Member
Posts: 229
Registered: ‎05-07-2014
Kudos: 32
Solutions: 1

Re: Guide to disabling NAT on USG


@bitter wrote:

Your reasoning is right and according to your topology the solution should be creating a route for 192.168.0.0/24 next hop 192.168.99.200 /24 (USG ip) in Router A, but you said to create a route static on USG first, why? 


@bitter Hm.. not sure if I am understanding this correctly.

 

My solution was

a) Create a static route on Router A (which you agree with)

b) Then, also, create a static route on the USG (which you are asking why?)

 

 

I am not sure if I can answer your question why. I only know that when the NAT was disabled on the USG, my reasoning was that the USG needs to be informed how to get to Router A, so a static route needed to be created on the USG. That is my reasoning.

 

So, are you saying I did not have to create a static route on the USG/Unifi controller, and it will work as well?

Emerging Member
Posts: 46
Registered: ‎05-05-2016
Kudos: 2
Solutions: 3

Re: Guide to disabling NAT on USG

[ Edited ]

It should work without static route on USG because networks 192.168.0.0/24 and 192.168.99.0/24 are directly connected to USG

Member
Posts: 229
Registered: ‎05-07-2014
Kudos: 32
Solutions: 1

Re: Guide to disabling NAT on USG


@bitter wrote:

It should work without static route on USG because networks 192.168.0.0/24 and 192.168.99.0/24 are directly connected to USG


@bitter Thanks, I get it. I just removed the static route on the USG and it worked. Thanks, so I overdid that part. I will adapt the post I made earlier!
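To make the routing point of the last few posts concrete, here is an added worked example (not code from the thread or from Ubiquiti). It models the topology with tiny routing tables and a longest-prefix-match lookup: the USG has 192.168.0.0/24 and 192.168.99.0/24 as connected routes, so it needs no static route, while Router A only reaches 192.168.0.0/24 once it has the static route via 192.168.99.200. It also shows why the problem only appears with NAT disabled. The USG WAN address 192.168.99.200 and the USG LAN 192.168.0.0/24 come from the thread; Router A's LAN address 192.168.99.1, the client address and the hop labels are assumptions.

```python
import ipaddress

# Constructed routing tables modelling the thread's topology.
# Assumed: Router A's LAN address is 192.168.99.1; the ISP hop is just a label.
# From the thread: USG WAN is 192.168.99.200 on 192.168.99.0/24, USG LAN is 192.168.0.0/24.
# Each entry is (prefix, next_hop, interface); next_hop None = directly connected.

USG_TABLE = [
    ("0.0.0.0/0", "192.168.99.1", "eth0"),   # default route towards Router A
    ("192.168.99.0/24", None, "eth0"),       # connected: the USG WAN side
    ("192.168.0.0/24", None, "eth1"),        # connected: the USG LAN side
]

ROUTER_A_NO_STATIC = [
    ("0.0.0.0/0", "isp-next-hop", "wan"),    # default route to the Internet
    ("192.168.99.0/24", None, "lan"),        # connected: Router A's LAN
]

# Router A with the static route the thread recommends.
ROUTER_A_WITH_STATIC = ROUTER_A_NO_STATIC + [
    ("192.168.0.0/24", "192.168.99.200", "lan"),
]


def lookup(table, dst):
    """Longest-prefix match: return the most specific (network, next_hop, iface) covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def usg_needs_static_route(dst):
    """True only if the USG would have to leave via its default route to reach dst."""
    route = lookup(USG_TABLE, dst)
    return route is None or route[1] is not None


def reply_path(router_a_table, reply_dst):
    """Follow a reply arriving from the Internet at Router A, destined to reply_dst.
    Returns the hop list; the last element says where the packet ended up."""
    hops = ["router-a"]
    route = lookup(router_a_table, reply_dst)
    if route is None or route[2] == "wan":
        # Router A knows no better route than its default: the reply goes back to the ISP.
        hops.append("leaked-to-isp")
        return hops
    if route[1] is None:
        hops.append("delivered-on-router-a-lan")
        return hops
    if route[1] != "192.168.99.200":
        hops.append("unknown-next-hop")
        return hops
    hops.append("usg")
    usg_route = lookup(USG_TABLE, reply_dst)
    if usg_route is not None and usg_route[1] is None:
        hops.append("delivered-on-usg-lan")
    else:
        hops.append("usg-forwarded-elsewhere")
    return hops


if __name__ == "__main__":
    client = "192.168.0.50"  # constructed client address behind the USG
    print("USG needs static route for Router A?", usg_needs_static_route("192.168.99.1"))
    print("NAT disabled, no static route on Router A:", reply_path(ROUTER_A_NO_STATIC, client))
    print("NAT disabled, static route on Router A:  ", reply_path(ROUTER_A_WITH_STATIC, client))
    # With NAT still enabled the reply is addressed to the USG WAN address instead:
    print("NAT enabled, no static route needed:      ", reply_path(ROUTER_A_NO_STATIC, "192.168.99.200"))
```

Running it shows the three cases the thread walks through: the USG already has a connected route to Router A's subnet, so `usg_needs_static_route("192.168.99.1")` is false; with NAT disabled and no static route on Router A the reply to a 192.168.0.x client is sent out the default route and the client has no Internet; with the static route it is handed to 192.168.99.200 and delivered. With NAT enabled the reply goes to 192.168.99.200 directly, which is why none of this was needed before NAT was disabled.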

New Member
Posts: 7
Registered: ‎07-27-2017

Re: Guide to disabling NAT on USG


@Amaravati wrote:

DPI (finally) WORKING

 

So I thought I should post this, just for all the noobs like myself. After some advice (see previous posts, and here) I had to move my DHCP from my original router to the USG. This simplified a lot of things. So how is my current setup?

 

Prerequisite: you need to install the config.gateway.json file in the appropriate directory (that depends on where your controller is installed, yes... I also needed to google that. It took me a while to figure out that you had to rename the file disable-NAT-config.gateway.json.txt to config.gateway.json..... yep.)

Hello, also a noob trying to get this to work, as I haven't been able to get it working with my IPcop box yet. But before I go any further: how can you confirm if the gateway.json file is in fact working? I put it in what I believe is the correct folder on my computer that is running the controller software, but how do I tell if it is actually disabling NAT? Do you know? Just trying to troubleshoot my setup. Thanks.

New Member
Posts: 4
Registered: ‎08-30-2017

Re: Guide to disabling NAT on USG

[ Edited ]

I'm thinking you've just answered my question... and it's no.

 

My Router A is a pfSense firewall with multiple subnets with unique access policies.  It has a single WAN to the Internet, but the LAN interface is connected to a switch as a trunk.  I have 4 subnets on that trunk going to the switch for different purposes like VPN (VLAN 20), IoT (VLAN 30), etc.  I can put my home devices on different VLANs and in turn they have different access to the Internet, each other, NAS servers, Plex, etc.

 

Following your example I guess I have to pick a single internal subnet to experiment with my USG?  It's not obvious to me the USG would route the tagged traffic in a way pfSense would recognize?

 

Are you using switch VLANs and a single firewall policy or subnets on the firewall with unique policies?

 

Member
Posts: 229
Registered: ‎05-07-2014
Kudos: 32
Solutions: 1

Re: Guide to disabling NAT on USG


@jam987 wrote:

Hello, also a noob trying to get this to work, as I haven't been able to get it working with my IPcop box yet. But before I go any further: how can you confirm if the gateway.json file is in fact working? I put it in what I believe is the correct folder on my computer that is running the controller software, but how do I tell if it is actually disabling NAT? Do you know? Just trying to troubleshoot my setup. Thanks.


Hi @YWAMIT98, I had the same issue, can't tell (in my experience). So I tested it by:

 

1) copying the file to the 'right' location

2) force reprovisioning the USG (by clicking on the USG in the controller and, under settings or so, manage --> force reprovision)

3) then plugging a laptop/computer into the USG LAN port and trying to connect to the internet. If you haven't set up the static route on your router, it 'should' not give you any internet. So that is how I knew it was disabled.

 

Give it a try?

Member
Posts: 229
Registered: ‎05-07-2014
Kudos: 32
Solutions: 1

Re: Guide to disabling NAT on USG


@dhilltx wrote:

I'm thinking you've just answered my question... and it's no.

 

My Router A is a pfSense firewall with multiple subnets with unique access policies.  It has a single WAN to the Internet, but the LAN interface is connected to a switch as a trunk.  I have 4 subnets on that trunk going to the switch for different purposes like VPN (VLAN 20), IoT (VLAN 30), etc.  I can put my home devices on different VLANs and in turn they have different access to the Internet, each other, NAS servers, Plex, etc.

 

Following your example I guess I have to pick a single internal subnet to experiment with my USG?  It's not obvious to me the USG would route the tagged traffic in a way pfSense would recognize?

 

Are you using switch VLANs and a single firewall policy or subnets on the firewall with unique policies?

 


@dhilltx Yes... I had the same issue. That's why I was advised to move the DHCP and all the VLANs to the USG to handle. I didn't have a special setup on my original router, so moving all the VLANs + their DHCPs to the USG was a hassle, but durable. I have VLANs, each with a different subnet and each with different firewall policies. But they all pass the USG to the router based on their subnet (not VLAN). So my router wouldn't know anything about the VLAN tags, but only sees the IP addressing.

 

Is that what you are asking?

 

New Member
Posts: 7
Registered: ‎11-07-2016
Kudos: 1

Re: Guide to disabling NAT on USG

[ Edited ]

@mrassbach I am in the exact same situation, a USG behind a UTM, and when I enable the disable-NAT rule and add the static route to the USG there is no outbound connection anymore.

 

Did you solve it? and if so, how?

New Member
Posts: 6
Registered: ‎04-24-2017

Re: Guide to disabling NAT on USG

Hi 

 

 

 

New Member
Posts: 6
Registered: ‎04-24-2017

Re: Guide to disabling NAT on USG

Important: also add the defined network object to the WebAdmin settings as an allowed network, to access the UTM WebAdmin interface from your internal USG networks.

New Member
Posts: 7
Registered: ‎11-07-2016
Kudos: 1

Re: Guide to disabling NAT on USG

@mrassbach, thank you, you made me look at the right places.

Here are the corrective items:
1) Add the USG internal network(s) to "Network Protection" -> "Firewall" as the source for all outgoing rules
2) Add the USG internal network(s) to the "Network Protection" -> "NAT" masquerading sources
3) My major fault: make sure the USG internal networks are NOT assigned to the UTM already: "Interfaces & Routing" -> "Interfaces" -> "Additional Addresses"

Then it works.
New Member
Posts: 4
Registered: ‎03-24-2017
Kudos: 4

Re: Guide to disabling NAT on USG

No NAT versus sensor on port mirror - This thread seems to have moved toward the former, when many of us have been asking about the latter.  Is there still a plan to allow someone to port mirror the LAN side of their existing firewall to the USG allowing it to inspect data without being inline at all with the firewall/switch?  See attached...

SuperUser
Posts: 9,511
Registered: ‎01-10-2012
Kudos: 6068
Solutions: 386

Re: Guide to disabling NAT on USG


@bigric wrote:

Is there still a plan to allow someone to port mirror the LAN side of their existing firewall to the USG allowing it to inspect data without being inline at all with the firewall/switch?  

 


If you read through the posts from UBNT folks in the feature request that you also posted in, it sounds like DPI only works if the chipset is routing. DPI doesn't work when bridging. And since much of this is embedded in the chipset itself, I get the feeling the only way it will ever be able to monitor as you (and I!) want is with new hardware.

 

So being able to at least disable NAT is something, although I agree far from ideal. Also probably why there hasn't been much more posted by UBNT on the matter.

 

What will really be interesting is if the newer EdgeRouter hardware that will no doubt eventually make its way to UniFi has the ability to do DPI while bridging and not routing.

When you receive a solution to your question/issue, don't forget to mark your thread as solved and to give kudo's to the people who have helped you out!

Having wifi problems? Take a look here first: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
Emerging Member
Posts: 103
Registered: ‎10-24-2014
Kudos: 14
Solutions: 2

Re: Guide to disabling NAT on USG

+1

UEWA, UBWA, UBRSS
SuperUser
Posts: 9,511
Registered: ‎01-10-2012
Kudos: 6068
Solutions: 386

Re: Guide to disabling NAT on USG

@bigric and others, it looks like UBNT Brandon responded in the feature request thread. Scroll down towards the bottom of page 31 since permalinking to an individual comment seems to be broken.
New Member
Posts: 15
Registered: ‎12-08-2014

Re: Guide to disabling NAT on USG

[ Edited ]

In regards to the USG used on a mirrored port: if one were to do this with a UniFi switch, how would you put a port in management mode? I only see aggregate, mirror, and switch mode for any given port.
Would you apply a Firewall rule on the USG to not send traffic out?

I presume that we need access to the LAN side of the USG in order for the UniFi controller to communicate with the USG. Could this not be done with a firewall policy, thus eliminating the extra port and cable from the switch to the USG?

New Member
Posts: 40
Registered: ‎05-31-2016
Kudos: 17

Re: Guide to disabling NAT on USG

The reason this has been such a requested feature is because it was listed on the January 2017 USG feature roadmap:

https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-Feature-Roadmap-January-2017-update/m-p/17...

Eight months later, we're being told it's too much work to implement? Can't blame people for voicing their opinion.
SuperUser
Posts: 9,511
Registered: ‎01-10-2012
Kudos: 6068
Solutions: 386

Re: Guide to disabling NAT on USG

[ Edited ]

@TParker31 wrote:
The reason this has been such a requested feature is because it was listed on the January 2017 USG feature roadmap:

Actually it was on the roadmap because it was already a very popular feature request. I know since I created the feature request in April of 2016.

 

And I created it based on some thoughts by others that I also linked to in that request, so I can't even take credit for the original idea.  I just liked it so much that I wanted to elevate it to ensure it got noticed.  That seems to have worked.

 


Eight months later, we're being told it's too much work to implement? Can't blame people for voicing their opinion.

Again, I think you have it backwards. UBNT-Brandon indicated they now think they can do it in software, but it's complicated since it's a completely different philosophy than was originally intended for the USG. Even though it's a substantial rewrite, they are not only pursuing it but it's a high priority due to the popularity of the feature request. That's hugely positive for me. I figured disabling NAT would be the best we could do with current hardware and bridging would take new hardware based on previous feedback, so that's a positive change indeed.
New Member
Posts: 40
Registered: ‎05-31-2016
Kudos: 17

Re: Guide to disabling NAT on USG

I'm not sure what you're trying to defend here, but at the end of the day there is no "DPI support in passthrough mode or on monitor interface" feature for the USG. Anyone who appreciates the value of the UniFi products simply buys what they need and uses their own router. What people want is the DPI data functionality of the USG without any other routing function. The initial post in the thread was very vague and really didn't help anyone who wanted to try disabling NAT. From there it sprung off into solutions using different routers and so on. IMO there should have been better instructions for, let's say, an EdgeRouter, pfSense, and Sophos UTM to explain these setups in more detail. Further discussions in this thread have been just that, which is helpful to everyone.
New Member
Posts: 33
Registered: ‎08-18-2017
Kudos: 2

Re: Guide to disabling NAT on USG

@UBNT-Brandon, @UBNT-cmb

 

Are there any updates on this? Not specifically with monitor mode, but with a UI for disabling NAT without resorting to CLI and JSON files.