3 Ways to install a Ubiquiti UniFi Security Gateway (USG)
1) External UniFi Controller
- On the external UniFi controller, log in and click on the settings icon (two gears in the lower left corner)
- Select “Networks” from the list on the left and click the pencil to edit it
- Make sure the IP/Subnet is configured correctly, check the “DHCP Server” checkbox, configure the correct DHCP range and click Save
- Plug the USG in and allow the WAN interface to receive a public internet IP address. If it is double-NAT behind a modem or ISP-provided firewall, be sure to change the modem's or firewall's internal IP range to something other than what you want your local network to be. In this example, the ISP modem is bridged and the USG is receiving a public internet IP address
- Plug a computer into the LAN port on the USG; you will receive a 192.168.1.x IP address. Using PuTTY, SSH into the USG at 192.168.1.1 and use ubnt for the username and password
- set-inform http://unificontroller:8080/inform
- On the UniFi Controller, adopt the USG
- set-inform http://unificontroller:8080/inform
2) Internal UniFi Controller
- Because the USG’s LAN network is 192.168.1.1 by default, it’s not as simple to configure as it should be. Ubiquiti really needs to address this issue: the web interface, which currently only allows you to configure the WAN settings, should also allow you to configure the LAN settings. If that were the case, installing a USG in an existing network would be extremely simple. But since it isn’t, here’s how to do it.
- On the internal UniFi controller, log in and click on the settings icon (two gears in the lower left corner)
- Select “Networks” from the list on the left and click the pencil to edit it
- Make sure the IP/Subnet is configured correctly, check the “DHCP Server” checkbox, configure the correct DHCP range and click Save
- In this example, the UniFi Controller is running at 10.10.8.28, so we need the LAN IP to be on the same network.
- Plug the USG in and allow the WAN interface to receive a public internet IP address. If it is double-NAT behind a modem or ISP-provided firewall, be sure to change the modem's or firewall's internal IP range to something other than what you want your local network to be. In this example, the ISP modem is bridged and the USG is receiving a public internet IP address
- Plug a computer into the LAN port on the USG; you will receive a 192.168.1.x IP address. Using PuTTY, SSH into the USG at 192.168.1.1 and use ubnt for the username and password
- Type each of the following commands on its own line on the USG:
- configure
- edit interfaces ethernet eth1
- set address 10.10.8.1/24
- delete address 192.168.1.1/24
- exit
- show interfaces (you should see + and – next to each entry under Ethernet eth1)
- delete service dhcp-server shared-network-name LAN_192.168.1.0-24
- set service dhcp-server shared-network-name LAN_10.10.8.0-24
- set service dhcp-server shared-network-name LAN_10.10.8.0-24 subnet 10.10.8.0/24 default-router 10.10.8.1
- set service dhcp-server shared-network-name LAN_10.10.8.0-24 subnet 10.10.8.0/24 dns-server 8.8.8.8
- set service dhcp-server shared-network-name LAN_10.10.8.0-24 subnet 10.10.8.0/24 start 10.10.8.100 stop 10.10.8.200
- show service dhcp-server shared-network-name (check that it has – next to all the 192.168.1.0-24 entries)
- commit
- The USG will reboot. When it comes back up, you should receive a 10.10.8.x IP address from DHCP and only need to run the set-inform command
- set-inform http://10.10.8.28:8080/inform
- Adopt it on the controller
- set-inform http://10.10.8.28:8080/inform
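The command sequence from method 2, generalised as an added example (not from the original article or from Ubiquiti): a Python helper that builds the same lines for any LAN and rejects a plan in which the controller is off the new subnet or the gateway or controller falls inside the DHCP range. The function name and its parameters are assumptions; the values in the usage at the bottom are the article's.

```python
import ipaddress

def usg_lan_commands(lan_cidr, gateway, dhcp_start, dhcp_stop, controller_ip,
                     dns="8.8.8.8", old_cidr="192.168.1.0/24", old_gw="192.168.1.1"):
    """Build the method 2 command lines for any LAN; raise ValueError on a bad plan."""
    net = ipaddress.ip_network(lan_cidr)   # strict: rejects 10.10.8.1/24 as a network
    old = ipaddress.ip_network(old_cidr)
    gw, start, stop, ctrl = (ipaddress.ip_address(a) for a in
                             (gateway, dhcp_start, dhcp_stop, controller_ip))
    if net.overlaps(old):
        raise ValueError(f"{net} overlaps the default LAN {old}; nothing to re-address")
    reserved = (net.network_address, net.broadcast_address)
    for label, ip in (("gateway", gw), ("DHCP start", start),
                      ("DHCP stop", stop), ("controller", ctrl)):
        if ip not in net or ip in reserved:
            raise ValueError(f"{label} {ip} is not a usable host in {net}")
    if start > stop:
        raise ValueError("DHCP start is above DHCP stop")
    for label, ip in (("gateway", gw), ("controller", ctrl)):
        if start <= ip <= stop:   # a lease could collide with a static address
            raise ValueError(f"{label} {ip} sits inside the DHCP range")

    def name(n):  # the article's naming pattern, e.g. LAN_10.10.8.0-24
        return f"LAN_{n.network_address}-{n.prefixlen}"

    dhcp = f"set service dhcp-server shared-network-name {name(net)}"
    config = [
        "configure",
        "edit interfaces ethernet eth1",
        f"set address {gw}/{net.prefixlen}",
        f"delete address {old_gw}/{old.prefixlen}",
        "exit",
        "show interfaces",
        f"delete service dhcp-server shared-network-name {name(old)}",
        dhcp,
        f"{dhcp} subnet {net} default-router {gw}",
        f"{dhcp} subnet {net} dns-server {dns}",
        f"{dhcp} subnet {net} start {start} stop {stop}",
        "show service dhcp-server shared-network-name",
        "commit",
    ]
    inform = f"set-inform http://{ctrl}:8080/inform"  # typed once the USG is back up
    return config, inform

if __name__ == "__main__":
    cfg, inform = usg_lan_commands("10.10.8.0/24", "10.10.8.1", "10.10.8.100",
                                   "10.10.8.200", "10.10.8.28")
    print("\n".join(cfg + [inform]))
```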
3) Internal UniFi Controller, pre-prepped externally
Because it appears the USG was designed to use an external controller, it seems easier to prep the USG from an external location.
- Follow the exact same steps shown in 1) External UniFi Controller. Once the USG has been provisioned, you can take it (or ship it) to the correct location. Once on-site, it will already have the correct internal IP address, making it easier to re-adopt on the new controller
- SSH into the USG using the admin username and password from the controller you initially prepped it on.
- set-inform http://10.10.8.28:8080/inform
- Adopt it on the new controller
- set-inform http://10.10.8.28:8080/inform