coolhva / usg-kpn-ftth
USG configuration for KPN FTTH
I've been trying to get this to work on a USG-4-Pro with firmware 4.4.44 but I keep getting the following error when trying to provision:
configuration commit error.Error message: {
"DELETE": {
"failure": "0",
"success": "1"
},
"SESSION_ID": "xxxxxxxxxxxxxxxxxxxxxxxxx",
"SET": {
"error": {
"interfaces ethernet eth2 vif 6 mtu 1508": "MTU must be least than or equal to parent interface MTU\n\nValue validation failed\n",
"system offload ipv6 pppoe enable": "IPv6 forwarding must be enabled for pppoe offload\n\n�0\nValue validation failed\n"
},
"failure": "1",
"success": "1"
}
}
I've adjusted the interfaces for the USG-4-Pro basically, and left the rest the same (eth0 -> eth2 and eth1 -> eth0).
Herewith the config:
{
"system": {
"task-scheduler": {
"task": {
"postprovision": {
"executable": {
"path": "/config/scripts/post-config.d/dhcp6.sh"
},
"interval": "2m"
},
"postprovisionroutes": {
"executable": {
"path": "/config/scripts/post-config.d/setroutes.sh"
},
"interval": "2m"
}
}
},
"offload": {
"ipv6": {
"pppoe": "enable",
"vlan": "disable"
}
}
},
"firewall": {
"ipv6-name": {
"WANv6_LOCAL" : {
"rule": {
"1": {
"action": "accept",
"description": "Allow ICMPv6",
"log": "enable",
"protocol": "icmpv6"
},
"2": {
"action": "accept",
"description": "DHCPv6",
"destination": {
"port": "546"
},
"protocol": "udp",
"source": {
"port": "547"
}
}
}
},
"WANv6_IN" : {
"rule": {
"1": {
"action": "accept",
"description": "Allow ICMPv6",
"log": "enable",
"protocol": "icmpv6"
}
}
}
}
},
"interfaces": {
"ethernet": {
"eth2": {
"dhcp-options": {
"default-route": "no-update",
"default-route-distance": "1",
"name-server": "no-update"
},
"description": "WAN",
"mtu": "1512",
"vif": {
"4": {
"address": [
"dhcp"
],
"description": "IPTV",
"dhcp-options": {
"client-option": [
"send vendor-class-identifier \"IPTV_RG\";",
"request subnet-mask, routers, rfc3442-classless-static-routes;"
],
"default-route": "no-update",
"default-route-distance": "210",
"name-server": "no-update"
},
"ip": {
"source-validation": "loose"
}
},
"6": {
"firewall": {
"in": {
"ipv6-name": "WANv6_IN",
"name": "WAN_IN"
},
"local": {
"ipv6-name": "WANv6_LOCAL",
"name": "WAN_LOCAL"
},
"out": {
"ipv6-name": "WANv6_OUT",
"name": "WAN_OUT"
}
},
"pppoe": {
"2": {
"default-route": "auto",
"firewall": {
"in": {
"ipv6-name": "WANv6_IN",
"name": "WAN_IN"
},
"local": {
"ipv6-name": "WANv6_LOCAL",
"name": "WAN_LOCAL"
},
"out": {
"ipv6-name": "WANv6_OUT",
"name": "WAN_OUT"
}
},
"ipv6": {
"address": {
"autoconf": "''"
},
"dup-addr-detect-transmits": "1",
"enable": "''"
},
"mtu": "1492",
"name-server": "auto",
"password": "kpn",
"user-id": "kpn"
}
}
}
}
},
"eth0": {
"description": "LAN",
"ipv6": {
"address": {
"autoconf": "''"
},
"dup-addr-detect-transmits": "1",
"router-advert": {
"cur-hop-limit": "64",
"link-mtu": "0",
"managed-flag": "true",
"max-interval": "600",
"name-server": [
"2606:4700:4700::1111",
"2606:4700:4700::1001"
],
"other-config-flag": "false",
"prefix": {
"::/64": {
"autonomous-flag": "true",
"on-link-flag": "true",
"valid-lifetime": "2592000"
}
},
"radvd-options": "RDNSS 2606:4700:4700::1111 2606:4700:4700::1001 {};",
"reachable-time": "0",
"retrans-timer": "0",
"send-advert": "true"
}
}
}
}
},
"protocols": {
"igmp-proxy": {
"interface": {
"eth2.4": {
"alt-subnet": [
"0.0.0.0/0"
],
"role": "upstream",
"threshold": "1"
},
"eth0.4": {
"alt-subnet": [
"0.0.0.0/0"
],
"role": "downstream",
"threshold": "1"
},
"eth0": {
"role": "disabled",
"threshold": "1"
},
"eth1": {
"role": "disabled",
"threshold": "1"
}
}
},
"static": {
"interface-route6": {
"::/0": {
"next-hop-interface": {
"pppoe2": "''"
}
}
}
}
},
"port-forward": {
"wan-interface": "pppoe2"
},
"service": {
"dns": {
"forwarding": {
"except-interface": [
"pppoe2"
]
}
},
"nat": {
"rule": {
"5000": {
"description": "MASQ all traffic to IPTV network",
"destination": {
"address": "0.0.0.0/0"
},
"log": "disable",
"outbound-interface": "eth2.4",
"protocol": "all",
"type": "masquerade"
},
"6001": {
"outbound-interface": "pppoe2"
},
"6002": {
"outbound-interface": "pppoe2"
},
"6003": {
"outbound-interface": "pppoe2"
}
}
}
}
}
A bit premature, as it has only just been released, but wondering if this can/will also be supported on this new device.
I have followed the steps in the guide (https://www.vanachterberg.org/usg-kpn-ftth/posts/unifi-security-gateway-kpn-l2tp-vpn/) and I have been able to establish a VPN connection via my iPhone. When I look up my IP on my phone, it is indeed the IP address of my provider. However, I'm not able to access any internal resources. I have checked and double checked all the settings and they are exactly as in the guide. Any tips on how to troubleshoot and find a resolution?
Using this configuration, when connected to a VPN service, the client IPv6 address is leaked.
You can verify this yourself by connecting to such a provider and then visiting https://www.whatismyip.com/.
The IPv4 address will be the address from your VPN provider.
The IPv6 address is the address of your device.
How can I adapt this config to have an IPv6 address for just the USG and use IPv4 internally?
One way I can achieve this is by disabling IPv6 on every client, but that is cumbersome.
In my setup a different server is running a VPN connection and this server is both the default gateway and DNS server.
Hi,
First of all, thanks for this manual how to configure a USG with KPN, I'm using a USG 4 Pro so I had to change the ethX interfaces by the correct number and it works like a charm for internet and IPTV!
I'm only stuck on one part now, that's VPN L2TP. I placed the .sh file as mentioned and followed a YT video (https://www.youtube.com/watch?v=ote3Zv0XdyU) on how to set up the radius config, but no luck so far.
So my eth0 is LAN and eth2 is WAN for clarification.
If I ssh into my USG, enter configure and run the command "show vpn", this is the output:
ipsec {
ipsec-interfaces {
interface eth2.6
interface pppoe2
outside-address 0.0.0.0
When I try to connect using an L2TP VPN profile from my iPhone, I've set the server to my public 83.x.x.x address, filled out the account, password and secret fields, then try to connect but I get an error: "The L2TP-VPN server did not respond.". So it doesn't seem to reach the server, what am I doing wrong?
I have followed all the steps and all works except for that the IPTV hangs after a couple of seconds. It then starts again after a couple of seconds, and then stops again.
I have to add that my KPN 4k (latest model) set-top box is plugged into --> UniFi Switch 8 --> which is connected to a UniFi Switch 24 --> plugged in to the USG.
At the moment I have no custom VLANs configured. Everything is still default except for your scripts.
I have internet fine, with a couple of UniFi AP-AC-Pros, Apple TVs, Samsung TVs, Sonos and security cams in the network.
Do I have to configure the switches? Anything else?
Thanks so much for your effort!
I have been running this setup since June 2023, today I noticed that some of my ports were open (22, 53, 80, 443). I used shields up (https://www.grc.com/x/ne.dll?bh0bkyd2) to verify this. I also saw SSH attempts in my usg logfiles. I confirmed that I could SSH into my usg from my mobile connection.
I don't know if this was from the start or if it happened recently (maybe due to a UniFi update).
It took me a while to figure it out but it seems the pppoe is not seen as a WAN device so the drop rules don't apply. Based on https://gist.github.com/praseodym/cd5033c2e01a44e81362ff4898887d0d I saw that he configured the pppoe a bit differently.
So I added the firewall part and provisioned the device, this solved the issue and all my ports are stealth now.
This is the config part; I added the 'firewall' block.
"6": {
"pppoe": {
"2": {
"default-route": "auto",
"mtu": "1500",
"name-server": "auto",
"password": "kpn",
"user-id": "kpn",
"firewall": {
"in": {
"name": "WAN_IN"
},
"local": {
"name": "WAN_LOCAL"
}
}
}
}
}
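The two configuration problems raised in this thread (a PPPoE interface with no firewall policies attached, as in the open-ports report above, and a VLAN sub-interface whose MTU exceeds, or is set without, the parent interface MTU, as in the commit errors reported earlier) can both be caught before provisioning by linting config.gateway.json. The following is an added example, not code from the usg-kpn-ftth repository; the sample config, the check names and the `fix_pppoe_firewall` helper are constructed here:

```python
"""Lint a UniFi USG config.gateway.json for two problems discussed in the issues:
PPPoE interfaces with no firewall policy attached (WAN ports exposed) and
VLAN sub-interfaces whose MTU exceeds or lacks the parent MTU (commit errors).
Added example, not part of the usg-kpn-ftth repository."""
import json

# Constructed sample modelled on the configs pasted in this thread: the PPPoE
# interface carries no "firewall" block and the vif MTU exceeds the parent's.
SAMPLE_CONFIG = json.loads(r'''
{
  "interfaces": {
    "ethernet": {
      "eth0": {
        "description": "WAN",
        "mtu": "1500",
        "vif": {
          "6": {
            "mtu": "1508",
            "pppoe": {
              "2": {
                "default-route": "auto",
                "mtu": "1492",
                "user-id": "kpn",
                "password": "kpn"
              }
            }
          }
        }
      }
    }
  }
}
''')

REQUIRED_FW = ("in", "local")  # policies every WAN-facing interface should carry


def _mtu(node):
    """Return an interface's configured MTU as int, or None if unset."""
    value = node.get("mtu")
    return int(value) if value is not None else None


def lint_config(config):
    """Return a list of (path, message) findings; an empty list means clean."""
    findings = []
    ethernets = config.get("interfaces", {}).get("ethernet", {})
    for eth, eth_cfg in ethernets.items():
        parent_mtu = _mtu(eth_cfg)
        for vid, vif_cfg in eth_cfg.get("vif", {}).items():
            vif_path = f"interfaces ethernet {eth} vif {vid}"
            vif_mtu = _mtu(vif_cfg)
            # EdgeOS rejects a VLAN MTU larger than the parent's; a vif MTU
            # without a parent MTU in the JSON relies on a script to set it later.
            if vif_mtu is not None and parent_mtu is None:
                findings.append((vif_path, f"mtu {vif_mtu} set but parent {eth} mtu not configured"))
            elif vif_mtu is not None and parent_mtu is not None and vif_mtu > parent_mtu:
                findings.append((vif_path, f"mtu {vif_mtu} exceeds parent mtu {parent_mtu}"))
            for pid, ppp_cfg in vif_cfg.get("pppoe", {}).items():
                ppp_path = f"{vif_path} pppoe {pid}"
                fw = ppp_cfg.get("firewall", {})
                for direction in REQUIRED_FW:
                    if "name" not in fw.get(direction, {}):
                        findings.append((ppp_path, f"no IPv4 firewall policy for '{direction}'"))
    return findings


def fix_pppoe_firewall(config, in_name="WAN_IN", local_name="WAN_LOCAL"):
    """Return a deep copy of config with WAN_IN/WAN_LOCAL attached to every
    PPPoE interface that lacks them (the change described in the post above)."""
    fixed = json.loads(json.dumps(config))
    for eth_cfg in fixed.get("interfaces", {}).get("ethernet", {}).values():
        for vif_cfg in eth_cfg.get("vif", {}).values():
            for ppp_cfg in vif_cfg.get("pppoe", {}).values():
                fw = ppp_cfg.setdefault("firewall", {})
                fw.setdefault("in", {}).setdefault("name", in_name)
                fw.setdefault("local", {}).setdefault("name", local_name)
    return fixed


if __name__ == "__main__":
    for path, msg in lint_config(SAMPLE_CONFIG):
        print(f"{path}: {msg}")
    print("after fix:", lint_config(fix_pppoe_firewall(SAMPLE_CONFIG)))
```

Run it against your own file with `lint_config(json.load(open("config.gateway.json")))`; only the MTU finding remains after `fix_pppoe_firewall`, since that has to be corrected by hand.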
Hi Coolvha,
Awesome work, some feedback.
First issue I had with firmware 4.4.56 was the error message on the command line: /bin/vbash^M: bad interpreter: No such file or directory.
Solution: run this command line: sed -i -e 's/\r$//' kpn.sh
The second problem error was: no such file or directory /var/log/kpn.log
Made the file by hand in /var/log/ and all was fine.
Again, awesome work, thank you.
I used your config and when I want to start the IPTV decoder I get an error. At 85% it stops loading and I get the error code 561. Any idea what this can be?
When using a remote controller and you reset the USG, it will not deploy before you put the scripts in the post-config.d folder.
Hi, everything seems to work fine on my USG 4P but no luck with IPv6.
With show interfaces I see an address on my LAN interface, and with show interfaces pppoe pppoe2 log | match "IPV6|LL" I can see the local and remote address. Also my Windows computer is getting an IPv6 IP, but I can't ping any IPv6 address and the ipv6test fails.
What am I doing wrong?
After provisioning the USG I get error 301. The script and JSON run as they should and KPN DNS is used in the ITV VLAN.
Hey coolhva and others,
I got my USG yesterday, provisioned it, added your script, and made it work (on subnet 192.168.1.0/24). But when I wanted to change the LAN IP to not automatically expand the subnet by usage, I couldn't change the IP address and subnet anymore to 192.168.3.254/24.
I tried to set up the internal LAN to a different IP, but I keep getting the response that the controller has reserved 0.0.0.0/255.255.255.255 for the WAN port.
Then I tried it again from scratch, so provisioning, a reset UniFi Controller (by removing the devices from the mongodb); I had to first put the USG in the same subnet, which is understandable. Then I added your scripts again. And then I had an internet connection, I haven't tried IPTV yet though. But when I saw I forgot to put in my own DNS server (192.168.3.1), I wanted to change that, and there again I still get the same error for the same fields, which I didn't even change.
If you need logfiles for anything specific let me know, I will try to expand the post if I find out more.
Oh and by the way, really appreciate the repository! Keep up the good work! :)
Edit with workaround:
With the setting "use old UI" you will be able to change the LAN settings.
First of all, thanks for sharing your USG configuration.
I was going over the config and noticed that you're using Cloudflare's IPv6 name-servers:
"name-server": [
"2606:4700:4700::1111",
"2606:4700:4700::1001"
I'm assuming this is just personal preference, but curious to know why you decided to go with this rather than KPN's name-servers:
2a02:a47f:e000::53
2a02:a47f:e000::54
After reboot of my USG 4 Pro, the VPN connection can be setup.
After 5 minutes or so, the VPN will be disconnected, and it can't connect anymore.
After manually executing the setvpn.sh the connection can be made, but even after 5 minutes the connection will be terminated.
After enabling IDS (or IPS) and enabling all rules, the engine is not working (running an IPS test like curl -A "BlackSun" www.google.com doesn't trigger an alert on the firewall (USG 3.0)). DNS is working, so that's not the issue.
Suricata.log (/var/log/suricata) is showing the following details:
[4799] 1/3/2022 -- 11:43:24 - (suricata.c:1107) (LogVersion) -- This is Suricata version 4.0.5
[4806] 1/3/2022 -- 11:44:01 - (runmodes.c:647) (RunModeInitializeEveOutput) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named eve-log.files
[4938] 1/3/2022 -- 11:44:01 - (util-ioctl.c:317) (SetEthtoolValue) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'eth1': Operation not supported (122)
[4938] 1/3/2022 -- 11:44:01 - (util-ioctl.c:399) (GetIfaceOffloadingLinux) -- [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on eth1: SG: SET, GRO: unset, LRO: unset, TSO: unset, GSO: unset. Run: ethtool -K eth1 sg off gro off lro off tso off gso off
[4806] 1/3/2022 -- 11:44:01 - (tm-threads.c:2182) (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[4806] 1/3/2022 -- 11:48:20 - (detect-engine.c:2911) (DetectEngineReload) -- rule reload starting
[4806] 1/3/2022 -- 11:48:55 - (detect-engine.c:2973) (DetectEngineReload) -- rule reload complete
[4806] 3/3/2022 -- 00:02:08 - (detect-engine.c:2911) (DetectEngineReload) -- rule reload starting
[4806] 3/3/2022 -- 00:02:44 - (detect-engine.c:2973) (DetectEngineReload) -- rule reload complete
It seems to be related to offloading settings on the eth1 interface.
Can someone help me out? I'm running the config.gateway.json with ipv6 enabled and iptv on a different vlan.
Hey, your script works for my default LAN, the IPv6 part: clients are getting an IPv6 address.
But I have a few more VLANs (iot, homelab).
How can I get IPv6 for these VLANs? I tried
https://gist.github.com/coolhva/31d19f62c4b50d24f4ee428b8b359193
But my internet won't come online. I've edited the eth1.10 part to match mine, which is eth1.30.
I've saved the JSON, reprovisioned and rebooted several times.
On a working config on the USG "show interfaces" I see the IPv6 working on eth1; on the edited one there's no IPv6 at all and no internet.
Hi,
First of all, thanks for the config files and scripts. I was using KPN in bridge mode instead of routed, and it stopped working yesterday.
When I try to upload your config to my USG, I get the following error:
{"DELETE":{"failure":"0","success":"1"},"SESSION_ID":"fb5867358399afc498daefc55d","SET":{"error":{"interfaces ethernet eth0 vif 6 mtu 1508":"MTU must be least than or equal to parent interface MTU\n\nValue validation failed\n"},"failure":"1","success":"1"}}
This is quite strange as all the config appears to be correct. I'm using the latest version of the controller and USG firmware.
Have you ever encountered this before?
Thnx
When using the config.gateway.json on my USG (Model: UniFi-Gateway-3, Version: 4.4.44.5213844) the VPN section results in a commit failure causing a boot loop.
Message:
[commit error] VPN Warning: IPSec configured but no site-to-site peers or l2tp remote-users configured
Removing this section solves the problem and results in (so far) stable IPTV and internet.
First of all thanks for your work on this. It works like a charm, and thanks to your scripts in under 15 minutes!
Is it possible to use the WAN2 port of the USG as the connection to the fiber box (Nokia in my case), instead of WAN1? Could it be as simple as to substitute eth0 for eth2 in the json and kpn.sh?
As an alternative, is it possible to use the WAN2 port as the IPTV output port, to directly connect the IPTV box? What would need to be changed in the config to achieve this?
thanks again!
Hi,
I'm running into some issues with migrating the controller to a Cloud Key Gen 2 (from Docker) and I don't know if it is something with your config or a vendor bug.
Running your setup with a controller running in a Docker container (version 7.3.76 Build: atag_7.3.76_19582) has no issues. But after migration to a Cloud Key Gen 2 with Network Application (version 7.3.76 Build: atag_7.3.76_19582) I had some random internet drops (sometimes after 5 minutes, sometimes after an hour).
For the migration I had created a full backup and restored it on the Cloud Key. So far so good, everything was working without any problems. Except that my internet keeps dropping randomly.
I did some research in the logging and found out that the kpn.sh script has run around the time of the internet drops. The logging says because of a config change, but I didn't make any changes to the config. The new UI shows the status 'Getting Ready' when my internet has dropped. So it looks like the controller on the CK keeps provisioning the USG for some reason. And then the kpn script runs to set the config / routes correctly. The strange thing is, I didn't have this problem with the controller in Docker, with the same version.
The kpn.log when connected to the Cloud Key:
After provisioning (on new CK):
[Wed Feb 1 08:59:38 CET 2023] [set-kpn-hook.sh] Executed at Wed Feb 1 08:59:38 CET 2023
[Wed Feb 1 08:59:38 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Wed Feb 1 09:00:01 CET 2023] [kpn.sh] Executed at Wed Feb 1 09:00:01 CET 2023
[Wed Feb 1 09:00:01 CET 2023] [kpn.sh] creating lock file at /config/scripts/post-config.d/kpn.lock
[Wed Feb 1 09:00:01 CET 2023] [kpn.sh] KPN found in crontab, removing /etc/cron.d/kpn
[Wed Feb 1 09:00:02 CET 2023] [kpn.sh] MTU for eth0 not configured, adjusting config
[Wed Feb 1 09:00:02 CET 2023] [kpn.sh] Disconnecting pppoe2 before changing MTU
Interface pppoe2: Connection is already down
[Wed Feb 1 09:00:02 CET 2023] [kpn.sh] Setting mtu for eth0 to 1512
[Wed Feb 1 09:00:03 CET 2023] [kpn.sh] Setting mtu for eth0 vif 6 to 1508
[Wed Feb 1 09:00:03 CET 2023] [kpn.sh] Commiting
[Wed Feb 1 09:00:13 CET 2023] [set-kpn-hook.sh] Executed at Wed Feb 1 09:00:13 CET 2023
[Wed Feb 1 09:00:13 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Wed Feb 1 09:00:13 CET 2023] [kpn.sh] Connecting pppoe2 after changing MTU
Bringing interface pppoe2 up...
[Wed Feb 1 09:00:13 CET 2023] [kpn.sh] removing lock file at /config/scripts/post-config.d/kpn.lock
[Wed Feb 1 09:01:01 CET 2023] [kpn.sh] Executed at Wed Feb 1 09:01:01 CET 2023
[Wed Feb 1 09:01:01 CET 2023] [kpn.sh] creating lock file at /config/scripts/post-config.d/kpn.lock
[Wed Feb 1 09:01:01 CET 2023] [kpn.sh] KPN found in crontab, removing /etc/cron.d/kpn
[Wed Feb 1 09:01:01 CET 2023] [kpn.sh] removing lock file at /config/scripts/post-config.d/kpn.lock
[Wed Feb 1 09:01:01 CET 2023] [kpn.sh] Finished
[Wed Feb 1 09:05:01 CET 2023] [kpn.sh] Executed at Wed Feb 1 09:05:01 CET 2023
[Wed Feb 1 09:05:01 CET 2023] [kpn.sh] creating lock file at /config/scripts/post-config.d/kpn.lock
[Wed Feb 1 09:05:01 CET 2023] [kpn.sh] KPN found in crontab, removing /etc/cron.d/kpn
[Wed Feb 1 09:05:01 CET 2023] [kpn.sh] MTU for eth0 not configured, adjusting config
[Wed Feb 1 09:05:01 CET 2023] [kpn.sh] Disconnecting pppoe2 before changing MTU
Interface pppoe2: Connection is already down
[Wed Feb 1 09:05:02 CET 2023] [kpn.sh] Setting mtu for eth0 to 1512
[Wed Feb 1 09:05:02 CET 2023] [kpn.sh] Setting mtu for eth0 vif 6 to 1508
[Wed Feb 1 09:05:02 CET 2023] [kpn.sh] Commiting
[Wed Feb 1 09:05:12 CET 2023] [set-kpn-hook.sh] Executed at Wed Feb 1 09:05:12 CET 2023
[Wed Feb 1 09:05:12 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Wed Feb 1 09:05:12 CET 2023] [kpn.sh] Connecting pppoe2 after changing MTU
Bringing interface pppoe2 up...
[Wed Feb 1 09:05:13 CET 2023] [kpn.sh] removing lock file at /config/scripts/post-config.d/kpn.lock
[Wed Feb 1 09:06:01 CET 2023] [kpn.sh] Executed at Wed Feb 1 09:06:01 CET 2023
[Wed Feb 1 09:06:01 CET 2023] [kpn.sh] creating lock file at /config/scripts/post-config.d/kpn.lock
[Wed Feb 1 09:06:01 CET 2023] [kpn.sh] KPN found in crontab, removing /etc/cron.d/kpn
[Wed Feb 1 09:06:01 CET 2023] [kpn.sh] removing lock file at /config/scripts/post-config.d/kpn.lock
[Wed Feb 1 09:06:01 CET 2023] [kpn.sh] Finished
I've searched in the issues and found out I can set the MTU in the config.gateway.json. After I did this, my internet didn't drop anymore, jeej! But after looking at the kpn.log I still see some activity:
kpn.log after putting the MTU in the config.gateway.json:
[Tue Feb 7 21:27:12 CET 2023] [kpn.sh] Executed at Tue Feb 7 21:27:12 CET 2023
[Tue Feb 7 21:27:12 CET 2023] [kpn.sh] creating lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 21:27:12 CET 2023] [kpn.sh] routes dhcp hook does not exist
[Tue Feb 7 21:27:12 CET 2023] [kpn.sh] Creating dhcp hook at /etc/dhcp3/dhclient-exit-hooks.d/routes
[Tue Feb 7 21:27:12 CET 2023] [kpn.sh] Release dhcp interface eth0.4
Releasing DHCP lease on eth0.4 ...
[Tue Feb 7 21:27:16 CET 2023] [kpn.sh] Renew dhcp interface eth0.4
Renewing DHCP lease on eth0.4 ...
[Tue Feb 7 21:27:18 CET 2023] [kpn.sh] Restarting IGMP proxy
Warning: igmpproxy not running.
The IGMP proxy service will be started after commit. Check /var/log/messages.
[Tue Feb 7 21:27:20 CET 2023] [kpn.sh] The file /etc/commit/post-hooks.d/set-kpn-hook.sh does not exists, creating hook now
[Tue Feb 7 21:27:20 CET 2023] [kpn.sh] removing lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 21:27:20 CET 2023] [kpn.sh] Finished
[Tue Feb 7 21:33:03 CET 2023] [set-kpn-hook.sh] Executed at Tue Feb 7 21:33:03 CET 2023
[Tue Feb 7 21:33:03 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Tue Feb 7 21:34:01 CET 2023] [kpn.sh] Executed at Tue Feb 7 21:34:01 CET 2023
[Tue Feb 7 21:34:01 CET 2023] [kpn.sh] creating lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 21:34:01 CET 2023] [kpn.sh] KPN found in crontab, removing /etc/cron.d/kpn
[Tue Feb 7 21:34:02 CET 2023] [kpn.sh] removing lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 21:34:02 CET 2023] [kpn.sh] Finished
[Tue Feb 7 21:47:11 CET 2023] [set-kpn-hook.sh] Executed at Tue Feb 7 21:47:11 CET 2023
[Tue Feb 7 21:47:11 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Tue Feb 7 21:48:01 CET 2023] [kpn.sh] Executed at Tue Feb 7 21:48:01 CET 2023
[Tue Feb 7 21:48:01 CET 2023] [kpn.sh] creating lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 21:48:01 CET 2023] [kpn.sh] KPN found in crontab, removing /etc/cron.d/kpn
[Tue Feb 7 21:48:02 CET 2023] [kpn.sh] removing lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 21:48:02 CET 2023] [kpn.sh] Finished
[Tue Feb 7 22:02:11 CET 2023] [set-kpn-hook.sh] Executed at Tue Feb 7 22:02:11 CET 2023
[Tue Feb 7 22:02:11 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Tue Feb 7 22:03:02 CET 2023] [kpn.sh] Executed at Tue Feb 7 22:03:02 CET 2023
[Tue Feb 7 22:03:02 CET 2023] [kpn.sh] creating lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 22:03:02 CET 2023] [kpn.sh] KPN found in crontab, removing /etc/cron.d/kpn
[Tue Feb 7 22:03:02 CET 2023] [kpn.sh] removing lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 22:03:02 CET 2023] [kpn.sh] Finished
[Tue Feb 7 22:17:11 CET 2023] [set-kpn-hook.sh] Executed at Tue Feb 7 22:17:11 CET 2023
[Tue Feb 7 22:17:11 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Tue Feb 7 22:18:01 CET 2023] [kpn.sh] Executed at Tue Feb 7 22:18:01 CET 2023
[Tue Feb 7 22:18:01 CET 2023] [kpn.sh] creating lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 22:18:01 CET 2023] [kpn.sh] KPN found in crontab, removing /etc/cron.d/kpn
[Tue Feb 7 22:18:01 CET 2023] [kpn.sh] removing lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 22:18:01 CET 2023] [kpn.sh] Finished
[Tue Feb 7 22:32:11 CET 2023] [set-kpn-hook.sh] Executed at Tue Feb 7 22:32:11 CET 2023
[Tue Feb 7 22:32:11 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Tue Feb 7 22:33:01 CET 2023] [kpn.sh] Executed at Tue Feb 7 22:33:01 CET 2023
[Tue Feb 7 22:33:01 CET 2023] [kpn.sh] creating lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 22:33:01 CET 2023] [kpn.sh] KPN found in crontab, removing /etc/cron.d/kpn
[Tue Feb 7 22:33:01 CET 2023] [kpn.sh] removing lock file at /config/scripts/post-config.d/kpn.lock
[Tue Feb 7 22:33:01 CET 2023] [kpn.sh] Finished
When I move back to my original controller (in Docker) I only see one run of the kpn.sh script until I reboot the USG (or make a change that triggers a provisioning).
As far as I know there are no parsing issues of the config.gateway.json on the Cloud Key, because everything is working as expected and I didn't see any errors in the controller web page or logs.
I've also tried a factory reset of the Cloud Key and USG and started from scratch, with the same behaviour.
Is this an issue somewhere or expected behaviour? (Because I didn't see any runs on my old Docker controller and my internet drops when I don't put the MTU in the config.gateway.json.)
And is there any explanation why this only occurs on the Cloud Key and not on the Docker controller, and could it have any relationship with the config? A last note: as you can see in the log file the time between commits is exactly 15 minutes, which is more likely to be a vendor issue than a config issue.
I hope you can help find the cause of this (for me strange) behaviour.
Thanks in advance!
-Sander
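The 15-minute pattern Sander reads off the kpn.log above can be checked mechanically instead of by eye: parse every "Configuration changes have been commited" line written by set-kpn-hook.sh and look for a run of near-identical gaps between commits. This is an added example, not part of the usg-kpn-ftth scripts; the sample log is a constructed, abridged copy of the excerpt above and the tolerance and repeat thresholds are assumptions.

```python
"""Detect periodic re-provisioning in a USG kpn.log: if set-kpn-hook.sh keeps
reporting committed configuration changes at a fixed interval while nobody is
touching the controller, the controller is re-pushing config in a loop.
Added example, not part of the usg-kpn-ftth scripts."""
from datetime import datetime, timedelta
import re

# Constructed sample, abridged from the kpn.log excerpt in the issue above.
SAMPLE_LOG = """\
[Tue Feb 7 21:27:12 CET 2023] [kpn.sh] Executed at Tue Feb 7 21:27:12 CET 2023
[Tue Feb 7 21:33:03 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Tue Feb 7 21:34:01 CET 2023] [kpn.sh] Executed at Tue Feb 7 21:34:01 CET 2023
[Tue Feb 7 21:47:11 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Tue Feb 7 22:02:11 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Tue Feb 7 22:17:11 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
[Tue Feb 7 22:32:11 CET 2023] [set-kpn-hook.sh] Configuration changes have been commited, adding crontab for kpn.sh
"""

# "[<date>] [<script>] <message>" as written by the scripts' log lines.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<script>[^\]]+)\] (?P<msg>.*)$")
# The timestamp is `date` output; the zone name is matched literally (assumed CET).
TS_FMT = "%a %b %d %H:%M:%S CET %Y"
COMMIT_MSG = "Configuration changes have been commited"  # spelling as in the log


def parse_commits(text):
    """Return the timestamps of every commit notification from set-kpn-hook.sh."""
    commits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["script"] != "set-kpn-hook.sh":
            continue
        if COMMIT_MSG in m["msg"]:
            commits.append(datetime.strptime(m["ts"], TS_FMT))
    return commits


def find_periodic_commits(commits, min_repeats=3, tolerance=timedelta(seconds=30)):
    """Return the repeating gap between commits if at least `min_repeats`
    consecutive gaps agree within `tolerance`; otherwise return None."""
    gaps = [later - earlier for earlier, later in zip(commits, commits[1:])]
    run = 1  # length of the current run of matching gaps
    for prev, cur in zip(gaps, gaps[1:]):
        if abs(cur - prev) <= tolerance:
            run += 1
            if run >= min_repeats:
                return cur
        else:
            run = 1
    return None


if __name__ == "__main__":
    period = find_periodic_commits(parse_commits(SAMPLE_LOG))
    if period is None:
        print("no periodic re-provisioning detected")
    else:
        print(f"controller re-provisions every {period}; check the controller, not the config")
```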
This place is probably my last resort to ask. So bear with me if you can :-)
I am running controller version atag_5.13.29_13635 with software 4.4.51.5287926 on my USG. My controller is on the internet, so I have to connect my unprovisioned USG to the Experiabox, provision without the gateway-config.json, copy the scripts, copy the JSON file and then force provision. Before I reboot I connect the USG directly to the fiber modem.
After the reboot everything comes online and works like a charm: internet, IPTV and IPv6. But after I apply a config change that requires a provision, the USG gets stuck in a provision loop and stops talking to the controller. I see errors in the log like:
user.err syslog: ace_reporter.reporter_fail(): Unknown[11]
Anyone seen this behavior?
usg-kpn-ftth/config.gateway.json, line 212 in 643d2c4:
TODO: Test if it works with 0.0.0.0/0 instead. This way, if the static route changes, everything will continue to work.
I had this strange issue: after upgrading my UniFi Controller and Switch firmware this weekend, IPTV stopped working. When I restarted the USG 3P, it didn't come up anymore, so I had no other choice than resetting it.
Now I am not sure whether I used the solution on this repo completely before. Since it looks really clean and stable, I wanted to implement it completely. Now after setting up all the files, IPTV still didn't work. Apparently I removed the software from Arris and had to download/install it again. However, this didn't succeed, because after the TV showed 'configuration activated', it gave an exception dialog with Error 651.
No matter what I did, I couldn't get it to work with the routes file. I finally excluded the setroutes.sh script and replaced it with Bas Meerman's solution. This works fine, so now I do have IPTV and IPv6 working smoothly, but it's not the way I want it to work.
Two questions:
After following the instructions
The only thing that is visible in the log is the started execution time and creating lock file.
No further information and/or action is visible. There is also no internet connection.
I have installed a pi-hole DNS and a cloudflare proxy in my network.
All the clients use the pi-hole DNS and pi-hole in turn uses the cloudflare proxy to perform DNS over HTTPS.
It is only my Android phone that manages to use a different DNS somehow, and so I thought it should be possible to redirect any device trying to use a different DNS server than my pi-hole back to my pi-hole again.
In the future there might be other devices in the network that try to dial 8.8.8.8 or 8.8.4.4 or use DNS without HTTPS on other DNS services.
After some googling I found an example of which the poster says it works, but on my gateway it unfortunately does not.
The config looks like below.
Do you know if such a redirect is possible?
Would I need to specify such redirects for ipv6 explicitly also?
"nat": {
"rule": {
"1":{
"description":"DNS Redirect",
"destination":{
"port":"53"
},
"inbound-interface":"eth1",
"inside-address":{
"address":"192.168.1.2",
"port":"53"
},
"source":{
"address":"!192.168.1.2"
},
"log":"disable",
"protocol":"tcp_udp",
"type":"destination"
},
"5000": {
"description": "MASQ all traffic to IPTV network",
"destination": {
"address": "0.0.0.0/0"
},
"log": "disable",
"outbound-interface": "eth0.4",
"protocol": "all",
"type": "masquerade"
},
"5001":{
"description":"Translate DNS to Internal",
"destination":{
"address":"192.168.1.2",
"port":"53"
},
"log":"disable",
"outbound-interface":"eth1",
"protocol":"tcp_udp",
"type":"masquerade"
},
"6001": {
"outbound-interface": "pppoe2"
},
"6002": {
"outbound-interface": "pppoe2"
},
"6003": {
"outbound-interface": "pppoe2"
}
}
},
Or do I perhaps have to replace the cloudflare DNS with my pi-hole's address?
And if so, should that be an IPv6 address or can that be an IPv4 address?
"0:0:0:0:0:ffff:c0a8:102"
"eth1": {
"description": "LAN",
"ipv6": {
"address": {
"autoconf": "''"
},
"dup-addr-detect-transmits": "1",
"router-advert": {
"cur-hop-limit": "64",
"link-mtu": "0",
"managed-flag": "true",
"max-interval": "600",
"name-server": [
"2606:4700:4700::1111",
"2606:4700:4700::1001"
],
"other-config-flag": "false",
"prefix": {
"::/64": {
"autonomous-flag": "true",
"on-link-flag": "true",
"valid-lifetime": "2592000"
}
},
"radvd-options": "RDNSS 2606:4700:4700::1111 2606:4700:4700::1001 {};",
"reachable-time": "0",
"retrans-timer": "0",
"send-advert": "true"
}
}
}
Would it be possible to bridge the incoming VoIP VLAN to LAN2 (or a VLAN on LAN1)? Currently I use a switch between the NTU and the WAN to split the VLAN off to the Experiabox; I am using the Experiabox purely as a VoIP converter.
Not sure if this is a bug or something I did wrong...
I followed the page for my USG Pro 4 and changed the eth ports accordingly so it matches the Pro and not the USG (which I didn't do before, and put the Pro in a provisioning loop, facepalm).
So with correct settings I provisioned the Pro,
but when I run show interfaces
it's not showing the pppoe2 interface...
Also no internet access.
Rebooted multiple times.
Am I missing something?
@UniFiSecurityGatewayPRO:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
eth0 192.168.187.200/24 u/u LAN
eth0.99 192.168.99.1/24 u/u
eth0.107 192.168.107.1/24 u/u
eth1 - A/D
eth2 - u/u WAN
eth2.4 10.87.202.38/22 u/u IPTV
eth2.6 - u/u
eth3 - A/D
lo 127.0.0.1/8 u/u
::1/128
Also I was a Telfort user but was transferred to KPN last year due to the takeover.
First of all: thanks for sharing this. Super useful!
In your instructions, you mention that due to a bug, we cannot configure IPv6 properly via JSON. It seems, however, that the bug was fixed.
Does that mean we can get rid of the dhcp6.sh now and incorporate the IPv6 config in the JSON file? If so, how do we go about that?
Do you know if there is a way to export the current USG configuration in the json format required for config.gateway.json.
This would allow me to configure a lot using the UI, make some minor tweaks directly on the USG and then store the result as a backup.
I found this command: mca-ctrl -t dump-cfg.
Do you know if its output is the correct schema?
Hi,
I followed your guide to set up the USG3 with KPN FTTH, including IPTV. This works great and both internet and TV work!
I noticed that when I go to whatismyip.com it shows my IPv6 address, but I expected IPv6 to only be used internally. I followed your guide for debugging (link) and see I have two IPv6 subnets when running show interfaces, while your screenshot only has one.
Two questions :
Thank you for your efforts !
Michel
Is it normal that when the USG provisions, for example when changing a firewall setting in the controller, the IPv6 goes down for 2 minutes waiting for the script to run?
I thought it was just needed at boot, but maybe I was wrong.
The zip works perfectly well, but after a few hours the USG rebooted once and then restarted the PPPoE connection 20 minutes later, dropping all traffic for 5 minutes each time.
Hi all,
I noticed that my IPTV isn't working after a power outage. Cloud Key and USG boot up and everything is up and running. Apps on the KPN TV settop box work. Streaming earlier programs works. Watching live TV doesn't.
Logging onto the USG and performing an igmp-proxy restart command does the trick. Although I would expect the script to take care of this...
Any tips on debugging?
Thanks! Friso
Dear Coolhva,
Is it possible that the igmp-proxy.example.json is missing?
I am unable to find it.
Thank you very much for your time and for the great information in regards to this topic!
yours sincerely,
Davetin
The XS4ALL IPv6 configuration adds one additional line which is not compatible with KPN; therefore a different branch should be created.
Hi all - I'm coming from a previous config (https://github.com/basmeerman/unifi-usg-kpn) to this config as I wanted IPv6, and getting this error after triggering a provision on the USG (version 4.4.55.5377096):
Apr 19 21:01:31 USG mcad: mcad[3208]: ace_reporter.reporter_handle_response(): edgemax apply config failed (error code: 2)
Apr 19 21:01:31 USG mcad: mcad[3208]: ace_reporter.reporter_handle_response(): commit errors, {"DELETE": {"failure": "0", "success": "1"}, "SESSION_ID": "e33d853246028b366d5ab45579", "SET": {"error": {"interfaces ethernet eth0 vif 6 mtu 1508": "MTU must be least than or equal to parent interface MTU\n\nValue validation failed\n"}, "failure": "1", "success": "1"}}#012
Weird thing is that the MTU of vif 6 (1508) is less than the parent eth0 (1512). Any ideas?
Also posted this on the Tweakers topic
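As an added example (not code from this repository or its author), a small checker that applies the two commit-validation rules quoted in this thread to a config.gateway.json: a VLAN sub-interface (vif) MTU may not exceed its parent's MTU, and system offload ipv6 pppoe requires ipv6 forwarding. The sample config and the assumed default parent MTU of 1500 (used when the JSON leaves mtu unset) are constructed for the example.

```python
"""Check a config.gateway.json fragment against two USG commit rules.

Added example, not part of the usg-kpn-ftth repository. The sample
configuration below is constructed to mirror the failing case in the
thread: vif 6 asks for 1508 while the parent eth0 sets no MTU.
"""
import json

# Constructed sample config (the embedded quotes inside the client-option
# string must be escaped as \" for the file to be valid JSON).
SAMPLE = json.loads(r"""{
  "system": {"offload": {"ipv6": {"pppoe": "enable", "vlan": "disable"}}},
  "interfaces": {"ethernet": {"eth0": {
      "description": "WAN",
      "vif": {"4": {"mtu": "1500",
                    "dhcp-options": {"client-option":
                      ["send vendor-class-identifier \"IPTV_RG\";"]}},
              "6": {"mtu": "1508"}}}}}
}""")

DEFAULT_MTU = 1500  # assumption: parent MTU when the JSON does not set one


def check_vif_mtu(cfg, default_mtu=DEFAULT_MTU):
    """Return one message per vif whose MTU exceeds its parent's MTU."""
    problems = []
    for name, eth in cfg.get("interfaces", {}).get("ethernet", {}).items():
        parent = int(eth.get("mtu", default_mtu))
        for vid, vif in eth.get("vif", {}).items():
            child = int(vif.get("mtu", default_mtu))
            if child > parent:
                problems.append(f"{name} vif {vid} mtu {child} > parent mtu {parent}")
    return problems


def check_ipv6_offload(cfg):
    """Return a message if ipv6 pppoe offload is on without ipv6 forwarding."""
    ipv6 = cfg.get("system", {}).get("offload", {}).get("ipv6", {})
    if ipv6.get("pppoe") == "enable" and ipv6.get("forwarding") != "enable":
        return ["system offload ipv6 pppoe enable requires ipv6 forwarding enable"]
    return []


def validate(cfg):
    """All problems the USG commit would report for this fragment."""
    return check_vif_mtu(cfg) + check_ipv6_offload(cfg)


if __name__ == "__main__":
    for line in validate(SAMPLE):
        print("commit would fail:", line)
```

Setting an explicit "mtu" on the parent eth0 (1512 in the repository's config) and adding "forwarding": "enable" under offload ipv6 makes the sample pass.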
Recently I setup a site-to-site vpn to 2 of my friends (2 separate connections)
The IP ranges are:
Mine: 10.72.0.0/24 (LAN), 10.72.10.0/24 (IPTV network), 10.72.20.0/24 (IOT)
Friend 1: 10.72.200.0/24 (Interface VTI64)
Friend 2: 10.0.0.0/16 (Interface VTI65)
Friend 2 is hosting a Plex server but with the configuration from this repository the answer I get from his server is routed wrongly (I can see the response on the USG but not on my PC (or any other device))
I have also tested it without any custom configuration (i.e. without IPTV and IPv6) and then it works perfectly fine.
Routes:
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
K>* 0.0.0.0/0 is directly connected, pppoe2
S>* 10.0.0.0/16 [30/0] is directly connected, vti65
C>* 10.72.0.0/24 is directly connected, eth1
C>* 10.72.10.0/24 is directly connected, eth1.200
C>* 10.72.20.0/24 is directly connected, eth1.20
S>* 10.72.200.0/24 [30/0] is directly connected, vti64
C>* 10.129.144.0/20 is directly connected, eth0.4
C>* 127.0.0.0/8 is directly connected, lo
C>* 195.190.228.17/32 is directly connected, pppoe2
K>* 213.75.112.0/21 via 10.129.144.1, eth0.4
config.gateway.json
{
"system": {
"task-scheduler": {
"task": {
"postprovision": {
"executable": {
"path": "/config/scripts/post-config.d/dhcp6.sh"
},
"interval": "2m"
},
"postprovisionroutes": {
"executable": {
"path": "/config/scripts/post-config.d/setroutes.sh"
},
"interval": "2m"
}
}
},
"offload": {
"ipv4": {
"forwarding": "enable",
"gre": "enable",
"pppoe": "enable",
"vlan": "enable"
},
"ipv6": {
"forwarding": "enable",
"pppoe": "enable",
"vlan": "disable"
}
}
},
"firewall": {
"ipv6-name": {
"WANv6_LOCAL": {
"rule": {
"1": {
"action": "accept",
"description": "Allow ICMPv6",
"log": "enable",
"protocol": "icmpv6"
},
"2": {
"action": "accept",
"description": "DHCPv6",
"destination": {
"port": "546"
},
"protocol": "udp",
"source": {
"port": "547"
}
}
}
},
"WANv6_IN": {
"rule": {
"1": {
"action": "accept",
"description": "Allow ICMPv6",
"log": "enable",
"protocol": "icmpv6"
}
}
}
}
},
"interfaces": {
"ethernet": {
"eth0": {
"dhcp-options": {
"default-route": "no-update",
"default-route-distance": "1",
"name-server": "no-update"
},
"description": "WAN",
"vif": {
"4": {
"address": [
"dhcp"
],
"description": "IPTV",
"dhcp-options": {
"client-option": [
"send vendor-class-identifier \"IPTV_RG\";",
"request subnet-mask, routers, rfc3442-classless-static-routes;"
],
"default-route": "no-update",
"default-route-distance": "210",
"name-server": "update"
},
"ip": {
"source-validation": "loose"
},
"mtu": "1500"
},
"6": {
"firewall": {
"in": {
"ipv6-name": "WANv6_IN",
"name": "WAN_IN"
},
"local": {
"ipv6-name": "WANv6_LOCAL",
"name": "WAN_LOCAL"
},
"out": {
"ipv6-name": "WANv6_OUT",
"name": "WAN_OUT"
}
},
"pppoe": {
"2": {
"default-route": "auto",
"firewall": {
"in": {
"ipv6-name": "WANv6_IN",
"name": "WAN_IN"
},
"local": {
"ipv6-name": "WANv6_LOCAL",
"name": "WAN_LOCAL"
},
"out": {
"ipv6-name": "WANv6_OUT",
"name": "WAN_OUT"
}
},
"ipv6": {
"address": {
"autoconf": "''"
},
"dup-addr-detect-transmits": "1",
"enable": "''"
},
"mtu": "1500",
"name-server": "auto",
"password": "kpn",
"user-id": "kpn"
}
}
}
}
},
"eth1": {
"description": "LAN",
"ipv6": {
"address": {
"autoconf": "''"
},
"dup-addr-detect-transmits": "1",
"router-advert": {
"cur-hop-limit": "64",
"link-mtu": "0",
"managed-flag": "true",
"max-interval": "600",
"name-server": [
"2606:4700:4700::1111",
"2606:4700:4700::1001"
],
"other-config-flag": "false",
"prefix": {
"::/64": {
"autonomous-flag": "true",
"on-link-flag": "true",
"valid-lifetime": "2592000"
}
},
"radvd-options": "RDNSS 2606:4700:4700::1111 2606:4700:4700::1001 {};",
"reachable-time": "0",
"retrans-timer": "0",
"send-advert": "true"
}
}
}
}
},
"protocols": {
"igmp-proxy": {
"interface": {
"eth0": {
"role": "disabled",
"threshold": "1"
},
"eth0.4": {
"alt-subnet": [
"0.0.0.0/0"
],
"role": "upstream",
"threshold": "1"
},
"eth0.6": {
"role": "disabled",
"threshold": "1"
},
"eth1": {
"role": "disabled",
"threshold": "1"
},
"eth1.20": {
"role": "disabled",
"threshold": "1"
},
"eth1.200": {
"alt-subnet": [
"0.0.0.0/0"
],
"role": "downstream",
"threshold": "1"
},
"vti64": {
"role": "disabled",
"threshold": "1"
},
"vti65": {
"role": "disabled",
"threshold": "1"
},
"pppoe2": {
"role": "disabled",
"threshold": "1"
}
}
},
"static": {
"interface-route6": {
"::/0": {
"next-hop-interface": {
"pppoe2": "''"
}
}
}
}
},
"port-forward": {
"wan-interface": "pppoe2"
},
"service": {
"dns": {
"forwarding": {
"except-interface": [
"pppoe2"
]
}
},
"nat": {
"rule": {
"5000": {
"description": "MASQ all traffic to IPTV network",
"destination": {
"address": "0.0.0.0/0"
},
"log": "disable",
"outbound-interface": "eth0.4",
"protocol": "all",
"type": "masquerade"
},
"6001": {
"outbound-interface": "pppoe2"
},
"6002": {
"outbound-interface": "pppoe2"
},
"6003": {
"outbound-interface": "pppoe2"
}
}
}
},
"vpn": {
"ipsec": {
"ipsec-interfaces": {
"interface": [
"pppoe2"
]
}
}
}
}
Hi Henk, I was able to complete the first tutorial and everything works! Thank you and the coffee is on its way. Now I want to work with VLANs, but I can't quite figure that out. I have the setup as follows:
NTU > USG->16P Unifi Switch -> Netgear GS105Ev2
That Netgear is in the living room. The KPN IPTV box connects to the Netgear, among other things. The ports on the Netgear are as follows:
Port 1 -> Port 3 16P unifi switch
Port 2 -> KPN IPTV
Port 3 -> Sonos Boost
Port 4 -> TV
Port 5 -> Media Player
In addition, IGMP snooping is enabled. I have performed the VLAN tutorial and put port 3 on the switch on vlan661. Config uploaded and force provision done.
On the Netgear I have the following settings:
Then I connected the switch and turned everything back on. However, all devices connected to the Netgear now get a 192.168.3.xx address, whereas I expected only the KPN cabinet to get this and the rest will simply get the normal 192.168.2.xx address. Is this possible at all or did I make a mistake somewhere in the config on the Netgear? Should the tagged and untagged be the other way around? I hope you can see where the mistake is?
I see from the controller screenshot that for you too, @coolhva, WAN 1 goes to DHCP when using this config? Is this a controller bug?
Hi,
Recently I upgraded all my devices to the latest firmware and ran into a problem with the USG and the setvpn.sh script.
I use these firmware versions right now:
Controller: atag_6.0.45_14358
USG4-Pro: 4.4.52.5363507
The issue I discovered is that the script doesn't seem to be executed after a re-provisioning. When I do a re-provisioning of the USG, the VPN isn't working anymore; when I SSH into the USG and execute the commands manually, it instantly works again. These are the commands I run:
source /opt/vyatta/etc/functions/script-template
configure
set vpn ipsec ipsec-interfaces interface pppoe2
delete vpn l2tp remote-access dhcp-interface eth2
set vpn l2tp remote-access outside-address 0.0.0.0
commit
exit
Does anyone else have this issue and know how to fix it?
I already made a post about this on the UI forums here, but I wanted to ask here the same question. Basically my USG seems to restart at random times, mostly once a day but it has done it multiple times a day once or twice now. I've used your setup so that's why I thought it might be useful to ask you as well. As stated in the post on the UI forums, I am running firmware version 4.4.50, as 4.4.51 seemed too unstable for IPTV to work well.
Whenever the USG has to reprovision (for example, after you change a port forwarding setting) internet connectivity will drop. It starts after about 1 minute and then takes a few minutes to come back up. Trying to ping from the USG will result in Network is unreachable and the pppoe2 interface disappears from show interfaces. This has only started happening since I updated to the kpn.sh script; the older setroutes.sh and setvpn.sh scripts did not have this issue and kept internet connectivity during provisioning.
I assume this is because of pppoe2 being disconnected to set the MTU. Is there a reason this has to be done now while it didn't before? Can't you just set it from the config.gateway.json?
I had 2 VPN servers configured (L2TP and PPTP), but they seem to have stopped working since I have the custom config.
I guess the VLANs on the WAN have confused the VPN server.
Do you perhaps know how I get this working?