Creating my config.gateway.json provisioning file for my USG

As described in a few previous blog posts, I needed to set some configuration through the command line for my USG. But every time you provision the USG, the changes are lost. This can be solved by storing the changes in the config.gateway.json file on my cloud key. Since the cloud key is running Ubuntu I can find that file in /usr/lib/unifi/data/sites/default (your site can be named differently, but mine is the default).

This is my current configuration; it contains both the IPv6 configuration for Comcast and my VPN routing information. Lines 74-89 and lines 135-173 are the lines specific to my source address based routing setup.

What I did to create this file was log in to my USG and, via configure, set 1 configuration file. I entered the command mca-ctrl -t dump-cfg to see what the config looked like and copied the correct node into the file. After saving I did a forced provisioning of the USG from the UI and checked if it worked (show configuration).

Configuring source address based routing on my Unifi USG

Updated 10/24/2018 since routing didn’t work anymore. You have to disable source-validation, thanks to Roelf for the comment with the correct command.

For some time now I wanted to be able to test some network stuff. I want to be able to connect certain devices over a VPN to the Netherlands but without the need to configure every client with VPN connections.

With this scenario it is possible to test different geo stuff accessing my network from different places in the world, it also helps me test the different latencies when going across the ocean and back. It also could be used to access certain video services in another country or access a different Netflix catalog, but I would never use it for something like that obviously :)

After reading up on the different forums and asking some questions I was able to configure my USG in a way which gives me the most flexibility possible for my scenario. This is the step-by-step guide on how to configure your USG and network so all your traffic on that special network will be routed over the VPN connection to the Netherlands.

The first step is to configure my ‘hoekstraonline NL’ network as described in this blogpost. Connecting through my ‘hoekstraonline NL’ wireless network and specific ports on my router (tagged with the same VLAN 100) will be the basis of my configuration. I want all that traffic going over the VPN connection to NL. All my regular traffic will go over my Comcast connection as usual, but machines connected to that wireless network and specific ports on my routers will be routed over the VPN connection.

So let's create the VPN Client network first. Nowadays this can be done through the UI (I am running Unifi version 5.6.20 stable candidate when I am writing this).


After you create this network you can check on your USG what the routing table looks like. It should have added the VPN NL network. Enter the following command on your USG (via SSH):

ubnt@USG:~$ netstat -r

My routing table looks like this:


The pptpc0 interface is the VPN connection I just defined; you can see from the flags that the connection is up (U). The eth1.100 interface is the virtual network which was added in the previous blogpost.

The next step is to change the routing depending on the source address. Unfortunately this can’t be done through the GUI from Unifi. They add more and more functionality every month, but this has to be done through the command line. So fire up your bash shell or PuTTY and connect to your firewall (USG in my case).

In the shell, type configure:

ubnt@USG:~$ configure

We have to define a new routing table we call table 1 which will route traffic to my VPN connection on the network.

ubnt@USG# set protocols static table 1 route next-hop

Now we have to define the modify policy. A modify policy allows us to modify various items when the rule matches. So if the source address came from, then we want to use routing table 1:

ubnt@RTR# set firewall modify SOURCE_ROUTE rule 10 description 'traffic from eth1.100 to VPN NL'
ubnt@RTR# set firewall modify SOURCE_ROUTE rule 10 source address
ubnt@RTR# set firewall modify SOURCE_ROUTE rule 10 modify table 1

Now we need to apply this policy to the interface. When it comes to applying a policy to an interface, it needs to be done on the input interface before the routing lookup takes place.

ubnt@USG# set interfaces ethernet eth1 vif 100 firewall in modify SOURCE_ROUTE

A last step which you need to add (this changed, so this step was added 10/24/2018) is to disable source validation (thanks to Roelf for the comment and help):

ubnt@USG# set firewall source-validation disable

After this you can give the commit and save commands and test your network routing. From a client in the 192.168.1.x range nothing should be different. But when you test it from a 192.168.2.x client you see the traceroute change to the hop and then off to the Netherlands.

The first tracert is from a machine in the 192.168.1.x range. You see the first hop is my USG gateway and then it goes out to the internet.

The second tracert is from the machine when it’s in the 192.168.2.x range. You see the second hop goes through the VPN gateway and you also see the response times go up since it’s traveling the ocean now.

Mission accomplished!

The last step is to add these settings to the provisioning script stored on my cloudkey, so when I reset the USG the settings won’t be lost.
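Before forcing a provision, the file can be checked for the cross-references this setup depends on: the policy applied on the VLAN interface, the routing table the rule selects, and the source-validation setting. This is an added example, not code from the original post; it assumes the JSON mirrors the CLI tree as mca-ctrl -t dump-cfg prints it. The function name lint_source_routing is hypothetical, and the source subnet and next-hop in the sample are placeholders.

```python
import json

# Constructed sample: the page's set commands as a config.gateway.json tree.
# 192.168.2.0/24 and 203.0.113.1 are placeholders, not values from the page.
SAMPLE = """
{
  "firewall": {
    "source-validation": "disable",
    "modify": {"SOURCE_ROUTE": {"rule": {"10": {
      "description": "traffic from eth1.100 to VPN NL",
      "source": {"address": "192.168.2.0/24"},
      "modify": {"table": "1"}}}}}
  },
  "interfaces": {"ethernet": {"eth1": {"vif": {"100": {
    "firewall": {"in": {"modify": "SOURCE_ROUTE"}}}}}}},
  "protocols": {"static": {"table": {"1": {"route": {"0.0.0.0/0": {
    "next-hop": {"203.0.113.1": "''"}}}}}}}
}
"""

def lint_source_routing(text):
    """Return a list of findings for a config.gateway.json document."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    findings = []
    fw = cfg.get("firewall", {})
    rulesets = fw.get("modify", {})
    tables = cfg.get("protocols", {}).get("static", {}).get("table", {})
    # Every interface or vif that applies a modify policy must name a defined one.
    for eth, node in cfg.get("interfaces", {}).get("ethernet", {}).items():
        ports = {eth: node}
        ports.update({f"{eth}.{v}": n for v, n in node.get("vif", {}).items()})
        for name, port in ports.items():
            applied = port.get("firewall", {}).get("in", {}).get("modify")
            if applied and applied not in rulesets:
                findings.append(f"{name}: modify policy {applied} is not defined")
    # Every rule that selects a table needs that table to exist with a route.
    for rs_name, rs in rulesets.items():
        for num, rule in rs.get("rule", {}).items():
            table = rule.get("modify", {}).get("table")
            if table and not tables.get(table, {}).get("route"):
                findings.append(f"{rs_name} rule {num}: table {table} has no route")
            if table and "source" not in rule and "destination" not in rule:
                findings.append(f"{rs_name} rule {num}: no match, reroutes all traffic")
    if fw.get("source-validation") == "disable":
        findings.append("source-validation is disabled for the whole firewall")
    return findings
```

On the sample, the only finding is the source-validation note, which this setup requires; a missing table or a misspelled policy name is reported before the USG ever sees the file.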

One of the sources I used to write this article.

Creating 2nd network with separate IP range on my Unifi network

Some time ago I bought new network gear for my home from Ubiquiti. The Unifi range of hardware is very nice. It’s a bit pricy but you can do so much interesting stuff with it and the hardware is rock solid.

At home I have the following hardware running:

I am configuring my network to be able to use a VPN connection to The Netherlands depending on what wireless network or what physical network port the client is using. To be able to do that I first needed to add a network which operates on a different IP range. My network is by default configured to use the range. But for this network I need to add a range. The following steps are what I used to configure this.

Fortunately all steps can be done through the UI. I am running Unifi version 5.6.20 stable candidate when writing this. Depending on the version you are running the screens might look a bit different since they are adding more and more functionality every month.

First I created a new network with the following settings:


I tagged the network with VLAN value 100. This value we need in the next part of the setup. I also configured the DHCP server for the range. When you fill in these numbers it will automatically calculate the subnet mask etc.

Once that is done I needed to configure the new wireless network. I called my network Hoekstraonline NL so it’s easy to identify. By itself this network would get the same IP addresses as my other wireless networks. But since I needed a separate network which is also by default blocked through the firewall from my other networks, I tagged this network with the VLAN value 100 as well.


That was all. When I connect my devices to this wireless network they receive an IP address in the 192.168.2.x range. When I tag a network port on my switch with VLAN 100 the devices connected to that port will also get an IP address in that range.

Next step is configuring source address based policies.