How to enable IPV6 from Comcast on your UniFi Security Gateway

Since a while I run my home network on Unify hardware. I have got the UniFi security Gateway 3P, 1 (but soon 2) UniFi AP-AC-Pro and a UniFi Switch 8 POE-150W. Of course a Cloud key to manage it all (so I don’t need to install Java on my PC).

Update (11/22/2017) for Unifi 5.7.7 or higher which added ipv6 support in the UI.

FInally ubnt added IPv6 support to the UI of Unifi. This was introduced in the 5.7.7 release. I removed the changes below from the config.gateway.json file. Provisioned the USG and confirmed all IPV6 settings were gone. My clients on the network didn’t get an IPv6 address anymore either. If you check your interfaces on the USG you should see an ipv6 address from Comcast. Your eht1 interface will only have a ipv4 address.

First open your USG device in your Unifi Dashboard and enable ipv6 as follows, for Comcast I filled in 64 as the Prefix Delegation Size

Next you have to configure ipv6 for all your networks. Go to Networks. open LAN (edit) and select the IPv6 interface type. Click save and your are set. You can enable this on other networks you have configured as well of course.

Now check your clients if they get an iIPv6 address and you can test at to see if everything works. Way simpler than with the config file. Cool new feature is you have IPv6 firewall rules in the UI as well under the Routing & Firewall chapter.

Information for Unifi below 5.7.7

So far there is no way to configure IPv6 through the UI, it’s on the roadmap though. But you can very easily set it up through the command line or through provisioning a configuration file. I have been searching in the forum and found several posts explaining how to do it but neither seemed to work 100% or perhaps I did something wrong.

The easiest is go through the command line. Make an SSH connection to you USG. I use Bash on Windows to be able to use SSH.

ssh adminname@ (type yes if this is the first time you connect) enter your password to login to your gateway. You can enter show configuration to see what the current configuration is.

run the configure command and than run the following commands (I assume eth0 is your WAN connection with Comcast and eth1 is your internal LAN):

set interfaces ethernet eth0 dhcpv6-pd pd 0
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 64
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64
set interfaces ethernet eth1 ipv6 router-advert managed-flag true
set interfaces ethernet eth1 ipv6 router-advert send-advert true

then enter the command commit

You will see some messages about Re-generating radvd config file for eth1… and Re-starting radvd: radvd.

type the command save

The next thing you might want to do is setup some firewall rules so you won’t expose all your machines with an ipv6 address directly to the internet. The following commands need to be entered in configuration mode again:

set firewall ipv6-name wan_in-6 default-action drop
set firewall ipv6-name wan_in-6 description wan_in
set firewall ipv6-name wan_in-6 enable-default-log
set firewall ipv6-name wan_in-6 rule 1 action accept
set firewall ipv6-name wan_in-6 rule 1 state established enable
set firewall ipv6-name wan_in-6 rule 1 state related enable
set firewall ipv6-name wan_in-6 rule 1 description “Allow Enabled/Related state”
set firewall ipv6-name wan_in-6 rule 2 action drop
set firewall ipv6-name wan_in-6 rule 2 log enable
set firewall ipv6-name wan_in-6 rule 2 state invalid enable
set firewall ipv6-name wan_in-6 rule 2 description “Drop Invalid state”
set firewall ipv6-name wan_in-6 rule 5 action accept
set firewall ipv6-name wan_in-6 rule 5 log enable
set firewall ipv6-name wan_in-6 rule 5 protocol icmpv6
set firewall ipv6-name wan_in-6 rule 5 description “Allow ICMPv6”
set firewall ipv6-name wan_local-6 default-action drop
set firewall ipv6-name wan_local-6 description wan_local
set firewall ipv6-name wan_local-6 enable-default-log
set firewall ipv6-name wan_local-6 rule 1 action accept
set firewall ipv6-name wan_local-6 rule 1 state established enable
set firewall ipv6-name wan_local-6 rule 1 state related enable
set firewall ipv6-name wan_local-6 rule 1 description “Allow Enabled/Related state”
set firewall ipv6-name wan_local-6 rule 2 action drop
set firewall ipv6-name wan_local-6 rule 2 log enable
set firewall ipv6-name wan_local-6 rule 2 state invalid enable
set firewall ipv6-name wan_local-6 rule 2 description “Drop Invalid state”
set firewall ipv6-name wan_local-6 rule 5 action accept
set firewall ipv6-name wan_local-6 rule 5 log enable
set firewall ipv6-name wan_local-6 rule 5 protocol icmpv6
set firewall ipv6-name wan_local-6 rule 5 description “Allow ICMPv6”
set firewall ipv6-name wan_local-6 rule 6 description “DHCPv6”
set firewall ipv6-name wan_local-6 rule 6 action accept
set firewall ipv6-name wan_local-6 rule 6 destination port 546
set firewall ipv6-name wan_local-6 rule 6 protocol udp
set firewall ipv6-name wan_local-6 rule 6 source port 547
set interfaces ethernet eth0 firewall in ipv6-name wan_in-6
set interfaces ethernet eth0 firewall local ipv6-name wan_local-6

commit and save again and you should be all set.

You can check if you received an ipv6 address by typing show interfaces

matthijs@ubnt:~$ show interfaces
Codes: S – State, L – Link, u – Up, D – Down, A – Admin Down
Interface    IP Address                        S/L  Description
———    ———-                        —  ———–
eth0                  u/u
eth1                    u/u
eth2         –                                 A/D
imq0         –                                 u/D
lo                        u/u

And if you have an ipv6 address you can test the connection by using ping6

matthijs@ubnt:~$ ping6
PING 56 data bytes
64 bytes from 2620:108:700f::3425:db06: icmp_seq=1 ttl=44 time=30.7 ms
64 bytes from 2620:108:700f::3425:db06: icmp_seq=2 ttl=44 time=33.3 ms
— ping statistics —
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 30.740/32.035/33.331/1.307 ms

Another way to provision your USG is by creating a config.gateway.json file with your settings and place it in the /srv/unifi/data/sites/default directory on your cloudkey. (or equivalent directory when you are using the management software on another system like Windows or your Mac). You need to trigger a provisioning of your USG to make this configuration happen. This can be done by changing the HDCP lease range from to for example and save the configuration change. The provisioning will merge the USG configuration with the configuration in the json file.

This is the configuration file with the changes done through the command line:

“firewall”: {
“ipv6-name”: {
“wan_in-6”: {
“default-action”: “drop”,
“description”: “wan_in”,
“enable-default-log”: “””,
“rule”: {
“1”: {
“action”: “accept”,
“description”: “Allow Enabled/Related state”,
“state”: {
“established”: “enable”,
“related”: “enable”
“2”: {
“action”: “drop”,
“description”: “Drop Invalid state”,
“log”: “enable”,
“state”: {
“invalid”: “enable”
“5”: {
“action”: “accept”,
“description”: “Allow ICMPv6”,
“log”: “enable”,
“protocol”: “icmpv6”
“wan_local-6”: {
“default-action”: “drop”,
“description”: “wan_local”,
“enable-default-log”: “””,
“rule”: {
“1”: {
“action”: “accept”,
“description”: “Allow Enabled/Related state”,
“state”: {
“established”: “enable”,
“related”: “enable”
“2”: {
“action”: “drop”,
“description”: “Drop Invalid state”,
“log”: “enable”,
“state”: {
“invalid”: “enable”
“5”: {
“action”: “accept”,
“description”: “Allow ICMPv6”,
“log”: “enable”,
“protocol”: “icmpv6”
“6”: {
“action”: “accept”,
“description”: “DHCPv6”,
“destination”: {
“port”: “546”
“protocol”: “udp”,
“source”: {
“port”: “547”
“interfaces”: {
“ethernet”: {
“eth0”: {
“dhcpv6-pd”: {
“pd”: {
“0”: {
“interface”: {
“eth1”: “””
“prefix-length”: “64”
“rapid-commit”: “enable”
“firewall”: {
“in”: {
“ipv6-name”: “wan_in-6”
“local”: {
“ipv6-name”: “wan_local-6”
“eth1”: {
“ipv6”: {
“dup-addr-detect-transmits”: “1”,
“router-advert”: {
“cur-hop-limit”: “64”,
“link-mtu”: “0”,
“managed-flag”: “true”,
“max-interval”: “600”,
“other-config-flag”: “false”,
“prefix”: {
“::/64”: {
“autonomous-flag”: “true”,
“on-link-flag”: “true”,
“valid-lifetime”: “2592000”
“reachable-time”: “0”,
“retrans-timer”: “0”,
“send-advert”: “true”

So now you got IPv6 running on your network. You can test if it’s all working (after renewing your ip addresses) here.

This is the post in the forum which helped me fix this in the end.

How to set configuration in your Universal Windows Application through MDM

One thing I hear over and over again when talking to (enterprise) developers is that they struggle with configuration management for UWP applications. In the past they just edited a app.config (or web.config) file on the machines to point an app to a test, acceptance or production environment. In UWP we have a app.config file as well but it’s hidden away in some obscure directory protected by some more restricted ACL.

We do have a solution to configure applications through MDM. It’s pretty bad documented though (which is something we will improve) but I needed to figure this out anyway so I thought I should share my findings.

As you might know we have this concept of data or settings folders in UWP. This is a special place in isolated storage where you can store settings, temporary files, settings which roam, but also configuration. The last one isn’t documented anywhere on MSDN but it does exist. There is a folder called “Managed.App.Settings” which will be created by the system if the MDM server sends out the configuration. I will talk about how to do that a little bit later.

This is how the code looks like to retrieve the configuration inside of your application:

So the code is pretty simple. You try to open up the configuration container. If it is available you retrieve the value, in our example it is ‘Welcome’.

But how do I get this configuration in my system? I got it to work through InTune but every MDM tool should be able to do this. This is done through our EnterpriseModernAppManagement CSP

If you login at you go to Policy, Configuration Policies. Click Add, Select Windows\Custom Configuration.


You can specify a name and description in the next screen. Save the policy. The next piece is adding the configuration part. So at the OMA-URI Settings section click add. The screen looks like this:


You specify a name and a data type. The OMA-URI string needs to be the following for configuration: ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/3441ffd3-6b54-48b0-ac86-accdd148ea0f_f6s3q6fqr0004/AppSettingPolicy/Welcome

And specify a value of your setting in the Value textbox.

The last part if the name of you setting which you use in your code as well. In this sample it’s called Welcome. That translates back to the value we try to get in the Managed.App.Settings container.
The string after the /AppStore/ is the familypackageID you can get from your manifest. That’s how the system knows for what app it needs to store the settings data and in what location.

That’s all. You can have different type of settings, if you need a lot of data you can select the XML value type.

So next step is to try to get this working through the WMI bridge as well. Once I got that to work you should be able to run a powershell script or console app on your desktop to set this configuration as well. I believe that will help you when you have automatic builds, and test deployments in your environment.

Interesting shortcut on Windows: Windows+Ctrl+Shift+B

The advantage of working inside the Windows engineering group is you stumble upon some cool or weird new and old features you never knew about.

One of this nuggets is the keyboard shortcut Windows+Ctrl+Shift+B. So what does it do? It resets the graphics subsystem on your machine (and makes your machine say Beep!).

Apparently this was introduced in the Vista timeframe where we introduced the new Desktop Windows Manager (DWM) in Vista.

Also makes you wonder what other shortcuts are hidden in Windows Winking smile

Auto updater for my side loaded UWP apps

As I described before, i have a few tasks to solve for my home automation project. One of the things I wanted to do is to be able to update my application on the different devices easily. I could publish my home automation app to the store, but it’s hard to provide a test environment for the store testers and it takes a while when the app gets certified before i can roll it out to all my devices. Of course I can sign up for an Intune account and use regular MDM to manage my apps, but 1st i need to have this Intune environment which I think is a bit over the top, and 2nd I would be depending on an internet connection. This is also a topic which comes up with some of my customers so I thought I could solve this differently.

Since the app is going to be side loaded I am allowed to use restricted capabilities. The store app uses these capabilities to be able to download and update apps from the store so what APIs are used by this app? It uses (among others) the PackageManager class. This API is protected by the restricted capability packageManagement.

So the first experiment I tried was to build an update button in a test app and I tried to update myself. I created a version (Project, Store, Create App Package and set the version to, I also created a version In my code I added the following line in the click event:

Where the packageLocation pointed to a file on my disk (but could also be a URL to a website). But updating yourself didn’t work. So the next idea I had was to write a little app which I could call with app2app communication and the only thing that little app would do was update the calling app. This works perfectly. So I created a new project called AppUpdate (Blank App). I added another project to the solution called AppUpdaterService (Windows Runtime Component).  I defined 2 parameters (I only use 1 currently) to be passed to this background service and that’s the package family name and the package location.

The entire code of this class looks like this:

Make sure you add the reference to this project to your AppUpdater project.

Inside my dashboard app I call the following code to update myself through the updater app:

The cool thing that happens is my app is closed when the update starts and automatically restarted after the update. This works on both Desktop as Mobile. I still need to test this on my RPI3 and in combination with Assigned Access/Kiosk mode on mobile.

So what’s left? I need to implement something which checks for a new version regularly. I am still debating if I am going to use the updater app to get registrations from other apps and checks if there is an update and if it finds one starts updating the app, it is more generic this way. On the other hand, the app might know better when it should be updating or not and implement the logic itself and just uses the appupdater to do the update.

I was also thinking about using some kind of broadcast in the app to send an update command to the apps on all devices to be able to force an update after I published a newer version on my internal website.

How I need to check for a newer version could be as simple as providing a little text file on the webserver with the latest version number. If the app has a lower version it will update. Or perhaps I should test what happens if I call the update command and the version of the app on the server is the same. If the update is ignored i don’t need to write any specific code to handle this. It might not be the most optimal solution, although we only download the changes in packages.

How to use any app in assigned access mode in Windows 10

As I wrote before, by default when you setup assigned access the UI only shows app which have the aboveLockScreen extension registered. I talked to the PM who owns this feature to ask why and the reason is because we changed the behavior of how assigned access works (lock the screen and launch the app above the lock screen) we found out a lot of existing apps crash when running on the lock screen, so we changed the UI to only show apps which are designed to run above the lock screen.

Although the UI might not show your existing apps anymore you used to run as kiosk app, you can still use those. Obviously you need to test if they work when running above the lock screen.

Besides using MDM or a provisioning package to configure assigned access you can also use PowerShell to setup your app to run. You  can find the documentation over here.

You will also find interesting documentation how to setup auto login and how to make a classic windows app the default app on that page as well.

This experience is something MS wants to improve in the future but for now you have to use this trick to setup your old app as assigned access app.

How to debug DirextX on Windows 10 Mobile

Another one of these little ‘gotchas’. Morten asked the question why he couldn’t debug DirectX on mobile, but it was possible on desktop and the IOT version of windows 10. I am not a DirectX expert at all, but this was weird. So I asked around internally what was going on.

First, if you want to do this on Desktop you need to install the graphics tools as an additional feature before you can do this.

This is something you need to do for Mobile as well, although it happens a bit different. You can do that by hitting ALT-F5 in Visual Studio or use the menu:


btw, you can also use ALT-F5 on desktop and make Visual Studio install the graphic tools for you.

After that you will be able to debug. The following line will return true instead of false:

Why do I only see OneNote and Skype when setting up assigned access in Windows 10?

edit; this now just works for any application in the latest version of Windows 10. So the manifest is not needed anymore.

If you are trying to setup assigned access in Windows 10, you go to settings, accounts, Other Users and there is a link to ‘set up assigned access’. First you need to create a local account you can use for assigned access. You can do that at this ‘Other users’ dialog as well.

On the Assigned access page you can choose an account and the app you want to run in ‘Kiosk’ mode.


The thing is, it only shows 2 apps in my list, OneNote and Skype Video, where are the rest of my apps?


We changed this behavior in Windows 10, once I figured that out it’s easy to spot in the documentation as well. You can find the documentation how to build an app which works in assigned access mode here:

So what’s different in Windows 10 is, once you login with the assigned access account. It starts the app, locks the device and runs the app above lock.  The reason you only will see OneNote and Skype video is because the apps have the ‘abovelock’ extension defined. It’s mentioned in the Appendix

The following is a sample application manifest, you can see the windows.aboveLockScreen uap extension. You must use this extension in your Windows 10 Universal Windows Platform (UWP) app in order for it to display in the Assigned Access app list in Settings.

So once you add this to your app manifest:

It will show up in the list as well.

Screensaver for my app

One of the things my Home Automation app needs to do is run forever. But I don’t want the screen to burn in either. I can allow the phone to lock the screen but at that time my app isn’t running. I could run some background tasks but there is no way to wake up the app and dismiss the lock screen automatically. Therefore I want an app which runs all the time but has some kind of build in screensaver.

First of all I need the app to prevent the lockscreen appearing. I can of course also configure the phone never to show the lockscreen, but I can also solve this in code. It took me some searching and help at twitter (thanks Neil) to figure this out. The useridlemode from Windows Phone isn’t there anymore. You now need to use Windows.System.Display.DisplayRequest().

So when trying to figure out how to determine how long a user is inactive I could only found some win32 API’s. Unfortunately these don’t work on Windows 10 Mobile (the ones I need that is). So I decided I needed to add a timer on every page. Whenever a user does something on the screen I reset the timer. If the timer fires I navigate to the screensaver.xaml page (and do the screensaver magic) and when the users hits the screen the app will return back to the MainPage.xaml.

Since this needs to be done from every page I created a new baseclass every page (except the screensaver page) is going to inherit from. I created a class called DashboardPage.cs

The constructor creates a timer (in this sample set to 5 seconds). Whenever the timer fires I redirect to the Screensaver page. Whenever PointerMoved event is fired the timer is reset. I found out that with the PointerMoved it works on desktop and mobile. You might need to add more events to make it foolproof, but for my scenario on the phone it works.

The only thing you need to change is in your XAML and the code behind. Your page needs to inherit from DashboardPage instead of page like this:

And you need to modify your XAML a bit as well. It needs to look like this:

You can find the complete solution over here.

Of course after I build this Morten Nielsen posted on Twitter he already build a solution. I think his solution is much easier to use.

Create a new project and add a new usercontrol to your project called Screensaver.xaml

The codebehind looks like this:

To get this working you need to add a single line to App.xaml.cs. Add the line after the Windo.Current.Activate()

What happens in the Screensaver code behind is a timer is started. Whenever the timer ‘ticks’ the popup with the screensaver is shown. A tap on the screen removes it again. Every time something happens on the screen the timer is reset. This works really well and you don’t need to modify every single page. So I think I will end up using this solution instead.

You can find a complete working sample here.

List of tasks I need to figure out for my home automation project

As I described before I am working on a little project to use some Lumia 640s in the house to control the home automation. Besides figuring out how to configure and roll out the devices, and figuring out how exactly I am going to put them in the walls, I also have a laundry list of items I need to figure out for the app on the device. Instead of waiting before everything is done I thought it might be useful to take you along the ride. It might even result in some people mentioning to me some of the things I need to figure out are already out there.

So this is the current list of ‘issues’ or tasks I want to figure out before bringing everything together in an app.

  1. App needs to Run forever (embedded mode in mobile like on RPI2)
  2. Dim screen when not used for x minutes (Windows.System.Display.DisplayRequest() helps preventing the lock, need a screensaver to prevent burn in)
  3. Resume app or display screen when movement is detected by using the camera as sensor
  4. Hey Cortana/speech integration in app (dim the lights, goodnight, increase temperature etc)
  5. Walkyie-Talkie or intercom functionality between rooms and broadcast (alljoyn?)
  6. Other device discovery to connect to for the walkie-talkie functionality etc.
  7. App is a Bluetooth beacon in every room (
  8. Self-updating via update app
  9. IP Camera integration so I can watch the cameras from every room
  10. Alljoyn temp control for my Nest and perhaps per room when I add that future system as well
  11. Goodnight command to smartthings so i can turn off all lights in the entire house
  12. Alljoyn light control
  13. Motion sensor in garage and at frontdoor switches on security view on phone
  14. Wakeup time
  15. Radio/music/speaker in room control

Fixed my Bryant two stage furnace with my NEST

When we bought the house we learned it had a fairly new Bryant furnace installed. The previous owner upgraded from an electric furnace a few years ago. When we had an HVAC guy over for an AC quote he mentioned it was a good two stage furnace, better than the one we had in Bothell. Ok, I didn’ really think about until a recent discussion with some colleagues at Microsoft.

When inspecting my connections of my NEST, I assumed the R, G, C and W1 wires needed to be connected. C is for power, the other ones for the fan and heater. In my previous home the Y was used for the airconditioning. I don’t have one in this house yet. Although if you connect the wire to the Y on the backplate of the NEST, the nest assumes you have a AC connected.

Since you need to hook up the W2 on your thermostat to work with a two stage furnace to make it work. I connected the spare wire to the W2 on the backplate. The NEST gives you a message the wiring is changed and now a two stage heating system is connected. That looked promising. One of my colleagues mentioned it might not be smart to just randomly connect wires and he was correct of course. So disconnected the W2 wire from the NEST and took a better look at my furnace. (In the picture below the W2 connector is lefr from the blue wire)


Great thing about internet is you can find all kinds of information. I happen to have a Bryant 355MAV042080F model. Some googling on Bing pointed me to the user manual and the installation instructions. Cool.

Also on the inside there are some schematics of the furnace.


After some reading and inspecting the furnace after opening it up I saw the yellow wire wasn’t connected at all. So i hooked it up to the W2 connector, checked if the SW2 switch was on (which was). Hooked the wire up on my NEST and voila, two stage furnace worked. Yellow light came on when HIGH HEAT was switched on (just cranked the NEST up to 90) and the green light came on when in LOW HEAT mode (when I switched the NEST to 1 degree more than the current temperature).


No idea why the W2 wire wasn’t hooked up. The original Honeywell thermostat supports this system as well. I took some pictures before I installed the NEST and it wasn’t connected when I removed the old thermostat.

So I am kinda proud of myself I increased the efficiency of our thermostat.