
USG Pro config for Netherlands FTTH XS4All Fiber


Hi!

 

Today I received my USG Pro. I'm trying to configure it but I'm running into walls. I lack the knowledge to make it do what it supposedly can do. Is there anyone who can help me out? 

 

Here's what I need it to do: 

I've got a fiber connection (isp XS4All, Netherlands) at my home. 

- VLAN 6 = internet; PPPoE does the authentication here. I'd like this to be routed to port LAN1

- PPPoE (obviously, hence the previous statement)

- VLAN 4 = IPTV. I would like this to be routed to port LAN2

- routing and firewalling

 

I also have a subnet with 8 IPs that I need to route to my virtual environment. This is a /29 network with 8 public IPs. This may become a separate VLAN if need be. It currently runs along VLAN 6 as well.

 

Apparently the USG Pro can do all this, but after about a day of trial and error I'm no further than I was when I started.

 

Who can help me out (and, more importantly, also wants to help me out)? :-)

 

Many thanks in advance!

Alex


Re: USG Pro config for Netherlands FTTH XS4All Fiber

https://www.byluke.nl/tutorial/ubiquiti-usg-werkend-krijgen-kpn-glasvezel/

Pas de next hop en je PPPoE-login aan in de JSON.
Maar XS4All verschilt niet zo veel van KPN.

[code]
{
"firewall": {
"ip-src-route": "disable",
"ipv6-name": {
"WANv6_IN": {
"default-action": "drop",
"description": "WAN inbound traffic forwarded to LAN",
"enable-default-log": "''",
"rule": {
"10": {
"action": "accept",
"description": "Allow established/related sessions",
"state": {
"established": "enable",
"related": "enable"
}
},
"20": {
"action": "drop",
"description": "Drop invalid state",
"state": {
"invalid": "enable"
}
}
}
},
"WANv6_LOCAL": {
"default-action": "drop",
"description": "WAN inbound traffic to the router",
"enable-default-log": "''",
"rule": {
"10": {
"action": "accept",
"description": "Allow established/related sessions",
"state": {
"established": "enable",
"related": "enable"
}
},
"20": {
"action": "drop",
"description": "Drop invalid state",
"state": {
"invalid": "enable"
}
},
"30": {
"action": "accept",
"description": "Allow IPv6 icmp",
"protocol": "ipv6-icmp"
},
"40": {
"action": "accept",
"description": "allow dhcpv6",
"destination": {
"port": "546"
},
"protocol": "udp",
"source": {
"port": "547"
}
}
}
}
},
"ipv6-receive-redirects": "disable",
"ipv6-src-route": "disable",
"log-martians": "enable",
"source-validation": "disable"
},
"interfaces": {
"bridge": {
"br0": {
"aging": "300",
"bridged-conntrack": "disable",
"hello-time": "2",
"max-age": "20",
"priority": "32768",
"promiscuous": "disable",
"stp": "false"
}
},
"ethernet": {
"eth0": {
"description": "eth0 - FTTH",
"duplex": "auto",
"mtu": "1512",
"speed": "auto",
"vif": {
"4": {
"address": [
"dhcp"
],
"description": "eth0.4 - IPTV",
"dhcp-options": {
"client-option": [
"send vendor-class-identifier "IPTV_RG";",
"request subnet-mask, routers, rfc3442-classless-static-routes;"
],
"default-route": "no-update",
"default-route-distance": "210",
"name-server": "update"
}
},
"6": {
"description": "eth0.6 - Internet",
"mtu": "1508",
"pppoe": {
"2": {
"idle-timeout": "180",
"dhcpv6-pd": {
"no-dns": "''",
"pd": {
"0": {
"interface": {
"eth1": "''"
},
"prefix-length": "/48"
}
},
"rapid-commit": "disable"
},
"firewall": {
"in": {
"ipv6-name": "WANv6_IN",
"name": "WAN_IN"
},
"local": {
"ipv6-name": "WANv6_LOCAL",
"name": "WAN_LOCAL"
}
},
"ipv6": {
"address": {
"autoconf": "''"
},
"dup-addr-detect-transmits": "1",
"enable": "''"
},
"mtu": "1500",
"name-server": "auto",
"password": "kpn",
"user-id": "MAC-ADRES-WAN-POORT@internet"
}
}
},
"7": {
"bridge-group": {
"bridge": "br0"
},
"description": "eth0.7 - VOIP",
"mtu": "1500"
}
}
},
"eth1": {
"description": "eth1 - LAN",
"duplex": "auto",
"speed": "auto",
"ipv6": {
"dup-addr-detect-transmits": "1",
"router-advert": {
"cur-hop-limit": "64",
"link-mtu": "0",
"managed-flag": "false",
"max-interval": "600",
"name-server": [
"2001:4860:4860::8888",
"2001:4860:4860::8844"
],
"other-config-flag": "false",
"prefix": {
"::/64": {
"autonomous-flag": "true",
"on-link-flag": "true",
"valid-lifetime": "2592000"
}
},
"radvd-options": [
"RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};"
],
"reachable-time": "0",
"retrans-timer": "0",
"send-advert": "true"
}
}
},
"eth2": {
"description": "eth2 - ExperiaBox",
"duplex": "auto",
"speed": "auto",
"vif": {
"7": {
"bridge-group": {
"bridge": "br0"
},
"description": "eth2.7 - ExperiaBox VOIP",
"mtu": "1500"
}
}
}
}
},
"protocols": {
"igmp-proxy": {
"interface": {
"eth0.4": {
"alt-subnet": [
"0.0.0.0/0"
],
"role": "upstream",
"threshold": "1"
},
"eth1": {
"alt-subnet": [
"0.0.0.0/0"
],
"role": "downstream",
"threshold": "1"
}
}
},
"static": {
"interface-route6": {
"::/0": {
"next-hop-interface": {
"pppoe2": "''"
}
}
},
"route": {
"213.75.112.0/21": {
"next-hop": {
"10.58.44.1": "''"
}
}
}
}
},
"port-forward": {
"auto-firewall": "enable",
"wan-interface": "pppoe2"
},
"service": {
"dhcp-server": {
"hostfile-update": "disable",
"shared-network-name": {
"LAN_192.168.2.0-24": {
"authoritative": "enable",
"subnet": {
"192.168.2.0/24": {
"dns-server": [
"192.168.2.254",
"8.8.8.8",
"8.8.4.4"
]
}
}
}
}
},
"dns": {
"forwarding": {
"cache-size": 150,
"name-server": [
"8.8.8.8",
"8.8.4.4"
],
"except-interface": ["eth0", "eth2","eth0.6"],
"options": [
"listen-address=192.168.2.254"
]
}
},
"nat": {
"rule": {
"5000": {
"description": "IPTV",
"destination": {
"address": "213.75.112.0/21"
},
"log": "disable",
"outbound-interface": "eth0.4",
"protocol": "all",
"type": "masquerade"
},
"5010": {
"description": "KPN Internet",
"log": "enable",
"outbound-interface": "pppoe2",
"protocol": "all",
"source": {
"address": "192.168.2.0/24"
},
"type": "masquerade"
},
"6001": {
"disable": "''"
},
"6002": {
"disable": "''"
},
"6003": {
"disable": "''"
},
"6004": {
"disable": "''"
},
"6005": {
"disable": "''"
},
"6006": {
"disable": "''"
},
"6007": {
"disable": "''"
},
"6008": {
"disable": "''"
}
}
}
},
"system": {
"name-server": [
"8.8.8.8",
"8.8.4.4",
"2001:4860:4860::8888",
"2001:4860:4860::8844"
]
}
}
[/code]



Re: USG Pro config for Netherlands FTTH XS4All Fiber

Hi Stekkerdoos!

 

Thanks! That's a terrific start. This seems to be a partial solution for me, however. I don't have an Experia box, and VoIP does not need to be redirected as it does not come through a separate VLAN (in fact, VoIP goes through VLAN 6).

 

When I look at the code, VIF is the virtual interface, so 0.4 would be virtual interface 4 on ETH0. Does that automatically relate to VLAN 4?

 

The reason I ask is that the USG has 4 ports. If I understand and counted correctly, ETH0 is designated LAN1, ETH1 is LAN2, ETH2 is WAN1 and ETH3 is WAN2. If I want the designations to match function I need to rearrange the ETH assignments. 

 

And then I still need to route my /29 subnet. The USG is supposed to support a DMZ. It would be cool if we could assign this /29 a VLAN tag (for instance VLAN666) and map that to the DMZ. We could use the WAN2 port for this. 

 

My Next Hop would be the next host I connect to when I connect to the internet?

Also, am I correct to understand that KPN uses your MAC address to authenticate?

 

I think XS4All does it differently. I do have a username and password. 

 

Again, many thanks for the assistance!

 

Kind regards, 

Alex


Re: USG Pro config for Netherlands FTTH XS4All Fiber

Sorry, I already worked out that a VIF addresses a VLAN and not a virtual interface, unlike in Linux. Got that one covered now :-)


Re: USG Pro config for Netherlands FTTH XS4All Fiber

Hi amuetste,

 

Have you got this working by now? I see your post is from February this year. I'm in exactly the same situation (XS4ALL, IPTV on LAN2), and would like to have this configured with a private subnet on the USG Pro.

It would save me a lot of work if somebody has already found a way to set this up.

 

Kind regards,

 

Mark


Re: USG Pro config for Netherlands FTTH XS4All Fiber

Hi guys,

 

I'm also using FTTH with xs4all subscription with IPTV. Do you need the pro version of the USG or will the standard smaller USG be sufficient to use instead of the Fritzbox?

 

Thanks,

 

Rob


Re: USG Pro config for Netherlands FTTH XS4All Fiber

Any xs4all users here who have managed to replace the Fritzbox with the Gateway?


Re: USG Pro config for Netherlands FTTH XS4All Fiber

Replacing is a big word, but a workaround, yes.

I've added an extra subnet /ipv4 (9,50 per month) and assigned the IP from that to the WAN interface of the Unifi USG.


Re: USG Pro config for Netherlands FTTH XS4All Fiber

Hi @VerheijenRob, could you post your configuration to show us how you did it? I'm also interested in (at least partially) replacing the FritzBox.


Re: USG Pro config for Netherlands FTTH XS4All Fiber


I have FTTH with XS4All working with IPv6 and routed IPTV.
This is on a USG3, I can't imagine it would take too much work adapting it for the Pro:

{
   "interfaces" : {
      "ethernet" : {
         "eth0" : {
            "vif" : {
               "4" : {
                  "address" : [
                     "dhcp"
                  ],
                  "dhcp-options" : {
                     "client-option" : [
                        "send vendor-class-identifier "IPTV_RG";",
                        "request subnet-mask, routers, rfc3442-classless-static-routes;"
                     ],
                     "default-route" : "no-update",
                     "default-route-distance": "210",
                     "name-server" : "no-update"
                  }
               },
               "6" : {
                  "pppoe" : {
                     "2" : {
                        "firewall": {
                           "in": {
                              "ipv6-name": "WANv6_IN",
                              "name": "WAN_IN"
                           },
                           "out": {
                              "ipv6-name": "WANv6_OUT",
                              "name": "WAN_OUT"
                           },
                           "local": {
                              "ipv6-name": "WANv6_LOCAL",
                              "name": "WAN_LOCAL"
                           }
                        },
                        "ipv6" : {
                           "dup-addr-detect-transmits" : "1",
                           "enable" : "''",
                           "address" : {
                              "autoconf" : "''"
                           }
                        },
                        "dhcpv6-pd" : {
                           "prefix-only" : "''",
                           "rapid-commit" : "enable",
                           "pd" : {
                              "0" : {
                                 "prefix-length" : "/48"
                              }
                           }
                        },
                        "user-id" : "myuser",
                        "password" : "*****************"
                     }
                  }
               }
            }
         }
      }
   },
   "service" : {
      "nat" : {
         "rule" : {
            "5000" : {
               "type" : "masquerade",
               "destination" : {
                  "address" : "213.75.112.0/21"
               },
               "protocol" : "all",
               "outbound-interface" : "eth0.4",
               "log": "disable"
            },
            "6001" : {
               "type" : "masquerade",
               "source" : {
                  "group" : {
                     "network-group" : "corporate_network"
                  }
               },
               "protocol" : "all",
               "outbound-interface" : "pppoe2",
               "log": "disable"
            },
            "6003": {
               "type": "masquerade",
               "source": {
                  "group": {
                     "network-group": "guest_network"
                  }
               },
               "outbound-interface": "pppoe2",
               "protocol": "all",
               "log": "disable"
            }
         }
      }
   },
   "protocols" : {
      "igmp-proxy" : {
         "interface" : {
            "eth0.4" : {
               "role" : "upstream",
               "threshold" : "1",
               "alt-subnet" : [
                  "213.75.167.0/24"
               ]
            },
            "eth1" : {
               "role" : "downstream",
               "threshold" : "1",
               "alt-subnet" : [
                  "192.168.1.0/24"
               ]
            }
         }
      },
      "static" : {
         "interface-route6" : {
            "::/0" : {
               "next-hop-interface" : {
                  "pppoe2" : "''"
               }
            }
         }
      }
   }
}

 As I've tried to do as much in the interface as possible, I'm running 5.7.x (adds IPv6), and have the following things configured there:

 - A static route for 213.75.112.0/21 via 10.194.200.1.

 - A firewall rule in wan6_local for traffic from link-local (fe80::/10) UDP 547 to link-local UDP 546. (For DHCPv6)

 

If anyone has any tips to reduce the amount of json, or any other improvements, please share.

 

Ah, and don't forget to enable IGMP snooping on your switch / network.


Re: USG Pro config for Netherlands FTTH XS4All Fiber


Do you have VDSL or Glass Fiber?

I'm working on a small article covering this set-up, with some screenshots regarding the devices.

Will post the URL soon once it's ready.

The hardest part for me was the VLAN setup and keeping the TV working.


Re: USG Pro config for Netherlands FTTH XS4All Fiber

Fiber. I'll add it to my post for clarification.

Re: USG Pro config for Netherlands FTTH XS4All Fiber

Hi Alex,

 

Did you succeed in configuring the USG for use with xs4all?


Re: USG Pro config for Netherlands FTTH XS4All Fiber

Yes,

You can do NAT and IPv6 in the controller, so the JSON only needs to contain VLAN 4 and the IGMP proxy.

Re: USG Pro config for Netherlands FTTH XS4All Fiber


network.png

This is the set-up you could use for fiber. For VDSL an extra device (DrayTek Vigor 130) is required to convert the RJ11 to RJ45. But more details will be shared later, with screenshots and configuration options.


Re: USG Pro config for Netherlands FTTH XS4All Fiber

I suppose I could have been more clear in my post. I'm on the verge of buying the USG Pro, but am trying to find enough information to make sure it will work for my setup.

 

I also have xs4all fiber (but no IPTV) , and the extra IP subnet. Can you setup the extra subnet via the GUI? Because I don't recognise the configuration for the extra IP subnet in the posted example configuration.

 

Ideally, I would like to tag the extra IP subnet traffic with a vLAN id while I distribute it to wherever it is needed in my house.


Re: USG Pro config for Netherlands FTTH XS4All Fiber

Looking at that diagram, that looks like bridged IPTV, not routed, correct?


Re: USG Pro config for Netherlands FTTH XS4All Fiber


@victorclaessen

No, there is no GUI option for an extra subnet.

Only 1 WAN IP is possible.

 

If you have multiple WAN VLANs/PPPoE and IPs, use an EdgeRouter; the USG is a no-go.

 

The JSON config (a kind of CLI) is terrible and dangerous: one mistake and you have a boot loop and your site is down.

 

There is no test-and-apply. The USG is for SOHO and very small business use.

 

The EdgeRouter is the pro router; the USG is the home router.

 

 


Re: USG Pro config for Netherlands FTTH XS4All Fiber

If you're referring to the configuration I posted, that's correct. I don't have any extra subnet.

Re: USG Pro config for Netherlands FTTH XS4All Fiber


@VerheijenRob you can remove the TP-Link and use the IGMP proxy on the USG.

XS4All is phasing out bridged IPTV, so you can't use your setup any more. You have to move to routed IPTV (doing IGMP proxy on the USG). It is faster at switching channels and you will get more options (meer tv): you can use Netflix, NPO and many more apps on the STB. It will also activate Netflix connect, so you can stream to your XS4All STB (tv kastje).

 

It is very easy to remove the TP-Link. XS4All is just a brand of KPN; they use exactly the same network and configuration, so there is a lot of info, and there are many working JSON files to download on the Dutch forums.
