This article gives some examples on policy based routing with the UniFi Security Gateway. UniFi and the USG models currently support Load Balancing or Failover when configuring Dual WAN setup in UniFi however if you want to configure a more advanced Policy Based Routing then this guide is for you.
- It is assumed you are familiar with the UniFi Controller and USG Configuration and have setup a second WAN interface with Load Balancing or Failover.
- You have read and under stand the following guides:
- Login to your UniFi Controller and ensure you have created and configured a second WAN interface that has internet connectivity:
Network Group: WAN2
IPV4: Configure your IPv4 settings for this WAN2 Port
Load Balancing: Failover only or Load Balanced
- Ensure the USG WAN2 Interface is enabled and provisioned before checking that both WAN interfaces have connectivity:
- Go to Settings > Site and locate the SSH Username and Password under the Device Authentication section and then SSH into your USG with this authentication using a program like PuTTY:
- Using the commands below we are configuring a default route out WAN2 and then a firewall rule to forward any traffic from the local network to 220.127.116.11 out WAN2 (via gateway 10.10.12.1):
set protocols static table 5 route 0.0.0.0/0 next-hop 10.10.12.1
set firewall modify LOAD_BALANCE rule 2500 action modify
set firewall modify LOAD_BALANCE rule 2500 modify table 5
set firewall modify LOAD_BALANCE rule 2500 destination address 18.104.22.168
set firewall modify LOAD_BALANCE rule 2500 protocol all
- Test the configuration works:
- As you can see our traffic is going out WAN1 (10.10.11.155 via gateway 10.10.11.1) for all traffic and WAN2 (10.10.12.253 via gateway 10.10.12.1) for traffic destined to 22.214.171.124.
NOTE: As these changes have been made directly on the USG they are not persistent and will be lost with a provision or reboot.
- To make changes persistent during provision and reboot you will need to first export your USG configuration and then remove all other configuration except your new configuration from step 4. You will also need to maintain the correct .json format for this to work. Once you have done this you can save it as a config.gateway.json file in the <unifi_base> directory (unifi_base/data/sites/site_id), For more information on how to do this please read the preparation guides included at the start of this article.
- Dump the USG config to screen, then paste it in to notepad++ or similar to trim the config file down to your desired configuration for persistent changes and save it as a config.gateway.json file in the UniFi base directory unifi_base/data/sites/site_id:
Command to dump the config to screen: mca-ctrl -t dump-cfg
- Formatted config.gateway.json file:
- Save to UniFi Base directory (unifi_base/data/sites/site_id):
- Restart your UniFi Controller and then reboot your USG before verifying that the changes have persisted after a reboot. If you changes are lost after a reboot then you either have an invalid config.gateway.json formatted file or the file is stored in the wrong place. In the screenshot above the config.gateway.json file is stored directly under the data folder as this is the default sites location however if you have multiple sites the file should be stored under the site id folder (review the preparation links at the start of this article).
Examples 1-3 (All examples are based off the network diagram at the top of this article):
- Forward traffic destined for 126.96.36.199 via gateway 10.10.12.1
- Forward all traffic with an internal source network address of 192.168.1.10 via gateway 10.10.12.1
- Forward all traffic with an internal source network address of 192.168.2.0/24 via gateway 10.10.12.1 (internal 192.168.1.0/24 traffic will go via gateway 10.10.11.1)