Configuring the Ubiquiti USG for policy-based routing can be done through the config.gateway.json functionality or through the command line.

Refer to Ubiquiti support document 215458888 for details on how to translate command line configuration into a persistent config.gateway.json file that will survive between provisions of the USG.

Unfortunately, Ubiquiti has basically given up on enhancing their USG line based on Vyatta, so we’re going to have to do this ourselves.

Command line example for routing VLANs out specific interfaces

Assume the following:

  • We have three internal VLANs, 100 through 102
  • Each VLAN is assigned the IP range 192.168.<VLAN_ID>.0/24, and assigned a virtual interface of eth1.<VLAN_ID>
  • There are three VPN interfaces, vtun0 through vtun2, each connected to a different VPN endpoint
  • Each VLAN is routed to a specific VPN endpoint

  1. Enter Configuration mode:

    configure

  2. (optional) Ensure that the appropriate interfaces are set up and configured. I am configuring this routing example using OpenVPN:

    set interfaces openvpn vtun0 config-file /config/openvpn/<Endpoint 1>.ovpn
    set interfaces openvpn vtun0 description 'VPN Endpoint 1'
    set interfaces openvpn vtun1 config-file /config/openvpn/<Endpoint 2>.ovpn
    set interfaces openvpn vtun1 description 'VPN Endpoint 2'
    set interfaces openvpn vtun2 config-file /config/openvpn/<Endpoint 3>.ovpn
    set interfaces openvpn vtun2 description 'VPN Endpoint 3'
  3. Configure outbound NAT rules

    set service nat rule 5000 description 'MASQ VLAN 100 to VPN Endpoint 1'
    set service nat rule 5000 outbound-interface vtun0
    set service nat rule 5000 type masquerade
    set service nat rule 5000 protocol all
    set service nat rule 5001 description 'MASQ VLAN 101 to VPN Endpoint 2'
    set service nat rule 5001 outbound-interface vtun1
    set service nat rule 5001 type masquerade
    set service nat rule 5001 protocol all
    set service nat rule 5002 description 'MASQ VLAN 102 to VPN Endpoint 3'
    set service nat rule 5002 outbound-interface vtun2
    set service nat rule 5002 type masquerade
    set service nat rule 5002 protocol all
  4. Create a routing table for each of the VPN interfaces

    set protocols static table 10 interface-route 0.0.0.0/0 next-hop-interface vtun0
    set protocols static table 11 interface-route 0.0.0.0/0 next-hop-interface vtun1
    set protocols static table 12 interface-route 0.0.0.0/0 next-hop-interface vtun2
  5. Set the firewall source-validation parameter to loose so that reverse-path checks accept a packet as long as its source address is reachable via ANY interface, not only the interface it arrived on

    set firewall source-validation loose
  6. Assign a routing table according to source address. Ensure that inter-VLAN traffic is excluded: rule 10 keeps traffic destined for the corporate_network group in the main table, so that network-group must already exist and contain the internal VLAN ranges (its definition is not shown in these steps).

    set firewall modify IVPN_ROUTING rule 10 description 'Inter VLAN Exclusion'
    set firewall modify IVPN_ROUTING rule 10 destination group network-group corporate_network
    set firewall modify IVPN_ROUTING rule 10 modify table main
    set firewall modify IVPN_ROUTING rule 20 description 'Route VLAN 100 to VPN Endpoint 1'
    set firewall modify IVPN_ROUTING rule 20 source address 192.168.100.0/24
    set firewall modify IVPN_ROUTING rule 20 modify table 10
    set firewall modify IVPN_ROUTING rule 21 description 'Route VLAN 101 to VPN Endpoint 2'
    set firewall modify IVPN_ROUTING rule 21 source address 192.168.101.0/24
    set firewall modify IVPN_ROUTING rule 21 modify table 11
    set firewall modify IVPN_ROUTING rule 22 description 'Route VLAN 102 to VPN Endpoint 3'
    set firewall modify IVPN_ROUTING rule 22 source address 192.168.102.0/24
    set firewall modify IVPN_ROUTING rule 22 modify table 12
  7. Attach policy to VLAN interfaces

    set interfaces ethernet eth1 vif 100 firewall in modify IVPN_ROUTING
    set interfaces ethernet eth1 vif 101 firewall in modify IVPN_ROUTING
    set interfaces ethernet eth1 vif 102 firewall in modify IVPN_ROUTING
  8. Commit, save, and exit.

    commit
    save
    exit
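The support document referenced above covers translating these commands into config.gateway.json by hand. As an added example (not from this page or from Ubiquiti), the Python script below performs that translation for the steps above: it merges `set` lines into the nested JSON tree, writes a valueless leaf such as `next-hop-interface vtun0` as `"''"` and turns a repeated leaf into an array, both conventions of config.gateway.json. VALUELESS_CHILD_OF, SAMPLE_COMMANDS and the function names are this example's own.

```python
import json
import shlex

# Nodes whose next CLI token is itself a valueless node; config.gateway.json
# writes such leaves as "''". Assumption: only the node used above is listed.
VALUELESS_CHILD_OF = {"next-hop-interface"}

# Constructed sample: a subset of the commands from the steps above.
SAMPLE_COMMANDS = """\
set firewall source-validation loose
set firewall modify IVPN_ROUTING rule 10 description 'Inter VLAN Exclusion'
set firewall modify IVPN_ROUTING rule 10 destination group network-group corporate_network
set firewall modify IVPN_ROUTING rule 10 modify table main
set firewall modify IVPN_ROUTING rule 20 source address 192.168.100.0/24
set firewall modify IVPN_ROUTING rule 20 modify table 10
set protocols static table 10 interface-route 0.0.0.0/0 next-hop-interface vtun0
set service nat rule 5000 outbound-interface vtun0
set interfaces ethernet eth1 vif 100 firewall in modify IVPN_ROUTING
"""

def set_to_tree(commands: str) -> dict:
    tree = {}
    for raw in commands.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # keeps 'Inter VLAN Exclusion' as one value
        if tokens[0] != "set" or len(tokens) < 3:
            raise ValueError(f"not a set command: {line}")
        *path, leaf, value = tokens[1:]
        if leaf in VALUELESS_CHILD_OF:  # next-hop-interface vtun0 -> vtun0: "''"
            path, leaf, value = path + [leaf], value, "''"
        node = tree
        for key in path:  # descend, creating intermediate subtrees as needed
            node = node.setdefault(key, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} is both a value and a subtree")
        existing = node.get(leaf)
        if existing is None:
            node[leaf] = value
        elif isinstance(existing, dict):
            raise ValueError(f"{leaf!r} is both a value and a subtree")
        elif isinstance(existing, list):  # third and later values of a leaf
            existing.append(value)
        else:  # a repeated leaf becomes a JSON array, as config.gateway.json expects
            node[leaf] = [existing, value]
    return tree

def to_config_gateway_json(commands: str) -> str:
    return json.dumps(set_to_tree(commands), indent=2, sort_keys=True)
```

Feed it the full command list from the steps above and place the output in config.gateway.json on the controller; the corporate_network group can be generated the same way from repeated `set firewall group network-group corporate_network network ...` lines.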