:
    1. Max Resiliency: Up to 4 simultaneous VPN tunnels (independent tunnels between each Hub and Spoke WAN). No interruptions during failover.
    2. Redundant: Supports up to 2 simultaneous VPN tunnels (each Spoke's Primary and Secondary WAN connects to the Hub's Primary and Secondary WAN, respectively). There will not be any interruptions during failover events.
    3. Scalable: One tunnel per spoke. Temporary interruption during failover.
  5. Add Networks and/or Routes to each hub:
    1. Networks: Automatically advertise routes for the specified networks.
    2. Routes: Share non-local subnets (e.g., other Site-to-Site VPN connections) or manually define summary routes.
  6. Assign the Primary VPN WAN and (optional) WAN Failover for each hub.
  7. Configure Spoke Networks and WANs:
    1. Auto-Scale and NAT Spoke VPNs: Enable when spokes have overlapping subnets. This automatically creates a Source NAT rule to translate traffic from a spoke into a unique /24 subnet before routing it to the hub. When enabled, sessions can only be initiated by the spoke. See Overlapping Subnets and NAT below to learn more.
      1. If disabled, select the Networks you want to share with the Hub.
    2. Isolate Spokes: Blocks all traffic between spokes by auto-generating Firewall rules on the hub. Disable this option and Auto-Scale if spokes need to communicate with each other.
      1. Note: This requires Zone-Based Firewalling to be available on your gateway. View more details here.
    3. Standardize WAN Settings: Forces all Spokes to use the same WAN interface as the Primary or Failover VPN interface.
    4. Specify the Primary VPN WAN and the WAN Failover for each hub.

Overlapping Subnets and NAT Configuration

Overlapping subnets typically prevent communication because traffic cannot be differentiated by origin or destination. Auto-Scale and NAT Spoke VPNs solves this by automatically applying a Source NAT rule, translating traffic to appear as if it originates from a unique, non-overlapping subnet. By default, this enables one-way communication from the spoke to the hub, allowing clients on a spoke to access hub resources, download files, or proxy to cloud resources. However, spoke resources will not be sharable unless you manually configure a Destination NAT rule on the spoke.

As an example, consider a spoke assigned the 172.16.1.0/24 route with Auto-Scale and NAT Spoke VPNs enabled, and a server at 192.168.50.5 on the local 192.168.50.0/24 subnet. You can make it accessible with the following DNAT rule applied to the Spoke:

  • Name: DNAT from Hub-and-Spoke to LAN
  • Protocol: All
  • Interface: Site Magic VPN Tunnel
  • Destination: 172.16.1.5
  • Translated IP Address: 192.168.50.5

A similar rule must be created for each resource on the spoke that needs to be accessible. If you need to expose a large number of local resources, we recommend designing subnets to avoid overlap. View instructions here.
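The following Python script is an added illustration, not part of this article or of UniFi's software. It models the translation described above: it detects which sites in a proposed group advertise overlapping subnets (the condition that requires Auto-Scale in a Hub & Spoke group and is not permitted at all in a Mesh group), maps a spoke-local address into the unique /24 that Auto-Scale assigns, and generates one DNAT rule per spoke resource in the same five-field shape as the rule above. It assumes that the mapping preserves the host offset within the /24 (consistent with 172.16.1.5 translating to 192.168.50.5 in the example) and that a spoke LAN larger than a /24 cannot be mapped one-to-one; site names, subnets, and the `Spoke` class are constructed for the example.

```python
"""Constructed model of Site Magic's Auto-Scale SNAT and the per-resource DNAT rule.

Added example only: not UniFi code. The host-offset-preserving mapping and the
/24 size limit are assumptions of this model, labelled where they apply.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Spoke:
    """A spoke site with its real LAN and the unique /24 Auto-Scale assigned to it."""
    name: str
    local_subnet: ipaddress.IPv4Network
    nat_subnet: ipaddress.IPv4Network

    def __post_init__(self) -> None:
        # Accept plain strings so the class is convenient to construct.
        self.local_subnet = ipaddress.ip_network(self.local_subnet, strict=False)
        self.nat_subnet = ipaddress.ip_network(self.nat_subnet, strict=False)


def find_overlaps(subnets: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of sites whose advertised subnets overlap.

    In Hub & Spoke this is the situation that calls for Auto-Scale and NAT
    Spoke VPNs; in Mesh, where NAT is unsupported, any overlap must be
    redesigned away before the group is created.
    """
    nets = {site: ipaddress.ip_network(s, strict=False) for site, s in subnets.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def nat_address(spoke: Spoke, local_ip: str) -> ipaddress.IPv4Address:
    """Translate a spoke-local address into the spoke's assigned NAT /24.

    Assumption of this model: the host offset is preserved, so .5 stays .5.
    """
    ip = ipaddress.ip_address(local_ip)
    if ip not in spoke.local_subnet:
        raise ValueError(f"{ip} is not inside {spoke.local_subnet} on spoke {spoke.name}")
    offset = int(ip) - int(spoke.local_subnet.network_address)
    if offset >= spoke.nat_subnet.num_addresses:
        # Assumption: a LAN larger than the /24 cannot be mapped one-to-one.
        raise ValueError(f"{spoke.local_subnet} does not fit inside {spoke.nat_subnet}")
    return spoke.nat_subnet.network_address + offset


def dnat_rule(spoke: Spoke, local_host: str) -> dict[str, str]:
    """Build the DNAT rule that exposes one spoke host to the hub side.

    Without this rule the hub can be reached from the spoke, but not vice versa.
    """
    return {
        "Name": f"DNAT from Hub-and-Spoke to LAN ({local_host})",
        "Protocol": "All",
        "Interface": "Site Magic VPN Tunnel",
        "Destination": str(nat_address(spoke, local_host)),
        "Translated IP Address": str(ipaddress.ip_address(local_host)),
    }


def dnat_rules(spoke: Spoke, hosts: list[str]) -> list[dict[str, str]]:
    """One rule per resource that must be reachable from the hub."""
    return [dnat_rule(spoke, h) for h in hosts]


if __name__ == "__main__":
    # Constructed sample group: two branches reuse the same LAN range.
    proposed = {
        "hub": "10.0.0.0/24",
        "branch-a": "192.168.50.0/24",
        "branch-b": "192.168.50.0/24",
    }
    print("overlapping sites:", find_overlaps(proposed))

    branch_a = Spoke("branch-a", "192.168.50.0/24", "172.16.1.0/24")
    for rule in dnat_rules(branch_a, ["192.168.50.5", "192.168.50.10"]):
        print(rule)
```

Running the script lists `branch-a` and `branch-b` as an overlapping pair and prints two DNAT rules whose `Destination` values (172.16.1.5 and 172.16.1.10) are the addresses hub-side clients would use. The overlap check is the same one you would run before choosing Mesh, where the only remedy is renumbering.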

To learn more about NAT rules, visit Network Address Translation.

Hub VPN Tunnel Capacity

| Model | Site Magic VPN Tunnels |
|---|---|
| Enterprise Fortress Gateway (EFG) | 1,000 |
| Gateway Enterprise (UXG Enterprise) | 1,000 |
| Dream Machine Pro Max (UDM Pro Max) | 200 |
| Dream Machine Special Edition (UDM SE) | 100 |
| Dream Machine Pro (UDM Pro) | 100 |
| Dream Wall (UDW) | 100 |
| Gateway Pro (UXG Pro) | 100 |

Mesh

Requirements

Configuring Site Magic

  1. Navigate to Site Magic on the UniFi Site Manager.
  2. Select Mesh as the deployment type and name the SD-WAN group.
  3. Choose up to 20 sites to be a part of the mesh connection.
  4. Select the networks from each site that will be shared.
    1. If networks have overlapping subnets, follow the instructions here.
  5. Click Connect.

Frequently Asked Questions

Can I use Site Magic to connect with third-party gateways or cloud providers (AWS, Azure, GCP)?
Although Site Magic is a dedicated solution for connecting UniFi Gateways, we support OpenVPN and IPsec for interoperability with other third-party gateways and cloud providers.
Can I add more admins to manage Site Magic settings?
No, Site Magic can only be managed by the Owner.
Is IPv6 supported?
Not yet. We plan to add support in a future release.
Is the USG family supported?
No, legacy USG models are not supported.
How can I maximize performance for the Mesh deployment?
If more gateways have public IPs, the network will be more resilient, and the additional routes between gateways should help with performance.
Are there any site limitations for the Mesh deployment?
There is a limit of 20 sites for the Mesh topology. 
Will Site Magic connections drop during cloud issues?
Site Magic will not drop during a cloud issue. However, you won’t be able to update the configuration if, for example, there is a WAN/LAN change. This requires the Cloud to be available.
Will Site Magic VPN work even if a Gateway's WAN IP Address changes?
Yes. If a gateway changes its WAN IP Address, the new IP address will be automatically updated on the other gateways, and Site Magic will stay connected. This is true for both gateways with public IPs and gateways behind NAT.
What happens if there's an ownership transfer?
All participating consoles must have the same admin. If an ownership transfer is initiated on a console that is part of a Site Magic Group, the connections to that site will automatically close while the other sites will remain up and running.