Ubiquiti USG – spoofing MAC address of the WAN port

If you need to spoof or clone the MAC address on the WAN port, you usually need to do it immediately after setup. Yet on the Ubiquiti USG there is no way to do it in the controller’s GUI (January 2019), so I decided to write up a quick step-by-step recipe, since I haven’t found one simple enough for people entirely new to Ubiquiti’s ecosystem, its Controller and whatnot. I do assume you’ve used ssh before, though.

So we have the Ubiquiti UniFi Security Gateway (USG) and we want to spoof (clone) the MAC address of the WAN port, usually because you need to clone the address of the old router (or else the internet won’t work).

How to spoof the MAC address of the WAN port on the USG:

1. Log in directly to the USG using ssh

You can use PuTTY on Windows or Terminal on UNIX/macOS.

To log in, use the credentials created during initial setup (these are different from UniFi Controller login credentials):

ssh admin@192.168.1.1 (I am using Mac & Terminal)

After login, you will be greeted by UniFi text art, which includes one sentence worth noting: *NOTE*: Configuration changes made here are not persistent. They will be overwritten by the controller on next provision.

It basically says that anything we do here won’t last past the device’s next full reboot. I did not notice that the first time, and the WAN port’s MAC address returned to default when the USG rebooted after a firmware update.

2. Change the MAC address temporarily

Theoretically you can go directly to step #3, but this is a good step to make sure you are cloning the correct MAC address to the correct physical port, and also it works immediately without the need to reboot the USG and Controller.

So once in the command line, issue this sequence of commands:

configure
set interfaces ethernet eth0 mac 10:7B:EF:2F:3C:38 (of course change the MAC)
commit
save
exit

The USG has three ports; the WAN port (the first one) is eth0. You can change the MAC address of the other two ports the same way by using eth1 (the default LAN port) or eth2 (LAN/WAN).

Now check if the new MAC address works (I did it simply by observing if the internet started pouring in… :D). If it does, you can proceed to the final step #3:

3. Save the settings for good

The quickest way is simply to take this piece of JSON, edit the MAC address (to match the one above) and then save it somewhere as a file named config.gateway.json.

{
    "interfaces": {
        "ethernet": {
            "eth0": {
                "mac": "10:7B:EF:2F:3C:38"
            }
        }
    }
}

It is recommended to double-check the validity of the file, e.g. on jsonlint.com, to avoid any issues (simply make sure not to lose any of the {} brackets).
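The same check can be done locally, without pasting the gateway configuration into a website. This is an added example, not part of the original post: the script name check_gateway.py and the function names are hypothetical, and the rules it applies (JSON parses, interface is one of the three USG ports, MAC is six hex octets and a unicast address) are assumptions about what is worth checking before the file goes into the site folder.

```python
import json
import re
import sys
from pathlib import Path

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
USG_PORTS = ("eth0", "eth1", "eth2")  # the three USG ports named in the article

# Constructed sample: the article's JSON with its example MAC address.
SAMPLE = '{"interfaces": {"ethernet": {"eth0": {"mac": "10:7B:EF:2F:3C:38"}}}}'


def check_mac(mac):
    """Return a list of problems with a MAC string (empty list means OK)."""
    if not isinstance(mac, str) or not MAC_RE.match(mac):
        return ["not six colon-separated hex octets"]
    problems = []
    if int(mac[:2], 16) & 0x01:  # I/G bit set: group address, invalid for a port
        problems.append("multicast/broadcast address")
    if set(mac) <= {"0", ":"}:
        problems.append("all-zero address")
    return problems


def check_gateway_json(text):
    """Validate config.gateway.json text; return a list of error strings."""
    try:
        node = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    # Walk down to interfaces -> ethernet, the structure used in the article.
    for key in ("interfaces", "ethernet"):
        if not isinstance(node, dict) or not isinstance(node.get(key), dict):
            return [f'missing object "{key}"']
        node = node[key]
    errors = []
    for port, settings in node.items():
        if port not in USG_PORTS:
            errors.append(f"{port}: not one of {', '.join(USG_PORTS)}")
        if isinstance(settings, dict) and "mac" in settings:
            errors += [f"{port}: {p}" for p in check_mac(settings["mac"])]
    return errors


if __name__ == "__main__":
    # Usage: python3 check_gateway.py config.gateway.json (no argument: SAMPLE)
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    problems = check_gateway_json(text)
    print("\n".join(problems) if problems else "OK")
    sys.exit(1 if problems else 0)
```

The script exits with status 0 and prints OK when the file passes, and prints one line per problem otherwise.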

Now place this file in the UniFi Controller’s site folder. Depending on where you installed the controller, this most likely will be the default folder in these locations:
* Windows: C:\Users\<username>\Ubiquiti UniFi\data\sites\default
* Linux: /usr/lib/unifi/data/sites/default/
* Mac: ~/Library/Application Support/UniFi/data/sites/default/
* Cloud Key: /srv/unifi/data/sites/default/

That’s it. Now the MAC setting will be loaded even after the USG reboots. You can test and verify that everything works as it should by forcing provision (described here), tl;dr: UniFi Controller Devices > USG > Config > Manage Device > Force provision, or by simply rebooting the USG.

The JSON file is basically for pieces of settings that cannot (yet) be done through the UI. It is all well described in the official documentation.

One Reply to “Ubiquiti USG – spoofing MAC address of the WAN port”

  1. Hi again.
    Forget my previous mail. Needed a full reboot. MAC now is on eth0 and all sub (VLAN) interfaces.

    Only thing that differs from your procedure, probably because my controller is running on a Pi, is that the folders were a little bit different (symlink) and the owner was the user Unifi, which I don’t have the password for. System user.

    So had to modify folder rights, modify, then set back as they were (750).

    Thx for this procedure
