Cilium BGP and a UniFi UDM-SE as the Lab iBGP Router

You can get MetalLB-style service IPs without MetalLB. Cilium includes a BGP control plane that advertises LoadBalancer addresses on the LAN. The lab peers worker nodes with a UniFi UDM-SE as the default-gateway iBGP peer so phones, laptops, and the tailnet can reach Envoy Gateway VIPs without NodePorts.

Without BGP (or something like MetalLB), a LoadBalancer Service on bare metal often sits Pending forever. Advertising routes into the LAN gateway fixes that: the UDM learns /32 (or the pool) and forwards traffic to the node Cilium chose for the Service.

Topology

LAN: UniFi UDM-SE (iBGP peer, ASN 65535)
  iBGP to Talos workers (ASN 64512, bgp-policy=worker)
  workers advertise LoadBalancer pool 10.103.0.0/28
  .0.1 external gateway, .0.2 internal, .0.3 tailnet, ...

Controllers are not BGP speakers (bgp-policy: controller); only workers export routes. That matches how the lab uses workers for ingress dataplane traffic while keeping the control plane off the BGP session.

Cilium objects (upstream docs)

Helm enables bgpControlPlane and l2announcements; GitOps overlays add the CRs and substitute ${CLUSTER_LOAD_BALANCER_CIDR} per cluster.

UniFi side

On the UDM-SE, configure BGP to accept ASN 64512 and install learned routes (often /32 or the advertised /28 — steps depend on firmware; see UniFi’s BGP documentation). Cilium auto-discovers the peer via each worker’s default gateway, using CLUSTER_BGP_ROUTER_ADDR in cluster config instead of a static neighbour list per node.

Why it matters in this lab

• Envoy gateways keep stable .0.1 / .0.2 / .0.3 addresses from one pool.
• Headscale advertises the same /28 to the tailnet (tag:fabric) so mesh clients reach those VIPs.
• ARM64 Talos nodes on Turing Pi speak BGP like any other Linux host.

Related

• Envoy gateways — services on those IPs
• Tailscale mesh — tailnet route approval
• Lab GitOps — Cilium in the common layer

More: Cilium BGP v2, Talos with Cilium.