Quick q. regarding IPS, am I in 'danger' by not having it enabled? If I just run my USG out of the box, at default settings is it at least as secure as my VM superhub? I'll be honest, I bought my USG as I wanted to have everything unifi rather than a VM superhub, unifi APs etc., though I'm thinking of going pfsense as it's easier to tinker with the more advanced stuff.
*** Official Ubiquiti Discussion Thread ***
- Thread starter RoyMi6
- Start date
Soldato
- Joined
- 24 Sep 2015
- Posts
- 3,976
Thanks - I guess I'll cancel the scheduled update I set for tonight then.
Soldato
- Joined
- 24 Sep 2015
- Posts
- 3,976
I usually go for them pretty much straight away though I'm careful with controller updated and always snapshot my VM before.
I got caught out by this one a few days ago, so I've gone back to 3.9.45 for the moment on my switches.
Is it possible to setup a site to site VPN using a Raspberry Pi?
I have a USG that I VPN into to view CCTV, etc. on my phone/iPad and it would be fun to have a site to site connection to my setup from a Sky Broadband connection, then presumably on the Sky router a static route would just be setup pointing to the Pi.
I have a USG that I VPN into to view CCTV, etc. on my phone/iPad and it would be fun to have a site to site connection to my setup from a Sky Broadband connection, then presumably on the Sky router a static route would just be setup pointing to the Pi.
Guys, anyone help me with what I may be doing wrong? I'm finally getting around to setting my USG up with my VPN (nord). I followed this guide: https://support.nordvpn.com/#/Conne...nfigure-an-EdgeRouter-or-Ubiquiti-devices.htm and I'm at the very end, but when I try the command via ssh (
sudo -i configure set interfaces openvpn vtun0 config-file /config/openvpn/de84.nordvpn.com.udp1194.ovpn commit save [server changed as I'm using a US one]) then I get the following error:
"-bash: configure: command not found"
I've tried using terminal on OSX and putty on Windows. Am I doing something blindingly obvious? I've ssh'd in as [email protected] and get to do everything just fine apart from the final command.
sudo -i configure set interfaces openvpn vtun0 config-file /config/openvpn/de84.nordvpn.com.udp1194.ovpn commit save [server changed as I'm using a US one]) then I get the following error:
"-bash: configure: command not found"
I've tried using terminal on OSX and putty on Windows. Am I doing something blindingly obvious? I've ssh'd in as [email protected] and get to do everything just fine apart from the final command.
Soldato
- Joined
- 24 Sep 2015
- Posts
- 3,976
Use this instead:
Seemingly the Edge Routers have slightly different command syntaxes.
You're going to have problems though, each time the USG checks in with the controller (every few minutes from memory) that extra config you added will be removed. You need to add the custom configuration using a file called 'config.gateway.json' saved on the file system of the controller so that this config is added into the USG by the controller.
Have a look here for more information about how to create one.
I'm using a config.gateway.json file with my setup as I wanted to give eth0 an IP address so that I could access the management interface on my VDSL modem. It took quite a bit trial and error to get it working. If there's an error in the file don't be surprised if the USG gets stuck in a reboot loop. Just rename the file to something else (which will make the USG ignore it) then fix the error, rename it back and see what happens.
The Ubnt guide isn't overly clear but if you want to set something in the interfaces section of the config then the config.gateway.json file needs to contain ALL the config for ALL the interfaces, not just the interface you want to change.
So in my case I wanted to see eth0 as 192.168.3.2/24 but my file needs to contain more than just the config for eth0. So the bit I actually needed was this:
But as the file needs to contain the config of ALL the interfaces the file actually looks like this:
Code:
configure; set interfaces openvpn vtun0 config-file /config/openvpn/de84.nordvpn.com.udp1194.ovpn; commit; saveSeemingly the Edge Routers have slightly different command syntaxes.
You're going to have problems though, each time the USG checks in with the controller (every few minutes from memory) that extra config you added will be removed. You need to add the custom configuration using a file called 'config.gateway.json' saved on the file system of the controller so that this config is added into the USG by the controller.
Have a look here for more information about how to create one.
I'm using a config.gateway.json file with my setup as I wanted to give eth0 an IP address so that I could access the management interface on my VDSL modem. It took quite a bit trial and error to get it working. If there's an error in the file don't be surprised if the USG gets stuck in a reboot loop. Just rename the file to something else (which will make the USG ignore it) then fix the error, rename it back and see what happens.
The Ubnt guide isn't overly clear but if you want to set something in the interfaces section of the config then the config.gateway.json file needs to contain ALL the config for ALL the interfaces, not just the interface you want to change.
So in my case I wanted to see eth0 as 192.168.3.2/24 but my file needs to contain more than just the config for eth0. So the bit I actually needed was this:
Code:
"eth0": {
"address": [
"192.168.3.2/24"
],
"duplex": "auto",
"firewall": {
"in": {
"name": "WAN_IN"
},
"local": {
"name": "WAN_LOCAL"
}
},But as the file needs to contain the config of ALL the interfaces the file actually looks like this:
Code:
{
"interfaces": {
"ethernet": {
"eth0": {
"address": [
"192.168.3.2/24"
],
"duplex": "auto",
"firewall": {
"in": {
"name": "WAN_IN"
},
"local": {
"name": "WAN_LOCAL"
}
},
"pppoe": {
"0": {
"default-route": "none",
"firewall": {
"in": {
"name": "WAN_IN"
},
"local": {
"name": "WAN_LOCAL"
}
},
"mtu": "1492",
"name-server": "none",
"password": "internet",
"user-id": "[email protected]"
}
},
"speed": "auto"
},
"eth1": {
"address": [
"192.168.8.1/24"
],
"duplex": "auto",
"firewall": {
"in": {
"name": "LAN_IN"
},
"local": {
"name": "LAN_LOCAL"
},
"out": {
"name": "LAN_OUT"
}
},
"speed": "auto"
},
"eth2": {
"duplex": "auto",
"speed": "auto"
}
},
"loopback": {
"lo": "''"
}
}
}
Last edited:
Soldato
- Joined
- 8 Jan 2003
- Posts
- 3,802
- Location
- Scotland
The config on the USG will only be nuked on a reboot/upgrade was how I thought it worked. Regardless, for it to be a permanent change, you need to follow the guide linked to above.
Soldato
- Joined
- 24 Sep 2015
- Posts
- 3,976
Nope.
As a test I added a newIP address on eth0 by doing 'configure; set interfaces ethernet eth0 192.168.4.1/24; commit; save' and ran a continual ping to 192.168.4.1 from my PC. It stopped responding after about 10 minutes.
Soldato
- Joined
- 24 Sep 2015
- Posts
- 3,976
Agreed. It's a pain in the backside having to do it this way. They're slowly making improvements though, when I got my USG you couldn't even add a static route through the GUI so I had to setup config.gateway.json just to add a static route.
@the-evaluator you diamond. I'll give it a go when I get home tonight. Thanks for taking the time to note that all down buddy.
This has been on their feature list since god was in short trousers, improvements are glacial, I wish they'd put more effort into functionality rather than "making the GUI look pretty or adding features nobody has really asked for"
Soldato
- Joined
- 24 Sep 2015
- Posts
- 3,976
I did say slowly 
I know what you mean though, they're putting more effort into superfluous stuff rather than features that people are asking for.
I know what you mean though, they're putting more effort into superfluous stuff rather than features that people are asking for.
Soldato
- Joined
- 24 Sep 2015
- Posts
- 3,976
No worries
As I said, it was a lot of trial and error for me to get my config file working but since I got it working I've not had to mess about with it.
Last edited:
I've used the Github method for static DNS entries for my home lab VLAN:
https://gist.github.com/xavierlacot/939e8fa14c9bb0ca4e3fe98e5b1f9a3d
These persist through provisioning.
However, reverse lookups don't work which is an issue with VMware. Does anyone know how to put in static DNS entries and ensure that reverse ones work?
I don't really want to install a DNS server within the VMware environment if I can avoid it as I'll be having to maintain two DNS lists.
https://gist.github.com/xavierlacot/939e8fa14c9bb0ca4e3fe98e5b1f9a3d
These persist through provisioning.
However, reverse lookups don't work which is an issue with VMware. Does anyone know how to put in static DNS entries and ensure that reverse ones work?
I don't really want to install a DNS server within the VMware environment if I can avoid it as I'll be having to maintain two DNS lists.
Soldato
- Joined
- 24 Sep 2015
- Posts
- 3,976
If you're running DHCP on the USG then you can enable the option to register PTR recrods into it's DNS forwarder. Go to services / DHCP and enable the option to 'register client hostnames from DHCP requests in USG DNS forwarder' which seems to work well. It won't help with devices that aren't using DHCP though.
If you need PTR records for devices with a static IP address then you could try this. I haven't tried it.
Just for my own interest, why does VMware care about PTR records?
If you need PTR records for devices with a static IP address then you could try this. I haven't tried it.
Just for my own interest, why does VMware care about PTR records?