Guide to disabling NAT on USG

When i manually delete the existing nat rules (6001, 6002, 6003) commit and save and export the config to a config.gateway.json file, put it in the right directory and let the USG (both Pro and Non  Pro) reprovision, then the rulles which were deleted before are back in the USG config. It seems that the NAT rules 6001-6003 are automatically deployed.

@hoep there is no need to delete the existing ones, if you use the example provided by @UBNT-cmb as rule 5999 processes the data before it hits rule 6000,6001....

Thanks for this!  It should make quite a few people in the USG Monitor feature request happy (including me!)

Now off to play

Working beautifully on a USG4 Pro.

Thank you!

Works as advertised on USG pro.  Is there a way to have the DPI clients/users by IP rather than mac address?  I'm assuming this a layer3 vs layer2 issue since I've put it inline between two other routers and only see the mac of one router as the only client on the LAN side for all traffic. 

Hi,

i can try try to figure out, but I though ask first. Can anyone can share their setup how to accomplish this on the network (after disabling all NAT)? Which cable goes into Lan/wan and do I need to setup a mirror or just put in between my router and switch?

thanks......

Any updates 

Could someone please elaborate on completing this configuration? I was able to able add this rule to the existing .json file. But upon placing the USG behind my Sophos UTM, could not get traffic to pass through the USG, no matter what rules I put in place. Any help would be appreciated.

Yes! Can someone please post diagrams with configuration?

I have

USG Pro

Edge Router Pro

Edge Switch 48 Port (ES-48-500W)

@UBNT-cmb I think some  of us are dying to find out how to continue this setup on the hardware side. Could you complete your initial post?

thanks

Thanks for the solution. 

But I would want to disable NAT only for few ips (ex: from 192.168.1.50 to 192.168.168.1.60), can it be accomplished?

---

@bitter wrote:

Thanks for the solution. 

But I would want to disable NAT only for few ips (ex: from 192.168.1.50 to 192.168.168.1.60), can it be accomplished?

---

NAT = Network Address Translation

Affects the whole subnet.  You can't have some devices on a subnet with one IP address and other devices with a different address.  

Now, if you are talking about restricting traffic for certain IPs vs. other IPs then absolutely you can do that with firewall rules.  Not NAT.  

I don't want to restrict any traffic, simply I don't want that the gateway does nat for few ips and does only its job of router. Pro router can accomplish this, unifi not? 

---

@bitter wrote:

Pro router can accomplish this, unifi not? 

---

Can you cite an example?  What you are asking for makes aboslutely no sense to me but I think we might have a communications issue.  If you can provide a vendor and functionality they do then it would be easier to confirm either way if the USG does or doesn't do what you are after. 

---

@Amaravati wrote:

@UBNT-cmb I think some  of us are dying to find out how to continue this setup on the hardware side. Could you complete your initial post?

 

thanks

---

@jposluns could you help? Or am I guessing WAN port to Router, and LAN port to LAN/Switch is correct.

---

@UBNT-cmb wrote:

This has come up a number of times, so wanted to post a short howto. UI and back end are in the works to expose NAT configuration in the controller, but in the mean time, those who want to disable NAT completely only need a single NAT rule in config.gateway.json. The attached file put into place as config.gateway.json in the appropriate /data/sites/ directory, then forcing a provision of USG, will disable all NAT on eth0. 

 

If using USG Pro, you'll want to replace eth0 with eth2 so you have the appropriate WAN interface. 

---

Anyone know when one 'updates' the firmware of the USG will this setting remain?

---

@EricE wrote:

---

@bitter wrote:

Pro router can accomplish this, unifi not? 

---

Can you cite an example?  What you are asking for makes aboslutely no sense to me but I think we might have a communications issue.  If you can provide a vendor and functionality they do then it would be easier to confirm either way if the USG does or doesn't do what you are after. 

---

pfsense just for cite one, you can mapping outbound nat specificied ips or subnet.

Bringing back to my question, it could seem out of sense, but in few enviroments could be usefull do not NAT the entirely lan network. But I don't want to talking about it in this thread obviously.

Interesting. 

Well, you can't do it from the GUI.  But it appears you can do it from the CLI on the EdgeRouter:  https://help.ubnt.com/hc/en-us/articles/205231700-EdgeRouter-Destination-NAT-rules

and that means you can probably get it to work in the CLI on the USG.  If you do get it working, you have to export the config on the USG and save it to the Unifi controller as outlied here:  https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-w...

Otherwise your CLI customizations won't survive a reprovision of the USG by the controller. 

I tried adding source address xx.xx.xx.xx or xx.xx.xx.xx/xx (if you want to exclude multiple ips) and it works good.

{
	"service": {
		"nat": {
			"rule": {
				"5999": {
					"exclude": "''",
					"outbound-interface": "eth0",
					"type": "masquerade",
					"source": {
						"address": "xxx.xxx.xxx.xxx"
					}
				}
			}
		}
	}
}