Unifi Fabric Site Magic SD-WAN VPN Only Works One Way Fixed

A while back, Ubiquiti introduced something within their Unifi ecosystem called "Site Magic" which was a cloud based way to create an SD-WAN Mesh or Spoke VPN tunnel between two different sites.

You choose whether you want a mesh style or hub/spoke style setup, enable the subnets on both ends that need to talk to each other and that's basically it.

The primary site will create a new firewall rule called Allow Identity Sync Service Connection to allow port 9543 through the firewall and that's that.

The IP scope is setup as 192.168.0.0 on one end and each site increments its VPN IP as 192.168.0.1, 192.168.0.2 and so-forth.

Cool. Some background knowledge you probably already knew or don't really care about.

So what's the fix to get the Site Magic SD-WAN to work both ways? I can help but the fix has a specific requirement which is the newer Zone Based Firewall that was introduced in Network 9.0.x at the beginning of 2025.

When the Site Magic SD-WAN VPN is setup, it's pretty automated but chances are, if you're using the ZBF and running into the traffic going from the primary site to the secondary, but not in reverse, it's all because the firewall is blocking it.

It took me a while to come to this conclusion but after I figured out the reason it wasn't working the solution became pretty obvious.

In my situation, I had a custom Firewall Zone, and anything on that zone couldn't see the primary site. I had to create a firewall rule to give it access to the VPN zone. Kind of obvious after you realize custom zones block everything by default.

What threw me for a loop was that the primary site had all of the shared VLAN's in the "Internal" zone. By default this zone can already talk to the VPN zone. But when you create a custom zone... You have to tell it to talk to the VPN zone.

I'll share some steps and hopefully it will send you down the right path to get your going:

1. Create a new firewall policy
2. Name the policy something like [Zone name] to SD-WAN (ex CORP to SD-WAN)
3. Source Zone = [Zone] (The zone that needs to communicate)
   1. Feel free to leave at Any or narrow down by device, network IP, etc
4. Destination Zone = VPN
   1. Narrow down which VPN by using Site-to-Site and choosing the other end of the tunnel.
5. Action = Allow + Allow Return Traffic
6. The rest of the options can be left at their defaults

Save the rule and test it out.

If this is what got it going for you and you have other custom zones that also need to go back to the primary site, you'll need to create a new rule for each respective zone.

In my quest to find a fix, I saw a LOT of people with this problem and very few solutions. Most people gave the all-too-common "Me too" response which is unfortunate.

In my personal, humble opinion, it's a bug with how the Unifi SD-WAN is created. Normally, I would agree that it works as designed, but Ubiquiti wants their system to work with the least pain-points as possible which is why I call it a bug. When the Site Magic SD-WAN is created, it should automatically create the necessary rule on the spoke or mesh sites for the subnet gateways chosen when setting it all up, but it doesn't, leading some folks who use custom zones to scratch their heads trying to figure out why it doesn't work out of the box because that is the exact experience we are sold on.

As always, hope this helps someone and feel free to leave a comment if it did.