I'm fully aware that IPv6 can be configured from the CLI now but UniFi is a SDN product which means that all if not most features should be able to be configured from the controller, not from the CLI.
I'm suggesting that UBNT include the IPv6 Settings under WAN settings for USG like as shown below. (Sorry, my drawing isn't very good)
In the IPv6 Connection Type, the following should be included:
1. Native IPv6
2. Tunnel 6to4
3. Tunnel 6in4
4. Tunnel 6rd
5. Static IPv6
Other than that, the following options in the picture should also be included:
I don't know how Asus did it, but their routers are smart enough to get the right prefix without my intervention, I wish USG will have this feature too.
I wish UBNT will include full IPv6 support into the controller ASAP that is easy to setup without much technical knowledge.
port-channel load-balance allows configuration of 7 different modes. UniFi switches can only use the default 3 currently, should UI-expose configuration of this parameter.
As per law we should be able to log guest user internet activity per session, at least top level domain access logs. This is becoming a necessity as per new anti-terrorist laws for providing public wifi.
Figure out a way to log URL to a remote logging server directly from AP or USG which is handling guest accounting would be super useful
In "networks" I created a network called "LAN guest" with purpose as "guest" and VLAN 2 ID & 184.108.40.206/20 IP series
USG is serving guest portal to LAN users but it's not controlling the speeds, and I doubt it's controlling the Time & data limit as well.
When will guest controls be provided for LAN guests?
USG should be able to handle wired guest similar to how UniFi APs do, with designated speed, data and time limits set using API
I'd like to see a way to do granular parental controls.
Such as creating groups and then adding all devices (wired & wireless) from each kid into a kid1-group for each kid (kid1, kid2, etc), then granular allotting time for all devices from kid1-group, and allotting time per application per kid1-group, assign webprofiles to kid1-group, etc, and then a "superhandy interface" to add and delete apps, time, block etc; see below for more detail.
Currently have :
- 1 USG
- 1 Unifi Controller
- 2 Unifi US-8-60W switches
- 2 Unifi AP AC PRO access points
Got into Unifi for stability purpose and so I could properly separate out the guest wifi and with a VLAN. Also I like the SDN approach, the interface and the application on the phone/tablet.
In my previous network setup I had some possibility to do timed access control for all devices (not just wifi connected but also all hardwired ones). I also had the option to assign predefined web/url profiles to each device (and the option to use customized profiles based on the webcategories available for these profiles).
Nice that you can assign hours of use to wireless networks but you cannot to hardwired networks.
And overall it would be easier if an option like this could also be assigned to a "group" with devices in it.
Overall would be very useful to have some (much more) parental controls / group controls
1. Create user groups based on a set of devices
- Including not just wireless devices but also wired devices
- usergroup "Kid1": Tablet (wifi), phone (wifi), laptop (wifi), desktop (wired ethernet)
- usergroup "Kid2": Tablet (wifi)
- And allow to create groups with groups in it: Kids group includes Kid1 and Kid2
Then be able to do various types of controls with these groups:
2. Control Internet access times through the USG (on basis of a group):
- block traffic between 10:00PM-08:30AM for all devices assigned a "user group" kid1
- block traffic between 8:00PM-08:30AM for all devices assigned a "user group" kid2
3. Amount of time that can be used per "user group"
- I.e. assign 4 hours to all devices in "user group" kid 1
- Assign amount of hours per day, for example assign 4 hours for Tuesday to Sunday, and Monday is computer free day so is 0 hours.
- Allow the option when devices are used at the same time that only counts as if one device was being used.
4. Control "access times" and "allotted time on a day" easy via the UniFi App on my phone (and controller)
- A view that shows "user groups"
- Per "user group" "easily" add additional or reduce time or block the "user group" (all devices in that group), s
- Give an extra 15 minutes or 30 minutes outside the assigned time.
- Per "user group" easily increase the time one off to end a bit later i.e. this day you can use Internet till 11:00 PM instead of 10:00PM by pressing "add 15 minutes to end time"
- Block for that day (block button that only blocks that day and goes back to the program by end of day).
5. Possibility to create "webfiltering profiles"
- Options to create "allow lists", "block lists", based on "custom urls"
- Option to use "predefined website categories" I.e. block categories such as, Adult, Advertising, Dangerous materials, Drugs, Gambling, Malware, Phishing, Redirector, Hate, Violence, etc
- And then also the option to customize these categories.
6. Per group control assign a "webfiltering profile"
7. Assign firewall rules against "user groups"
8. Have predefined firewall rules / profiles suitable for kids (similar to webfiltering profiles).
- Then assign a "usergroup" to such a firewall rules profile
Had webfiltering profiles I could assign per device on my Synology RT1900AC, that was very useful. I.e. block the kids from in particular known malware sites was useful (but also adult and hate I thought very useful).
9. Allot time per application (use DPI) per "all devices in a user group"
Since the USG already does DPI also define "allotted time" per application (DPI based)
- I.e. "devices in user group KID1" can use 60 minutes Facetime per day / Kid 1 and all his/her devices can do 60 minutes Facebook per day.
- I.e. "devices in user group KID1" can use 120 minutes Netflix per day
Edit 1: as mentioned below Circle is a very good example, like the level of granularity, easy interface, etc.
Would be nice if something like that were implemented (software wise, or as a separate hw component).
Edit 2: added tying DPI data to "user groups".
Have a configuration screen to allow the inclusion of USB WAN devices for the USG. Plenty of workarounds are posted, but nothing direct.
In my example, I've taken a MikroTik, and NAT to the USB LTE interface from a VLAN. That VLAN is trunked on the trunk, a port on the switch is configured for that VLAN and carried to WAN2.
We really should have a simple built in option to attach devices directly to the USG, then check a box for failover.
Just a feature request to add port forwarding functionality to the above page. While I appreciate that it's already within its own section of the USG configuration, given its function, it seems to be a logical place for it to exist. You then have a one stop shop for these related functions.
Don't think you need to remove the functionality from where it is now so much as add it to the page in a similar format as the FW rules are today.
As the page would be irrelevant without a USG, a simple tag similar to other USG dependent functions could be included to ensure folks understand the prerequisites.
Many ISPs deliver multiple services with different VLANs.
USG currently works with internet delivered with VLAN tags. "Use VLAN ID" settings in the GUI.
ISP also delivers IPTV on a separate VLAN which needs to be only bridged. (NO NAT, NO firewall, nothing) the set-top box will request DHCP directly from the ISP
Many of the consumer grade routers have these predefined by country and ISP, or just let the user enter the VLAN ids.
USG GUI can just enable the option and manual input of these VLAN ids, even dedicate the VOIP port for IPTV instead.
I would like to suggest a cold spare option.
Whilst for some setups it is possible to use HA setups, sometimes there are setups involving DSL (or other) modems in bridged mode where HA doesn't work. In these situations, I typically leave duplicate pre provisioned hardware.
I would really like to suggest the ability to assign a "cold spare" - I envisage usage something along the lines of:
An adopted cold spare has everything other than uplinks to the controller disabled so that we can leave spare hardware at a site
Upon diagnosing a fault, a technician can go to the controller, decommission/mark a device as faulty and then clone it to a pre-adopted "cold spare".
The technician can then tell the client (or other technician) to simply unplug one piece of hardware and swap it for another port by port.
And then carry on like normal...
I see the HA idea being approved and agree that for the long term, a good HA solution would be nice - but as I said, there are some situations where you have DSL bridges or single upstreams where that won't work and you need a cold spare.... In addition, this would be great for switches!
In the IPSEC site to site settings for my USG, I have a site with a dynamic address that initiates a vpn to my site with a static address. It would be helpful if the peer could be listed as a hostname instead of forcing an IP address.
A lot of tools out there allow for automation of treatment for endpoints on the network. This can range from moving an endpoint to a remediation VLAN to killing access all together depending on the health/state of said endpoint.
Currently the API is not officially supported. It's geared mostly towards the UniFi wireless. It does not provide much control of the Switching and USG portions of UniFi. Previously the last.inform was a goldmine in gathering data, however since 5.4.9 it no longer exists...
For control of devices we do have dynamic VLAN assignments via 802.1x, but this functionality is biased towards the wireless gear, as it is near useless on the switches. You cannot create a VLAN on the switch in which its ID will be used by dynamic VLAN. Which means it is impossible to get a routeable interface from the USG to the switch as the switch's uplink cannot tag said VLAN... Additionally dynamic VLAN assignments via 802.1x is lacking by the fact Change of Authorization is not supported by both the APs and Switches Ubiquiti produces.
Allow the API to be queried for DPI data/VLAN assignments/etc by MAC and/or IP address.
Allow the API to be queried for all data previously found in the inform.last i.e. USG external IP address.
Allow the API to reassign a switch port to a new VLAN when fed a MAC address or switch/port.
Manipulate USG firewall policies through the API.
In my setup now, I cannot use Remote User VPNs because my USG is behind another NAT device...
In my situation, this is unavoidable, as I have a device in front of the USG that balances more than 2 ISP connections.
Since the "WAN IP" address of my USG is an internal address, I cannot use the VPN services provided through UniFi because L2TP and other VPN Services do not recognize the incoming packets as valid.
Maybe adding a configuration option for the real IP address to match VPN packets to would be better?
Using UniFi controller 5.4.11 and UniFi switch 24. While wireless activity can be reported on 24hr, week or month basis, the switch statistics are only available on 24hr (one day at the time) basis. Please add week and month aggregation for switch stats as well.