UniFi Security Gateway configuration
{
"firewall": {
"all-ping": "enable",
"broadcast-ping": "disable",
"group": {
"address-group": {
"authorized_guests": {
"description": "authorized guests MAC addresses"
},
"guest_allow_addresses": {
"description": "allow addresses for guests"
},
"guest_allow_dns_servers": {
"description": "allow dns servers for guests"
},
"guest_portal_address": {
"description": "guest portal address"
},
"guest_restricted_addresses": {
"address": [
"192.168.0.0/16",
"172.16.0.0/12",
"10.0.0.0/8"
],
"description": "restricted addresses for guests"
},
"unifi_controller_addresses": "''",
"voip_sip_server_addresses": {
"description": "VOIP SIP server addresses"
}
},
"network-group": {
"captive_portal_subnets": {
"description": "captive portal subnets"
},
"corporate_network": {
"description": "corporate subnets",
"network": [
"192.168.1.0/24"
]
},
"guest_allow_subnets": {
"description": "allow subnets for guests"
},
"guest_network": {
"description": "guest subnets"
},
"guest_restricted_subnets": {
"description": "restricted subnets for guests"
},
"remote_user_vpn_network": {
"description": "remote user vpn subnets"
},
"voip_network": {
"description": "voip subnets"
}
},
"port-group": {
"guest_portal_ports": {
"description": "guest portal ports"
},
"guest_portal_redirector_ports": {
"description": "guest portal redirector ports",
"port": [
"39080"
]
},
"unifi_controller_ports-tcp": {
"description": "unifi tcp ports",
"port": [
"8080"
]
},
"unifi_controller_ports-udp": {
"description": "unifi udp ports",
"port": [
"3478"
]
},
"voip_sip_server_ports": {
"description": "voip sip server udp ports",
"port": [
"5060",
"10000-10100"
]
}
}
},
"ip-src-route": "disable",
"ipv6-receive-redirects": "disable",
"ipv6-src-route": "disable",
"log-martians": "enable",
"name": {
"AUTHORIZED_GUESTS": {
"default-action": "drop",
"description": "authorization check packets from guest network"
},
"GUEST_IN": {
"default-action": "accept",
"description": "packets from guest network",
"rule": {
"3001": {
"action": "accept",
"description": "allow DNS packets to external name servers",
"destination": {
"port": "53"
},
"protocol": "udp"
},
"3002": {
"action": "accept",
"description": "allow packets to captive portal",
"destination": {
"group": {
"network-group": "captive_portal_subnets"
},
"port": "443"
},
"protocol": "tcp"
},
"3003": {
"action": "accept",
"description": "allow packets to allow subnets",
"destination": {
"group": {
"address-group": "guest_allow_addresses"
}
}
},
"3004": {
"action": "drop",
"description": "drop packets to restricted subnets",
"destination": {
"group": {
"address-group": "guest_restricted_addresses"
}
}
},
"3005": {
"action": "drop",
"description": "drop packets to intranet",
"destination": {
"group": {
"network-group": "corporate_network"
}
}
},
"3006": {
"action": "drop",
"description": "drop packets to voip",
"destination": {
"group": {
"network-group": "voip_network"
}
}
},
"3007": {
"action": "drop",
"description": "drop packets to remote user",
"destination": {
"group": {
"network-group": "remote_user_vpn_network"
}
}
},
"3008": {
"action": "drop",
"description": "authorized guests white list",
"destination": {
"group": {
"address-group": "authorized_guests"
}
}
}
}
},
"GUEST_LOCAL": {
"default-action": "drop",
"description": "packets from guest network to gateway",
"rule": {
"3001": {
"action": "accept",
"description": "allow DNS",
"destination": {
"port": "53"
},
"protocol": "udp"
},
"3002": {
"action": "accept",
"description": "allow ICMP",
"protocol": "icmp"
}
}
},
"GUEST_OUT": {
"default-action": "accept",
"description": "packets forward to guest network"
},
"LAN_IN": {
"default-action": "accept",
"description": "packets from intranet",
"rule": {
"3001": {
"action": "accept",
"description": "packets from unifi to voip",
"destination": {
"group": {
"network-group": "voip_network"
}
},
"source": {
"group": {
"address-group": "unifi_controller_addresses"
}
}
},
"3002": {
"action": "drop",
"description": "packets from intranet to voip",
"destination": {
"group": {
"network-group": "voip_network"
}
}
},
"6001": {
"action": "accept",
"description": "accounting defined network 192.168.1.0/24",
"source": {
"address": "192.168.1.0/24"
}
}
}
},
"LAN_LOCAL": {
"default-action": "accept",
"description": "packets from intranet to gateway"
},
"LAN_OUT": {
"default-action": "accept",
"description": "packets forward to intranet",
"rule": {
"6001": {
"action": "accept",
"description": "accounting defined network 192.168.1.0/24",
"destination": {
"address": "192.168.1.0/24"
}
}
}
},
"VOIP_IN": {
"default-action": "accept",
"description": "packets from voip to intranet",
"rule": {
"3001": {
"action": "accept",
"description": "icmp to unifi",
"destination": {
"group": {
"address-group": "unifi_controller_addresses"
}
},
"protocol": "icmp"
},
"3002": {
"action": "accept",
"description": "inform to unifi",
"destination": {
"group": {
"address-group": "unifi_controller_addresses",
"port-group": "unifi_controller_ports-tcp"
}
},
"protocol": "tcp"
},
"3003": {
"action": "accept",
"description": "stun to unifi",
"destination": {
"group": {
"address-group": "unifi_controller_addresses",
"port-group": "unifi_controller_ports-udp"
}
},
"protocol": "udp"
},
"3004": {
"action": "accept",
"description": "allow established/related sessions",
"destination": {
"group": {
"address-group": "unifi_controller_addresses"
}
},
"state": {
"established": "enable",
"invalid": "disable",
"new": "disable",
"related": "enable"
}
},
"3005": {
"action": "drop",
"description": "drop invalid state",
"destination": {
"group": {
"address-group": "unifi_controller_addresses"
}
},
"state": {
"established": "disable",
"invalid": "enable",
"new": "disable",
"related": "disable"
}
},
"3006": {
"action": "drop",
"description": "drop VoIP to LAN traffic",
"destination": {
"group": {
"network-group": "corporate_network"
}
}
},
"3007": {
"action": "drop",
"description": "drop VoIP to GUEST traffic",
"destination": {
"group": {
"network-group": "guest_network"
}
}
},
"3008": {
"action": "drop",
"description": "drop VoIP to REMOTE USER traffic",
"destination": {
"group": {
"network-group": "remote_user_vpn_network"
}
}
}
}
},
"VOIP_LOCAL": {
"default-action": "drop",
"description": "packets from voip to gateway",
"rule": {
"3001": {
"action": "accept",
"description": "allow DNS",
"destination": {
"port": "53"
},
"protocol": "udp"
},
"3002": {
"action": "accept",
"description": "allow ICMP",
"protocol": "icmp"
},
"3003": {
"action": "accept",
"description": "allow established/related sessions",
"state": {
"established": "enable",
"invalid": "disable",
"new": "disable",
"related": "enable"
}
},
"3004": {
"action": "drop",
"description": "drop invalid state",
"state": {
"established": "disable",
"invalid": "enable",
"new": "disable",
"related": "disable"
}
}
}
},
"VOIP_OUT": {
"default-action": "accept",
"description": "packets forward to voip"
},
"WAN_IN": {
"default-action": "drop",
"description": "packets from internet to intranet",
"rule": {
"3001": {
"action": "accept",
"description": "allow established/related sessions",
"state": {
"established": "enable",
"invalid": "disable",
"new": "disable",
"related": "enable"
}
},
"3002": {
"action": "drop",
"description": "drop invalid state",
"state": {
"established": "disable",
"invalid": "enable",
"new": "disable",
"related": "disable"
}
}
}
},
"WAN_LOCAL": {
"default-action": "drop",
"description": "packets from internet to gateway",
"rule": {
"3001": {
"action": "accept",
"description": "allow established/related sessions",
"state": {
"established": "enable",
"invalid": "disable",
"new": "disable",
"related": "enable"
}
},
"3002": {
"action": "drop",
"description": "drop invalid state",
"state": {
"established": "disable",
"invalid": "enable",
"new": "disable",
"related": "disable"
}
},
"3003": {
"action": "accept",
"description": "allow ICMP",
"protocol": "icmp"
}
}
}
},
"options": {
"mss-clamp": {
"interface-type": [
"pppoe",
"pptp"
],
"mss": "1412"
}
},
"receive-redirects": "disable",
"send-redirects": "enable",
"source-validation": "disable",
"syn-cookies": "enable"
},
"interfaces": {
"ethernet": {
"eth0": {
"duplex": "auto",
"mtu": "1512",
"speed": "auto",
"vif": {
"4": {
"address": [
"dhcp"
],
"dhcp-options": {
"client-option": [
"send vendor-class-identifier \"IPTV_RG\";",
"request subnet-mask, routers, rfc3442-classless-static-routes;"
],
"default-route": "no-update",
"default-route-distance": "210",
"name-server": "update"
}
},
"6": {
"firewall": {
"in": {
"name": "WAN_IN"
},
"local": {
"name": "WAN_LOCAL"
}
},
"mtu": "1508",
"pppoe": {
"2": {
"default-route": "none",
"firewall": {
"in": {
"name": "WAN_IN"
},
"local": {
"name": "WAN_LOCAL"
}
},
"mtu": "1500",
"name-server": "auto",
"password": "kpn",
"user-id": "xx-xx-xx-xx-xx-xx@internet"
}
}
}
}
},
"eth1": {
"address": [
"192.168.1.1/24"
],
"duplex": "auto",
"firewall": {
"in": {
"name": "LAN_IN"
},
"local": {
"name": "LAN_LOCAL"
},
"out": {
"name": "LAN_OUT"
}
},
"speed": "auto"
},
"eth2": {
"disable": "''",
"duplex": "auto",
"speed": "auto"
}
},
"loopback": {
"lo": "''"
}
},
"port-forward": {
"auto-firewall": "disable",
"hairpin-nat": "enable",
"lan-interface": [
"eth1"
],
"wan-interface": "pppoe2"
},
"protocols": {
"igmp-proxy": {
"interface": {
"eth0": {
"role": "disabled",
"threshold": "1"
},
"eth0.4": {
"alt-subnet": [
"213.75.0.0/16"
],
"role": "upstream",
"threshold": "1"
},
"eth0.6": {
"role": "disabled",
"threshold": "1"
},
"eth1": {
"role": "downstream",
"threshold": "1"
}
}
},
"static": {
"interface-route": {
"0.0.0.0/0": {
"next-hop-interface": {
"pppoe2": {
"distance": "1"
}
}
},
"213.75.112.0/21": {
"next-hop-interface": {
"eth0.4": {
"distance": "1"
}
}
}
}
}
},
"service": {
"dhcp-server": {
"disabled": "false",
"hostfile-update": "enable",
"shared-network-name": {
"LAN_192.168.1.0-24": {
"authoritative": "enable",
"description": "vlan1",
"subnet": {
"192.168.1.0/24": {
"default-router": "192.168.1.1",
"dns-server": [
"192.168.1.1"
],
"lease": "86400",
"start": {
"192.168.1.6": {
"stop": "192.168.1.254"
}
}
}
}
}
},
"use-dnsmasq": "disable"
},
"dns": {
"forwarding": {
"cache-size": "500",
"except-interface": [
"pppoe2"
],
"options": [
"host-record=unifi,127.0.0.1"
]
}
},
"gui": {
"https-port": "443"
},
"lldp": {
"interface": {
"eth0": {
"disable": "''"
}
}
},
"nat": {
"rule": {
"5010": {
"description": "IPTV",
"destination": {
"address": "213.75.112.0/21"
},
"log": "disable",
"outbound-interface": "eth0.4",
"protocol": "all",
"type": "masquerade"
},
"6001": {
"description": "MASQ corporate_network to WAN",
"log": "disable",
"outbound-interface": "pppoe2",
"protocol": "all",
"source": {
"group": {
"network-group": "corporate_network"
}
},
"type": "masquerade"
},
"6002": {
"description": "MASQ voip_network to WAN",
"log": "disable",
"outbound-interface": "pppoe2",
"protocol": "all",
"source": {
"group": {
"network-group": "voip_network"
}
},
"type": "masquerade"
},
"6003": {
"description": "MASQ remote_user_vpn_network to WAN",
"log": "disable",
"outbound-interface": "pppoe2",
"protocol": "all",
"source": {
"group": {
"network-group": "remote_user_vpn_network"
}
},
"type": "masquerade"
},
"6004": {
"description": "MASQ guest_network to WAN",
"log": "disable",
"outbound-interface": "pppoe2",
"protocol": "all",
"source": {
"group": {
"network-group": "guest_network"
}
},
"type": "masquerade"
}
}
},
"ssh": {
"port": "22",
"protocol-version": "v2"
}
}
}
# EdgeOS/Vyatta configure-mode session for the USG. These `set` lines cover the
# same IPTV (VLAN 4), PPPoE internet (VLAN 6), IGMP proxy, static route and NAT
# items that appear in the JSON export above; everything else on the gateway is
# left to the controller-provisioned configuration.
configure
# eth0 is the physical WAN port. Parent MTU 1512 sits above the VLAN 6 MTU
# (1508) and the PPPoE session MTU (1500) set further down — presumably to
# keep a full 1500-byte payload through the PPPoE encapsulation; confirm
# against the ISP's requirements.
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 mtu 1512
# VLAN 4: IPTV uplink, addressed by DHCP. The vendor-class and the classless
# static-route request are sent as raw dhclient options; the DHCP-learned
# default route is not installed (distance 210 only matters if that changes),
# while the DHCP-supplied name servers are accepted.
set interfaces ethernet eth0 vif 4 address dhcp
set interfaces ethernet eth0 vif 4 dhcp-options client-option 'send vendor-class-identifier "IPTV_RG";'
set interfaces ethernet eth0 vif 4 dhcp-options client-option 'request subnet-mask, routers, rfc3442-classless-static-routes;'
set interfaces ethernet eth0 vif 4 dhcp-options default-route no-update
set interfaces ethernet eth0 vif 4 dhcp-options default-route-distance 210
set interfaces ethernet eth0 vif 4 dhcp-options name-server update
# VLAN 6: internet via PPPoE. The WAN_IN/WAN_LOCAL rulesets (default-action
# drop in the JSON) are bound both to the VLAN itself and to the pppoe2 session
# so untagged/unencapsulated traffic on VLAN 6 is filtered as well.
set interfaces ethernet eth0 vif 6 mtu 1508
set interfaces ethernet eth0 vif 6 firewall in name WAN_IN
set interfaces ethernet eth0 vif 6 firewall local name WAN_LOCAL
# default-route none: the default route is added explicitly as a static
# interface-route via pppoe2 below rather than learned from the PPP peer.
set interfaces ethernet eth0 vif 6 pppoe 2 default-route none
set interfaces ethernet eth0 vif 6 pppoe 2 firewall in name WAN_IN
set interfaces ethernet eth0 vif 6 pppoe 2 firewall local name WAN_LOCAL
set interfaces ethernet eth0 vif 6 pppoe 2 mtu 1500
set interfaces ethernet eth0 vif 6 pppoe 2 name-server auto
# NOTE(review): PPPoE credentials are committed here in cleartext and also
# appear in the JSON export; the user-id is already masked (xx-xx-...), so
# confirm 'kpn' is a placeholder/ISP default rather than a real secret — TODO.
set interfaces ethernet eth0 vif 6 pppoe 2 password kpn
set interfaces ethernet eth0 vif 6 pppoe 2 user-id xx-xx-xx-xx-xx-xx@internet
# IGMP proxy for multicast IPTV: upstream on the IPTV VLAN (eth0.4, with the
# provider range 213.75.0.0/16 as an alternate source subnet), downstream on
# the LAN (eth1); the untagged WAN port and the PPPoE VLAN do not take part.
set protocols igmp-proxy interface eth0.4 alt-subnet 213.75.0.0/16
set protocols igmp-proxy interface eth0.4 role upstream
set protocols igmp-proxy interface eth0.4 threshold 1
set protocols igmp-proxy interface eth0.6 role disabled
set protocols igmp-proxy interface eth0 role disabled
set protocols igmp-proxy interface eth1 role downstream
set protocols igmp-proxy interface eth1 threshold 1
# Routing: the IPTV platform range 213.75.112.0/21 goes out over the IPTV VLAN,
# everything else over the PPPoE session (matches the `default-route none` above).
set protocols static interface-route 213.75.112.0/21 next-hop-interface eth0.4 distance 1
set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe2 distance 1
# NAT rule 5010: masquerade LAN traffic destined for the IPTV range behind the
# eth0.4 DHCP address. Rule numbers below 6000 sort ahead of the controller's
# own 6001-6004 masquerade rules seen in the JSON export.
set service nat rule 5010 description IPTV
set service nat rule 5010 destination address 213.75.112.0/21
set service nat rule 5010 log disable
set service nat rule 5010 outbound-interface eth0.4
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade
# Apply, persist to the boot config, and leave configure mode.
commit
save
exit