This article gives some examples on policy based routing with the UniFi Security Gateway. UniFi and the USG models currently support Load Balancing or Failover when configuring Dual WAN setup in UniFi however if you want to configure a more advanced Policy Based Routing then this guide is for you.

Network Diagram:


  1. Login to your UniFi Controller and ensure you have created and configured a second WAN interface that has internet connectivity:
    Name: WAN2
    Purpose: WAN
    Network Group: WAN2
    IPV4: Configure your IPv4 settings for this WAN2 Port
    Load Balancing: Failover only or Load Balanced
  2. Ensure the USG WAN2 Interface is enabled and provisioned before checking that both WAN interfaces have connectivity:

  3. Go to Settings > Site and locate the SSH Username and Password under the Device Authentication section and then SSH into your USG with this authentication using a program like PuTTY:

  4. Using the commands below we are configuring a default route out WAN2 and then a firewall rule to forward any traffic from the local network to out WAN2 (via gateway
    set protocols static table 5 route next-hop
    set firewall modify LOAD_BALANCE rule 2500 action modify
    set firewall modify LOAD_BALANCE rule 2500 modify table 5
    set firewall modify LOAD_BALANCE rule 2500 destination address
    set firewall modify LOAD_BALANCE rule 2500 protocol all
  5. Test the configuration works:
  6. As you can see our traffic is going out WAN1 ( via gateway for all traffic and WAN2 ( via gateway for traffic destined to
    NOTE: As these changes have been made directly on the USG they are not persistent and will be lost with a provision or reboot.
  7. To make changes persistent during provision and reboot you will need to first export your USG configuration and then remove all other configuration except your new configuration from step 4. You will also need to maintain the correct .json format for this to work. Once you have done this you can save it as a config.gateway.json file in the <unifi_base> directory (unifi_base/data/sites/site_id), For more information on how to do this please read the preparation guides included at the start of this article.
  8. Dump the USG config to screen, then paste it in to notepad++ or similar to trim the config file down to your desired configuration for persistent changes and save it as a config.gateway.json file in the UniFi base directory unifi_base/data/sites/site_id:
    Command to dump the config to screen: mca-ctrl -t dump-cfg
  9. Formatted config.gateway.json file:
  10. Save to UniFi Base directory (unifi_base/data/sites/site_id):
  11. Restart your UniFi Controller and then reboot your USG before verifying that the changes have persisted after a reboot. If you changes are lost after a reboot then you either have an invalid config.gateway.json formatted file or the file is stored in the wrong place. In the screenshot above the config.gateway.json file is stored directly under the data folder as this is the default sites location however if you have multiple sites the file should be stored under the site id folder (review the preparation links at the start of this article).

Examples 1-3 (All examples are based off the network diagram at the top of this article):

  1. Forward traffic destined for via gateway
  2. Forward all traffic with an internal source network address of via gateway
  3. Forward all traffic with an internal source network address of via gateway (internal traffic will go via gateway