Sure … but that will be a bit of text to read.
0 BACKUP YOUR UNIFI CONTROLLER CONFIGURATION
I expect you to know how to do this … you really should do it in case something goes wrong in the following steps. I cannot take any responsibility for breakage in your system.
1 PREPARING THE ROBOROCK GROUP
First of all, via the GUI create a firewall group 'Roborock-NAT', add your Roborock IP address (or the IP of another affected MIIO device) and wait for provisioning to complete.
Then SSH to your USG (NOT your UniFi Controller!) and run:
mca-ctrl -t dump-cfg | grep -B10 "Roborock-NAT"
From this you should see something like:
},
"61214e23498a12adbfe37923 <THIS IS THE GROUP ID>": {
"address": [
"192.168.3.99 <THIS IS THE ROBOROCK IP>"
],
"description": "Roborock-NAT"
From this output note down the Unifi GROUP ID for your “Roborock-NAT” group.
In this example it is “61214e23498a12adbfe37923”
2 CONFIGURE TEMPORARY RULES VIA COMMAND LINE
Now we will configure the rule once through the command line, so that you can test it and extract the "config.gateway.json" for your case.
As you are already in an SSH session on your USG, execute:
ip addr
This prints your current IP configuration. In there, find the virtual interface name of the VLAN your Roborock is in (usually eth1.<vlan_id>).
Still in the SSH session on your USG, execute the following commands:
#dump current configuration for later reference:
mca-ctrl -t dump-cfg > /tmp/config_ref.json
#create the source NAT rule:
configure
set service nat rule 5000 description 'source NAT HA->Roborock group'
set service nat rule 5000 type source
set service nat rule 5000 source address <YOUR HA SERVER IP - e.g. 192.168.1.10>
set service nat rule 5000 outside-address address <free IP to be used by HA within VLAN of your roborock - e.g. 192.168.3.10>
set service nat rule 5000 protocol all
#alternatively, instead of the following "destination group address-group ..." line, you can apply the source NAT to a single address only and NOT use the firewall group.
#to do this replace the following line with:
# set service nat rule 5000 destination address 192.168.3.99
#in the following line replace 61214e23498a12adbfe37923 with the group ID we identified previously
set service nat rule 5000 destination group address-group <YOUR ROBOROCK-NAT GROUP ID - e.g. 61214e23498a12adbfe37923>
#in the following line replace eth1.3 with the interface name we identified in the previous step via "ip addr"
set service nat rule 5000 outbound-interface <YOUR INTERFACE NAME - e.g. eth1.3>
commit
save
exit
#dump the new configuration:
mca-ctrl -t dump-cfg > /tmp/config_new.json
At this point your Roborock should already be working, until the next provisioning or restart of the UniFi Security Gateway. As said, the rules created via the command line are temporary only.
3 CREATE config.gateway.json FOR PERMANENT USAGE
To make your configuration permanent we have to create a config.gateway.json. This is a configuration file stored on your UniFi controller which is merged into your GUI configuration during every provisioning, so your USG receives it and creates the NAT rule exactly as above.
Again, in your SSH session on the USG, execute:
diff /tmp/config_ref.json /tmp/config_new.json
This outputs the difference between your previous configuration (without the Roborock rule) and the new one (with it). Somewhere in the diff you should find something like:
...
@@ -1396,6 +1415,23 @@
},
"nat": {
"rule": {
+ "5000": {
+ "description": "source NAT HA->Roborock group",
+ "destination": {
+ "group": {
+ "address-group": "61214e23498a12adbfe37923"
+ }
+ },
+ "outbound-interface": "eth1.3",
+ "outside-address": {
+ "address": "192.168.3.10"
+ },
+ "protocol": "all",
+ "source": {
+ "address": "192.168.1.10"
+ },
+ "type": "source"
+ },
"6001": {
"description": "MASQ corporate_network to WAN",
...
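Review bot: the "address-group" value "61214e23498a12adbfe37923" in rule 5000 is the controller-generated ID of the Roborock-NAT group, not its name, so if that group is ever deleted and re-created in the GUI it gets a new ID and this rule keeps pointing at a group that no longer exists; repeat the dump-cfg/grep step and update the JSON after any such change. The "outside-address" 192.168.3.10 also has to stay free in that VLAN: exclude it from the VLAN's DHCP range (or reserve it), otherwise a DHCP client can be handed the same address and the Roborock's replies to HA become ambiguous.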
This is essentially the content of your config.gateway.json. So copy & paste your output into a text editor and clean up the + and @ parts to get a clean JSON config. Then wrap the "nat": { block in a "service": { block; the resulting file should look like the following (ensure you have closed all brackets):
{
"service": {
"nat": {
"rule": {
"5000": {
"description": "source NAT HA->Roborock group",
"destination": {
"group": {
"address-group": "61214e23498a12adbfe37923"
}
},
"outbound-interface": "eth1.3",
"outside-address": {
"address": "192.168.3.10"
},
"protocol": "all",
"source": {
"address": "192.168.1.10"
},
"type": "source"
}
}
}
}
}
Save this as "config.gateway.json" and use scp (for Linux & Mac … not sure what is best to use on Windows … maybe WinSCP?) to copy the file to your UniFi controller, to the path /srv/unifi/data/sites/default/config.gateway.json
So an scp command would e.g. look something like:
scp config.gateway.json <user>@<your controller IP>:/srv/unifi/data/sites/default/
After this, force a re-provisioning of your UniFi Security Gateway through the UniFi GUI and you should be done.
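The two manual steps above (reading the group ID out of the dump-cfg output, then hand-cleaning the diff into a config.gateway.json) can be done from the dump file directly. The script below is an added example, not code from the post or from Ubiquiti: it takes the /tmp/config_new.json dump, looks up the group ID by the GUI name, wraps only the chosen NAT rule in the "service"/"nat"/"rule" structure the post shows, and sanity-checks the rule before you copy the file to the controller. It assumes (not confirmed by the post) that firewall groups sit under firewall.group.address-group in the dump, keyed by the controller ID with "description" and "address" as in the grep output, and that the Roborock VLAN is a /24. The embedded dump is a constructed sample using the post's own values.

```python
"""Build and sanity-check config.gateway.json from a `mca-ctrl -t dump-cfg` dump.

Added example for the post's procedure. Assumptions (not from the post): firewall
groups live under firewall.group.address-group, NAT rules under service.nat.rule,
and the Roborock VLAN is a /24.
"""
import ipaddress
import json
import re

# Constructed sample dump with the post's values; a real run reads /tmp/config_new.json.
SAMPLE_DUMP = json.dumps({
    "firewall": {"group": {"address-group": {
        "61214e23498a12adbfe37923": {"address": ["192.168.3.99"], "description": "Roborock-NAT"},
        "5f0c1a2b3c4d5e6f70819203": {"address": ["192.168.2.0/24"], "description": "guest_network"},
    }}},
    "service": {"nat": {"rule": {
        "5000": {
            "description": "source NAT HA->Roborock group",
            "destination": {"group": {"address-group": "61214e23498a12adbfe37923"}},
            "outbound-interface": "eth1.3",
            "outside-address": {"address": "192.168.3.10"},
            "protocol": "all",
            "source": {"address": "192.168.1.10"},
            "type": "source",
        },
        "6001": {"description": "MASQ corporate_network to WAN",
                 "outbound-interface": "eth0", "type": "masquerade"},
    }}},
})

GROUP_ID_RE = re.compile(r"^[0-9a-f]{24}$")  # controller group IDs are 24 hex characters
VLAN_IF_RE = re.compile(r"^eth\d+\.\d+$")     # VLAN sub-interface, e.g. eth1.3


def load_dump(text):
    """Parse a dump-cfg file (same as json.loads; kept as a named step)."""
    return json.loads(text)


def find_group_id(dump, description):
    """Step 1 of the post: the group ID of a firewall group, looked up by its GUI name."""
    groups = dump["firewall"]["group"]["address-group"]
    matches = [gid for gid, grp in groups.items() if grp.get("description") == description]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one group named {description!r}, found {len(matches)}")
    return matches[0]


def build_config_gateway(dump, rule_id):
    """Step 3 of the post: only the chosen NAT rule, wrapped in service/nat/rule."""
    rule = dump["service"]["nat"]["rule"][rule_id]
    return {"service": {"nat": {"rule": {rule_id: rule}}}}


def render_config_gateway(cfg):
    """The text to write to config.gateway.json (deterministic key order)."""
    return json.dumps(cfg, indent=4, sort_keys=True) + "\n"


def check_snat_rule(cfg, dump, rule_id):
    """Return a list of problems with the source NAT rule; empty means it looks sane."""
    problems = []
    rule = cfg["service"]["nat"]["rule"][rule_id]
    if rule.get("type") != "source":
        problems.append("type must be 'source'")
    if not VLAN_IF_RE.match(rule.get("outbound-interface", "")):
        problems.append("outbound-interface should be a VLAN sub-interface such as eth1.3")
    gid = rule.get("destination", {}).get("group", {}).get("address-group", "")
    groups = dump["firewall"]["group"]["address-group"]
    if not GROUP_ID_RE.match(gid) or gid not in groups:
        problems.append(f"address-group {gid!r} is not a group ID present in the dump")
        return problems
    outside = ipaddress.ip_address(rule["outside-address"]["address"])
    source = ipaddress.ip_address(rule["source"]["address"])
    if outside == source:
        problems.append("outside-address must differ from the HA source address")
    for member in groups[gid]["address"]:
        net = ipaddress.ip_network(member, strict=False)
        if net.num_addresses == 1:
            if outside in net:  # the translated address would collide with the Roborock itself
                problems.append(f"outside-address {outside} collides with group member {member}")
            vlan = ipaddress.ip_network(f"{net.network_address}/24", strict=False)  # assumed /24
        else:
            vlan = net
        if outside not in vlan:  # HA must appear to be on the Roborock's subnet for MIIO to answer
            problems.append(f"outside-address {outside} is not inside {vlan} of group member {member}")
    return problems


if __name__ == "__main__":
    dump = load_dump(SAMPLE_DUMP)
    gid = find_group_id(dump, "Roborock-NAT")
    cfg = build_config_gateway(dump, "5000")
    print(render_config_gateway(cfg))
    print("group id:", gid, "| problems:", check_snat_rule(cfg, dump, "5000") or "none")
```

On a real USG, replace SAMPLE_DUMP with the contents of /tmp/config_new.json and write the rendered text to config.gateway.json; the unrelated 6001 masquerade rule is deliberately left out, because config.gateway.json only needs the additions the GUI cannot express.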