New Member
Posts: 7
Registered: ‎11-16-2016
Kudos: 85
Solutions: 1

USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

We recently implemented a USG Pro, and I had considerable trouble in configuring it for multiple WAN IPs and then directing inbound traffic to different locations based on the external IP that it came in on.  I've now got it working, and have written this post in an attempt to overcome the fairly limited documentation on the matter.

Preface: I'm going to build up the data so that it's easy to follow for those out there like me who aren't familiar with how the router's OS works.

Firstly, you'll need to be able to log into your USG and your controller via SSH - there's enough detail around about doing that so I'll assume you know how to do that or can work it out.

Step 1: Setting up the external IPs

We were allocated a single fixed IP for our connection and we also purchased an additional range of 6 addresses.  This means that our USG has 7 public IPs.

I logged into the controller via SSH and navigated to the folder /srv/unifi/data/sites/default.  I created a file called config.gateway.json and entered the following text (note - I've changed the IPs for this example):

{
        "interfaces": {
                "ethernet": {
                        "eth2": {
                                "address": [
                                        "10.20.30.40/30",
                                        "1.2.3.1/29",
                                        "1.2.3.2/29",
                                        "1.2.3.3/29",
                                        "1.2.3.4/29",
                                        "1.2.3.5/29",
                                        "1.2.3.6/29"
                                ]
                        }
                }
        }
}

The IP 10.20.30.40/30 was provided to me by our ISP.  The range 1.2.3.1 to 1.2.3.6 is the additional range we purchased.  Make sure you include the subnet (i.e. the "/30" or "/29" in my case - use the correct subnet for your scenario).

Note also that I've used eth2 - it's possible your system will be using a different interface, so just make sure you're referring to the WAN interface for your device.

I recommend that you test the JSON in your file by running the following command each time you edit it.  If your JSON is correct it will return the data properly formatted, otherwise it will tell you where the error is.

python -m json.tool config.gateway.json

Having saved this file on the controller, you need to trigger a provision on the USG.  Restarting the gateway doesn't seem to do it, and anyway that brings down your connection which you don't want to do, as you should be able to make all these changes without affecting any users on the gateway.  The way I triggered the provision was to use the web interface for the controller, and edit the name of the network.  I was changing it from "Our Lan" to "Our Network" - that caused it to reprovision, although if anyone knows a better way to do that I'm all ears.

At this point, your external IPs should be working.

Step 2: Redirecting inbound traffic

This was the bit that really confused me, because I thought that I needed to set up port forwarding, which was how our previous firewall worked.  With the USG Pro, we need to use DNAT (i.e. network address translation).

Think of it this way; the inbound traffic is sent to your external IP of 1.2.3.1, but you actually want it to go to an internal IP of 10.0.0.20 so you need to do an address translation to facilitate that (not a port forward).

As such, I edited my config.gateway.json file to add another section as follows:

{
    "interfaces": {
        "ethernet": {
            "eth2": {
                "address": [
                    "10.20.30.40/30",
                    "1.2.3.1/29",
                    "1.2.3.2/29",
                    "1.2.3.3/29",
                    "1.2.3.4/29",
                    "1.2.3.5/29",
                    "1.2.3.6/29"
                ]
            }
        }
    },
    "service": {
        "nat": {
            "rule": {
                "1000": {
                    "description": "Intranet Web Ports",
                    "destination": {
                        "address": "1.2.3.1",
                        "port": "80,443"
                    },
                    "inbound-interface": "eth2",
                    "inside-address": {
                        "address": "10.0.0.21"
                    },
                    "protocol": "tcp",
                    "type": "destination"
                },
                "1010": {
                    "description": "CRM Web Ports",
                    "destination": {
                        "address": "1.2.3.2",
                        "port": "80,443"
                    },
                    "inbound-interface": "eth2",
                    "inside-address": {
                        "address": "10.0.0.22"
                    },
                    "protocol": "tcp",
                    "type": "destination"
                }
            }
        }
    }
}

In my example rule 1000, all web traffic from outside our office going to our intranet (with the external IP address of 1.2.3.1) is being redirected to the internal server IP address 10.0.0.21.  I've included the web port numbers on the destination - there is no need to include it on the "inside-address", although if you want to direct it to a different port you can include that port in the "inside-address" field.  Likewise, all web traffic being directed to our CRM on external address 1.2.3.2 is going to be sent to the internal server 10.0.0.22.

At this point, I recommend testing your config.gateway.json file and re-provisioning your gateway, just so that you know it's not going to cause any errors.  However, note that at this point your redirection won't work - you now need to amend your firewall to allow the traffic into your LAN.

Step 3: Updating your firewall

Now you have traffic that's been directed to the right place, but it can't get in.  You need to allow that traffic in.  Again, this didn't work the way I've been used to - as previously I've configured firewalls in relation to the external IP that data was coming in on, and that was not the case with the USG.

Again, edit your config.gateway.json file to add a firewall section as follows:

{
    "interfaces": {
        "ethernet": {
            "eth2": {
                "address": [
                    "10.20.30.40/30",
                    "1.2.3.1/29",
                    "1.2.3.2/29",
                    "1.2.3.3/29",
                    "1.2.3.4/29",
                    "1.2.3.5/29",
                    "1.2.3.6/29"
                ]
            }
        }
    },
    "service": {
        "nat": {
            "rule": {
                "1000": {
                    "description": "Intranet Web Ports",
                    "destination": {
                        "address": "1.2.3.1",
                        "port": "80,443"
                    },
                    "inbound-interface": "eth2",
                    "inside-address": {
                        "address": "10.0.0.21"
                    },
                    "protocol": "tcp",
                    "type": "destination"
                },
                "1010": {
                    "description": "CRM Web Ports",
                    "destination": {
                        "address": "1.2.3.2",
                        "port": "80,443"
                    },
                    "inbound-interface": "eth2",
                    "inside-address": {
                        "address": "10.0.0.22"
                    },
                    "protocol": "tcp",
                    "type": "destination"
                }
            }
        }
    },
    "firewall": {
        "name": {
            "WAN_IN": {
                "rule": {
                    "1000": {
                        "action": "accept",
                        "description": "Intranet Web Ports", 
                        "destination": {
                            "address": "10.0.0.21",
                            "port": "80,443"
                        },
                        "protocol": "tcp",
                        "log": "enable"
                    },
                    "1010": {
                        "action": "accept",
                        "description": "CRM Web Ports", 
                        "destination": {
                            "address": "10.0.0.22",
                            "port": "80,443"
                        },
                        "protocol": "tcp",
                        "log": "enable"
                    }
                }
            }
        }
    }
}

Make sure you test your file then reprovision the gateway.  At this point, there's a very good chance that your system is working, but that it will appear not to be.

I found that the DNS server in the gateway had cached incorrect entries and so I couldn't get valid test results whilst connected to our internal network.  Access the internet via an external connection (e.g. hotspot your phone or something similar) and do a test - it should work fine.

Miscellaneous Bits

  • I've numbered the rules 1000, 1010 and so on.  You can use any numbering you want, just don't use rule numbers that already exist in that section, or you will overwrite what's there.
  • You're using JSON to create an associative array of values (think JavaScript), and so you will either add new values to the existing array or overwrite values if you use the same node name.
  • In my example I've only dealt with TCP: valid options are "tcp", "udp" or "tcp_udp".
  • You don't need to enable the log, but I like to.  You can view the log by logging into the USG via SSH and using the command tail -f /var/log/messages

Hopefully this will save someone the 2 days that I've spent trying to do what is pretty standard stuff in most corporate networks, and what I had expected a PRO version of a gateway would be able to do via the web interface.  I hope that these features will eventually be available via the GUI, but in the meantime this works fine.

Just to make me feel good, please either give me a Thumbs Up or suggest amendments.  Thanks.
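The consistency checks the guide above walks through by hand in Steps 1 to 3 (every DNAT target is one of the addresses on the WAN interface, every DNAT rule has a WAN_IN accept rule for the translated address and port, protocols are spelt tcp/udp/tcp_udp, and rule numbers don't collide with ones already in that section) can be scripted. The following Python is an added example, not code from the post or from Ubiquiti: it parses a config.gateway.json, reports the broken spot the same way `python -m json.tool` does, and then lints the NAT/firewall pairing. The embedded file is the guide's own Step 3 file in a compact layout; the WAN interface name `eth2` and the list of rule numbers already in use on your gateway (`reserved`) are inputs you supply, and the "broken" edits in `example_findings` are constructed for the demonstration.

```python
"""Lint a UniFi config.gateway.json before provisioning (added example, not from the post)."""
import ipaddress
import json
import sys

# The guide's Step 3 file (same content, compact layout), embedded so this runs offline.
GUIDE_CONFIG = """{
 "interfaces": {"ethernet": {"eth2": {"address": ["10.20.30.40/30", "1.2.3.1/29",
   "1.2.3.2/29", "1.2.3.3/29", "1.2.3.4/29", "1.2.3.5/29", "1.2.3.6/29"]}}},
 "service": {"nat": {"rule": {
  "1000": {"description": "Intranet Web Ports", "type": "destination", "protocol": "tcp",
   "inbound-interface": "eth2", "destination": {"address": "1.2.3.1", "port": "80,443"},
   "inside-address": {"address": "10.0.0.21"}},
  "1010": {"description": "CRM Web Ports", "type": "destination", "protocol": "tcp",
   "inbound-interface": "eth2", "destination": {"address": "1.2.3.2", "port": "80,443"},
   "inside-address": {"address": "10.0.0.22"}}}}},
 "firewall": {"name": {"WAN_IN": {"rule": {
  "1000": {"action": "accept", "description": "Intranet Web Ports", "protocol": "tcp",
   "destination": {"address": "10.0.0.21", "port": "80,443"}, "log": "enable"},
  "1010": {"action": "accept", "description": "CRM Web Ports", "protocol": "tcp",
   "destination": {"address": "10.0.0.22", "port": "80,443"}, "log": "enable"}}}}}
}"""


def load_config(text):
    """Parse the file, naming the broken spot the way `python -m json.tool` does."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}") from exc


def parse_ports(spec):
    """'80,443' -> {80, 443}; '8000-8002' -> {8000, 8001, 8002}; no port given -> set() (any)."""
    ports = set()
    for part in (p.strip() for p in str(spec or "").split(",") if p.strip()):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def wan_addresses(cfg, wan_iface):
    """Public addresses from Step 1, prefix length stripped, so DNAT targets can be checked."""
    addrs = cfg.get("interfaces", {}).get("ethernet", {}).get(wan_iface, {}).get("address", [])
    return {str(ipaddress.ip_interface(a).ip) for a in addrs}


def ports_covered(want, have):
    """A firewall rule that lists no port matches every port."""
    return not have or (bool(want) and want <= have)


def check_config(cfg, wan_iface="eth2", reserved=()):
    """Return findings; [] means consistent. `reserved` = rule numbers already on the gateway."""
    findings = []
    reserved = {str(n) for n in reserved}
    public = wan_addresses(cfg, wan_iface)
    nat_rules = cfg.get("service", {}).get("nat", {}).get("rule", {})
    fw_rules = cfg.get("firewall", {}).get("name", {}).get("WAN_IN", {}).get("rule", {})
    # Same key in the same section silently overwrites what the controller already put there.
    for section, rules in (("service.nat.rule", nat_rules), ("firewall.name.WAN_IN.rule", fw_rules)):
        for num in rules:
            if num in reserved:
                findings.append(f"{section}: rule {num} already exists and would be overwritten")
    for num, rule in nat_rules.items():
        if rule.get("type") != "destination":
            continue
        proto = rule.get("protocol")
        if proto not in ("tcp", "udp", "tcp_udp"):
            findings.append(f"nat rule {num}: protocol {proto!r} is not tcp, udp or tcp_udp")
        dest = rule.get("destination", {})
        if rule.get("inbound-interface") == wan_iface and dest.get("address") not in public:
            findings.append(f"nat rule {num}: {dest.get('address')} is not an address on {wan_iface}")
        inside = rule.get("inside-address", {})
        # WAN_IN sees the packet after DNAT, so the accept rule must name the translated
        # address and port (the guide's firewall rules use 10.0.0.x, not 1.2.3.x).
        want = parse_ports(inside["port"] if "port" in inside else dest.get("port"))
        covered = any(
            fw.get("action") == "accept"
            and fw.get("destination", {}).get("address") == inside.get("address")
            and fw.get("protocol") in (proto, "tcp_udp", "all", None)  # no protocol = any
            and ports_covered(want, parse_ports(fw.get("destination", {}).get("port")))
            for fw in fw_rules.values()
        )
        if not covered:
            findings.append(f"nat rule {num}: no WAN_IN accept rule for {inside.get('address')} "
                            f"{proto} ports {sorted(want) or 'any'}")
    return findings


def example_findings():
    """The guide's file with a reused rule number, a misspelt protocol and a wrong host opened."""
    cfg = load_config(GUIDE_CONFIG)
    cfg["service"]["nat"]["rule"]["1010"]["protocol"] = "tcp/udp"
    cfg["firewall"]["name"]["WAN_IN"]["rule"]["1010"]["destination"]["address"] = "10.0.0.23"
    return check_config(cfg, reserved={"1000"})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GUIDE_CONFIG
    print("\n".join(check_config(load_config(text))) or "no problems found")
```

Run it as `python lint_gateway.py config.gateway.json` on the controller before triggering the provision; with no argument it checks the embedded guide file and prints "no problems found". The firewall check deliberately compares against the inside address rather than the public one, which is the point Step 3 makes about WAN_IN.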

 

Ubiquiti Employee
Posts: 4,938
Registered: ‎08-08-2016
Kudos: 5241
Solutions: 343

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Nicely done! Thumbs up from me. Yes those things will be coming to the UI sooner than later. 

New Member
Posts: 4
Registered: ‎04-10-2014
Kudos: 6

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Hey @UBNT-cmb - any more of a definitive timeline? It's a pretty big roadblock on an otherwise very nice device.

New Member
Posts: 1
Registered: ‎08-12-2016
Kudos: 1

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

I'll bump this - this seems like a fairly fundamental feature with regard to a device of this nature and this target audience. I'm in the process of investigating potential devices to replace our current outdated routers with a single router, and a USG would be an attractive option if this ability existed from within the GUI - given that its GUI is one of its major selling points!

Is there any more definitive timeline for the addition of this feature? 

New Member
Posts: 11
Registered: ‎11-18-2014
Kudos: 18

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

@UBNT-cmb: Any idea yet when it will be implemented?

New Member
Posts: 15
Registered: ‎02-18-2017
Kudos: 17

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

This is exactly what I have been looking for. Thanks for sharing.

Will try this out later today.

New Member
Posts: 2
Registered: ‎02-19-2017

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Hello

I am having trouble getting anywhere with this. I understand the whole setting up part, but I am unsure how to get the config.gateway.json file in the right place. I am connected with the USG Pro via SSH, but I can't navigate to the specified folder below.

I can find the srv folder, but it is empty.

Any tips on how to get this done?

Thank you

New Member
Posts: 10
Registered: ‎01-21-2017
Kudos: 3

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Hello,

First you make the config on the gateway itself. When finished and happy you make a dump of the config.

mca-ctrl -t dump-cfg > /tmp/config.gateway.json

Now (easiest using WinSCP) download the config from the gateway and upload this one to the unifi controller.

USG hardware is designed to lose CLI changes on the devices. The CONFIG needs to be stored on a controller (which can be cloudkey, amazon or server application).

I use a Cloud Key, so the config files are stored in: usr/lib/unifi/data/sites/*siteyouliketoconfig*

How to find the right site?

Login from the unifi cloud management portal, in the URL you will find the name of the site you are using.
When I log on to my own unifi I see this: https://unifi.ubnt.com/5.4.11.2/unifi/site/zv6i

So my site name on the cloudkey is: zv6i.

After placing the config in the controller, reboot the controller. After the reboot you need to reprovision the gateway. After a reprovision you know if the config is persistent.

If you have any other question please let me know!
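An added example for the dump-and-upload step above (not the poster's code or anything Ubiquiti ships): instead of uploading the whole `mca-ctrl -t dump-cfg` output, which carries everything the controller already manages and regenerates on each provision, cut out just the subtrees you are overriding, which is also the shape of file the original post uses. The only thing the script relies on is that the dump is a nested JSON object keyed like the EdgeOS config tree; `SAMPLE_DUMP` is a constructed, heavily trimmed stand-in for a real dump, and the three paths in `example_overrides` are the ones the guide's Step 3 sets.

```python
"""Keep only chosen subtrees of a `mca-ctrl -t dump-cfg` dump (added example, not from the post)."""
import copy
import json

# Constructed, heavily trimmed stand-in for what `mca-ctrl -t dump-cfg` prints on a USG.
SAMPLE_DUMP = {
    "interfaces": {"ethernet": {
        "eth0": {"address": ["10.0.0.1/24"], "description": "LAN"},
        "eth2": {"address": ["10.20.30.40/30", "1.2.3.1/29"], "description": "WAN"}}},
    "service": {
        "dhcp-server": {"shared-network-name": {"LAN": {"subnet": {"10.0.0.0/24": {}}}}},
        "nat": {"rule": {
            "1000": {"type": "destination", "protocol": "tcp", "inbound-interface": "eth2",
                     "destination": {"address": "1.2.3.1", "port": "443"},
                     "inside-address": {"address": "10.0.0.21"}},
            "6001": {"type": "masquerade", "outbound-interface": "eth2"}}}},
    "firewall": {"name": {
        "WAN_IN": {"default-action": "drop", "rule": {
            "1000": {"action": "accept", "protocol": "tcp",
                     "destination": {"address": "10.0.0.21", "port": "443"}}}},
        "WAN_LOCAL": {"default-action": "drop"}}},
    "system": {"host-name": "usg-pro", "login": {"user": {"admin": {"level": "admin"}}}},
}


def select_paths(tree, paths):
    """Build a new tree holding only the dotted paths given, e.g. 'service.nat.rule.1000'.

    Each path keeps the object it names (deep-copied) plus the keys leading to it and
    nothing else, so the controller's own settings are not carried into config.gateway.json.
    """
    out = {}
    for path in paths:
        node, cursor, keys = tree, out, path.split(".")
        for key in keys[:-1]:
            if not isinstance(node, dict) or key not in node:
                raise KeyError(f"{path}: no such key {key!r}")
            node = node[key]
            cursor = cursor.setdefault(key, {})
        if not isinstance(node, dict) or keys[-1] not in node:
            raise KeyError(f"{path}: no such key {keys[-1]!r}")
        cursor[keys[-1]] = copy.deepcopy(node[keys[-1]])
    return out


def to_gateway_json(tree):
    """Serialise the way the guide's hand-written file is laid out (4-space indent)."""
    return json.dumps(tree, indent=4, sort_keys=True) + "\n"


def example_overrides():
    """Only the WAN addresses and the two rules the guide adds survive."""
    return select_paths(SAMPLE_DUMP, [
        "interfaces.ethernet.eth2.address",
        "service.nat.rule.1000",
        "firewall.name.WAN_IN.rule.1000",
    ])


if __name__ == "__main__":
    print(to_gateway_json(example_overrides()), end="")
```

Feed it the real dump with `json.load(open("/tmp/config.gateway.json"))` in place of `SAMPLE_DUMP`, write the result to the site folder on the controller, and the file contains only what you intend to override; `default-action`, `WAN_LOCAL`, the masquerade rule and the `system` section stay out of it.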

 

 

New Member
Posts: 2
Registered: ‎02-19-2017

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Hello,

I got all the settings done in the gateway without problems, but as you say the USG loses the changes when provisioning is done.

I made a dump of the config and downloaded the file. At the moment I am using the unifi controller installed on a local server.

I found the following folder \Ubiquiti UniFi\data\sites\default\ (this is the only site on the controller, but the folder was empty apart from another folder called map - is this normal?), and I copied the config.gateway.json file to this folder.

However when provisioning it doesn't seem to use any of these settings.

I also tried making a new file with only the changes that I wanted, and removed everything else. This gave me the same result.

What do you suggest? Should I have the entire config file or only the changes like described in the initial post?

Anyway I don't think I will mess about with it now. I have ordered a cloud key so in a couple of days I will move my configuration to this instead.

I have added the settings manually and it will work ok as long as I don't do anything that causes a new provisioning.

Thanks for the help.

New Member
Posts: 10
Registered: ‎01-21-2017
Kudos: 3

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Strange,

Every new device I set up I'll do this:

setup controller

setup usg (adopt, config basic in gui)

setup ap (adopt, config basic in gui)

export complete configs and dump it on the Controller. Make a minor change to trigger a provision and eventually reboot the whole setup. Please let me know if it works on the Cloudkey.

Regards,

New Member
Posts: 15
Registered: ‎02-18-2017
Kudos: 17

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Hello again,

I used the wrong account when posting before. Tnaa is my customer's account, and this is my own.

I will be trying to use a cloud based solution instead of the cloud key, so I am setting it up now.

Just thought of some other questions regarding this.

I assume that if I am not doing any special setting that can't be done with the controller, then there is no reason to make a config file and add it to the controller.

Let's say that I have added the whole config.gateway.json file to the controller. How does this affect changes that I do on the controller GUI? Will all settings done on the controller GUI still work? What happens if I do some setting that would conflict with the config file? What setting would be used, the one in the file or the one in the controller?

Thanks,

New Member
Posts: 15
Registered: ‎02-18-2017
Kudos: 17

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Hello,

Still having trouble with this, and not sure how to proceed. I now have the controller installed on an ubuntu server, and the controller is working ok for 3 sites. I have placed my config.gateway.json file in /unifi/data/sites/xxx/, but it won't take these settings when provisioning.

The only way I am getting my settings to the USG is manually in the CLI, but of course this is not a usable solution since it loses all my settings when provisioning from the controller.

Any ideas on how to proceed would be great. Are there any logs I can check to see what it does, or if it doesn't like my file?

It's a shame that there isn't a setting in the controller to add configuration settings. It could be a setting called additional settings or something similar where you could just write the settings you need to add or remove.

/Martin

New Member
Posts: 15
Registered: ‎02-18-2017
Kudos: 17

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Got this working today. I made a new config.gateway.json and it worked ok. I don't know what was wrong with the other one. I compared the files and they seem to be identical.

Anyway its working now. Thanks for the help.

Emerging Member
Posts: 48
Registered: ‎03-01-2017
Kudos: 29
Solutions: 2

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

This is an amazing guide, thank you so much for posting it! I was going crazy with the configuration for hours and this helped me solve the problem in minutes!

New Member
Posts: 17
Registered: ‎04-04-2017
Kudos: 1

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Hi,

This was a great article and once you follow this exactly, the Public IPs work. But do you know why any device trying to reach one of these public IPs stops working as soon as that device comes inside the network. 

That is, let's say an external device "A" trying to reach an internal IP or device "B" through one of these Public IPs configured as below works well. But as soon as the external device "A" is brought inside the same network as the internal device "B", the connection fails.

The firewall rules are minimal and just basic.

Can anyone help?

New Member
Posts: 17
Registered: ‎04-04-2017
Kudos: 1

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

To add to that and in an attempt to isolate the issue as not being caused by any of the user devices, I have tried the below:

1) The external device is a mobile device trying to access CCTV footage from NVRServer in the internal network; it works well when configured as per the article, but as soon as the mobile device comes in the same network as that of the NVR, the connection fails.

2) RDP from an external client to the internal ServerPC works as per the below configuration, but stops connecting when the client is brought into the same network as that of the server.

Thanks in advance!

Emerging Member
Posts: 48
Registered: ‎03-01-2017
Kudos: 29
Solutions: 2

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Hi sjose,

I found this too, I have a webserver on HTTPS (port 443), but no internal machine could access the webserver on its external IP.

I found I could add an internal "by-pass" of sorts in the config.gateway.json file which fixes it. It tells the router to direct traffic using a NAT.

See:

{
  "3000": {
    "description": "Webserver",
    "destination": {
      "address": "{external.ip}",
      "port": "443"
    },
    "inbound-interface": "eth0",
    "inside-address": {
      "address": "{internal.ip}"
    },
    "protocol": "tcp",
    "type": "destination"
  }
}

I guess it's not perfect, but it's worked out pretty well so far for me.

New Member
Posts: 5
Registered: ‎02-19-2017

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

What are you adding to the json file to make this "by-pass" work.  I have been asking support for the answer for two weeks!

Emerging Member
Posts: 48
Registered: ‎03-01-2017
Kudos: 29
Solutions: 2

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

In my previous reply, you see the grey box of JSON? That's it.

I add it into config.gateway.json under "service.nat.rules": So my final config looks like this:

{
  "interfaces": {
    "ethernet": {
      "eth2": {
        "address": [
          "{external.ip}/28"
        ]
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "1000": {
          "description": "Webserver",
          "destination": {
            "address": "{external.ip}",
            "port": "443"
          },
          "inbound-interface": "eth2",
          "inside-address": {
            "address": "{internal.ip}"
          },
          "protocol": "tcp",
          "type": "destination"
        },
        "3000": {
          "description": "Webserver Internal Bypass",
          "destination": {
            "address": "{external.ip}",
            "port": "443"
          },
          "inbound-interface": "eth0",
          "inside-address": {
            "address": "{internal.ip}"
          },
          "protocol": "tcp",
          "type": "destination"
        }
      }
    }
  },
  "firewall": {
    "name": {
      "WAN_IN": {
        "rule": {
          "1000": {
            "action": "accept",
            "description": "Webserver",
            "destination": {
              "address": "{internal.ip}",
              "port": "443"
            },
            "protocol": "tcp",
            "log": "enable"
          }
        }
      }
    }
  }
}

So as you can see above if you read through:

Rule 1000 in the NAT service handles incoming connections from the outside of the network.

Rule 3000 in the NAT service handles connections internally to ensure they're redirected before they leave the network.

Rule 1000 in the Firewall handles incoming connections going to the web server.

By no means is it pretty, hell it has proven to break a few things in isolated networks, but for the purposes of my case, it works nicely. Happy to allow for a work around if a better solution exists. If you read through what exactly this does, it looks for connections on eth0 (LAN port), and if they want to go to the web server externally, don't let them, instead route them internally to an inside address.
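As an added example (not code from the post above), here is the lookup those two NAT rules perform, so you can see exactly which rule fires for a packet arriving on eth2 versus eth0 and why nothing happens for LAN clients once rule 3000 is removed. The `{external.ip}` and `{internal.ip}` placeholders are replaced with constructed values and the LAN subnet on eth0 is an assumption. One caveat the post does not cover: when the client and the web server sit on the same subnet, DNAT alone delivers the client's connection to the server, but the server answers the client directly over the LAN from its own address rather than the public one the client connected to, and the client discards that reply. That case also needs a source NAT (masquerade) rule on the LAN side; `reply_bypasses_gateway` flags it.

```python
"""Walk a packet through the DNAT rules of a config.gateway.json (added example, not from the post)."""
import ipaddress

# Constructed stand-ins for the {external.ip} / {internal.ip} placeholders in the post,
# plus an assumed LAN subnet behind eth0.
EXTERNAL_IP = "1.2.3.1"
INTERNAL_IP = "10.0.0.21"
LAN_SUBNET = "10.0.0.0/24"

# service.nat.rule from the post, with the placeholders filled in.
NAT_RULES = {
    "1000": {"description": "Webserver", "type": "destination", "protocol": "tcp",
             "inbound-interface": "eth2",
             "destination": {"address": EXTERNAL_IP, "port": "443"},
             "inside-address": {"address": INTERNAL_IP}},
    "3000": {"description": "Webserver Internal Bypass", "type": "destination", "protocol": "tcp",
             "inbound-interface": "eth0",
             "destination": {"address": EXTERNAL_IP, "port": "443"},
             "inside-address": {"address": INTERNAL_IP}},
}


def rule_matches(rule, in_iface, dst_ip, dst_port, proto):
    """One DNAT rule: inbound interface, destination address/port list and protocol must all agree."""
    if rule.get("type") != "destination" or rule.get("inbound-interface") != in_iface:
        return False
    dest = rule.get("destination", {})
    if "address" in dest and dest["address"] != dst_ip:
        return False
    if "port" in dest and str(dst_port) not in [p.strip() for p in str(dest["port"]).split(",")]:
        return False
    want = rule.get("protocol", "tcp_udp")  # assumption: an unset protocol matches tcp and udp
    return want in ("tcp_udp", proto)


def translate(rules, in_iface, dst_ip, dst_port, proto="tcp"):
    """First matching rule in numeric order wins. Returns (rule number, new ip, new port) or None."""
    for num in sorted(rules, key=int):
        if rule_matches(rules[num], in_iface, dst_ip, dst_port, proto):
            inside = rules[num]["inside-address"]
            return num, inside["address"], int(inside.get("port", dst_port))
    return None


def without_rule(rules, num):
    """The same rule set with one rule removed, to see what stops working without it."""
    return {k: v for k, v in rules.items() if k != num}


def reply_bypasses_gateway(client_ip, server_ip, subnet=LAN_SUBNET):
    """True when client and server share the LAN subnet: the server then answers the client
    directly, the client sees a reply from INTERNAL_IP instead of EXTERNAL_IP and drops it,
    so the hairpin case additionally needs source NAT on the LAN side."""
    net = ipaddress.ip_network(subnet)
    return ipaddress.ip_address(client_ip) in net and ipaddress.ip_address(server_ip) in net


if __name__ == "__main__":
    print("from WAN:", translate(NAT_RULES, "eth2", EXTERNAL_IP, 443))
    print("from LAN:", translate(NAT_RULES, "eth0", EXTERNAL_IP, 443))
    print("from LAN without 3000:", translate(without_rule(NAT_RULES, "3000"), "eth0", EXTERNAL_IP, 443))
    print("same-subnet client needs SNAT too:", reply_bypasses_gateway("10.0.0.50", INTERNAL_IP))
```

The model stops at the DNAT lookup; it does not evaluate WAN_IN or the return path, which is exactly where the same-subnet case fails.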

New Member
Posts: 1
Registered: ‎04-06-2017

Re: USG Pro - Multiple WAN IPS mapped to various internal locations - How To Guide

Hi ACoghlan,

The JSON file as above, should that be created while in the USG or do you just create it elsewhere and copy to the Cloudkey .../sites/default/ folder?

Because I created the same config.gateway.json and got it validated and so on, but the USG goes into an endless loop of provisioning after I place it in the Cloudkey. Moreover, the config doesn't take effect.

So, I got in touch with the Ubiquiti chat support who had advised that the configs have to be created in the USG and then dumped as a JSON file into the /sites/default/ folder in the Cloudkey. But they themselves couldn't tell me what commands to be performed in the USG to arrive at that config.

Please tell me how you had made that config in the USG?

Appreciate the help!
