
Ubiquiti USG with proper Internet

My home ISP, Andrews and Arnold, is pretty awesome, and as well as providing IPv6 connectivity for many years, also gives me an IPv4 /28 block, routed behind my WAN address. I recently purchased a Unifi Security Gateway and matching managed 24-port switch (and a second 8-port one for my PoE devices) to replace the collection of various 8-port switches I've been using before. This means that I can have different VLANs for different purposes e.g. my home servers, IoT devices, general wifi etc. The Unifi controller gives a rather nice way of managing the VLANs across the different switches and Unifi Security Gateway (USG) router.

Unfortunately, while VLAN management and the other features are handled nicely through the controller software, it lacks a few things I'm used to, namely IPv6 support and non-NATed IPv4 subnets: when I added my /28 of public IPv4 address space, the USG insisted on NATing outbound traffic, rendering the public addresses useless.

You can however create a JSON configuration file that will add extra settings to the USG, for those missing from the controller UI. From what I can tell, it supports all options provided by EdgeOS. The process for putting the JSON file on the controller is documented on Ubiquiti Networks' website.

IPv4 with selective NAT

In my case, I also have some RFC1918 address space which I do want to NAT, so this has been enabled for 172.16.0.0/12 and 192.168.0.0/16. In this example, pppoe0 is my WAN interface. Rules 6001 to 6003 are the built-in NAT rules, which will be disabled by this.

"service": {
    "nat": {
        "rule": {
            "5999": {
                "description": "MASQ 172.16.0.0/12 to WAN",
                "log": "disable",
                "outbound-interface": "pppoe0",
                "protocol": "all",
                "source": {
                    "address": "172.16.0.0/12"
                },
                "type": "masquerade"
            },
            "6000": {
                "description": "MASQ 192.168.0.0/16 to WAN",
                "log": "disable",
                "outbound-interface": "pppoe0",
                "protocol": "all",
                "source": {
                    "address": "192.168.0.0/16"
                },
                "type": "masquerade"
            },
            "6001": {
                "disable": "''"
            },
            "6002": {
                "disable": "''"
            },
            "6003": {
                "disable": "''"
            }
        }
    }
}
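
As an added illustration (my own Python, not from this post or from Ubiquiti), here is a small model of how first-match NAT rules resolve for an outbound packet, using the fragment above. The post does not show what the controller puts in rules 6001 to 6003, so the three subnets used for them below are constructed placeholders (203.0.113.16/28 stands in for the routed public /28). The model shows why the disables matter: with the controller's rules active, traffic sourced from the public block would be masqueraded too.

```python
import ipaddress
from typing import Dict, List, Optional

# The selective-NAT fragment from the post, reduced to the keys the model needs.
OVERRIDE_RULES: Dict[str, dict] = {
    "5999": {"outbound-interface": "pppoe0", "type": "masquerade",
             "source": {"address": "172.16.0.0/12"}},
    "6000": {"outbound-interface": "pppoe0", "type": "masquerade",
             "source": {"address": "192.168.0.0/16"}},
    "6001": {"disable": "''"},
    "6002": {"disable": "''"},
    "6003": {"disable": "''"},
}

# Assumed controller-generated rules 6001-6003 (constructed: the post does not
# show them). One masquerade per LAN network, including the routed public
# block, for which 203.0.113.16/28 is a documentation-range stand-in.
CONTROLLER_RULES: Dict[str, dict] = {
    "6001": {"outbound-interface": "pppoe0", "type": "masquerade",
             "source": {"address": "172.31.2.0/24"}},
    "6002": {"outbound-interface": "pppoe0", "type": "masquerade",
             "source": {"address": "192.168.99.0/24"}},
    "6003": {"outbound-interface": "pppoe0", "type": "masquerade",
             "source": {"address": "203.0.113.16/28"}},
}


def merge_rules(base: Dict[str, dict], override: Dict[str, dict]) -> Dict[str, dict]:
    """Overlay the config.gateway.json rules onto the controller's: existing
    rule numbers gain the override's keys, new numbers are added."""
    merged = {num: dict(body) for num, body in base.items()}
    for num, body in override.items():
        merged.setdefault(num, {}).update(body)
    return merged


def first_matching_rule(rules: Dict[str, dict], src_ip: str, out_if: str) -> Optional[str]:
    """Rules are tried in ascending numeric order; the first enabled rule whose
    outbound interface and source prefix both match wins."""
    ip = ipaddress.ip_address(src_ip)
    for num in sorted(rules, key=int):
        rule = rules[num]
        if "disable" in rule or rule.get("outbound-interface") != out_if:
            continue
        src = rule.get("source", {}).get("address")
        # An address-family mismatch (v6 packet, v4 prefix) simply fails to match.
        if src is None or ip not in ipaddress.ip_network(src, strict=False):
            continue
        return num
    return None


def is_masqueraded(rules: Dict[str, dict], src_ip: str, out_if: str = "pppoe0") -> bool:
    num = first_matching_rule(rules, src_ip, out_if)
    return num is not None and rules[num].get("type") == "masquerade"


def nat_leaks(rules: Dict[str, dict], public_block: str, out_if: str = "pppoe0") -> List[str]:
    """Defender's check: enabled masquerade rules whose source prefix overlaps
    the routed public block, i.e. rules that would rewrite traffic that should
    leave with its real address."""
    public = ipaddress.ip_network(public_block)
    leaks = []
    for num, rule in rules.items():
        if "disable" in rule or rule.get("type") != "masquerade":
            continue
        if rule.get("outbound-interface") != out_if:
            continue
        src = rule.get("source", {}).get("address")
        if src and ipaddress.ip_network(src, strict=False).overlaps(public):
            leaks.append(num)
    return sorted(leaks, key=int)


if __name__ == "__main__":
    merged = merge_rules(CONTROLLER_RULES, OVERRIDE_RULES)
    for ip in ("172.16.5.5", "192.168.99.7", "203.0.113.20"):
        print(f"{ip:15} masqueraded before override: {is_masqueraded(CONTROLLER_RULES, ip)!s:5} "
              f"after: {is_masqueraded(merged, ip)}")
    print("leaking rules before:", nat_leaks(CONTROLLER_RULES, "203.0.113.16/28"),
          "after:", nat_leaks(merged, "203.0.113.16/28"))
```

Run it and the public address is masqueraded by rule 6003 until the override disables it, while the RFC1918 ranges keep being translated by 5999 and 6000. nat_leaks is the check worth re-running whenever the controller regenerates its rules.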

IPv6 without prefix delegation

I prefer to manually configure my routed IPv6 prefixes and thus don't use prefix delegation (which would allow for automatic allocation of addresses to the LAN). The following enables IPv6 support on pppoe0, adds addresses to eth1 (and enables router advertisements), and then configures basic firewalling (default deny for inbound packets).

You might notice that I have specified the IPv4 address for eth1 as well. Without this, the IPv6 address will replace it and your USG will get stuck in a provisioning loop until you fix it!

I've also added addresses on VLAN interface eth1.201 without router advertisements. Hosts on this subnet will need manual IPv6 configuration.

"interfaces": {
    "ethernet": {
        "eth0": {
            "pppoe": {
                "0": {
                    "ipv6": {
                        "address": {
                            "autoconf": "''"
                        },
                        "enable": "''"
                    },
                    "firewall": {
                        "in": {
                            "ipv6-name": "wan_in-6"
                        },
                        "local": {
                            "ipv6-name": "wan_local-6"
                        }
                    }
                }
            }
        },
        "eth1": {
            "address": ["172.31.2.1/24", "2001:db8:1234:2::1/64"],
            "ipv6": {
                "dup-addr-detect-transmits": "1",
                "router-advert": {
                    "cur-hop-limit": "64",
                    "link-mtu": "0",
                    "managed-flag": "true",
                    "max-interval": "600",
                    "other-config-flag": "false",
                    "prefix": {
                        "2001:db8:1234:2::/64": {
                            "autonomous-flag": "true",
                            "on-link-flag": "true",
                            "valid-lifetime": "2592000"
                        }
                    },
                    "reachable-time": "0",
                    "retrans-timer": "0",
                    "send-advert": "true",
                    "radvd-options": [
                        "RDNSS 2001:db8:1234:2::1 {};"
                    ]
                }
            },
            "vif": {
                "201": {
                    "address": ["192.168.99.1/24", "2001:db8:1234:99::1/64"]
                }
            }
        }
    }
},
"firewall": {
    "ipv6-name": {
        "wan_in-6": {
            "default-action": "drop",
            "description": "wan_in",
            "enable-default-log": "''",
            "rule": {
                "1": {
                    "action": "accept",
                    "description": "Allow Established/Related state",
                    "state": {
                        "established": "enable",
                        "related": "enable"
                    }
                },
                "2": {
                    "action": "drop",
                    "description": "Drop Invalid state",
                    "log": "enable",
                    "state": {
                        "invalid": "enable"
                    }
                },
                "5": {
                    "action": "accept",
                    "description": "Allow ICMPv6",
                    "log": "enable",
                    "protocol": "icmpv6"
                }
            }
        },
        "wan_local-6": {
            "default-action": "drop",
            "description": "wan_local",
            "enable-default-log": "''",
            "rule": {
                "1": {
                    "action": "accept",
                    "description": "Allow Established/Related state",
                    "state": {
                        "established": "enable",
                        "related": "enable"
                    }
                },
                "2": {
                    "action": "drop",
                    "description": "Drop Invalid state",
                    "log": "enable",
                    "state": {
                        "invalid": "enable"
                    }
                },
                "5": {
                    "action": "accept",
                    "description": "Allow ICMPv6",
                    "log": "enable",
                    "protocol": "icmpv6"
                },
                "6": {
                    "action": "accept",
                    "description": "DHCPv6",
                    "destination": {
                        "port": "546"
                    },
                    "protocol": "udp",
                    "source": {
                        "port": "547"
                    }
                }
            }
        }
    }
}
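
To make the two IPv6 rulesets above concrete, here is an added Python model (mine, not from the post or from EdgeOS) that walks the rules in number order for a handful of constructed packets and reports which rule decided, whether the decision is logged, and when the default drop applied. The Packet class and its conntrack state field are assumptions chosen to mirror what the firewall matches on.

```python
from typing import List, Optional, Tuple

# The two IPv6 rulesets from the fragment above, reduced to the keys matched on.
WAN_IN_6 = {
    "default-action": "drop",
    "enable-default-log": "''",
    "rule": {
        "1": {"action": "accept", "state": {"established": "enable", "related": "enable"}},
        "2": {"action": "drop", "log": "enable", "state": {"invalid": "enable"}},
        "5": {"action": "accept", "log": "enable", "protocol": "icmpv6"},
    },
}
WAN_LOCAL_6 = {
    "default-action": "drop",
    "enable-default-log": "''",
    "rule": {
        **WAN_IN_6["rule"],
        # DHCPv6 replies: server port 547 to the USG's client port 546.
        "6": {"action": "accept", "protocol": "udp",
              "destination": {"port": "546"}, "source": {"port": "547"}},
    },
}


class Packet:
    """Constructed minimal view of a packet: the conntrack state the firewall
    sees plus the protocol and ports rules can match on."""

    def __init__(self, state: str, protocol: str,
                 sport: Optional[int] = None, dport: Optional[int] = None) -> None:
        self.state, self.protocol, self.sport, self.dport = state, protocol, sport, dport


def rule_matches(rule: dict, pkt: Packet) -> bool:
    states = rule.get("state")
    if states and states.get(pkt.state) != "enable":
        return False  # a rule with a state clause only matches the listed states
    if "protocol" in rule and rule["protocol"] != pkt.protocol:
        return False
    dport = rule.get("destination", {}).get("port")
    if dport is not None and str(pkt.dport) != dport:
        return False
    sport = rule.get("source", {}).get("port")
    if sport is not None and str(pkt.sport) != sport:
        return False
    return True


def evaluate(ruleset: dict, pkt: Packet) -> Tuple[str, Optional[str], bool]:
    """First match in ascending rule-number order. Returns (action, rule number
    or None when the default applied, whether the decision is logged)."""
    for num in sorted(ruleset["rule"], key=int):
        rule = ruleset["rule"][num]
        if rule_matches(rule, pkt):
            return rule["action"], num, rule.get("log") == "enable"
    return ruleset["default-action"], None, "enable-default-log" in ruleset


def audit(name: str, ruleset: dict) -> List[str]:
    """Two properties a WAN-facing v6 ruleset should keep: default drop, and an
    established/related accept as the lowest-numbered rule so return traffic
    never falls through to the logged default."""
    findings = []
    if ruleset.get("default-action") != "drop":
        findings.append(f"{name}: default-action is not drop")
    first = ruleset["rule"][min(ruleset["rule"], key=int)]
    if first.get("action") != "accept" or first.get("state", {}).get("established") != "enable":
        findings.append(f"{name}: first rule should accept established/related traffic")
    return findings


if __name__ == "__main__":
    samples = [
        ("return traffic", Packet("established", "tcp", 443, 51000)),
        ("invalid", Packet("invalid", "tcp")),
        ("neighbour discovery", Packet("new", "icmpv6")),
        ("inbound ssh attempt", Packet("new", "tcp", 40000, 22)),
        ("dhcpv6 reply", Packet("new", "udp", 547, 546)),
    ]
    for name, ruleset in (("wan_in-6", WAN_IN_6), ("wan_local-6", WAN_LOCAL_6)):
        for label, pkt in samples:
            print(f"{name:12} {label:20} -> {evaluate(ruleset, pkt)}")
        print(audit(name, ruleset) or f"{name}: ok")
```

The DHCPv6 sample is the one worth noticing: it is accepted on wan_local-6 by rule 6 but hits the default drop on wan_in-6, which is correct, since the USG itself is the DHCPv6 client and nothing behind it should receive that traffic from the WAN.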

We also need to add the following to set the default IPv6 gateway:

"protocols": {
    "static": {
        "interface-route6": {
            "::/0": {
                "next-hop-interface": "pppoe0"
            }
        }
    }
}
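
Two of the pitfalls in this section (the eth1 address list losing its IPv4 entry and causing the provisioning loop, and an advertised prefix that does not belong to the interface) plus the missing default route are easy to check before the file is pushed to the controller. The following is an added Python lint of my own, not part of the post; it reads the interfaces and static-route fragments above, reduced to the keys it needs, and the BROKEN_INTERFACES variant is constructed to show the findings.

```python
import ipaddress
from typing import Dict, List

# The interfaces and static-route fragments from the post, reduced to the keys
# the checks read.
INTERFACES = {
    "eth1": {
        "address": ["172.31.2.1/24", "2001:db8:1234:2::1/64"],
        "ipv6": {"router-advert": {"send-advert": "true",
                                   "prefix": {"2001:db8:1234:2::/64": {}}}},
        "vif": {"201": {"address": ["192.168.99.1/24", "2001:db8:1234:99::1/64"]}},
    },
}
STATIC = {"interface-route6": {"::/0": {"next-hop-interface": "pppoe0"}}}

# Constructed broken variant: IPv4 address omitted, and an RA prefix that is
# not configured on the interface.
BROKEN_INTERFACES = {
    "eth1": {
        "address": ["2001:db8:1234:2::1/64"],
        "ipv6": {"router-advert": {"send-advert": "true",
                                   "prefix": {"2001:db8:ffff:2::/64": {}}}},
    },
}


def flatten_interfaces(interfaces: dict) -> Dict[str, dict]:
    """Name every interface the way EdgeOS does, with VLAN sub-interfaces as
    parent.vid (eth1.201)."""
    flat = {}
    for name, body in interfaces.items():
        flat[name] = body
        for vid, vbody in body.get("vif", {}).items():
            flat[f"{name}.{vid}"] = vbody
    return flat


def lint(interfaces: dict, static: dict) -> List[str]:
    findings = []
    for name, body in flatten_interfaces(interfaces).items():
        addrs = [ipaddress.ip_interface(a) for a in body.get("address", [])]
        v4 = [a for a in addrs if a.version == 4]
        v6 = [a for a in addrs if a.version == 6]
        # The override's address list replaces the controller's, so a v6-only
        # list silently drops the IPv4 address (the provisioning loop).
        if v6 and not v4:
            findings.append(f"{name}: IPv6 address set without an IPv4 address")
        ra = body.get("ipv6", {}).get("router-advert")
        if ra and ra.get("send-advert") == "true":
            for prefix in ra.get("prefix", {}):
                if not any(a.network == ipaddress.ip_network(prefix) for a in v6):
                    findings.append(f"{name}: advertised prefix {prefix} is not on this interface")
    if "::/0" not in static.get("interface-route6", {}):
        findings.append("no IPv6 default route (interface-route6 ::/0)")
    return findings


if __name__ == "__main__":
    print("post's config:", lint(INTERFACES, STATIC) or "clean")
    for finding in lint(BROKEN_INTERFACES, {}):
        print("broken config:", finding)
```

Hosts on eth1.201 get no router advertisement, so the lint only checks that its address list keeps both families; the prefix check applies wherever send-advert is true.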
© 2019 xand