11-28-2017 10:54 PM
Sorry, confusing stuff. Correction:
The WAN port of the USG is 10.11.0.40, the LAN port 10.11.40.1.
To elaborate now that I see the specific IPs here, the Juniper needs a static route for 10.11.40.0/24 pointing to 10.11.0.40.
12-04-2017 12:35 PM - edited 12-04-2017 01:33 PM
Thanks for all your posts. Finally I got this working, except port forwarding.
I see all my clients in the USG and DPI is working great. The DHCP is running on the USG. I created a static route in the Router. But I have to forward a few ports for services I need outside my home.
I don't see any devices except the USG in my Router, so I can't forward there. I have to forward in the USG, but it's not working. How can I do this?
Router LAN ------> USG WAN --------->USG LAN ------> LAN Switch
192.168.1.1------->192.168.1.3--------- >192.168.2.200------> 192.168.2.x
I want to forward 192.168.2.25 with port xxx. Please help
Ok I can forward a port, if I set the port in the Router and in the USG.
BUT: Is it not that what you want to prevent by disabling NAT? I'm confused :-(
12-07-2017 07:56 PM
Don't mean to hijack, but.....
I have successfully set up an EdgeRouter X to load balance two WANs and pass through to WAN1 of a USG.
BUT I need to be able to have the USG handle port forwarding and VPN, etc...
What and how do I configure the EdgeRouter X?
12-11-2017 11:27 PM
Love to hear the answer on Transparent Bridge Mode. I purchased the USG for DPI. But right now it is a brick. I have 4 vlans (2 are pvlans) and a management lan. Frontending a firewall with a router and creating "transport" ip ranges for the vlans seems ... error prone. Not to mention how to get the different VPNs on my Fortinet that need direct layer 2 connection to the vlans. All seems like a hack. The solution is simple - Bump in the wire - Transparent Bridge Mode.
Don't get me wrong. I like Ubiquiti. Well, I wish the UniFi products had the features of the EdgeSwitches (like PVLANs). But the APs are outstanding and the point-to-multipoint options for campus connections work well. The USG has the potential as a simple DPI box. I'd like to see it go that direction.
12-28-2017 01:39 PM
My current config:
Internet -> pfSense WAN -> pfSense LAN -> Cisco 3650G PS switch.
My pfSense has HAProxy enabled because I host several websites. So if a USG Pro is in between the Internet and pfSense WAN and NAT is disabled, will the internet traffic still be able to get to my web servers?
Would doing it this way work?
Internet -> USG PRO WAN -> USG PRO LAN -> pfSense WAN -> pfSense LAN -> Cisco 3650G PS switch. - or am I looking at this wrong?
01-15-2018 12:44 AM
There are two steps and one simple extra check, as I describe here: https://community.ubnt.com/t5/UniFi-Routing-Switching/Guide-to-disabling-NAT-on-USG/m-p/2057754/high...
1) Add the USG internal network(s) to "Network Protection" -> "Firewall" as the source for all outgoing rules
2) Add the USG internal network(s) to the "Network Protection" -> "NAT" masquerading sources
3) Make sure the USG internal networks are NOT assigned to the UTM already: "Interfaces & Routing" -> "Interfaces" -> "Additional Addresses"
And be sure that the USG and the UTM do not use the same network addresses; that will leave everything confused.
01-15-2018 12:58 AM
Thanks for your answer, I'll give it another try.
But one more question:
Is it possible to set it up like: Fritzbox 192.168.0.1 - Sophos UTM 192.168.1.100 - UniFi USG 192.168.2.1 and then back to internal LAN 192.168.1.0/24?
And do I need a static route on the USG controller?
01-15-2018 01:06 AM - edited 01-15-2018 01:10 AM
Short answer: no, that would mess things up completely.
When you set up the USG without NAT you still use it to distribute IP addresses, and it will still route traffic, just not via NAT, so there must be (an even greater) separation of network addresses than before NAT.
Fritzbox LAN ------> UTM WAN --------->UTM LAN ---------> USG WAN --------->USG LAN ------> LAN device
192.168.0.1------->192.168.0.2--------- >192.168.2.1------> 192.168.2.1--------- >192.168.1.1------> 192.168.1.x
To your other question: yes, a static route should be set on the USG; it should route the UTM LAN network to the WAN interface of the USG.
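The two rules in this reply (no overlapping networks along the chain, and a static route on each upstream device for every LAN behind it) can be checked mechanically. The following is an added example, not code from the thread or from Ubiquiti; the addresses are constructed from the diagrams above, and the USG WAN address 192.168.2.2 is an assumption, since the reply's diagram reuses 192.168.2.1.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# One hop: (device, WAN address/prefix or None for the internet-facing router,
# LAN address/prefix). All addresses below are constructed for this example.
Hop = Tuple[str, Optional[str], str]

def validate_chain(hops: List[Hop]) -> Dict[str, list]:
    """Check a chain of routers with NAT disabled and derive the static routes
    each upstream device needs for return traffic to reach the inner LANs."""
    lans = [ipaddress.ip_interface(lan) for _, _, lan in hops]
    wans = [ipaddress.ip_interface(wan) if wan else None for _, wan, _ in hops]
    # LAN networks that overlap anywhere in the chain make routing ambiguous.
    overlaps = [
        (hops[i][0], hops[j][0])
        for i in range(len(hops))
        for j in range(i + 1, len(hops))
        if lans[i].network.overlaps(lans[j].network)
    ]
    # Each device's WAN address must live on the upstream device's LAN segment.
    wan_mismatch = [
        hops[i][0]
        for i in range(1, len(hops))
        if wans[i] is None or wans[i].ip not in lans[i - 1].network
    ]
    # Device i reaches every LAN behind it via the WAN address of device i+1.
    routes = []
    for i in range(len(hops) - 1):
        next_hop = wans[i + 1]
        if next_hop is None:
            continue
        for j in range(i + 1, len(hops)):
            routes.append((hops[i][0], str(lans[j].network), str(next_hop.ip)))
    return {"overlaps": overlaps, "wan_mismatch": wan_mismatch, "routes": routes}

# The layout asked about above: the USG LAN reuses the UTM's 192.168.1.0/24.
PROPOSED = [
    ("Fritzbox", None, "192.168.0.1/24"),
    ("UTM", "192.168.0.2/24", "192.168.1.100/24"),
    ("USG", "192.168.1.2/24", "192.168.1.1/24"),
]
# The layout from the reply, with 192.168.2.2 assumed for the USG WAN address.
WORKING = [
    ("Fritzbox", None, "192.168.0.1/24"),
    ("UTM", "192.168.0.2/24", "192.168.2.1/24"),
    ("USG", "192.168.2.2/24", "192.168.1.1/24"),
]

if __name__ == "__main__":
    print(validate_chain(PROPOSED)["overlaps"])  # [('UTM', 'USG')]
    print(validate_chain(WORKING)["routes"])
```

The proposed layout fails on the UTM/USG overlap; the working one yields the static routes the thread describes: the Fritzbox needs both inner networks via 192.168.0.2, and the UTM needs the USG LAN via the USG WAN address.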
01-15-2018 09:50 AM - edited 01-15-2018 10:01 AM
I do not get it to work.
My rule under "Network Protection" -> "NAT" masquerading looks like:
External WAN is the WAN address from the Sophos UTM.
Is this enough?
01-15-2018 10:12 AM
I think that will work; I have "All internal networks", a group that consists of the USG LAN and the UTM LAN networks, instead of Any.
The reason it is not working for you is because I have forgotten to say that you need the static route (obviously), sorry about that:
I should probably do a complete writeup of this thing