It's fairly easy to enable syslog in the Unifi Controller; however, logging blocked or dropped traffic at the firewall needs a few extra steps. By default, anything blocked by the firewall isn't logged.
The Unifi USG comes with pre-defined firewall rules. We need to edit these rules, which can be done on the USG using the command line, and the change also needs a JSON file (config.gateway.json) to persist after a reboot or re-provision. We also need to create some new rules and enable a syslog server.
First we need a syslog server. For this example I will use Kiwi Syslog, which is free.
Install it to an easy-to-find location and run the console; we will come back to configure it later.
Log in to your Unifi controller, go to Settings and enable remote logging, then enter the IP of the Kiwi syslog server; the default port is normally 514.
Now go to Routing and Firewall and select firewall.
We need to create 2 new rules, both identical, one in WAN_LOCAL and the other in WAN_IN:
Name - LAST - default drop and log
Enabled - ON
After pre-defined rules
Advanced - Enable Logging
Tick New, Established, Related, Invalid
Don't match on IPsec
Leave rest default
So we should have something like this
Next we need to change the pre-defined firewall rules on the USG.
SSH onto your USG and login
set firewall name WAN_LOCAL rule 3002 log enable
set firewall name WAN_IN rule 3002 log enable
Next we need to configure Kiwi to capture the logs.
More to come soon
The next part is optional. The syslog logs in Kiwi contain a lot of information, but on their own they don't mean much to us. I recommend using something like Sumo Logic to collect, parse and visualize the data.
Below is a screenshot of my dashboard. It displays the number of blocked connections by their geo-location, a list of the top 10 blocked IPs, the total number of blocked requests over 24 hours and finally a graph of the number of blocked connections in 30-minute increments. These numbers come from the firewall rule [WAN_LOCAL-4000-D].
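As an added example (not part of the original post or the Sumo Logic dashboard), here is a small parser that pulls the same numbers out of the USG's firewall syslog lines: total hits, top blocked sources and 30-minute buckets for one rule tag such as WAN_LOCAL-4000-D. The sample log lines are constructed with made-up addresses, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample syslog lines (made-up addresses) in the iptables LOG
# format the USG forwards; the [CHAIN-RULE-ACTION] prefix identifies the rule.
SAMPLE_LOG = """\
Mar  4 10:01:12 USG kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=54321 DPT=22 SYN
Mar  4 10:02:33 USG kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=54322 DPT=23 SYN
Mar  4 10:47:45 USG kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=60 PROTO=UDP SPT=5060 DPT=5060
Mar  4 10:48:01 USG kernel: [WAN_IN-4000-D]IN=eth0 OUT=eth1 SRC=192.0.2.9 DST=10.0.1.20 LEN=40 PROTO=TCP SPT=4444 DPT=445 SYN
Mar  4 10:49:09 USG kernel: [WAN_LOCAL-3002-D]IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=5555 DPT=80 ACK
Mar  4 10:50:00 USG sshd[1234]: Accepted publickey for admin from 10.0.1.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"\[(?P<chain>[A-Z_]+)-(?P<rule>[^-\]]+)-(?P<action>[A-Z])\](?P<fields>.*)$"
)

def parse_line(line):
    """Return the parsed fields of one USG firewall log line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m["fields"].split() if "=" in f)   # SYN/ACK flags have no '='
    return {"ts": m["ts"], "tag": f"{m['chain']}-{m['rule']}-{m['action']}",
            "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"), "dpt": kv.get("DPT")}

def summarize(log_text, rule_tag):
    """Count the lines logged by one rule tag: total, top sources and 30-minute buckets."""
    sources, buckets, total = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["tag"] != rule_tag:
            continue
        total += 1
        sources[rec["src"]] += 1
        hhmmss = rec["ts"].split()[-1]                      # e.g. "10:47:45"
        buckets[hhmmss[:2] + (":30" if int(hhmmss[3:5]) >= 30 else ":00")] += 1
    return {"total": total, "top_sources": sources.most_common(10), "per_30min": dict(buckets)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "WAN_LOCAL-4000-D"))
```

Point it at the file Kiwi writes and the same three numbers the dashboard shows fall out for any rule tag, including the pre-defined 3002 rule once logging is enabled on it.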
Head over to the next guide, "Syslog to SumoLogic", to set up the visualization of the logs.
For the security conscious out there, you may have split your home network up into VLANs. If you've found this page by searching, then you probably already know what a VLAN is and its purpose.
At home I have split my network into 4 VLANs.
VLAN1 - Main data VLAN for all my devices
VLAN40 - VLAN for guests to use
VLAN60 - Security VLAN, CCTV, alarms etc
VLAN80 - IOT devices, internet of things, zwave, zigbee, sonos and home automation etc.
The idea of keeping IOT devices on a separate VLAN from other devices is mainly for security. Most IOT devices are easily hackable, and if this does happen they will only be able to access devices on VLAN80 and not my other devices.
Anyway, this post will explain how to get the Sonos devices on VLAN80 to communicate with the controllers (iPhone, iPad, PC) on VLAN1.
With Unifi we need to enable igmp-proxy. To set it we need to SSH onto the USG and enter the following commands:
edit protocols igmp-proxy
set interface eth1.80 role downstream
set interface eth1.80 threshold 1
set interface eth1 role upstream
set interface eth1 threshold 1
eth1.80 = the VLAN interface of the Sonos devices (IOT)
eth1 = VLAN1, the main data VLAN with the Sonos controllers on it.
I recommend restarting the igmp-proxy service on the USG.
To do so, enter the restart igmp-proxy command.
Now it is set, you will have to re-configure the Sonos Device with the controller.
With Unifi, the CLI commands aren't persistent across a re-provision. To make the changes stick we need to use a config.gateway.json file.
Obviously, change the VLAN numbers to whatever yours are.
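The file itself is not shown in this post, so here is an added example (not the author's own file) that turns the guide's set lines, the igmp-proxy block above and the two firewall log-enable commands from the syslog post, into the nested tree that config.gateway.json holds. The IOT_VLAN constant and the function names are my own.

```python
import json

IOT_VLAN = 80   # VLAN of the Sonos/IOT devices (hypothetical constant; change to yours)

# The CLI lines from this guide: the two firewall log-enable commands from the
# syslog post and the igmp-proxy block above. 'edit' sets a prefix that the
# following 'set' lines are relative to, exactly as on the USG.
CLI_LINES = f"""\
set firewall name WAN_LOCAL rule 3002 log enable
set firewall name WAN_IN rule 3002 log enable
edit protocols igmp-proxy
set interface eth1.{IOT_VLAN} role downstream
set interface eth1.{IOT_VLAN} threshold 1
set interface eth1 role upstream
set interface eth1 threshold 1
"""

def cli_to_json_tree(cli_text):
    """Turn EdgeOS 'edit'/'set' lines into the nested dict config.gateway.json holds."""
    tree, prefix = {}, []
    for raw in cli_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "edit":
            prefix = args                      # later 'set' paths hang off this node
        elif cmd == "top":
            prefix = []                        # back to the root of the config tree
        elif cmd == "set":
            path = prefix + args
            if len(path) < 2:
                raise ValueError(f"expected a node path and a value: {raw!r}")
            node = tree
            for key in path[:-2]:
                node = node.setdefault(key, {})
                if not isinstance(node, dict):
                    raise ValueError(f"{key!r} already holds a value: {raw!r}")
            if isinstance(node.get(path[-2]), dict):
                raise ValueError(f"{path[-2]!r} already has children: {raw!r}")
            node[path[-2]] = path[-1]          # every leaf value is a string in the JSON
        else:
            raise ValueError(f"unsupported command: {raw!r}")
    return tree

def render(tree):
    """Serialize the tree in the indented form the controller reads."""
    return json.dumps(tree, indent=2, sort_keys=True)

if __name__ == "__main__":
    print(render(cli_to_json_tree(CLI_LINES)))
```

Save the output as config.gateway.json in the controller's data/sites/<site> folder and re-provision the USG; typed at the CLI instead, the same set lines only take effect after commit and save in configure mode.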
OK, well this didn't really work straight away for me.
To check that igmp is working, you can issue the following commands:
show ip multicast mfc
show ip multicast interfaces
This should show any multicast data, its source and where it is going. For example:
In the top half you can see the source and that some data is going from eth1 to eth1.80. However, the output of show ip multicast interfaces shows that no multicast data is coming into the eth1.80 interface; it seems to be going out on eth1 and into eth1.60.
To resolve this I had to issue the restart igmp-proxy command to restart the service. A USG re-provision didn't work.
If, like me, you are running a Unifi system at home, then you will probably want to connect to the controller via HTTPS. This also applies to the Guest Portal, providing guests with a trusted certificate and not a self-signed one.
This guide is for machines running Windows, but has some similarities for other OS.
Unifi Controller installed and running either by a service or the app
A Trusted Certificate and private.key
If you haven't already done so, check out my post on how to get a certificate for free: Easy Let's Encrypt Certificate
Also you can find out how to install and configure a Unifi Controller here. (Coming Soon!)
Step 1 - Key Store Explorer
Head over to KeyStore Explorer, download the program and install it. This is used to import our certificates into the keystore Unifi uses.
Step 2 - Creating a PKCS #12
If you are familiar with creating a PKCS #12 file, then please create one with your Unifi controller's domain name and the guest portal's domain name, with the password aircontrolenterprise.
If you aren't familiar with creating a PKCS #12 file, see below.
Step 3 - Importing the Certificates
Find the location of the Unifi Controller directory. On Windows the default directory is
C:\Users\%USER NAME%\Ubiquiti UniFi
In the folder 'data' there is a file called keystore. Open the keystore file with KeyStore Explorer.
The password is aircontrolenterprise.
You should now see the below
Select the unifi key in KeyStore Explorer, then click on 'Tools', choose 'Import Key Pair' and select 'PKCS #12'.
The decryption password is aircontrolenterprise.
Enter the alias 'unifi' in lower case.
If it asks to overwrite click 'YES'
Save the Keystore file.
Finally restart your unifi controller and it should now have a working certificate!
Free Home Use Firewall is a fully equipped software version of the Sophos UTM firewall, available at no cost for home users – no strings attached. It features full Network, Web, Mail and Web Application Security with VPN functionality and protects up to 50 IP addresses.