Emerging Member
Posts: 101
Registered: ‎09-03-2014
Kudos: 21
Solutions: 1

Re: Guide to disabling NAT on USG

This was supposed to be in the 5.7 GUI - We're on 5.10 now and no sign of it. Update, please?

New Member
Posts: 20
Registered: ‎08-03-2016
Kudos: 1

Re: Guide to disabling NAT on USG

By "manager" do you mean the unifi controller? If so, then that is where the entirety of this setup takes place. There isn't a need to hit the USG directly to disable NAT for a subnet or interface.

New Member
Posts: 5
Registered: ‎01-07-2017
Kudos: 2

Re: Guide to disabling NAT on USG

Yes, on the UniFi controller through the web interface, as a properly supported feature. A checkbox to turn off NAT isn’t rocket science.

New Member
Posts: 4
Registered: ‎01-08-2019

Re: Guide to disabling NAT on USG

I am using a USG-Pro.

I have a public subnet that I need to pass through to some servers, but I also need a local subnet for regular traffic.

In other words, I need to use LAN1 as my passthrough subnet x.y.z.160/28 and LAN2 to be an internal network 192.168.x.y/24.

 

What would my configuration need to be to have LAN1 be the passthrough and LAN2 be a 192 network still using NAT?

 

Thanks

Mike

New Member
Posts: 20
Registered: ‎08-03-2016
Kudos: 1

Re: Guide to disabling NAT on USG

It's in the thread. You create/edit the config.gateway.json in your site directory and specify the prefix to exclude from NAT (just replace x.x.x.x/x with your IP/netmask):

{
    "service": {
        "nat": {
            "rule": {
                "5999": {
                    "description": "disable nat",
                    "exclude": "''",
                    "outbound-interface": "eth2",
                    "protocol": "all",
                    "source": {
                        "address": "x.x.x.x/x"
                    },
                    "type": "masquerade"
                }
            }
        }
    }
}

Member
Posts: 118
Registered: ‎08-23-2017
Kudos: 1
Solutions: 2

Re: Guide to disabling NAT on USG

Will a json change survive an update?


@shifty wrote:
It's in the thread. You create/edit the config.gateway.json in your site directory and specify the prefix to exclude from NAT (just replace x.x.x.x/x with your IP/netmask):

{
    "service": {
        "nat": {
            "rule": {
                "5999": {
                    "description": "disable nat",
                    "exclude": "''",
                    "outbound-interface": "eth2",
                    "protocol": "all",
                    "source": {
                        "address": "x.x.x.x/x"
                    },
                    "type": "masquerade"
                }
            }
        }
    }
}

 

New Member
Posts: 20
Registered: ‎08-03-2016
Kudos: 1

Re: Guide to disabling NAT on USG

I haven't tested it, but I would assume so. It certainly persists through other provisioning changes and functions through multiple USG firmwares and controller versions.

New Member
Posts: 28
Registered: ‎02-18-2016
Kudos: 15

Re: Guide to disabling NAT on USG


@UBNT-cmb wrote:

 UI and back end are in the works to expose NAT configuration in the controller...


Just a friendly reminder, about two years later...can Ubiquiti finally get this done?


@ejacksch wrote:

Yes, on the UniFi controller through the web interface, as a properly supported feature. A checkbox to turn off NAT isn’t rocket science.



One wouldn't think so!

New Member
Posts: 3
Registered: ‎03-17-2019
Kudos: 4

Re: Guide to disabling NAT on USG

I’m brand new to the Ubiquiti / UniFi product line but I have to say that while I am extremely impressed with what I’ve seen of it so far (mostly in just reading the Specs, Guides & Forums, etc.) I’m astonished that this issue of putting the USG in Bridge Mode and/or simply disabling NAT via the GUI hasn’t been rectified yet, in fact I’m surprised that it wasn’t always there in the first place... but after 2 years of user requests it seems inexcusable...

 

New Member
Posts: 4
Registered: ‎02-03-2019
Kudos: 2

Re: Guide to disabling NAT on USG

I just experienced this issue and official UniFi support redirected me to this post. It is strange that the NAT disable option is not in the GUI yet.

Member
Posts: 198
Registered: ‎03-20-2017
Kudos: 9

Re: Guide to disabling NAT on USG

Hello,

 

Which situations require disabling NAT on the USG?

I am unsure if that's what I am looking for.

New Member
Posts: 4
Registered: ‎02-03-2019
Kudos: 2

Re: Guide to disabling NAT on USG

For my setup I had to disable it because our remote department with the USG XG 8 was connected via ISP MPLS/VPLS and it's like our internal LAN, so it doesn't need a double NAT.

When NAT was turned on at my remote department, all our equipment (access points, users' PCs, etc.) that was connected to the USG was identified (in the main office firewall logs) as the USG WAN IP address and not the actual device IP; for example, 192.168.190.1, 192.168.190.2, 3, 4, 5... were identified as the USG WAN IP (172.16.0.3).

When I turned off NAT on the USG, all my equipment was identified correctly: 192.168.190.1, 192.168.190.2.

Basically I just copy-pasted (didn't change anything) the json file from the first post to the controller and force provisioned.

Works perfectly.

 

{
	"service": {
		"nat": {                                       
			"rule": {                   
				"5999": {                        
					"exclude": "''",        
					"outbound-interface": "eth0",
					"type": "masquerade"
				}
			}
		}
	}
}
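
Added example, not part of the original posts or Ubiquiti's tooling: a small Python helper that merges a NAT exclude rule for one source prefix into an existing config.gateway.json without dropping other keys, and reports how wide each exclude rule is. The rule posted earlier in the thread is limited by `source.address`, while the variant just above has no `source`, so it matches everything leaving `eth0`. The prefix `203.0.113.160/28`, the sample `EXISTING` content and the function names are constructed for illustration.

```python
import copy
import ipaddress
import json


def add_nat_exclusion(config, prefix, out_if, rule_id="5999"):
    """Return a copy of config with a NAT exclude rule for one source prefix."""
    # strict=True rejects prefixes with host bits set (e.g. .161/28 typos).
    net = ipaddress.ip_network(prefix, strict=True)
    merged = copy.deepcopy(config)
    rules = (merged.setdefault("service", {})
                   .setdefault("nat", {})
                   .setdefault("rule", {}))
    if rule_id in rules:
        raise ValueError(f"rule {rule_id} already exists")
    rules[rule_id] = {
        "description": f"disable nat for {net}",
        "exclude": "''",                      # valueless node, as in the thread
        "outbound-interface": out_if,
        "protocol": "all",
        "source": {"address": str(net)},
        "type": "masquerade",
    }
    return merged


def exclusion_scope(config):
    """Map rule id -> (interface, source prefix or 'ANY') for exclude rules."""
    rules = config.get("service", {}).get("nat", {}).get("rule", {})
    scope = {}
    for rule_id, rule in rules.items():
        if "exclude" in rule:
            src = rule.get("source", {}).get("address", "ANY")
            scope[rule_id] = (rule.get("outbound-interface"), src)
    return scope


# Constructed sample: an existing file with an unrelated setting to preserve.
EXISTING = {"system": {"host-name": "usg-example"}}

if __name__ == "__main__":
    cfg = add_nat_exclusion(EXISTING, "203.0.113.160/28", "eth2")
    print(json.dumps(cfg, indent=4))
    print(exclusion_scope(cfg))
```

A scope of `ANY` means hosts on every LAN behind that interface leave with their own addresses, so a network that should stay behind NAT (such as a 192.168.x.y/24 LAN) needs a rule with a `source` prefix instead.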

 

Member
Posts: 198
Registered: ‎03-20-2017
Kudos: 9

Re: Guide to disabling NAT on USG

Ok, thanks.

So this will not help me, if my USG is behind a NAT router from my ISP to get the WAN IP directly to my USG?

New Member
Posts: 4
Registered: ‎02-03-2019
Kudos: 2

Re: Guide to disabling NAT on USG

I think you need to talk with your ISP and they can convert NAT to route in their equipment, then you can use NAT on your USG.

Member
Posts: 198
Registered: ‎03-20-2017
Kudos: 9

Re: Guide to disabling NAT on USG

They can't, because it's a special bonding modem/router which bonds DSL + LTE.

If I bridged the modem, it would lose its bonding ability and only use DSL.

Emerging Member
Posts: 801
Registered: ‎02-03-2019
Kudos: 242
Solutions: 37

Re: Guide to disabling NAT on USG

However if you can add (a) static route(s) for your LAN network(s) on the ISP-Router you could use a transit network like 192.168.100.0/30 between ISP-Router and USG with no need for NAT on the USG side.

(The Public-IP still would be on the ISP-Modem which will do NAT towards the Internet but all traffic between the two routers would not need NAT)

Member
Posts: 198
Registered: ‎03-20-2017
Kudos: 9

Re: Guide to disabling NAT on USG

I have activated DMZ on the ISP router and put the USG into the DMZ. Is that also NAT?

Emerging Member
Posts: 801
Registered: ‎02-03-2019
Kudos: 242
Solutions: 37

Re: Guide to disabling NAT on USG

The one has nothing to do with the other. Having the DMZ (or „exposed host“) configured on the ISP-Router just means that it will pass all incoming traffic to the exposed host but has nothing to do with NAT switched on/off on the USG.

 

If you want to disable NAT on the USG the ISP-router must „know“ about the network(s) behind the USG which is achieved by adding static network routes on the ISP-router for those network(s) with the USG being the gateway.

Member
Posts: 198
Registered: ‎03-20-2017
Kudos: 9

Re: Guide to disabling NAT on USG

Ok, thanks. The modem/router of my ISP is: Huawei HA 35-22

Maybe someone knows if and how a static route is possible on that model?

Emerging Member
Posts: 801
Registered: ‎02-03-2019
Kudos: 242
Solutions: 37

Re: Guide to disabling NAT on USG

Just did some googling and just found complaints from other users that you can't add any routes on it. Not even changing the default LAN-network is possible. So you'll have to live with double-NAT (which usually works quite well for most use cases).