How to Configure Ubiquiti USG with DHCP Option 66

February 28, 2017 in Ubiquiti DHCP JSON

Overview

In this example I am configuring DHCP Option 66 for two VLANs: LAN and VoIP. Option 66 points to the DNS name of the PBX from which the phones download their configuration files. I apply Option 66 to the LAN as well as the VoIP VLAN because a factory-reset phone does not know the VoIP VLAN and will get DHCP from the LAN. It then downloads its configuration file, which gives it the correct VLAN.

These instructions show how to configure the USG with DHCP Option 66, dump its JSON config, and then place that JSON config on the UniFi Controller so that the setting sticks even if the router is reprovisioned by the UniFi Controller.

Configuration

SSH into USG

Use the device username and password, which can be found in UniFi Controller > Settings > Site. Then run the configure command to enter configuration mode.

    configure

Enter show command

    show

From the output of the show command, find the shared-network-names for your VLANs, for example “shared-network-name VoIP_10.1.1.0-24”.

Set DHCP Option 66

    set service dhcp-server shared-network-name VoIP_10.1.1.0-24 subnet 10.1.1.0/24 tftp-server-name http://sub.yourdomain.com/app/provision/?mac=$MA
    set service dhcp-server shared-network-name LAN_192.168.1.0-24 subnet 192.168.1.0/24 tftp-server-name http://sub.yourdomain.com/app/provision/?mac=$MA

Save config

    commit;save;exit

Dump JSON config

    mca-ctrl -t dump-cfg 

Copy this section

    {
        "service": {
            "dhcp-server": {
                "shared-network-name": {
                    "LAN_192.168.1.0-24": {
                        "subnet": {
                            "192.168.1.0/24": {
                                "tftp-server-name": "http://sub.yourdomain.com/app/provision/?mac=$MA"
                            }
                        }
                    },
                    "VoIP_10.1.1.0-24": {
                        "subnet": {
                            "10.1.1.0/24": {
                                "tftp-server-name": "http://sub.yourdomain.com/app/provision/?mac=$MA"
                            }
                        }
                    }
                }
            }
        }
    }

Note: Your tftp-server-name will differ depending on phone system and phone model. For my FusionPBX server I use “http://sub.mydomain.com/app/provision/?mac=$MA” for Cisco SPA phones, or “http://sub.mydomain.com/app/provision/” for Yealink phones.

SSH into Unifi Controller

You can find the site name by looking at the URL of the Unifi Controller webpage for the site, then enter:

    cd /usr/lib/unifi/data/sites/<site-name>

Create/edit config.gateway.json file:

    nano config.gateway.json

Paste in the config extracted from the USG.

Save the text file (CTRL+X, then Y, then Enter). You should now have DHCP Option 66 configured on your USG!
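
An added example, not part of the original post: a Python check to run against the contents of config.gateway.json after pasting. It confirms the file parses, that each expected network carries Option 66, that each subnet key matches its network name, and it notes provisioning URLs served over plain HTTP. The network names are the ones used above; the function name and the sample (constructed, with deliberate mistakes) are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: same shape as the section above, but with the LAN entry
# left out and a mistyped VoIP subnet, to show what the check reports.
SAMPLE = """
{"service": {"dhcp-server": {"shared-network-name": {
  "VoIP_10.1.1.0-24": {"subnet": {"10.1.10.0/24": {
    "tftp-server-name": "http://sub.yourdomain.com/app/provision/?mac=$MA"}}}
}}}}
"""

def audit_option66(text, expected_networks):
    """Return a list of findings for the text of a config.gateway.json file."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"invalid JSON at line {err.lineno}: {err.msg}"]
    networks = (cfg.get("service", {}).get("dhcp-server", {})
                   .get("shared-network-name", {}))
    findings = []
    # Every VLAN a phone can boot on needs the option (LAN and VoIP above).
    for name in expected_networks:
        if name not in networks:
            findings.append(f"{name}: no Option 66 entry")
    for name, body in networks.items():
        # Assumption: names end in <network>-<prefix>, as in the show output above.
        implied = name.rsplit("_", 1)[-1].replace("-", "/")
        for subnet, opts in body.get("subnet", {}).items():
            if subnet != implied:
                findings.append(f"{name}: subnet {subnet} does not match name")
            url = opts.get("tftp-server-name")
            if not url:
                findings.append(f"{name}/{subnet}: tftp-server-name missing")
            elif urlsplit(url).scheme == "http":
                # Phones fetch their configuration files from this URL unencrypted.
                findings.append(f"{name}/{subnet}: provisioning URL is cleartext http")
    return findings

if __name__ == "__main__":
    for line in audit_option66(SAMPLE, ["LAN_192.168.1.0-24", "VoIP_10.1.1.0-24"]):
        print(line)
```

To check the real file, pass `open("config.gateway.json").read()` in place of `SAMPLE`.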
