As I started to use the new setup, I realized more and more that I needed access to my lab (outside of plain RDP), especially from my laptop and phone. I tried several ways to solve this. Without any prior knowledge of the USG, I had to go through trial and error for some time before I found a reasonable solution.
The best option would be a site-to-site IPsec tunnel so I could reuse all my old rules, but I could not get that working whatever I did. The USG still routed the traffic to the lab through the WAN and not through the tunnel. Anyway, next up was plain static routes, which were somewhat successful.
But, and this is a big one: since the UniFi Controller does not expose any NAT rules in the UI, there is no way (yes there is) to disable masquerading whenever a packet is leaving the WAN interface. I have read by now that there are ways to manually add rules, but I feel that is for next time.
I read up on this article about how the firewall in the USG works (IN/OUT/LOCAL), made all the necessary rules and finished with a deny rule for the rest. At the lab end there is simply an allow rule from the USG's address. I found posts from Ubnt officials from back in 2017 saying NAT will be exposed in the Controller any time. We'll see. For now this is OK.
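For readers who want to see what the "manual rules" route looks like, here is an added example of a config.gateway.json override that combines the three pieces discussed above: a static route to the lab, a NAT rule that excludes lab-bound traffic from WAN masquerading, and firewall rules in the LAN_IN ruleset that allow one management host and drop everything else. This is not the original author's configuration and was not part of the post; every address (192.168.1.50, 10.20.0.0/24, 203.0.113.10) is constructed, the interface names assume a USG with eth0 as WAN and eth1 as LAN, and the rule numbers (5000, 10, 20) are assumptions chosen to sit before the controller-generated rules.

```json
{
  "protocols": {
    "static": {
      "route": {
        "10.20.0.0/24": {
          "next-hop": {
            "203.0.113.10": {}
          }
        }
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "5000": {
          "description": "EXAMPLE: exclude lab-bound traffic from masquerade (constructed prefix)",
          "destination": {
            "address": "10.20.0.0/24"
          },
          "exclude": "''",
          "outbound-interface": "eth0",
          "type": "masquerade"
        }
      }
    }
  },
  "firewall": {
    "name": {
      "LAN_IN": {
        "rule": {
          "10": {
            "action": "accept",
            "description": "EXAMPLE: management host may reach the lab (constructed addresses)",
            "source": {
              "address": "192.168.1.50"
            },
            "destination": {
              "address": "10.20.0.0/24"
            },
            "protocol": "all"
          },
          "20": {
            "action": "drop",
            "description": "EXAMPLE: deny everything else to the lab, logged for review",
            "destination": {
              "address": "10.20.0.0/24"
            },
            "protocol": "all",
            "log": "enable"
          }
        }
      }
    }
  }
}
```

The file goes in the controller's site data directory (`data/sites/<site_id>/config.gateway.json`) and is merged into the USG's configuration on the next provision. The NAT exclude rule must have a lower number than the controller's own masquerade rule so it is evaluated first, and after provisioning it is worth checking on the USG with `show nat rules` and `show firewall name LAN_IN` that the rules landed where expected, since a JSON error in this file leaves the gateway stuck in a provisioning loop. The rules live in LAN_IN rather than LAN_OUT because traffic from LAN hosts toward the lab enters the USG on the LAN interface; LAN_OUT only sees traffic leaving toward LAN hosts.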
Please feel free to comment if there is anything I should do differently about this setup (or anything else).