Author Topic: The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)  (Read 306521 times)


jonlprd

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #84 on: 01 December 2017 at 00:01:28 »
Look at this message here :
https://lafibre.info/remplacer-livebox/unifi-security-gateway-en-remplacement-de-la-livebox/msg484204/#msg484204

What you are trying to do is a mix between my setup with a fully isolated LAN for TV, starting from the USG, and what Mike does: a VLAN over the same shared physical LAN...

This is why I would really focus on getting the TV box to work directly connected to LAN2, to be sure that this is ok. Then, we'd look at the LAN config...

Sorry I can't be more assertive 😀

Your response is great and thank you for the English! I posted a reply below with some new results. I managed to get internet + TV working when the LiveboxTV is connected directly to ETH2. I describe in detail the steps I took below. I also posted the working config.boot. Thank you for your help!

jonlprd

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #85 on: 01 December 2017 at 00:28:35 »
Thank you @mike78530 and @thefa for your response! I could not have made progress this far without your help :)

So I have managed to get everything working with the LiveboxTV directly connected into ETH2. I will post the config.gateway.json below. I then reconnected the LiveboxTV to my living room switch and it does not function anymore. Internet is still functioning.


Steps I took:

1) Removed the TV network with VLAN 832 completely.
2) Reset USG and followed Mike's guide only for internet part
3) generated script from this URL https://www.l9.fr/usg-config-generator.php and ran script line by line via ssh. There were some errors when running this script.
4) Confirmed internet working.
5) Copied the config.boot to save the working configuration
6) Plugged in the controller, everything still worked.
7) Unplugged the LiveboxTV and plugged it back into the living room switch. The LiveboxTV no longer functions, even after I copy the config.gateway.json file onto the controller and provision the USG.


So, as you say, the complication seems to be that I'm connecting both LAN1 and LAN2 into the switch(es).

Here is the config.boot:
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group authorized_guests {
            description "authorized guests MAC addresses"
        }
        address-group guest_allow_addresses {
            description "allow addresses for guests"
        }
        address-group guest_allow_dns_servers {
            description "allow dns servers for guests"
        }
        address-group guest_portal_address {
            description "guest portal address"
        }
        address-group guest_restricted_addresses {
            address 192.168.0.0/16
            address 172.16.0.0/12
            address 10.0.0.0/8
            description "restricted addresses for guests"
        }
        address-group unifi_controller_addresses {
        }
        network-group captive_portal_subnets {
            description "captive portal subnets"
        }
        network-group corporate_network {
            description "corporate subnets"
            network 192.168.1.0/24
            network 192.168.2.0/24
        }
        network-group guest_allow_subnets {
            description "allow subnets for guests"
        }
        network-group guest_network {
            description "guest subnets"
        }
        network-group guest_restricted_subnets {
            description "restricted subnets for guests"
        }
        network-group remote_client_vpn_network {
            description "remote client VPN subnets"
        }
        network-group remote_site_vpn_network {
            description "remote site VPN subnets"
        }
        network-group remote_user_vpn_network {
            description "remote user vpn subnets"
        }
        port-group guest_portal_ports {
            description "guest portal ports"
        }
        port-group guest_portal_redirector_ports {
            description "guest portal redirector ports"
            port 39080
            port 39443
        }
        port-group unifi_controller_ports-tcp {
            description "unifi tcp ports"
            port 8080
        }
        port-group unifi_controller_ports-udp {
            description "unifi udp ports"
            port 3478
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name AUTHORIZED_GUESTS {
        default-action drop
        description "authorization check packets from guest network"
    }
    name GUEST_IN {
        default-action accept
        description "packets from guest network"
        rule 3001 {
            action accept
            description "allow DNS packets to external name servers"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow packets to captive portal"
            destination {
                group {
                    network-group captive_portal_subnets
                }
                port 443
            }
            protocol tcp
        }
        rule 3003 {
            action accept
            description "allow packets to allow subnets"
            destination {
                group {
                    address-group guest_allow_addresses
                }
            }
        }
        rule 3004 {
            action drop
            description "drop packets to restricted subnets"
            destination {
                group {
                    address-group guest_restricted_addresses
                }
            }
        }
        rule 3005 {
            action drop
            description "drop packets to intranet"
            destination {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3006 {
            action drop
            description "drop packets to remote user"
            destination {
                group {
                    network-group remote_user_vpn_network
                }
            }
        }
        rule 3007 {
            action drop
            description "authorized guests white list"
            destination {
                group {
                    address-group authorized_guests
                }
            }
        }
    }
    name GUEST_LOCAL {
        default-action drop
        description "packets from guest network to gateway"
        rule 3001 {
            action accept
            description "allow DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow ICMP"
            protocol icmp
        }
    }
    name GUEST_OUT {
        default-action accept
        description "packets forward to guest network"
    }
    name LAN_IN {
        default-action accept
        description "packets from intranet"
        rule 6001 {
            action accept
            description "accounting defined network 192.168.1.0/24"
            source {
                address 192.168.1.0/24
            }
        }
        rule 6002 {
            action accept
            description "accounting defined network 192.168.2.0/24"
            source {
                address 192.168.2.0/24
            }
        }
    }
    name LAN_LOCAL {
        default-action accept
        description "packets from intranet to gateway"
    }
    name LAN_OUT {
        default-action accept
        description "packets forward to intranet"
        rule 6001 {
            action accept
            description "accounting defined network 192.168.1.0/24"
            destination {
                address 192.168.1.0/24
            }
        }
        rule 6002 {
            action accept
            description "accounting defined network 192.168.2.0/24"
            destination {
                address 192.168.2.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "packets from internet to intranet"
        rule 3001 {
            action accept
            description "allow established/related sessions"
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3002 {
            action drop
            description "drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "packets from internet to gateway"
        rule 3001 {
            action accept
            description "allow established/related sessions"
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3002 {
            action drop
            description "drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description "packets to internet"
    }
    options {
        mss-clamp {
            interface-type pppoe
            interface-type pptp
            interface-type vti
            mss 1452
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description ISP
        vif 832 {
            address dhcp
            description ISP_DATA
            dhcp-options {
                client-option "send vendor-class-identifier "sagem";"
                client-option "send user-class "+FSVDSL_livebox.Internet.softathome.Livebox4";"
                client-option "send rfc3118-auth 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00;"
                client-option "request subnet-mask, routers, domain-name-servers, domain-name, broadcast-address, dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, rfc3118-auth;"
                default-route update
                default-route-distance 210
                name-server update
            }
            egress-qos "0:0 1:0 2:0 3:0 4:0 5:0 6:6 7:0"
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
        }
        vif 838 {
            address dhcp
            description ISP_TV_VOD
            dhcp-options {
                client-option "send vendor-class-identifier "sagem";"
                client-option "send user-class "\047FSVDSL_livebox.MLTV.softathome.Livebox4";"
                client-option "send dhcp-client-identifier 1:00:00:00:00:00;"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
            egress-qos "0:4 1:4 2:4 3:4 4:4 5:4 6:4 7:4"
        }
        vif 840 {
            address 192.168.255.254/24
            description ISP_TV_STREAM
            egress-qos "0:5 1:5 2:5 3:5 4:5 5:5 6:5 7:5"
        }
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description LAN_ETH1
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description LAN_ETH2
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall disable
    hairpin-nat enable
    lan-interface eth2
    lan-interface eth1
    wan-interface eth0
}
protocols {
    igmp-proxy {
        interface eth0 {
            role disabled
            threshold 1
        }
        interface eth0.832 {
            role disabled
            threshold 1
        }
        interface eth0.838 {
            role disabled
            threshold 1
        }
        interface eth0.840 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth1 {
            role disabled
            threshold 1
        }
        interface eth2 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update enable
        shared-network-name LAN_ETH1_DHCP {
            authoritative enable
            subnet 192.168.1.1/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.200
                }
            }
        }
        shared-network-name LAN_ETH2_DHCP {
            authoritative enable
            subnet 192.168.2.1/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.100 {
                    stop 192.168.2.200
                }
            }
        }
        shared-network-name net_LAN_192.168.1.0-24 {
            authoritative enable
            description vlan1
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                domain-name localdomain
                lease 86400
                start 192.168.1.6 {
                    stop 192.168.1.254
                }
            }
        }
        shared-network-name net_Livebox_TV_192.168.2.0-24 {
            authoritative enable
            description vlan4012
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 80.10.246.2
                dns-server 80.10.246.129
                lease 86400
                start 192.168.2.6 {
                    stop 192.168.2.254
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 10000
            except-interface eth0
            options ptr-record=1.1.168.192.in-addr.arpa,USG
            options host-record=unifi,192.168.1.39
            options host-record=unifi,127.0.0.1
        }
    }
    gui {
        https-port 443
        listen-address 192.168.1.1
        listen-address 192.168.2.1
    }
    lldp {
        interface eth0 {
            disable
        }
    }
    nat {
        rule 6001 {
            description "MASQ corporate_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group corporate_network
                }
            }
            type masquerade
        }
        rule 6002 {
            description "MASQ remote_user_vpn_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group remote_user_vpn_network
                }
            }
            type masquerade
        }
        rule 6003 {
            description "MASQ guest_network to WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group guest_network
                }
            }
            type masquerade
        }
        rule 6010 {
            description "MASQ LAN to WAN"
            log disable
            outbound-interface eth0.832
            protocol all
            type masquerade
        }
        rule 6011 {
            description "MASQ TV to WAN"
            log disable
            outbound-interface eth0.838
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.1.1
        listen-address 192.168.2.1
        port 22
        protocol-version v2
    }
    upnp2 {
        listen-on eth1
        nat-pmp enable
        secure-mode enable
        wan eth0.832
    }
}
system {
    conntrack {
        expect-table-size 2048
        hash-size 32768
        table-size 262144
        timeout {
            icmp 30
            other 600
            tcp {
                close 10
                close-wait 60
                established 7440
                fin-wait 120
                last-ack 30
                syn-recv 60
                syn-sent 120
                time-wait 120
            }
            udp {
                other 30
                stream 180
            }
        }
    }
    domain-name localdomain
    host-name USG
    ip {
        override-hostname-ip 192.168.1.1
    }
    login {
        user admin {
            authentication {
                encrypted-password $6$OQou9Di2$NbiQDhg4phCNLXARDVWsoh8dLeFjLvaZLmawUrX35Rlf3PedReDsvysJ.DzetifyGXiHHe5pWhXaH5tu0zKb20
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    static-host-mapping {
        host-name setup.ubnt.com {
            alias setup
            inet 192.168.1.1
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Brussels
    traffic-analysis {
        dpi enable
    }
}
unifi {
    mgmt {
        cfgversion 61c6a3c56e594c9d
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v4.4.12.5032482.171103.1538 */



thefa

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #86 on: 01 December 2017 at 09:56:23 »
ok, so this is good, as we know now where to look precisely:-)

For the LAN, I'm a bit far away from my comfort zone, but I'll try anyway:

TV is on the second LAN port of the USG, so no need for a VLAN here to segregate the traffic on the USG, I think.
But you will need to create a virtual LAN between the TV box on the second switch and the port on the first switch that is connected to the second LAN on the USG.
I think this is what port-based VLANs are intended for, so you would need to:
- tag with a given VLAN the port on switch 2 that is connected to the TV box
- tag with the same VLAN the port on switch 1 that is connected to the USG on the second LAN
- ensure that the ports connecting the 2 switches with each other are transporting all VLANs (trunk)

Note that I'm not sure at all that this is the right way of doing it, so don't spend too much time on this until Mike confirms it could work this way.
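The three steps above can be checked on paper before touching the switches. The following is an added example, not code from this thread: a small model of two switches in which an untagged frame takes its ingress port's PVID and is flooded only to ports carrying that VLAN, crossing the inter-switch cable only when both ends carry it. Switch names, port numbers and the VLAN ids (1 for data, 20 for TV) are assumptions, not values from the post.

```python
from collections import deque


class Port:
    """One switch port. pvid = untagged (native) VLAN given to frames that enter
    untagged; tagged = extra VLANs the port carries with an 802.1Q tag (trunk)."""

    def __init__(self, pvid, tagged=()):
        self.pvid = pvid
        self.tagged = set(tagged)

    def carries(self, vlan):
        return vlan == self.pvid or vlan in self.tagged


def switch_of(port_name):
    return port_name.split("/")[0]  # "sw2/2" -> "sw2"


def reachable_ports(ports, links, ingress):
    """Flood one untagged frame entering at `ingress`: it takes that port's PVID and
    goes to every other port of the same switch carrying the VLAN. Ports listed in
    `links` are inter-switch cables and are crossed only if both ends carry the
    VLAN. Returns the set of edge (non-cable) ports the frame can reach."""
    vlan = ports[ingress].pvid
    start = switch_of(ingress)
    seen, reached = {start}, set()
    queue = deque([(start, ingress)])
    while queue:
        sw, came_from = queue.popleft()
        for name, port in ports.items():
            if switch_of(name) != sw or name == came_from or not port.carries(vlan):
                continue
            peer = links.get(name)
            if peer is None:
                reached.add(name)
            elif ports[peer].carries(vlan) and switch_of(peer) not in seen:
                seen.add(switch_of(peer))
                queue.append((switch_of(peer), peer))
    return reached


# Constructed two-switch layout (assumption): USG ETH1 on sw1/1, USG ETH2 on sw1/2,
# a PC on sw1/3, the TV box on sw2/2, a laptop on sw2/3, one cable sw1/24 <-> sw2/1.
LINKS = {"sw1/24": "sw2/1", "sw2/1": "sw1/24"}
TV_VLAN, DATA_VLAN = 20, 1  # VLAN ids are assumptions, not from the post


def flat_lan():
    """Every port untagged in one VLAN: both USG LAN ports end up in a single
    broadcast domain, the situation described when the TV box sat behind the switch."""
    return {p: Port(DATA_VLAN) for p in
            ("sw1/1", "sw1/2", "sw1/3", "sw1/24", "sw2/1", "sw2/2", "sw2/3")}


def thefa_plan():
    """The three steps: TV-box port and USG-ETH2 port in the same VLAN, the two
    inter-switch ports trunking that VLAN, everything else left in the data VLAN."""
    ports = flat_lan()
    ports["sw2/2"] = Port(TV_VLAN)                       # switch 2 port to the TV box
    ports["sw1/2"] = Port(TV_VLAN)                       # switch 1 port to USG ETH2
    ports["sw1/24"] = Port(DATA_VLAN, tagged={TV_VLAN})  # trunk, switch 1 side
    ports["sw2/1"] = Port(DATA_VLAN, tagged={TV_VLAN})   # trunk, switch 2 side
    return ports


def tv_box_reaches(ports):
    return reachable_ports(ports, LINKS, "sw2/2")


if __name__ == "__main__":
    print("flat LAN, TV box reaches:    ", sorted(tv_box_reaches(flat_lan())))
    print("VLAN plan, TV box reaches:   ", sorted(tv_box_reaches(thefa_plan())))
    print("VLAN plan, laptop reaches:   ", sorted(reachable_ports(thefa_plan(), LINKS, "sw2/3")))
```

With the flat LAN the TV box's frames reach both USG LAN ports and the PCs; with the VLAN plan they reach only the port wired to USG ETH2, while the laptop still reaches ETH1 and the PC.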

mike78530

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #87 on: 01 December 2017 at 12:42:23 »
ok, so this is good, as we know now where to look precisely:-)

For the LAN, I'm a bit far away from my comfort zone, but I'll try anyway:

TV is on the second LAN port of the USG, so no need for a VLAN here to segregate the traffic on the USG, I think.
But you will need to create a virtual LAN between the TV box on the second switch and the port on the first switch that is connected to the second LAN on the USG.
I think this is what port-based VLANs are intended for, so you would need to:
- tag with a given VLAN the port on switch 2 that is connected to the TV box
- tag with the same VLAN the port on switch 1 that is connected to the USG on the second LAN
- ensure that the ports connecting the 2 switches with each other are transporting all VLANs (trunk)

Note that I'm not sure at all that this is the right way of doing it, so don't spend too much time on this until Mike confirms it could work this way.

Very good summary, thefa :)

If it's not working, move the LiveboxTV to ETH1, edit your config and do not connect the controller.
« Last edited: 01 December 2017 at 13:30:37 by mike78530 »

jonlprd

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #88 on: 01 December 2017 at 18:41:29 »

If it's not working, move the LiveboxTV to ETH1, edit your config and do not connect the controller.

Ok, I now have everything working and the LiveboxTV is in the living room now :) I really don't know how it is working haha! I think it is magic! I will post both the config.gateway.json and config.boot below.

My config.gateway.json file is a bit messy since it's using the generated file from this post: https://www.choiz.fr/2017-08-26-remplacer-sa-livebox-par-un-unifi-security-gateway-3p-(usg).html. The IPv6 isn't working either.
 
So now, my goals (now that both internet and tv are working), are:

1) Go into the existing config.gateway.json file and try to remove what I do not need (so the file is cleaner).

2) Try to get IPv6 working by copying your config.gateway.json file you provided in a previous post.

If you have any suggestions on how I might be able to get the IPv6 working, that would be amazing :)
 
Before now, I would always use your config.gateway.json for my IPv6 + internet, and it always worked. So if there is a possibility to implement your config.gateway.json file into the existing one I have now, everything would be perfect.

If it helps other members of the forum, I can take pictures of my setup and fully document the steps I took to get the TV and internet working consistently. I would really like to clean up the .json file and get IPv6 working before that (so less confusion for other members).

I will try to reach out to the creator of that blog post and see if he has any suggestions.



thefa

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #89 on: 01 December 2017 at 22:02:16 »
@jonlprd I'm interested in the setup you have chosen on your switches, if you have kept the second physical LAN port on the USG. Just for info. Thanks,

flipper

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #90 on: 05 December 2017 at 23:47:34 »
A basic, slightly "dumb" question. I want to change the DNS server of my network. If I look at the properties of my local network on my tablet, I have 8.8.8.8, 8.8.8.4, but I can't find these entries in my .json config or in my interface. I have 208.67.222.222 and 208.67.220.220 as the manual DHCP name servers of my LAN. Is this normal? I would like to use the Quad9 DNS.

jonlprd

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #91 on: 08 December 2017 at 23:10:02 »
Hello @mike78530


I have managed to get the TV working consistently. I have it plugged directly into ETH2. I had to delete one line from your TV script in order for the commit to pass.

This line causes an error for me:
set service nat rule 6020 source group network-group corporate_network

[ service nat rule 6020 source group network-group corporate_network ]
calling cfgPathExists() without config session

If I delete this line and run the script again, I am able to commit and save with no errors. My internet does not work at this point since I unchecked VLAN 832 in the GUI. I can go back into the GUI and turn on VLAN 832, but after 8-10 seconds the controller re-provisions the USG and disables 832. I think maybe these lines are causing the problem:

set protocols igmp-proxy interface eth0.832 role disabled
set protocols igmp-proxy interface eth0.832 threshold 1
What do you think?

So, at this point I have to choose between Internet, or TV haha! I have saved two copies of my config.boot file. I will attach them both. One is with internet working, and the other is with TV working. Please let me know your input on this. Resolving this last issue is the final piece to the puzzle for me  :)


Thank you very much!
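The two saved config.boot copies mentioned above (one with Internet working, one with TV working) can be compared mechanically instead of by eye. The following is an added example, not code from this thread: it parses the curly-brace config.boot format posted earlier into a tree, flattens it to `set`-style paths and diffs two copies; the two fragments it works on are constructed in that syntax and are not the poster's actual files.

```python
"""Parse config.boot (curly-brace EdgeOS/Vyatta format), flatten it, diff two copies."""


def parse_config(text):
    """'name {' opens a child dict; a 'key value' line appends value to the list
    under key (keys repeat, e.g. several 'address' lines in one address-group)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):   # blank line or version comment
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition(" ")  # value keeps its own quotes
            stack[-1].setdefault(key, []).append(value)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def flatten(node, prefix=()):
    """One 'path value' string per leaf (or per empty node), so two trees
    can be compared as sets."""
    out = set()
    for key, val in node.items():
        path = prefix + (key,)
        if isinstance(val, dict):
            out |= flatten(val, path) if val else {" ".join(path)}
        else:
            out.update(" ".join(path + ((v,) if v else ())) for v in val)
    return out


def diff_configs(a, b):
    """(only_in_a, only_in_b): sorted paths, i.e. 'set ...' commands without 'set'."""
    fa, fb = flatten(parse_config(a)), flatten(parse_config(b))
    return sorted(fa - fb), sorted(fb - fa)


def igmp_roles(cfg):
    """interface -> igmp-proxy role. For IPTV the stream VLAN must be the single
    upstream and the interface the TV box sits behind a downstream."""
    proxy = cfg.get("protocols", {}).get("igmp-proxy", {})
    return {name.split(" ", 1)[1]: node["role"][0]
            for name, node in proxy.items() if name.startswith("interface ")}


# Constructed fragments in config.boot syntax (not the poster's full files):
# the copy saved while Internet worked ...
INTERNET_OK = """\
interfaces {
    ethernet eth0 {
        vif 832 {
            address dhcp
            description ISP_DATA
        }
        vif 840 {
            address 192.168.255.254/24
        }
    }
}
protocols {
    igmp-proxy {
        interface eth0.840 {
            alt-subnet 0.0.0.0/0
            role upstream
        }
        interface eth2 {
            role disabled
        }
    }
}
"""
# ... and the copy saved while TV worked: data VLAN gone, eth2 is the downstream.
TV_OK = INTERNET_OK.replace(
    "        vif 832 {\n            address dhcp\n            description ISP_DATA\n        }\n", ""
).replace("role disabled", "role downstream")

if __name__ == "__main__":
    only_inet, only_tv = diff_configs(INTERNET_OK, TV_OK)
    print("only in Internet-working copy:", *only_inet, sep="\n  ")
    print("only in TV-working copy:", *only_tv, sep="\n  ")
    print("igmp-proxy roles in TV copy:", igmp_roles(parse_config(TV_OK)))
```

Run against two real config.boot files read from disk, the diff lists exactly the lines that differ between the Internet-working and TV-working states, which is what the controller's re-provisioning keeps flipping.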

jonlprd

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #92 on: 08 December 2017 at 23:13:59 »
@jonlprd I'm interested in the setup you have chosen on your switches, if you have kept the second physical LAN port on the USG. Just for info. Thanks,

Hey! Sorry for the late response. I am still working on this project, haha!

So far, the TV is working while directly connected to ETH2. However, I do think it's possible to make it work through the switch with port tagging. As soon as I get both internet and TV working together at the same time, I will attempt this next.

thefa

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #93 on: 08 December 2017 at 23:48:36 »
I had the same problem and the only way out for me was to remove the VLAN 832 from the GUI and configure the router with the JSON file. Everything is captured in the JSON I have published earlier.

flipper

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #94 on: 09 December 2017 at 22:18:29 »
A basic, slightly "dumb" question. I want to change the DNS server of my network. If I look at the properties of my local network on my tablet, I have 8.8.8.8, 8.8.8.4, but I can't find these entries in my .json config or in my interface. I have 208.67.222.222 and 208.67.220.220 as the manual DHCP name servers of my LAN. Is this normal? I would like to use the Quad9 DNS.

Nobody able to give me a hint?

jonlprd

The complete guide for USG/USG PRO (Internet, TV, Livebox & IPV6)
« Reply #95 on: 13 December 2017 at 14:22:24 »
I had the same problem and the only way out for me was to remove the VLAN 832 from the GUI and configure the router with the JSON file. Everything is captured in the JSON I have published earlier.

Which commands did you run to configure the router? Or did you manually configure the json file? I can't seem to find your json file that you published. Do you mind posting it again so I can take a look?

Thanks :)