Ubiquiti Employee
Posts: 5,167
Registered: ‎08-08-2016
Kudos: 5636
Solutions: 355

Guide to disabling NAT on USG

This has come up a number of times, so wanted to post a short howto. UI and back end are in the works to expose NAT configuration in the controller, but in the meantime, those who want to disable NAT completely only need a single NAT rule in config.gateway.json. The attached file put into place as config.gateway.json in the appropriate /data/sites/ directory, then forcing a provision of USG, will disable all NAT on eth0.

 

If using USG Pro, you'll want to replace eth0 with eth2 so you have the appropriate WAN interface. 

New Member
Posts: 5
Registered: ‎12-15-2015

Re: Guide to disabling NAT on USG

When I manually delete the existing NAT rules (6001, 6002, 6003), commit and save, export the config to a config.gateway.json file, put it in the right directory and let the USG (both Pro and non-Pro) reprovision, the rules which were deleted before are back in the USG config. It seems that the NAT rules 6001-6003 are automatically deployed.

Regular Member
Posts: 445
Registered: ‎10-14-2015
Kudos: 173
Solutions: 57

Re: Guide to disabling NAT on USG

@hoep there is no need to delete the existing ones if you use the example provided by @UBNT-cmb, as rule 5999 processes the data before it hits rules 6000, 6001, ...

SuperUser
Posts: 9,481
Registered: ‎01-10-2012
Kudos: 5972
Solutions: 386

Re: Guide to disabling NAT on USG

Thanks for this!  It should make quite a few people in the USG Monitor feature request happy (including me!)

 

Now off to play :)

When you receive a solution to your question/issue, don't forget to mark your thread as solved and to give kudo's to the people who have helped you out!

Having wifi problems? Take a look here first: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
Emerging Member
Posts: 78
Registered: ‎10-08-2016
Kudos: 26
Solutions: 1

Re: Guide to disabling NAT on USG

Working beautifully on a USG4 Pro.

 

Thank you!

New Member
Posts: 4
Registered: ‎03-24-2014

Re: Guide to disabling NAT on USG

Works as advertised on USG Pro. Is there a way to have the DPI clients/users by IP rather than MAC address? I'm assuming this is a layer 3 vs layer 2 issue, since I've put it inline between two other routers and only see the MAC of one router as the only client on the LAN side for all traffic.

Member
Posts: 229
Registered: ‎05-07-2014
Kudos: 32
Solutions: 1

Re: Guide to disabling NAT on USG

Hi,

 

I can try to figure it out, but I thought I'd ask first. Can anyone share their setup for how to accomplish this on the network (after disabling all NAT)? Which cable goes into LAN/WAN, and do I need to set up a mirror or just put it in between my router and switch?

 

thanks......

New Member
Posts: 17
Registered: ‎04-04-2017
Kudos: 1

Re: Guide to disabling NAT on USG

Any updates?

New Member
Posts: 40
Registered: ‎05-31-2016
Kudos: 17

Re: Guide to disabling NAT on USG

Could someone please elaborate on completing this configuration? I was able to add this rule to the existing .json file. But upon placing the USG behind my Sophos UTM, I could not get traffic to pass through the USG, no matter what rules I put in place. Any help would be appreciated.

New Member
Posts: 4
Registered: ‎01-01-2017
Kudos: 1

Re: Guide to disabling NAT on USG

Yes! Can someone please post diagrams with configuration?

 

I have

USG Pro

Edge Router Pro

Edge Switch 48 Port (ES-48-500W)

 

 

Member
Posts: 229
Registered: ‎05-07-2014
Kudos: 32
Solutions: 1

Re: Guide to disabling NAT on USG

@UBNT-cmb I think some of us are dying to find out how to continue this setup on the hardware side. Could you complete your initial post?

 

thanks

Emerging Member
Posts: 46
Registered: ‎05-05-2016
Kudos: 2
Solutions: 3

Re: Guide to disabling NAT on USG

Thanks for the solution. 

But I would want to disable NAT only for a few IPs (ex: from 192.168.1.50 to 192.168.168.1.60), can it be accomplished?

SuperUser
Posts: 9,481
Registered: ‎01-10-2012
Kudos: 5972
Solutions: 386

Re: Guide to disabling NAT on USG


@bitter wrote:

Thanks for the solution. 

But I would want to disable NAT only for a few IPs (ex: from 192.168.1.50 to 192.168.168.1.60), can it be accomplished?


NAT = Network Address Translation

 

Affects the whole subnet.  You can't have some devices on a subnet with one IP address and other devices with a different address.  


Now, if you are talking about restricting traffic for certain IPs vs. other IPs then absolutely you can do that with firewall rules.  Not NAT.  

Emerging Member
Posts: 46
Registered: ‎05-05-2016
Kudos: 2
Solutions: 3

Re: Guide to disabling NAT on USG

I don't want to restrict any traffic; I simply don't want the gateway to do NAT for a few IPs, only its job as a router. Pro router can accomplish this, unifi not?

SuperUser
Posts: 9,481
Registered: ‎01-10-2012
Kudos: 5972
Solutions: 386

Re: Guide to disabling NAT on USG


@bitter wrote:

Pro router can accomplish this, unifi not? 


Can you cite an example? What you are asking for makes absolutely no sense to me, but I think we might have a communications issue. If you can provide a vendor and functionality they do then it would be easier to confirm either way if the USG does or doesn't do what you are after.

Member
Posts: 229
Registered: ‎05-07-2014
Kudos: 32
Solutions: 1

Re: Guide to disabling NAT on USG


@Amaravati wrote:

@UBNT-cmb I think some of us are dying to find out how to continue this setup on the hardware side. Could you complete your initial post?

 

thanks


@jposluns could you help? Or am I guessing WAN port to router, and LAN port to LAN/switch, is correct?

Member
Posts: 229
Registered: ‎05-07-2014
Kudos: 32
Solutions: 1

Re: Guide to disabling NAT on USG


@UBNT-cmb wrote:

This has come up a number of times, so wanted to post a short howto. UI and back end are in the works to expose NAT configuration in the controller, but in the meantime, those who want to disable NAT completely only need a single NAT rule in config.gateway.json. The attached file put into place as config.gateway.json in the appropriate /data/sites/ directory, then forcing a provision of USG, will disable all NAT on eth0.

 

If using USG Pro, you'll want to replace eth0 with eth2 so you have the appropriate WAN interface. 


Anyone know when one 'updates' the firmware of the USG will this setting remain?

Emerging Member
Posts: 46
Registered: ‎05-05-2016
Kudos: 2
Solutions: 3

Re: Guide to disabling NAT on USG


@EricE wrote:

@bitter wrote:

Pro router can accomplish this, unifi not? 


Can you cite an example? What you are asking for makes absolutely no sense to me, but I think we might have a communications issue. If you can provide a vendor and functionality they do then it would be easier to confirm either way if the USG does or doesn't do what you are after.


pfSense, just to cite one: you can map outbound NAT for specified IPs or subnets.

Coming back to my question: it could seem to make no sense, but in a few environments it could be useful not to NAT the entire LAN network. But obviously I don't want to talk about it in this thread.

 

SuperUser
Posts: 9,481
Registered: ‎01-10-2012
Kudos: 5972
Solutions: 386

Re: Guide to disabling NAT on USG

Interesting. 

 

Well, you can't do it from the GUI.  But it appears you can do it from the CLI on the EdgeRouter:  https://help.ubnt.com/hc/en-us/articles/205231700-EdgeRouter-Destination-NAT-rules

 

and that means you can probably get it to work in the CLI on the USG.  If you do get it working, you have to export the config on the USG and save it to the UniFi controller as outlined here:  https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-w...

 

Otherwise your CLI customizations won't survive a reprovision of the USG by the controller. 

Emerging Member
Posts: 46
Registered: ‎05-05-2016
Kudos: 2
Solutions: 3

Re: Guide to disabling NAT on USG

I tried adding source address xx.xx.xx.xx or xx.xx.xx.xx/xx (if you want to exclude multiple IPs) and it works well.

{
	"service": {
		"nat": {
			"rule": {
				"5999": {
					"exclude": "''",
					"outbound-interface": "eth0",
					"type": "masquerade",
					"source": {
						"address": "xxx.xxx.xxx.xxx"
					}
				}
			}
		}
	}
}
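
Added example, not part of any post in this thread and not Ubiquiti code: a pre-provision check for a config.gateway.json that lists which sources are exempted from NAT and flags the mistakes discussed above (exclude rule numbered at or above the controller's 6001, wrong WAN interface for the model, malformed source address). The model labels, function names and sample subnet are hypothetical, and the accepted address forms (address, CIDR, a-b range, leading `!`) are an assumption about EdgeOS syntax.

```python
import ipaddress
import json

# From the thread: the controller re-provisions NAT rules 6001-6003, and the
# WAN interface is eth0 on the USG and eth2 on the USG Pro.
FIRST_CONTROLLER_RULE = 6001
WAN_IFACE = {"usg": "eth0", "usg-pro": "eth2"}  # hypothetical model labels


def valid_source(addr):
    """Accept an address, a CIDR subnet or an a-b range, optionally negated
    with '!' (assumed EdgeOS address syntax)."""
    parts = addr.lstrip("!").split("-")
    try:
        if len(parts) == 2:
            low, high = (ipaddress.ip_address(p) for p in parts)
            return low <= high
        ipaddress.ip_network(parts[0], strict=False)
        return len(parts) == 1
    except (ValueError, TypeError):
        return False


def check_nat_exclusions(config_text, model="usg"):
    """Return (exclusions, problems) for a config.gateway.json document."""
    rules = json.loads(config_text).get("service", {}).get("nat", {}).get("rule", {})
    exclusions, problems = [], []
    for number, rule in sorted(rules.items(), key=lambda item: int(item[0])):
        if "exclude" not in rule:
            continue
        source = rule.get("source", {}).get("address", "any")
        exclusions.append((int(number), source))  # "any" = NAT off for all hosts
        if int(number) >= FIRST_CONTROLLER_RULE:
            problems.append(f"rule {number}: not evaluated before rule {FIRST_CONTROLLER_RULE}")
        if rule.get("outbound-interface") != WAN_IFACE[model]:
            problems.append(f"rule {number}: outbound-interface is not {WAN_IFACE[model]}")
        if source != "any" and not valid_source(source):
            problems.append(f"rule {number}: malformed source address {source!r}")
    return exclusions, problems


# Constructed sample: the thread's rule 5999 with a documentation-range subnet.
SAMPLE = """{"service": {"nat": {"rule": {"5999": {
    "exclude": "''", "outbound-interface": "eth0", "type": "masquerade",
    "source": {"address": "192.0.2.48/28"}}}}}}"""

if __name__ == "__main__":
    print(check_nat_exclusions(SAMPLE, "usg"))
    print(check_nat_exclusions(SAMPLE, "usg-pro"))
```

An exclusion reported with source `any` means every host behind the gateway leaves the WAN interface untranslated, so the upstream device needs routes back to those subnets.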