UniFi Security Gateway configuration
{ | |
"firewall": { | |
"all-ping": "enable", | |
"broadcast-ping": "disable", | |
"group": { | |
"address-group": { | |
"authorized_guests": { | |
"description": "authorized guests MAC addresses" | |
}, | |
"guest_allow_addresses": { | |
"description": "allow addresses for guests" | |
}, | |
"guest_allow_dns_servers": { | |
"description": "allow dns servers for guests" | |
}, | |
"guest_portal_address": { | |
"description": "guest portal address" | |
}, | |
"guest_restricted_addresses": { | |
"address": [ | |
"192.168.0.0/16", | |
"172.16.0.0/12", | |
"10.0.0.0/8" | |
], | |
"description": "restricted addresses for guests" | |
}, | |
"unifi_controller_addresses": "''", | |
"voip_sip_server_addresses": { | |
"description": "VOIP SIP server addresses" | |
} | |
}, | |
"network-group": { | |
"captive_portal_subnets": { | |
"description": "captive portal subnets" | |
}, | |
"corporate_network": { | |
"description": "corporate subnets", | |
"network": [ | |
"192.168.1.0/24" | |
] | |
}, | |
"guest_allow_subnets": { | |
"description": "allow subnets for guests" | |
}, | |
"guest_network": { | |
"description": "guest subnets" | |
}, | |
"guest_restricted_subnets": { | |
"description": "restricted subnets for guests" | |
}, | |
"remote_user_vpn_network": { | |
"description": "remote user vpn subnets" | |
}, | |
"voip_network": { | |
"description": "voip subnets" | |
} | |
}, | |
"port-group": { | |
"guest_portal_ports": { | |
"description": "guest portal ports" | |
}, | |
"guest_portal_redirector_ports": { | |
"description": "guest portal redirector ports", | |
"port": [ | |
"39080" | |
] | |
}, | |
"unifi_controller_ports-tcp": { | |
"description": "unifi tcp ports", | |
"port": [ | |
"8080" | |
] | |
}, | |
"unifi_controller_ports-udp": { | |
"description": "unifi udp ports", | |
"port": [ | |
"3478" | |
] | |
}, | |
"voip_sip_server_ports": { | |
"description": "voip sip server udp ports", | |
"port": [ | |
"5060", | |
"10000-10100" | |
] | |
} | |
} | |
}, | |
"ip-src-route": "disable", | |
"ipv6-receive-redirects": "disable", | |
"ipv6-src-route": "disable", | |
"log-martians": "enable", | |
"name": { | |
"AUTHORIZED_GUESTS": { | |
"default-action": "drop", | |
"description": "authorization check packets from guest network" | |
}, | |
"GUEST_IN": { | |
"default-action": "accept", | |
"description": "packets from guest network", | |
"rule": { | |
"3001": { | |
"action": "accept", | |
"description": "allow DNS packets to external name servers", | |
"destination": { | |
"port": "53" | |
}, | |
"protocol": "udp" | |
}, | |
"3002": { | |
"action": "accept", | |
"description": "allow packets to captive portal", | |
"destination": { | |
"group": { | |
"network-group": "captive_portal_subnets" | |
}, | |
"port": "443" | |
}, | |
"protocol": "tcp" | |
}, | |
"3003": { | |
"action": "accept", | |
"description": "allow packets to allow subnets", | |
"destination": { | |
"group": { | |
"address-group": "guest_allow_addresses" | |
} | |
} | |
}, | |
"3004": { | |
"action": "drop", | |
"description": "drop packets to restricted subnets", | |
"destination": { | |
"group": { | |
"address-group": "guest_restricted_addresses" | |
} | |
} | |
}, | |
"3005": { | |
"action": "drop", | |
"description": "drop packets to intranet", | |
"destination": { | |
"group": { | |
"network-group": "corporate_network" | |
} | |
} | |
}, | |
"3006": { | |
"action": "drop", | |
"description": "drop packets to voip", | |
"destination": { | |
"group": { | |
"network-group": "voip_network" | |
} | |
} | |
}, | |
"3007": { | |
"action": "drop", | |
"description": "drop packets to remote user", | |
"destination": { | |
"group": { | |
"network-group": "remote_user_vpn_network" | |
} | |
} | |
}, | |
"3008": { | |
"action": "drop", | |
"description": "authorized guests white list", | |
"destination": { | |
"group": { | |
"address-group": "authorized_guests" | |
} | |
} | |
} | |
} | |
}, | |
"GUEST_LOCAL": { | |
"default-action": "drop", | |
"description": "packets from guest network to gateway", | |
"rule": { | |
"3001": { | |
"action": "accept", | |
"description": "allow DNS", | |
"destination": { | |
"port": "53" | |
}, | |
"protocol": "udp" | |
}, | |
"3002": { | |
"action": "accept", | |
"description": "allow ICMP", | |
"protocol": "icmp" | |
} | |
} | |
}, | |
"GUEST_OUT": { | |
"default-action": "accept", | |
"description": "packets forward to guest network" | |
}, | |
"LAN_IN": { | |
"default-action": "accept", | |
"description": "packets from intranet", | |
"rule": { | |
"3001": { | |
"action": "accept", | |
"description": "packets from unifi to voip", | |
"destination": { | |
"group": { | |
"network-group": "voip_network" | |
} | |
}, | |
"source": { | |
"group": { | |
"address-group": "unifi_controller_addresses" | |
} | |
} | |
}, | |
"3002": { | |
"action": "drop", | |
"description": "packets from intranet to voip", | |
"destination": { | |
"group": { | |
"network-group": "voip_network" | |
} | |
} | |
}, | |
"6001": { | |
"action": "accept", | |
"description": "accounting defined network 192.168.1.0/24", | |
"source": { | |
"address": "192.168.1.0/24" | |
} | |
} | |
} | |
}, | |
"LAN_LOCAL": { | |
"default-action": "accept", | |
"description": "packets from intranet to gateway" | |
}, | |
"LAN_OUT": { | |
"default-action": "accept", | |
"description": "packets forward to intranet", | |
"rule": { | |
"6001": { | |
"action": "accept", | |
"description": "accounting defined network 192.168.1.0/24", | |
"destination": { | |
"address": "192.168.1.0/24" | |
} | |
} | |
} | |
}, | |
"VOIP_IN": { | |
"default-action": "accept", | |
"description": "packets from voip to intranet", | |
"rule": { | |
"3001": { | |
"action": "accept", | |
"description": "icmp to unifi", | |
"destination": { | |
"group": { | |
"address-group": "unifi_controller_addresses" | |
} | |
}, | |
"protocol": "icmp" | |
}, | |
"3002": { | |
"action": "accept", | |
"description": "inform to unifi", | |
"destination": { | |
"group": { | |
"address-group": "unifi_controller_addresses", | |
"port-group": "unifi_controller_ports-tcp" | |
} | |
}, | |
"protocol": "tcp" | |
}, | |
"3003": { | |
"action": "accept", | |
"description": "stun to unifi", | |
"destination": { | |
"group": { | |
"address-group": "unifi_controller_addresses", | |
"port-group": "unifi_controller_ports-udp" | |
} | |
}, | |
"protocol": "udp" | |
}, | |
"3004": { | |
"action": "accept", | |
"description": "allow established/related sessions", | |
"destination": { | |
"group": { | |
"address-group": "unifi_controller_addresses" | |
} | |
}, | |
"state": { | |
"established": "enable", | |
"invalid": "disable", | |
"new": "disable", | |
"related": "enable" | |
} | |
}, | |
"3005": { | |
"action": "drop", | |
"description": "drop invalid state", | |
"destination": { | |
"group": { | |
"address-group": "unifi_controller_addresses" | |
} | |
}, | |
"state": { | |
"established": "disable", | |
"invalid": "enable", | |
"new": "disable", | |
"related": "disable" | |
} | |
}, | |
"3006": { | |
"action": "drop", | |
"description": "drop VoIP to LAN traffic", | |
"destination": { | |
"group": { | |
"network-group": "corporate_network" | |
} | |
} | |
}, | |
"3007": { | |
"action": "drop", | |
"description": "drop VoIP to GUEST traffic", | |
"destination": { | |
"group": { | |
"network-group": "guest_network" | |
} | |
} | |
}, | |
"3008": { | |
"action": "drop", | |
"description": "drop VoIP to REMOTE USER traffic", | |
"destination": { | |
"group": { | |
"network-group": "remote_user_vpn_network" | |
} | |
} | |
} | |
} | |
}, | |
"VOIP_LOCAL": { | |
"default-action": "drop", | |
"description": "packets from voip to gateway", | |
"rule": { | |
"3001": { | |
"action": "accept", | |
"description": "allow DNS", | |
"destination": { | |
"port": "53" | |
}, | |
"protocol": "udp" | |
}, | |
"3002": { | |
"action": "accept", | |
"description": "allow ICMP", | |
"protocol": "icmp" | |
}, | |
"3003": { | |
"action": "accept", | |
"description": "allow established/related sessions", | |
"state": { | |
"established": "enable", | |
"invalid": "disable", | |
"new": "disable", | |
"related": "enable" | |
} | |
}, | |
"3004": { | |
"action": "drop", | |
"description": "drop invalid state", | |
"state": { | |
"established": "disable", | |
"invalid": "enable", | |
"new": "disable", | |
"related": "disable" | |
} | |
} | |
} | |
}, | |
"VOIP_OUT": { | |
"default-action": "accept", | |
"description": "packets forward to voip" | |
}, | |
"WAN_IN": { | |
"default-action": "drop", | |
"description": "packets from internet to intranet", | |
"rule": { | |
"3001": { | |
"action": "accept", | |
"description": "allow established/related sessions", | |
"state": { | |
"established": "enable", | |
"invalid": "disable", | |
"new": "disable", | |
"related": "enable" | |
} | |
}, | |
"3002": { | |
"action": "drop", | |
"description": "drop invalid state", | |
"state": { | |
"established": "disable", | |
"invalid": "enable", | |
"new": "disable", | |
"related": "disable" | |
} | |
} | |
} | |
}, | |
"WAN_LOCAL": { | |
"default-action": "drop", | |
"description": "packets from internet to gateway", | |
"rule": { | |
"3001": { | |
"action": "accept", | |
"description": "allow established/related sessions", | |
"state": { | |
"established": "enable", | |
"invalid": "disable", | |
"new": "disable", | |
"related": "enable" | |
} | |
}, | |
"3002": { | |
"action": "drop", | |
"description": "drop invalid state", | |
"state": { | |
"established": "disable", | |
"invalid": "enable", | |
"new": "disable", | |
"related": "disable" | |
} | |
}, | |
"3003": { | |
"action": "accept", | |
"description": "allow ICMP", | |
"protocol": "icmp" | |
} | |
} | |
} | |
}, | |
"options": { | |
"mss-clamp": { | |
"interface-type": [ | |
"pppoe", | |
"pptp" | |
], | |
"mss": "1412" | |
} | |
}, | |
"receive-redirects": "disable", | |
"send-redirects": "enable", | |
"source-validation": "disable", | |
"syn-cookies": "enable" | |
}, | |
"interfaces": { | |
"ethernet": { | |
"eth0": { | |
"duplex": "auto", | |
"mtu": "1512", | |
"speed": "auto", | |
"vif": { | |
"4": { | |
"address": [ | |
"dhcp" | |
], | |
"dhcp-options": { | |
"client-option": [ | |
"send vendor-class-identifier \"IPTV_RG\";", | |
"request subnet-mask, routers, rfc3442-classless-static-routes;" | |
], | |
"default-route": "no-update", | |
"default-route-distance": "210", | |
"name-server": "update" | |
} | |
}, | |
"6": { | |
"firewall": { | |
"in": { | |
"name": "WAN_IN" | |
}, | |
"local": { | |
"name": "WAN_LOCAL" | |
} | |
}, | |
"mtu": "1508", | |
"pppoe": { | |
"2": { | |
"default-route": "none", | |
"firewall": { | |
"in": { | |
"name": "WAN_IN" | |
}, | |
"local": { | |
"name": "WAN_LOCAL" | |
} | |
}, | |
"mtu": "1500", | |
"name-server": "auto", | |
"password": "kpn", | |
"user-id": "xx-xx-xx-xx-xx-xx@internet" | |
} | |
} | |
} | |
} | |
}, | |
"eth1": { | |
"address": [ | |
"192.168.1.1/24" | |
], | |
"duplex": "auto", | |
"firewall": { | |
"in": { | |
"name": "LAN_IN" | |
}, | |
"local": { | |
"name": "LAN_LOCAL" | |
}, | |
"out": { | |
"name": "LAN_OUT" | |
} | |
}, | |
"speed": "auto" | |
}, | |
"eth2": { | |
"disable": "''", | |
"duplex": "auto", | |
"speed": "auto" | |
} | |
}, | |
"loopback": { | |
"lo": "''" | |
} | |
}, | |
"port-forward": { | |
"auto-firewall": "disable", | |
"hairpin-nat": "enable", | |
"lan-interface": [ | |
"eth1" | |
], | |
"wan-interface": "pppoe2" | |
}, | |
"protocols": { | |
"igmp-proxy": { | |
"interface": { | |
"eth0": { | |
"role": "disabled", | |
"threshold": "1" | |
}, | |
"eth0.4": { | |
"alt-subnet": [ | |
"213.75.0.0/16" | |
], | |
"role": "upstream", | |
"threshold": "1" | |
}, | |
"eth0.6": { | |
"role": "disabled", | |
"threshold": "1" | |
}, | |
"eth1": { | |
"role": "downstream", | |
"threshold": "1" | |
} | |
} | |
}, | |
"static": { | |
"interface-route": { | |
"0.0.0.0/0": { | |
"next-hop-interface": { | |
"pppoe2": { | |
"distance": "1" | |
} | |
} | |
}, | |
"213.75.112.0/21": { | |
"next-hop-interface": { | |
"eth0.4": { | |
"distance": "1" | |
} | |
} | |
} | |
} | |
} | |
}, | |
"service": { | |
"dhcp-server": { | |
"disabled": "false", | |
"hostfile-update": "enable", | |
"shared-network-name": { | |
"LAN_192.168.1.0-24": { | |
"authoritative": "enable", | |
"description": "vlan1", | |
"subnet": { | |
"192.168.1.0/24": { | |
"default-router": "192.168.1.1", | |
"dns-server": [ | |
"192.168.1.1" | |
], | |
"lease": "86400", | |
"start": { | |
"192.168.1.6": { | |
"stop": "192.168.1.254" | |
} | |
} | |
} | |
} | |
} | |
}, | |
"use-dnsmasq": "disable" | |
}, | |
"dns": { | |
"forwarding": { | |
"cache-size": "500", | |
"except-interface": [ | |
"pppoe2" | |
], | |
"options": [ | |
"host-record=unifi,127.0.0.1" | |
] | |
} | |
}, | |
"gui": { | |
"https-port": "443" | |
}, | |
"lldp": { | |
"interface": { | |
"eth0": { | |
"disable": "''" | |
} | |
} | |
}, | |
"nat": { | |
"rule": { | |
"5010": { | |
"description": "IPTV", | |
"destination": { | |
"address": "213.75.112.0/21" | |
}, | |
"log": "disable", | |
"outbound-interface": "eth0.4", | |
"protocol": "all", | |
"type": "masquerade" | |
}, | |
"6001": { | |
"description": "MASQ corporate_network to WAN", | |
"log": "disable", | |
"outbound-interface": "pppoe2", | |
"protocol": "all", | |
"source": { | |
"group": { | |
"network-group": "corporate_network" | |
} | |
}, | |
"type": "masquerade" | |
}, | |
"6002": { | |
"description": "MASQ voip_network to WAN", | |
"log": "disable", | |
"outbound-interface": "pppoe2", | |
"protocol": "all", | |
"source": { | |
"group": { | |
"network-group": "voip_network" | |
} | |
}, | |
"type": "masquerade" | |
}, | |
"6003": { | |
"description": "MASQ remote_user_vpn_network to WAN", | |
"log": "disable", | |
"outbound-interface": "pppoe2", | |
"protocol": "all", | |
"source": { | |
"group": { | |
"network-group": "remote_user_vpn_network" | |
} | |
}, | |
"type": "masquerade" | |
}, | |
"6004": { | |
"description": "MASQ guest_network to WAN", | |
"log": "disable", | |
"outbound-interface": "pppoe2", | |
"protocol": "all", | |
"source": { | |
"group": { | |
"network-group": "guest_network" | |
} | |
}, | |
"type": "masquerade" | |
} | |
} | |
}, | |
"ssh": { | |
"port": "22", | |
"protocol-version": "v2" | |
} | |
} | |
} |
# EdgeOS / USG configure-mode session that recreates the WAN side of the
# gateway configuration captured in the JSON above (interfaces -> eth0 vif 4
# and vif 6, igmp-proxy, static interface-routes, NAT rule 5010); the values
# here match that JSON one for one.
configure | |
# eth0 is the physical WAN port. Its mtu (1512) sits above the 1508 set on
# vif 6 below, so the tagged PPPoE frames fit through the parent interface.
set interfaces ethernet eth0 duplex auto | |
set interfaces ethernet eth0 speed auto | |
set interfaces ethernet eth0 mtu 1512 | |
# VLAN 4 = IPTV. Addressed via DHCP; the lease's default route is deliberately
# not installed (default-route no-update) so the PPPoE session stays the
# default path, and the fallback distance 210 keeps it behind the static
# 0.0.0.0/0 (distance 1) further down.
# NOTE(review): no firewall ruleset is bound to vif 4, unlike vif 6 / pppoe 2
# which get WAN_IN and WAN_LOCAL, so traffic arriving on the IPTV VLAN is not
# subject to those rulesets -- confirm this is intended.
set interfaces ethernet eth0 vif 4 address dhcp | |
# The single quotes keep the inner double quotes intact on the CLI; in the
# JSON form of this option the same double quotes must be escaped as \".
set interfaces ethernet eth0 vif 4 dhcp-options client-option 'send vendor-class-identifier "IPTV_RG";' | |
set interfaces ethernet eth0 vif 4 dhcp-options client-option 'request subnet-mask, routers, rfc3442-classless-static-routes;' | |
set interfaces ethernet eth0 vif 4 dhcp-options default-route no-update | |
set interfaces ethernet eth0 vif 4 dhcp-options default-route-distance 210 | |
# name-server update: DNS servers handed out on this lease are accepted
# (the PPPoE session below uses name-server auto instead).
set interfaces ethernet eth0 vif 4 dhcp-options name-server update | |
# VLAN 6 = internet via PPPoE. The VLAN mtu of 1508 presumably leaves room for
# the 8-byte PPPoE header around the 1500-byte session mtu set below -- confirm
# against the provider's requirements.
set interfaces ethernet eth0 vif 6 mtu 1508 | |
set interfaces ethernet eth0 vif 6 firewall in name WAN_IN | |
set interfaces ethernet eth0 vif 6 firewall local name WAN_LOCAL | |
# default-route none: the route learned over PPPoE is not installed; presumably
# so that the explicit static 0.0.0.0/0 via pppoe2 below is the only default.
set interfaces ethernet eth0 vif 6 pppoe 2 default-route none | |
set interfaces ethernet eth0 vif 6 pppoe 2 firewall in name WAN_IN | |
set interfaces ethernet eth0 vif 6 pppoe 2 firewall local name WAN_LOCAL | |
set interfaces ethernet eth0 vif 6 pppoe 2 mtu 1500 | |
set interfaces ethernet eth0 vif 6 pppoe 2 name-server auto | |
# The PPPoE credentials are stored in clear text here and in the JSON
# ("password" / "user-id"); the user-id is masked in this copy, the password
# is not.
set interfaces ethernet eth0 vif 6 pppoe 2 password kpn | |
set interfaces ethernet eth0 vif 6 pppoe 2 user-id xx-xx-xx-xx-xx-xx@internet | |
# IGMP proxy: multicast enters on the IPTV VLAN (upstream) and is forwarded to
# the LAN on eth1 (downstream); eth0 itself and the PPPoE VLAN are disabled.
# alt-subnet is presumably the extra source range the proxy accepts on the
# upstream interface beyond its own subnet -- confirm.
set protocols igmp-proxy interface eth0.4 alt-subnet 213.75.0.0/16 | |
set protocols igmp-proxy interface eth0.4 role upstream | |
set protocols igmp-proxy interface eth0.4 threshold 1 | |
set protocols igmp-proxy interface eth0.6 role disabled | |
set protocols igmp-proxy interface eth0 role disabled | |
set protocols igmp-proxy interface eth1 role downstream | |
set protocols igmp-proxy interface eth1 threshold 1 | |
# Static routing: the IPTV range leaves via the VLAN 4 interface, everything
# else via the PPPoE session; both at distance 1, the more specific prefix
# wins for 213.75.112.0/21.
set protocols static interface-route 213.75.112.0/21 next-hop-interface eth0.4 distance 1 | |
set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe2 distance 1 | |
# Source NAT (masquerade) for traffic towards the IPTV range leaving eth0.4.
# Masquerade for the PPPoE side is not part of this script; the JSON carries
# it as rules 6001-6004.
set service nat rule 5010 description IPTV | |
set service nat rule 5010 destination address 213.75.112.0/21 | |
set service nat rule 5010 log disable | |
set service nat rule 5010 outbound-interface eth0.4 | |
set service nat rule 5010 protocol all | |
set service nat rule 5010 type masquerade | |
# Apply, persist across reboot, and leave configure mode.
commit | |
save | |
exit |