A couple notes about the Ubiquiti USG_

🇺🇦 Resources to help support the people of Ukraine. 🇺🇦
July 25, 2018 @20:00

UniFi Security Gateway in the NMS

A couple days ago I wrote a bit about setting up a new Ubiquiti UniFi Security Gateway, and after living with it for a bit I have a few additional notes.

/config/user-data is preserved through resets

I'm not exactly sure why this happened but I fat fingered the JSON and during a provisioning cycle the USG wiped the certificates from /config/auth (where it seems to want you to put them) and while rebuilding I noticed that /config/user-data doesn't get wiped. When you run the restore-default command it seems to have set -x in it somewhere and emits this:

mernisse@ubnt:~$ set-default
+ cmd=restore-default
+ shift
+ case $cmd in
+ exit_if_fake restore-default
++ uname -a
++ grep mips
+ '[' 'Linux ubnt 3.10.20-UBNT #1 SMP Fri Nov 3 15:45:37 MDT 2017 mips64 GNU/Linux' = '' -o -f /tmp/FAKE ']'
+ exit_if_busy restore-default
+ '[' -f /var/run/system.state ']'
++ cat /var/run/system.state
+ state=ready
+ '[' ready '!=' ready ']'
+ state_lock
+ lockfile /var/run/system.state
+ TEMPFILE=/var/run/system.state.4478
+ LOCKFILE=/var/run/system.state.lock
+ ln /var/run/system.state.4478 /var/run/system.state.lock
+ rm -f /var/run/system.state.4478
+ return 0
+ echo 120
+ echo 3
+ rm -f /config/mgmt
+ apply_restore_default
++ cut -c -8
++ echo 7080 27092 31310 11976 31941
++ /usr/bin/md5sum
+ local R=eb2c7606
+ prune_old_config
+ find /root.dev/ -type d -iname 'w.????????' -exec rm -rf '{}' ';'
+ rm -f /config/config.boot
+ rm -f /config/unifi
+ rm -f /config/auth/ca.crt /config/auth/server.crt /config/auth/server.key
+ mv /root.dev/w /root.dev/w.eb2c7606
+ state_unlock
+ /bin/rm -f /var/run/system.state.lock
+ reboot

I made a copy of the certificates for the VPN in /config/user-data to ensure that if this happens again I can simply copy them back into place.

You can load a local JSON config file

The core of the UniFi system is the integration to the NMS, otherwise it would just be an EdgeRouter LITE. It appears that the provisioning process causes the controller's configuration to be merged with your config.gateway.json file and sent to the device. The downside is that you can't just push the JSON down to the USG, you need the entire rendered payload. Luckily you do have access to the underlying commands to import and export the configuration.

Once you have the USG up and working you can backup the JSON from the ssh console by running:

mca-ctrl -t dump-cfg > /config/user-data/backup.json

If for some reason the configuration gets messed up and you can no longer talk to the controller because the VPN is down you can simply reload it with:

 mca-ctrl -t apply -c /config/user-data/backup.json

All in all I'm still happy with it minus two things that I've sent to Ubiquiti using their feedback form:

  1. Would really like to have the PEM encoded certificates in the config.gateway.json. This would certainly help if you need to reload the device.
  2. Would like to have a checkbox to bridge eth1 and eth2. Almost everything at the office is wireless, but I do have a Synology NAS that I want wired, thankfully the UniFi UAP-AC-IW that is there has a built in 2 port switch but if I wanted to use a different AP it seems like it would be really handy to be able to easily use the WAN 2 port as a switched LAN port.

🍺 👍

Comment via e-mail. Subscribe via RSS.