
Mastering UniFi Gateway: Unlocking the Power of Shadow Mode for High Availability

Published by Juan David Ramirez on 26th Nov 2024

Hello, tech enthusiasts and networking pros! Juan David here, your Tech Support Lead & UniFi Networking Expert at Flytec. Today, we’re diving into the world of UniFi Gateways, focusing on a powerful feature known as Shadow Mode High Availability (HA). This game-changing setup leverages Virtual Router Redundancy Protocol (VRRP) and advanced firewall state tracking to minimize downtime and ensure your network stays operational even in the face of unexpected hardware failures. But first, let’s start with the basics.

What is a UniFi Gateway?

A UniFi Gateway is a versatile networking device designed to provide routing, security, and VPN functionalities. UniFi offers two types of gateways—Cloud Gateways and Independent Gateways, each catering to different needs.

UniFi Cloud Gateways

These all-in-one solutions include the required UniFi management software, making them ideal for simplified deployments.

Compact Form-Factor Options:

Rack-Mounted Options:

Independent Gateways

These require external management via UniFi software running on a CloudKey, self-hosted network server, or Official UniFi Hosting.

Compact Options:

Rack-Mounted Option:

Key Features of UniFi Gateways

  • Advanced Routing and Security: Includes VPN, firewall, and other essential network features.
  • Management Flexibility: Cloud Gateways have integrated management, while Independent Gateways require external management solutions.

Now that we’ve covered the basics, let’s dive into Shadow Mode, a revolutionary feature that takes High Availability to the next level.

What Is Shadow Mode?

Shadow Mode ensures High Availability (HA) by creating a backup gateway (the Shadow Gateway) that mirrors the configuration of your Primary Gateway. Leveraging Virtual Router Redundancy Protocol (VRRP), this setup provides a reliable failover mechanism, minimizing downtime and maintaining network stability in case of hardware failure.

Two Types of Shadow Mode:

1. Shadow Mode (Manual Failover):

  • The Shadow Gateway’s WAN port connects to the LAN on the Primary Gateway.
  • If the Primary Gateway fails, cables must be manually swapped to the Shadow Gateway.

2. Shadow Mode with Automatic Failover:

  • The Shadow Gateway mirrors the Primary Gateway's cabling.
  • Both devices synchronize via a dedicated High Availability (HA) link.
  • In the event of hardware failure, the Shadow Gateway takes over automatically, with minimal downtime.

Requirements for Shadow Mode

Before configuring Shadow Mode, ensure you meet the following requirements:

  • Compatible devices: UDM-Pro-Max, UDM-Pro, UDM-SE, or EFG.
  • Both gateways must be the same model.
  • Managed from a UI Account with Owner or Super Admin privileges.
  • Shadow Gateway must be in a factory-default state.
  • Software requirements:
    • UniFi OS 3.2 or newer for Shadow Mode.
    • UniFi OS 4.0.6 or newer for Shadow Mode with Automatic Failover.

Configuring Shadow Mode with Automatic Failover

Follow these steps to set up Shadow Mode with Automatic Failover:

  1. Update Primary Gateway: Ensure it is running UniFi OS 4.0.6 or newer.
  2. Connect Shadow Gateway:
    • WAN port to port 1-6 or 8 on UDM-Pro-Max / UDM-Pro / UDM-SE.
    • WAN port to port 3-6 on EFG.
  3. Set Shadow Mode:
    • Go to UniFi OS > Applications Settings on the primary gateway.
    • Assign the secondary gateway as the Shadow Gateway.
  4. Sync Configuration:
    • The Shadow Gateway will upgrade to match the UniFi OS version of the primary.
    • Synchronize configurations automatically or manually via Sync Now.
  5. Enable Automatic Failover:
    • Establish a high availability link:
      • Connect port 7 on both gateways (for UDM-Pro-Max / UDM-Pro / UDM-SE).
      • Connect port 2 on both gateways (for EFG).
  6. Mirror Cabling:
    • Replicate the Primary Gateway’s WAN and LAN cabling on the Shadow Gateway.
    • If using a single ISP uplink, split the ports via a UniFi switch or unmanaged switch.
  7. Verify and Finalize:
    • Check the connection and set up the high availability cluster.
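
The requirements and cabling steps above can be checked against a planned deployment before anyone touches a cable. The following is an added example, not Ubiquiti or Flytec code: the Gateway class, the preflight function and their field names are hypothetical, and version strings are assumed to be dotted numbers such as 4.0.6.

```python
# Added example: pre-flight check for a planned Shadow Mode deployment.
# All names here (Gateway, preflight, field names) are hypothetical; the rules
# come from the requirements and cabling steps in this article.
from dataclasses import dataclass

# model -> (primary ports the shadow WAN may plug into, HA link port)
RULES = {
    "UDM-Pro-Max": ({1, 2, 3, 4, 5, 6, 8}, 7),
    "UDM-Pro": ({1, 2, 3, 4, 5, 6, 8}, 7),
    "UDM-SE": ({1, 2, 3, 4, 5, 6, 8}, 7),
    "EFG": ({3, 4, 5, 6}, 2),
}
MIN_SHADOW = (3, 2)        # UniFi OS 3.2 or newer
MIN_AUTO = (4, 0, 6)       # UniFi OS 4.0.6 or newer

@dataclass
class Gateway:
    model: str
    os_version: str
    factory_default: bool = False

def parse_version(text):
    # Compare numerically: as strings, "4.0.10" would sort below "4.0.6".
    return tuple(int(p) for p in text.split("."))

def preflight(primary, shadow, shadow_wan_port, ha_ports=None, role="Owner"):
    """Return a list of problems; ha_ports=(primary_port, shadow_port) for automatic failover."""
    problems = []
    if primary.model not in RULES:
        return [f"{primary.model} does not support Shadow Mode"]
    lan_ports, ha_port = RULES[primary.model]
    if shadow.model != primary.model:
        problems.append("both gateways must be the same model")
    if not shadow.factory_default:
        problems.append("Shadow Gateway must be in a factory-default state")
    if role not in ("Owner", "Super Admin"):
        problems.append("UI Account needs Owner or Super Admin privileges")
    needed = MIN_AUTO if ha_ports else MIN_SHADOW
    if parse_version(primary.os_version) < needed:
        problems.append("Primary needs UniFi OS " + ".".join(map(str, needed)) + " or newer")
    if ha_ports:
        if shadow_wan_port not in lan_ports:
            problems.append(f"shadow WAN must use one of primary ports {sorted(lan_ports)}")
        if tuple(ha_ports) != (ha_port, ha_port):
            problems.append(f"HA link must connect port {ha_port} on both gateways")
    return problems
```

An empty list means the plan satisfies every rule listed in this article; leaving ha_ports unset checks the manual-failover variant, where the Shadow Gateway's WAN port may use any LAN port on the Primary Gateway.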

Failover Scenario: What Happens When Things Go Wrong?

When the Primary Gateway fails:

  1. The Shadow Gateway automatically takes over, ensuring minimal downtime.
  2. Firewall and connection state tables are synchronized, preventing client disconnections.
  3. If applicable, remove the HDD from the Primary Gateway and insert it into the Shadow Gateway.
  4. Promote the Shadow Gateway to Primary via UniFi OS > Applications Settings.
  5. Install a new gateway and repeat the setup process.

Configuring Shadow Mode Without Automatic Failover

For a simpler setup without automatic failover:

  1. Connect the Shadow Gateway’s WAN port to any LAN port on the Primary Gateway.
  2. Assign the Shadow Gateway via the UniFi Control Plane.
  3. Sync configurations as needed.

In a failover event:

  • Manually move cables from the Primary Gateway to the Shadow Gateway.
  • Use the Shadow Gateway’s touchscreen to finalize the switch.

Frequently Asked Questions

Q: What triggers failover?
Failover is triggered when the Shadow Gateway detects loss of connectivity through the Primary Gateway.

Q: Should I insert an HDD into both gateways?
No, only insert an HDD into the Primary Gateway to ensure seamless data transfer during failover.

Q: What if the Shadow Gateway isn’t detected?
Use the UniFi mobile app to update the Shadow Gateway. If necessary, factory reset and reconfigure it.

Q: Can I use Automatic Failover with a single ISP connection?
Yes, use a UniFi switch or unmanaged switch to split the ISP uplink into separate ports for both gateways.

Final Thoughts

Shadow Mode High Availability is a must-have for mission-critical networks. Whether you choose manual or automatic failover, you’ll gain peace of mind knowing your network can withstand unexpected failures. If you need assistance setting up Shadow Mode, Flytec Computers is here to help.

Stay resilient,

Juan David, your Flytec Tech Lead Support