

@nasirhafeez
Last active April 9, 2024 14:22
Unifi USG config.gateway.json Templates

Unifi USG JSON Templates

Contents

Notes

DNAT with Hairpin

Using PBR to route some traffic via WAN2

Exclude some traffic from using backup

Route some traffic through PPTP VPN

Notes

Documentation of config.gateway.json

Command to dump the running USG configuration as JSON (run on the USG itself over SSH; useful for copying the exact key names and structure into config.gateway.json):

mca-ctrl -t dump-cfg

Website for JSON validation

DNAT with Hairpin

eth2 is the primary WAN interface and eth0 is the LAN interface on USG-PRO-4 (on USG-3P eth0 is WAN and eth1 is LAN); 58.65.175.8/29 is a public IP pool assigned on WAN, and the individual addresses are added to eth2 under `interfaces` so the USG owns them; these IPs are mapped 1-to-1 with DNAT to 192.168.1.x hosts on the LAN subnet. Rules 1-3 translate traffic arriving on the WAN interface, rules 4-6 repeat the same DNAT for traffic arriving from the LAN (the hairpin), and the masquerade rules 5000-5002 rewrite the source of that hairpinned LAN traffic so replies come back through the USG instead of going directly to the client. Note that `"protocol": "all"` forwards every port on the public IP to the internal host; inbound traffic still passes through the USG's inbound WAN firewall ruleset (normally WAN_IN), so restrict it there to the ports you actually intend to expose rather than relying on the DNAT rule to limit exposure.

{
	"interfaces": {
		"ethernet": {
			"eth2": {
				"address": [
					"58.65.175.10/29",
					"58.65.175.11/29",
					"58.65.175.12/29"
				]
			}
		}
	},
	"service": {
		"nat": {
			"rule": {
				"1": {
					"destination": {
						"address": "58.65.175.10"
					},
					"inbound-interface": "eth2",
					"inside-address": {
						"address": "192.168.1.6"
					},
					"protocol": "all",
					"type": "destination"
				},
				"2": {
					"destination": {
						"address": "58.65.175.11"
					},
					"inbound-interface": "eth2",
					"inside-address": {
						"address": "192.168.1.3"
					},
					"protocol": "all",
					"type": "destination"
				},
				"3": {
					"destination": {
						"address": "58.65.175.12"
					},
					"inbound-interface": "eth2",
					"inside-address": {
						"address": "192.168.1.144"
					},
					"protocol": "all",
					"type": "destination"
				},
				"4": {
					"destination": {
						"address": "58.65.175.10"
					},
					"inbound-interface": "eth0",
					"inside-address": {
						"address": "192.168.1.6"
					},
					"protocol": "all",
					"type": "destination"
				},
				"5": {
					"destination": {
						"address": "58.65.175.11"
					},
					"inbound-interface": "eth0",
					"inside-address": {
						"address": "192.168.1.3"
					},
					"protocol": "all",
					"type": "destination"
				},
				"6": {
					"destination": {
						"address": "58.65.175.12"
					},
					"inbound-interface": "eth0",
					"inside-address": {
						"address": "192.168.1.144"
					},
					"protocol": "all",
					"type": "destination"
				},
				"5000": {
					"destination": {
						"address": "192.168.1.6"
					},
					"outbound-interface": "eth0",
					"source": {
						"address": "192.168.1.0/24"
					},
					"type": "masquerade"
				},
				"5001": {
					"destination": {
						"address": "192.168.1.3"
					},
					"outbound-interface": "eth0",
					"source": {
						"address": "192.168.1.0/24"
					},
					"type": "masquerade"
				},
				"5002": {
					"destination": {
						"address": "192.168.1.144"
					},
					"outbound-interface": "eth0",
					"source": {
						"address": "192.168.1.0/24"
					},
					"type": "masquerade"
				}
			}
		}
	}
}

Using PBR to route some traffic via WAN2

192.168.0.224/28 is the LAN subnet that's being routed through WAN2; 192.168.8.1 is the gateway for WAN2. Modify rule 2500 in the LOAD_BALANCE ruleset marks matching traffic to use routing table 5, whose only entry is a default route via that gateway.

{
	"firewall": {
		"modify": {
			"LOAD_BALANCE": {
				"rule": {
					"2500": {
						"action": "modify",
						"modify": {
							"table": "5"
						},
						"protocol": "all",
						"source": {
							"address": "192.168.0.224/28"
						}
					}
				}
			}
		}
	},
	"protocols": {
		"static": {
			"table": {
				"5": {
					"route": {
						"0.0.0.0/0": {
							"next-hop": {
								"192.168.8.1": "''"
							}
						}
					}
				}
			}
		}
	}
}

If WAN2 is a PPPoE connection, specify the next hop as an interface (`interface-route` / `next-hop-interface`) instead of an IP address, since the PPPoE peer address is generally not fixed.

{
	"firewall": {
		"modify": {
			"LOAD_BALANCE": {
				"rule": {
					"2500": {
						"action": "modify",
						"modify": {
							"table": "5"
						},
						"protocol": "all",
						"source": {
							"address": "192.168.0.224/28"
						}
					}
				}
			}
		}
	},
	"protocols": {
		"static": {
			"table": {
				"5": {
					"interface-route": {
						"0.0.0.0/0": {
							"next-hop-interface": {
								"pppoe1": "''"
							}
						}
					}
				}
			}
		}
	}
}

If WAN2 gets its address via DHCP and the gateway IP can change, a static next-hop in table 5 would go stale; use a load-balance group instead, as below.

{
	"firewall": {
		"modify": {
			"LOAD_BALANCE": {
				"rule": {
					"2500": {
						"action": "modify",
						"modify": {
							"lb-group": "wan2"
						},
						"source": {
							"address": "192.168.0.240/28"
						}
					}
				}
			}
		}
	},
	"load-balance": {
		"group": {
			"wan2": {
				"flush-on-active": "disable",
				"interface": {
					"eth0": {
						"failover-only": "''",
						"route-test": {
							"initial-delay": "20",
							"interval": "10"
						}
					},
					"eth2": {
						"route-test": {
							"initial-delay": "20",
							"interval": "10"
						}
					}
				},
				"lb-local": "enable",
				"lb-local-metric-change": "enable"
			}
		}
	}
}

To route some traffic to WAN2 based on destination IPs defined in an address-group: the `address-group` value here (5f2ce7a327d9877756412672) is the controller-generated ID of a firewall group, which can be looked up on the USG with the `show firewall group` command. If the group is deleted and recreated in the controller it gets a new ID, and this rule must be updated to match.

{
	"firewall": {
		"modify": {
			"LOAD_BALANCE": {
				"rule": {
					"2500": {
						"action": "modify",
						"destination": {
							"group": {
								"address-group": "5f2ce7a327d9877756412672"
							}
						},
						"modify": {
							"table": "5"
						},
						"protocol": "all",
						"source": {
							"address": "192.168.0.0/24"
						}
					}
				}
			}
		}
	},
	"protocols": {
		"static": {
			"table": {
				"5": {
					"route": {
						"0.0.0.0/0": {
							"next-hop": {
								"192.168.8.1": "''"
							}
						}
					}
				}
			}
		}
	}
}

Exclude some traffic from using backup

Configure some IPs to only use one WAN and never the backup one - for example when the backup is LTE and its data usage needs to be restricted. Because the `wan2` group below contains only a single interface, traffic from 192.168.1.224/27 will have no alternative path while that WAN is down; that is the intended trade-off here.

{
	"firewall": {
		"modify": {
			"LOAD_BALANCE": {
				"rule": {
					"2500": {
						"action": "modify",
						"modify": {
							"lb-group": "wan2"
						},
						"source": {
							"address": "192.168.1.224/27"
						}
					}
				}
			}
		}
	},
	"load-balance": {
		"group": {
			"wan2": {
				"flush-on-active": "disable",
				"interface": {
					"eth0": {
						"route-test": {
							"initial-delay": "20",
							"interval": "10"
						}
					}
				},
				"lb-local": "enable",
				"lb-local-metric-change": "enable"
			}
		}
	}
}

Route some traffic through PPTP VPN

Configure a subnet to be routed through the VPN - this way a separate SSID can be created whose clients all exit via the VPN. Source validation has to be disabled in this case; note that `"source-validation": "disable"` under `firewall` is a global setting, so it turns off reverse-path (anti-spoofing) checks for all interfaces, not just VLAN 20. Note: eth0 here refers to the LAN interface. Two caveats: PPTP (MS-CHAPv2/MPPE) is considered broken and should not be relied on for confidentiality - prefer a modern VPN type where the option exists; and if pptpc0 goes down, confirm whether traffic from 192.168.20.0/24 falls through to the main routing table (i.e. leaks out the normal WAN), and add a blackhole route or firewall rule if the subnet must only ever exit via the VPN.

{
	"firewall": {
		"modify": {
			"VPN_ROUTE": {
				"rule": {
					"2500": {
						"action": "modify",
						"modify": {
							"table": "5"
						},
						"protocol": "all",
						"source": {
							"address": "192.168.20.0/24"
						}
					}
				}
			}
		},
		"source-validation": "disable"
	},
	"protocols": {
		"static": {
			"table": {
				"5": {
					"interface-route": {
						"0.0.0.0/0": {
							"next-hop-interface": {
								"pptpc0": "''"
							}
						}
					}
				}
			}
		}
	},
	"interfaces": {
		"ethernet": {
			"eth0": {
				"vif": {
					"20": {
						"firewall": {
							"in": {
								"modify": "VPN_ROUTE"
							}
						}
					}
				}
			}
		}
	}
}