It would be nice if you could filter through DPI data by date which I realize could take a bit to implement.
On an easier front, it would be super helpful if it showed the last time the DPI stats were cleared in the controller.
Hi, I would like to suggest an improvement to the UniFi GUI regarding USG dynamic dns.
I already see that some people requested the ability to just call a URL when the IP address changes. That would be awesome but belongs to the original thread.
The topic here is to allow the Dynamic DNS to run from each WAN interface. I may need the IP address of both WAN1 and WAN2 linked to a DDNS service. On Linux, I am used to doing this by issuing "curl --interface ppp0" ... and the URL call will go through the interface I told curl to use. The Dynamic DNS service will see the originating IP and all works fine.
So, if you ever develop the Custom URL dyndns feature, remember to add an option to choose which WAN to use (and default to use the main/active WAN interface).
When I'm comparing between Meraki Security Devices and USG, I realised a very important feature which USG lacks, which is the support for USB Cellular Stick.
I believe that the support for USB Sticks is crucial for:
1. Deployments that relied on cellular data as their primary connection.
2. Mission critical deployments which use cellular data as their failover.
Other than that, I don't see the reason for UBNT to not support USB Cellular Stick because even a cheap $40 mini router from TP-Link supports this function.
Suggestions on how to deploy support for USB Cellular Stick.
I would suggest UBNT add another option called "USB Cellular Stick" under the USG > WAN > Connection Type.
In the "USB Cellular Stick" Option, I would suggest putting "Country" and "Carrier" with preset settings like the ones shown below:
When we select the preset settings, please show the username and password of the preset settings in a blurred out column below so that we know which APN is used with the preset settings (Some Carriers have multiple APNs).
Other than that, please add a "Custom" settings option under the Username and Password for the APN settings so that we can use custom APNs when the situation requires it.
Personally, I don't think that the Connection Mode and Authentication Type have to be included.
Supported USB Cellular Sticks.
I would suggest UBNT to support only the mainstream USB Sticks since the USG isn't meant to be a cellular modem/router. I'll leave the supported USB Stick list from Meraki and other vendors below for reference:
Lastly, I would suggest UBNT to include a USB port for USB Cellular Stick on the next revised version of USG-3P so that the USG-3P can be deployed as a teleworker gateway.
I'm fully aware that IPv6 can be configured from the CLI now but UniFi is an SDN product, which means that all if not most features should be able to be configured from the controller, not from the CLI.
I'm suggesting that UBNT include the IPv6 Settings under WAN settings for USG as shown below. (Sorry, my drawing isn't very good)
In the IPv6 Connection Type, the following should be included:
1. Native IPv6
2. Tunnel 6to4
3. Tunnel 6in4
4. Tunnel 6rd
5. Static IPv6
Other than that, the following options in the picture should also be included:
I don't know how Asus did it, but their routers are smart enough to get the right prefix without my intervention, I wish USG will have this feature too.
I wish UBNT will include full IPv6 support into the controller ASAP that is easy to setup without much technical knowledge.
It could be a great addition if it was possible to enable colors of the connections in the Topology map, based on their utilization percentage.
This would be an easy way of visualizing bottlenecks in the infrastructure.
I'd like to be able to quickly block an entire country worth of IP addresses. This is trivial for a small country, say Cambodia, but with China having over 7000 assigned IP blocks this gets to be a really big headache. Ideally, I'd like a drop-down list of countries to block, and have the IP blocks for those countries pulled dynamically from somewhere like IPDeny.
Double bonus points if I can tell it "only allow from USA, drop everything else."
As an interim measure, can you at least let me copy and paste a huge list of IP blocks?
Hey, I checked the USG kernel and it uses a pretty old, CPU-intensive version of fq_codel.
There were changes made in the 4.4 Kernel but they should be backportable to the kernel you guys are using.
Most notable are the results (Quote from the link above.):
Thus far this batch drop patch is testing out beautifully. Under a 900Mbit flood going into 100Mbit on the pcengines apu2, cpu usage for ksoftirqd now doesn't crack 10%, where before (under pie,pfifo,fq_codel,cake & the prior fq_codel) it went to 88% and ultimately bad things happened, like losing routability. I've had it running for hours and I hardly notice it's there. Performance for the normal cc controlled and/or sparse flows is unaffected, aside from the uncontrolled flows eating their percentage of the link. Nice work. Thx. This should go into -stable.
Can some dev try to apply that in his free time and check how much it really improves the ksoftirqd CPU usage on Ubiquiti hardware?
I would try to compile the kernel myself but I have no idea how that works with the SDKs and changes you guys did.
Advanced options settings should be more thorough for Site-to-Site VPNs in the controller.
Break out Phase 1 / Phase 2 parameters where applicable.
Secondary / Backup peer IP.
SHA384/512 integrity if the hardware supports it. (256 was accepted in another idea.)
Additionally, AES-GCM 128/256 if the hardware supports it, but it might be a stretch.
I don't know which service and server is currently used for the Speed Test.
It would be nice if we could select the Speed Test service (speedtest.net, simet.nic.br, etc.) and also which server we would like to use in the speed test.
The idea is to have some settings in the UniFi Controller.
Today from Brazil I'm having 100% more latency in the UniFi Speed Test and about 5% less bandwidth (comparing with speedtest.net with a BR server or simet.nic.br).
I have a remote network in AWS that I'd like to make just another Site in my Unifi controller with a USG managing all the routing/firewall. If Ubiquiti offered an EC2 AMI that was the USG software, I could easily weave this into my AWS VPC as the firewall for that private network.
This would let me treat my cloud network like just another extension of my network. I could manage routing / firewall rules to/from it in USG like any other site, rather than needing to manage AWS networks with yet a different and more complex interface than UniFi.
Maybe it is possible to add the following request.
- To add a DNS address in the PORT FORWARD RULE or the FIREWALL RULE in the "from" form. At the moment it looks to me like it is only possible to add IP addresses (I receive the following message: "This field can have an IP address, a range of IP addresses separated by a dash (-), or a subnet.").
But I need to enter some DNS addresses because I have some remote sites with a dyndns address.
My company is trying to find creative ways to help sell the idea of monthly subscriptions to monitor their network. We feel if we could send them a monthly report of upgrades that were performed, crashes, and DPI data for the last month it would create more value in a monthly service contract.
Today it is possible to choose between 10 and 49 minutes to run the speed test.
Why is it not possible to choose every hour or every 2 hours or also only one time per day?
I have a very stable internet connection (dedicated optical fiber). So why do I have to use bandwidth to test every 49 minutes?
One / two times a day is enough.
It would be great to be able to see the status of the "Internet" connection on WAN1 and WAN2 in the GUI. I have set up numerous USGs that use WAN2 as failover, but have no way of seeing the active internet status of each port. The only thing that shows in the GUI is the Connection to the Modem.
An OpenVPN client for the USG with GUI support. Routes ALL WAN traffic through the tunnel without additional configuration when the client is connected. Should by default accept DNS settings sent from the VPN server etc. You get the idea, limit what ISPs can do to collect, profile, and sell personally identifiable data.
Here are the corrective items
1) Add the USG internal network(s) to "Network Protection" -> "Firewall" as the source for all outgoing rules
2) Add the USG internal network(s) to the "Network Protection" -> "NAT" masquerading sources
3) My major fault. Make sure the USG internal networks are NOT assigned to the UTM already: "Interfaces & Routing" -> "Interfaces" -> "Additional Addresses"
Then it works.
I have a couple of networks where I will never replace the router (for one I can't - it's provided as part of the environment) but I would still like to have stats in the controller.
I would like to see a pass through mode for the USG where it passes traffic with no NAT, no firewall rules, no DHCP, etc. Just analyzes traffic.
Even better - a monitor mode where I could feed a USG a mirror of the port that goes to my existing router so I don't have to have the latency of the USG in the packets' path. Use it as a sensor, basically.
I think you guys would sell a boatload of USGs if you supported this!
EDIT: It appears to be on the roadmap: https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-Feature-Roadmap-January-2017-update/m-p/1792230#M31948
In Progress / Near Future
- DPI support in passthrough mode or on monitor interface