Creating my config.gateway.json provisioning file for my USG

As described in a few previous blog posts, I needed to set some configuration through the command line on my USG. But every time the USG is provisioned, those changes are lost. This can be solved by storing the changes in the config.gateway.json file on my cloud key. Since the cloud key is running Ubuntu, I can find that file in /usr/lib/unifi/data/sites/default (your site can be named differently, but mine is the default).

This is my current configuration; it contains both the IPv6 configuration for Comcast and my VPN routing information. Lines 74-89 and 135-173 are the ones specific to my source-address-based routing setup.

{
        "firewall": {
                "ipv6-name": {
                        "wan_in-6": {
                                "default-action": "drop",
                                "description": "wan_in",
                                "enable-default-log": "''",
                                "rule": {
                                        "1": {
                                                "action": "accept",
                                                "description": "Allow Enabled/Related state",
                                                "state": {
                                                        "established": "enable",
                                                        "related": "enable"
                                                }
                                        },
                                        "2": {
                                                "action": "drop",
                                                "description": "Drop Invalid state",
                                                "log": "enable",
                                                "state": {
                                                        "invalid": "enable"
                                                }
                                        },
                                        "5": {
                                                "action": "accept",
                                                "description": "Allow ICMPv6",
                                                "log": "enable",
                                                "protocol": "icmpv6"
                                        }
                                }
                        },
                        "wan_local-6": {
                                "default-action": "drop",
                                "description": "wan_local",
                                "enable-default-log": "''",
                                "rule": {
                                        "1": {
                                                "action": "accept",
                                                "description": "Allow Enabled/Related state",
                                                "state": {
                                                        "established": "enable",
                                                        "related": "enable"
                                                }
                                        },
                                        "2": {
                                                "action": "drop",
                                                "description": "Drop Invalid state",
                                                "log": "enable",
                                                "state": {
                                                        "invalid": "enable"
                                                }
                                        },
                                        "5": {
                                                "action": "accept",
                                                "description": "Allow ICMPv6",
                                                "log": "enable",
                                                "protocol": "icmpv6"
                                        },
                                        "6": {
                                                "action": "accept",
                                                "description": "DHCPv6",
                                                "destination": {
                                                        "port": "546"
                                                },
                                                "protocol": "udp",
                                                "source": {
                                                        "port": "547"
                                                }
                                        }
                                }
                        }
                },
                "modify": {
                        "SOURCE_ROUTE": {
                                "rule": {
                                        "10": {
                                                "action": "modify",
                                                "description": "traffic from eth1.100 to VPN NL",
                                                "modify": {
                                                        "table": "1"
                                                },
                                                "source": {
                                                        "address": "192.168.2.0/24"
                                                }
                                        }
                                }
                        }
                },
                "source-validation": "disable"
        },
        "interfaces": {
                "ethernet": {
                        "eth0": {
                                "dhcpv6-pd": {
                                        "pd": {
                                                "0": {
                                                        "interface": {
                                                                "eth1": "''"
                                                        },
                                                        "prefix-length": "64"
                                                }
                                        },
                                        "rapid-commit": "enable"
                                },
                                "firewall": {
                                        "in": {
                                                "ipv6-name": "wan_in-6"
                                        },
                                        "local": {
                                                "ipv6-name": "wan_local-6"
                                        }
                                }
                        },
                        "eth1": {
                                "ipv6": {
                                        "dup-addr-detect-transmits": "1",
                                        "router-advert": {
                                                "cur-hop-limit": "64",
                                                "link-mtu": "0",
                                                "managed-flag": "true",
                                                "max-interval": "600",
                                                "other-config-flag": "false",
                                                "prefix": {
                                                        "::/64": {
                                                                "autonomous-flag": "true",
                                                                "on-link-flag": "true",
                                                                "valid-lifetime": "2592000"
                                                        }
                                                },
                                                "reachable-time": "0",
                                                "retrans-timer": "0",
                                                "send-advert": "true"
                                        }
                                },
                                "vif": {
                                        "100": {
                                                "address": [
                                                        "192.168.2.1/24"
                                                ],
                                                "firewall": {
                                                        "in": {
                                                                "modify": "SOURCE_ROUTE",
                                                                "name": "LAN_IN"
                                                        },
                                                        "local": {
                                                                "name": "LAN_LOCAL"
                                                        },
                                                        "out": {
                                                                "name": "LAN_OUT"
                                                        }
                                                }
                                        }
                                }
                        }
                }
        },
        "protocols": {
                "static": {
                        "table": {
                                "1": {
                                        "route": {
                                                "0.0.0.0/0": {
                                                        "next-hop": {
                                                                "10.0.0.1": "''"
                                                        }
                                                }
                                        }
                                }
                        }
                }
        }
}
What I did to create this file was log in to my USG, apply the settings from the command line (configure / set), and then run mca-ctrl -t dump-cfg to see what the resulting config looked like, copying the relevant node into the file. After saving I did a forced provisioning of the USG from the UI and checked whether it worked (show configuration).
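Because a syntax error or a dangling reference in config.gateway.json only shows up when the controller provisions the USG, it is worth linting the file before copying it to the cloud key. The script below is an added example (not part of this post, and not a UniFi tool): it parses the file, checks that every IPv6 ruleset defined in it is default-deny, that each modify rule points at a routing table that is actually defined under protocols.static.table, that the ipv6-name and modify rulesets referenced from interfaces exist in the file, and that source-validation is disabled when policy routing is used. The embedded config is a constructed, trimmed version of the one above with two deliberate mistakes (wan_local-6 set to accept, and the static table numbered 2 while the modify rule points at table 1). Rulesets such as LAN_IN are generated by the controller rather than this file, so "name" references are deliberately not checked.

```python
import json

# Constructed sample in the shape of the config.gateway.json above, with two
# deliberate defects so the linter has something to report.
SAMPLE_CONFIG = r"""
{
    "firewall": {
        "ipv6-name": {
            "wan_in-6": {
                "default-action": "drop",
                "rule": {
                    "1": {"action": "accept", "state": {"established": "enable", "related": "enable"}},
                    "5": {"action": "accept", "protocol": "icmpv6"}
                }
            },
            "wan_local-6": {"default-action": "accept", "rule": {}}
        },
        "modify": {
            "SOURCE_ROUTE": {
                "rule": {
                    "10": {"action": "modify", "modify": {"table": "1"},
                           "source": {"address": "192.168.2.0/24"}}
                }
            }
        },
        "source-validation": "disable"
    },
    "interfaces": {
        "ethernet": {
            "eth0": {"firewall": {"in": {"ipv6-name": "wan_in-6"},
                                  "local": {"ipv6-name": "wan_local-6"}}},
            "eth1": {"vif": {"100": {"firewall": {"in": {"modify": "SOURCE_ROUTE"}}}}}
        }
    },
    "protocols": {"static": {"table": {"2": {"route": {"0.0.0.0/0": {"next-hop": {"10.0.0.1": "''"}}}}}}}
}
"""


def syntax_error(text):
    """Return the JSON syntax error message, or None if the text parses cleanly."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as exc:
        return str(exc)


def load_config(text):
    """Parse the file; a syntax error here is what breaks provisioning."""
    return json.loads(text)


def lint_config(cfg):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    firewall = cfg.get("firewall", {})
    ipv6_sets = firewall.get("ipv6-name", {})
    modify_sets = firewall.get("modify", {})
    tables = cfg.get("protocols", {}).get("static", {}).get("table", {})

    # 1. Every IPv6 ruleset defined in this file should be default-deny.
    for name, rs in ipv6_sets.items():
        if rs.get("default-action") != "drop":
            findings.append(f"ipv6-name {name}: default-action is {rs.get('default-action')!r}, expected 'drop'")

    # 2. A modify rule that marks traffic for a routing table needs that table defined.
    for name, rs in modify_sets.items():
        for num, rule in rs.get("rule", {}).items():
            table = rule.get("modify", {}).get("table")
            if table is not None and table not in tables:
                findings.append(f"modify {name} rule {num}: routing table {table} is not defined under protocols.static.table")

    # 3. Interface references to rulesets defined in this file must resolve
    #    (controller-generated rulesets referenced via "name" are not checked).
    for dev, eth in cfg.get("interfaces", {}).get("ethernet", {}).items():
        ifaces = [(dev, eth)] + [(f"{dev}.{v}", vcfg) for v, vcfg in eth.get("vif", {}).items()]
        for ifname, icfg in ifaces:
            for direction, ref in icfg.get("firewall", {}).items():
                v6 = ref.get("ipv6-name")
                if v6 is not None and v6 not in ipv6_sets:
                    findings.append(f"{ifname} {direction}: ipv6-name {v6!r} not defined in this file")
                mod = ref.get("modify")
                if mod is not None and mod not in modify_sets:
                    findings.append(f"{ifname} {direction}: modify ruleset {mod!r} not defined in this file")

    # 4. Source-based routing on the USG relies on source-validation being disabled.
    if modify_sets and firewall.get("source-validation") != "disable":
        findings.append("firewall.source-validation must be 'disable' for source-based routing")
    return findings


if __name__ == "__main__":
    err = syntax_error(SAMPLE_CONFIG)
    if err:
        print("JSON error:", err)
    else:
        for finding in lint_config(load_config(SAMPLE_CONFIG)):
            print("WARN:", finding)
```

To use it on a real file, replace SAMPLE_CONFIG with the contents of config.gateway.json (for example via open(...).read()) and run it before the forced provisioning; the two warnings it prints for the sample are exactly the kind of mistake that otherwise only surfaces as a failed or silently broken provision.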

Comments

Comment by Konstantin Špadijer on 2018-12-12 05:30:35 -0800

Can you tell me the path where to put that .json configuration file in the controller?

Comment by zug on 2019-12-05 15:45:58 -0800

/var/lib/unifi/sites/xxx where xxx is a random string (or the name “default” if you only have one site). You can get the random string by going in to the GUI and reading it off after the /manage/site/ part of the URL. If that folder does not exist in the CLI you can make the controller service create one by making a change that needs to be stored on the server like adding a map.

Comment by Moka on 2019-12-08 09:14:34 -0800

It is very strange. I don’t see the folder sites.

Comment by Matthijs Hoekstra on 2019-12-08 09:17:23 -0800

Did you try adding a map to your site like zug above commented?