Unifi Cloud Gateway Ultra – configuration and hardening

The Ubiquiti UniFi Cloud Gateway Ultra combines advanced security and performance in a compact device. It supports over 30 devices and 300 clients, and provides an Intrusion Prevention System and the Ubiquiti firewall for secure, reliable operation. Features include DHCP relay, secure remote access, and IGMP proxy.


STEP1 Initial setup of UCG ULTRA

https://dl.ui.com/qig/ucg-ultra/#index


STEP2 Initial configuration of Unifi

UniFi Cloud Gateway Ultra Setup, Unboxing, Comparison | Ubiquiti Networks UCG-Ultra

Source: Bogdan | Apex One IT

UniFi Basics: Initial Setup Made Easy

Source: Crosstalk Solutions


STEP3 Additional TAILSCALE VPN on Unifi for CGNAT

This is in addition to the FULL-TUNNEL Teleport service: https://help.ui.com/hc/en-us/articles/5246403561495-UniFi-Gateway-Teleport-VPN

Why install it?

  • VPN over CGNAT
  • Connect site-to-site, connect devices from different networks
  • Split-tunnel connection


  1. Create account for TAILSCALE https://tailscale.com/
  2. Enable SSH on Unifi https://www.youtube.com/watch?v=fU_FjiJsKmI (source: Hai provato a riavviare?)
  3. Go to https://github.com/SierraSoftworks/tailscale-udm
  4. Run the following commands, specifying which UNIFI subnets should be reachable via TAILSCALE:


UNIFI# curl -sSLq https://raw.github.com/SierraSoftworks/tailscale-udm/main/install.sh | sh

UNIFI# tailscale up --advertise-routes="192.168.1.0/24,192.168.2.0/24" --accept-routes=true


  5. Click on the authentication URL that the command prompts you with and complete the login in the Tailscale admin dashboard
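
As an added example (not part of the tailscale-udm project or of this guide), a small POSIX sh guardrail around the tailscale up step above: it validates the --advertise-routes list and refuses anything that is not a well-formed RFC 1918 prefix, so a typo or a stray 0.0.0.0/0 cannot publish more of the gateway's networks to the tailnet than intended. It assumes the tailscale binary installed by the script above is on PATH; the validation itself runs offline.

```shell
#!/bin/sh
# Added guardrail around "tailscale up --advertise-routes=..." (example code,
# not from the tailscale-udm project). Only well-formed RFC 1918 prefixes are
# allowed through, so a typo or a 0.0.0.0/0 cannot expose more than intended.

# Return 0 if $1 is an IPv4 CIDR inside 10/8, 172.16/12 or 192.168/16.
is_private_cidr() {
    cidr=$1
    case "$cidr" in
        */*) ;;                      # a prefix length is mandatory
        *) return 1 ;;
    esac
    ip=${cidr%/*}
    len=${cidr#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    # /0 (default route) and anything shorter than /8 are rejected
    [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $ip                       # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1                         # public or reserved space: refuse
}

# Validate a comma-separated route list as passed to --advertise-routes.
# Prints the first rejected entry on stderr and returns 1.
validate_routes() {
    oldifs=$IFS; IFS=,
    set -- $1
    IFS=$oldifs
    [ $# -ge 1 ] || { echo "no routes given" >&2; return 1; }
    for r in "$@"; do
        is_private_cidr "$r" || { echo "rejected route: $r" >&2; return 1; }
    done
    return 0
}

# Usage on the gateway: advertise_routes "192.168.1.0/24,192.168.2.0/24"
advertise_routes() {
    validate_routes "$1" || return 1
    tailscale up --advertise-routes="$1" --accept-routes=true
}
```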


STEP4 Add an additional DNS ad-blocker – NEXTDNS

  1. Create a NEXTDNS account and configure it https://www.youtube.com/watch?v=WUG57ynLb8I (Source: Techlore)
  2. Set up NEXTDNS on Unifi so that DNS queries from all devices connected to the network are resolved according to the configured rules https://github.com/nextdns/nextdns/wiki/UnifiOS
  • Make sure that every configured network has its DNS option set to AUTO
  • Connect to UNIFI via SSH
  • Run the following command and follow the instructions:

UNIFI# sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'

  • Look up the ID of your profile in NEXTDNS (shown here as xx243) and apply the NEXTDNS ruleset to all subnets:


UNIFI# nextdns start

UNIFI# nextdns activate

UNIFI# nextdns config set -profile xx243 -setup-router

UNIFI# nextdns config set -auto-activate -report-client-info

UNIFI# nextdns restart


If you’d like to apply a different profile ID (ruleset) to different subnets


STEP5 Enable IPS/IDS for the networks

https://help.ui.com/hc/en-us/articles/360006893234-UniFi-Gateway-Intrusion-Detection-and-Prevention-IDS-IPS#:~:text=bypass%20security%20blocks.-,Testing%20IPS/IDS,-To%20test%20IPS

  • Navigate to Network Settings > Security > Protection.
  • Toggle on Intrusion Prevention.
  • Select the networks you wish to apply IPS/IDS to
  • Configure the Detection Mode as Notify (IDS) or Notify and Block (IPS)
  • Select the Active Detections you want to apply.
  • Ensure the Malicious User Agents category within the Hacking and Exploits section is enabled.
  • Open a terminal or command prompt on a client connected to the UniFi network.
  • Run the following test command:

CMD> curl -A "BlackSun" http://www.example.com


STEP6 Enable GEO-IP block for some countries

UniFi – How to Block Entire Countries From Your Network – GeoIP Filtering

Source: Willie Howe


  • Go to UNIFI > FIREWALL & Security > Country restrictions
  • BLOCK > Both directions
  • Select countries that you would like to block in/out


STEP7 Configure Firewall rules

Unifi network 9.0 : Zone based firewall, Cyber secure, 1000 Site for site magic

Source: Mactelecom Networks

