New Member
Posts: 1
Registered: 02-13-2018

Re: Guide to disabling NAT on USG

Soooo - is it available already?

I've updated to CONTROLLER VERSION 5.7.18.

But couldn't find it yet. Do I need to update firmwares, too?

 
New Member
Posts: 13
Registered: 04-21-2016

Re: Guide to disabling NAT on USG

Feature coming in 5.7.x   - the x is still unknown

New Member
Posts: 23
Registered: 01-04-2011
Kudos: 11

Re: Guide to disabling NAT on USG


@bitter wrote:

I tried adding source address xx.xx.xx.xx or xx.xx.xx.xx/xx (if you want to exclude multiple ips) and it works good.

{
	"service": {
		"nat": {
			"rule": {
				"5999": {
					"exclude": "''",
					"outbound-interface": "eth0",
					"type": "masquerade",
					"source": {
						"address": "xxx.xxx.xxx.xxx"
					}
				}
			}
		}
	}
}

I tried this out and it works great for excluding an IP or IP range. But I have tried to modify it so you could exclude multiple IP ranges, and all I wind up doing is putting the USG in a reprovision loop, so I am goofing up, but I am not sure where. I am hoping somebody who has more knowledge of working with the config.json could whip up an example showing how to add multiple IP ranges, or if you could point me to an already existing example that would be awesome.

 

Below is one example I have tried and it put me into a reprovision loop:

 

{
	"service": {
		"nat": {
			"rule": {
				"5999": {
					"exclude": "''",
					"outbound-interface": "eth0",
					"type": "masquerade",
					"source": {
						"address": "xxx.xxx.xxx.xxx/xx"
					},
					{"address": "xxx.xxx.xxx.xxx/xx"}
				}
			}
		}
	}
}

Am I close? Did I miss anything? Any help would be greatly appreciated.
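As an added example (not code from the thread, from Ubiquiti, or from any poster), the Python below does two things a practitioner would want before pushing a config.json: it checks that the file is valid JSON at all, and it builds the multi-range variant as one rule per range, which is exactly the shape of the working rule quoted above. The two-range attempt from the post is transcribed with documentation placeholder addresses; the second `{"address": ...}` object dangling after the `"source"` member is not valid JSON, which is a plausible reason for a provision that never completes. Everything about addresses here is constructed, and the assumption that rule numbers 5998, 5997, ... are free and sort ahead of the controller's own masquerade rule is mine, not something the thread states.

```python
import ipaddress
import json
from typing import Dict, Iterable, Optional

# Constructed sample modelled on the working single-range rule posted in the
# thread; the addresses are documentation placeholders, not real hosts.
WORKING_SINGLE_RANGE = """
{
  "service": {
    "nat": {
      "rule": {
        "5999": {
          "exclude": "''",
          "outbound-interface": "eth0",
          "type": "masquerade",
          "source": {
            "address": "192.0.2.0/24"
          }
        }
      }
    }
  }
}
"""

# The two-range attempt from the thread, transcribed with placeholder
# addresses: a bare {"address": ...} object follows the "source" member,
# which no JSON parser accepts.
BROKEN_TWO_RANGES = """
{
  "service": {
    "nat": {
      "rule": {
        "5999": {
          "exclude": "''",
          "outbound-interface": "eth0",
          "type": "masquerade",
          "source": {
            "address": "192.0.2.0/24"
          },
          {"address": "198.51.100.0/24"}
        }
      }
    }
  }
}
"""


def json_error(text: str) -> Optional[str]:
    """Return None if text is valid JSON, otherwise a one-line description of
    where parsing stopped. Worth running on config.json before provisioning."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as exc:
        return f"line {exc.lineno} col {exc.colno}: {exc.msg}"


def build_exclusions(ranges: Iterable[str], interface: str = "eth0",
                     first_rule: int = 5999) -> Dict:
    """Build a config.json fragment with one masquerade-exclude rule per range.

    Each rule has exactly the shape of the working rule above, so for a single
    range the result is identical to it. Rule numbers count down from
    first_rule (5999, 5998, ...); that those numbers are unused and sort before
    the controller's own masquerade rule is an assumption of this example.
    """
    rules = {}
    for offset, net in enumerate(ranges):
        # Reject typos early: a bad address would otherwise surface only as a
        # failed provision on the USG.
        ipaddress.ip_network(net, strict=False)
        rules[str(first_rule - offset)] = {
            "exclude": "''",
            "outbound-interface": interface,
            "type": "masquerade",
            "source": {"address": net},
        }
    return {"service": {"nat": {"rule": rules}}}


if __name__ == "__main__":
    print("working rule parses:", json_error(WORKING_SINGLE_RANGE) is None)
    print("two-range attempt:", json_error(BROKEN_TWO_RANGES))
    print(json.dumps(build_exclusions(["192.0.2.0/24", "198.51.100.0/24"]), indent=2))
```

Run it as a script and it prints the parse error for the broken attempt and the generated two-rule fragment; `json.dumps(..., indent=2)` output is what you would paste into config.json after replacing the placeholder networks with your own.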

New Member
Posts: 4
Registered: 12-10-2017
Kudos: 2

Re: Guide to disabling NAT on USG

[ Edited ]

When you set up the USG without NAT you still use it to distribute ip addresses and it still will route traffic just not via NAT, so there must be (an even greater) separation of network addresses than before NAT.

 


This sounds, in principle, like what I want: pfsense as external firewall, external router, DNS resolver and NAT. USG as internal firewall (necessary?), internal router for VLANs etc., DHCP server for my local net and a simple DNS forwarder.

 

@ecomerc, your chart showed the same IP for UTM LAN and USG WAN -- that is an error. Should look as follows (two different private subnets):

 

ISP --> pfsense WAN ---> pfsense LAN ----> USG WAN ---> USG LAN ---> USW & other LAN devices

 ...  --> 188.xxxxxxxx ---> 192.168.2.1 -----> 192.168.2.2 ---> 192.168.1.1 ----> 192.168.1.x

 

[EDIT: Deleted crap. I can confirm the above is a working setup, with a static route added on the pfsense router pointing to the USG WAN for network 192.168.1.0/24. Seems original post of ecomerc contained a typo.]

New Member
Posts: 20
Registered: 04-25-2014
Kudos: 26
Solutions: 1

Re: Guide to disabling NAT on USG

I've updated to 5.8.12

But couldn't find it. Do I need to downgrade to 5.7.x?

New Member
Posts: 29
Registered: 08-29-2017
Kudos: 2

Re: Guide to disabling NAT on USG

[ Edited ]

Anything new regarding disabling NAT via GUI? I won't buy one until that works.

 

 

New Member
Posts: 1
Registered: 07-16-2018

Re: Guide to disabling NAT on USG

I am waiting to hear the same thing. I want to use the USG with my SonicWALLs with NAT disabled so I can pull the DPI and traffic data. It seems after reading through this thread that it isn't exactly as straightforward as some might hope, but that Ubiquiti is working on a release soon to allow NAT to be disabled and run in a 'monitoring mode'?? Hopefully that is the case and I can pick one up in the near future!

Or, is there a proven method that disables NAT completely?

New Member
Posts: 2
Registered: 09-05-2017

Re: Guide to disabling NAT on USG

Hi,

I have tried this on the USG PRO but it still didn't remove the WAN IN firewall rules from affecting NAT. I have had to create a rule to accept ALL traffic on the public routed subnet I have set up on LAN2 on my USG PRO. Once this was done, I was getting ICMP responses from the SonicWALL on the public range and they were able to establish a site-to-site VPN.



New Member
Posts: 5
Registered: 11-08-2016

Re: Guide to disabling NAT on USG

Has anyone been able to get this working in the latest version?

Emerging Member
Posts: 100
Registered: 02-27-2018
Kudos: 30

Re: Guide to disabling NAT on USG

[ Edited ]

My setup is currently: pfSense > Netgear switch > NanoHD x 2, controller running on QNAP NAS.

I would buy a USG for the DPI functionality, but don't want to stop using pfSense as router.

Could someone explain to me in simple terms what using a USG with NAT disabled means in terms of networking?

Currently my network looks like:

PPPoE connection > pfSense 192.168.0.1 > Netgear switch > NanoHD x 2, Wifi & Wired Devices all under DHCP 192.168.0.2 to 192.168.0.50

If I were to add a USG with NAT disabled between the pfsense and the switch, how would that affect the networking/addressing? Is it, essentially, completely transparent, or how would I need to change my network addressing?

Other question, I understand speeds on the USG are limited fairly significantly when DPI is enabled, that's OK I only have a 50mb connection. But just wondering are the throughput limits when using DPI the same when NAT is disabled?

Thanks.....

PS - It would be really nice if this was added as a GUI option.

New Member
Posts: 4
Registered: 12-10-2017
Kudos: 2

Re: Guide to disabling NAT on USG

[ Edited ]

@occamsrazor You will have two separate private networks and need to change addressing somewhat:

1. One 192.168.x.0/24 network with just your pfsense 192.168.x.1 and your USG WAN port at (e.g.) 192.168.x.2.

2. Then your proper LAN behind the USG with a different network 192.168.y.0/24, with the USG LAN as the router/gateway at 192.168.y.1.

3. You should as of now use the USG as a DHCP / DNS server for the 192.168.y.0/24 network. That gives you the benefit of the Unifi environment and you do not need to fiddle with advanced setups on the pfsense. (the USG could forward DNS requests to pfsense so you could still use e.g. pfblockerNG as adblock)

You may wish to continue using the 192.168.0.x network for your proper LAN - then the pfsense LAN and USG WAN would need to move to another network (e.g. 192.168.2.x or .1.x). So: USG LAN = 192.168.0.1. USG WAN = 192.168.2.2. pfsense LAN = 192.168.2.1. pfsense WAN = whatever IP your ISP is providing to you.

Short steps:
1. Install USG and set it up to provide DHCP/DNS in your new private network (as per standard).
2. Use the provided config.json file. [Note: The additional firewall rules do not show up in GUI/Controller!]
3. On your pfsense, add a static route to your "proper LAN" (192.168.0.0/24) via gateway USG WAN (192.168.2.2). Do not miss this step!
4. Provision the USG.

Speed should not be significantly affected by DPI (hardware accelerated) -- only by using Smart Queues (traffic shaping) or IDS/IPS. But both of those you can set up on the pfsense.
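As an added example (not the poster's or Ubiquiti's code), the Python below checks an addressing plan of the kind described above before anything is changed on pfSense: the pfSense LAN and the USG WAN must share one transit subnet but not one address (the chart error called out earlier in the thread), the LAN behind the USG must be a different subnet, and pfSense must carry a static route to that LAN via the USG WAN address (the step the post says not to miss). The interface notation with prefix length and the (destination, next-hop) tuple for the route are conventions of this example; the addresses are the ones used in the post.

```python
import ipaddress
from typing import List, Optional, Tuple


def check_no_nat_plan(pfsense_lan: str, usg_wan: str, usg_lan: str,
                      static_route: Optional[Tuple[str, str]]) -> List[str]:
    """Return the problems found in a pfSense -> USG (NAT disabled) addressing
    plan; an empty list means the plan is consistent.

    pfsense_lan, usg_wan and usg_lan are interface addresses with prefix length,
    e.g. "192.168.2.1/24". static_route is (destination, next-hop) as entered on
    pfSense, or None if no route has been added yet.
    """
    problems: List[str] = []
    pf = ipaddress.ip_interface(pfsense_lan)
    wan = ipaddress.ip_interface(usg_wan)
    lan = ipaddress.ip_interface(usg_lan)
    transit = pf.network

    # pfSense LAN and USG WAN form the "transit" subnet between the two routers...
    if wan.network != transit:
        problems.append(f"USG WAN {wan} is not on the pfSense LAN network {transit}")
    # ...but they must be two different addresses on it.
    if wan.ip == pf.ip:
        problems.append(f"pfSense LAN and USG WAN both use {pf.ip}")
    # The LAN behind the USG has to be a separate subnet; an overlap makes the
    # route between the two networks ambiguous.
    if lan.network.overlaps(transit):
        problems.append(f"USG LAN {lan.network} overlaps the transit network {transit}")
    # Without NAT, pfSense needs a return route to the USG LAN via the USG WAN.
    if static_route is None:
        problems.append(f"missing static route on pfSense: {lan.network} via {wan.ip}")
    else:
        dest, nexthop = static_route
        dest_net = ipaddress.ip_network(dest, strict=False)
        hop = ipaddress.ip_address(nexthop)
        if dest_net != lan.network:
            problems.append(f"static route destination {dest_net} is not the USG LAN {lan.network}")
        if hop != wan.ip:
            problems.append(f"static route next-hop {hop} is not the USG WAN address {wan.ip}")
        if hop not in transit:
            problems.append(f"next-hop {hop} is not reachable on the transit network {transit}")
    return problems


if __name__ == "__main__":
    # The plan from the post: LAN stays 192.168.0.0/24, transit is 192.168.2.0/24.
    plan = check_no_nat_plan("192.168.2.1/24", "192.168.2.2/24", "192.168.0.1/24",
                             ("192.168.0.0/24", "192.168.2.2"))
    print("problems:", plan or "none")
    # The same plan with the static route forgotten.
    print("problems:", check_no_nat_plan("192.168.2.1/24", "192.168.2.2/24",
                                         "192.168.0.1/24", None))
```

The checks are deliberately independent, so a plan with several mistakes reports all of them in one run rather than stopping at the first.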

Emerging Member
Posts: 100
Registered: 02-27-2018
Kudos: 30

Re: Guide to disabling NAT on USG


@cendres_de wrote:

 

Thanks a lot for that very detailed explanation, it's very helpful indeed. I will give it some thought.

New Member
Posts: 9
Registered: 09-13-2017
Kudos: 4

Re: Guide to disabling NAT on USG


@occamsrazor wrote:

My setup is currently: pfSense > Netgear switch > NanoHD x 2, controller running on QNAP NAS.

I would buy a USG for the DPI functionality, but don't want to stop using pfSense as router.


 

I've been waiting for this feature for a while, and I must confess that my opinion is now - don't bother!

 

Having experienced (unrelated) internet connectivity issue, I briefly removed my pfsense router and installed the 'pending' USG. Finally I had an extra green circle!

 

Except that my VPN circles didn't light up - the IPsec tunnel was running, exactly as on pfsense (thanks to the beauty of the controller) but no indication.

 

I also had missing information for my VLANs, and erroneous traffic throughput indications over the 24-hour trial.

 

The final straw was that I made one GUI change for the USG, and the whole network went down. I couldn't recover the device so reverted to pfsense (without the USG) and restored to one of the controller auto-backups.

 

System is running again, but in summary:

  • I'm happy with the Unifi Controller, WiFi & VLANs
  • pfsense gives a more detailed UI, more options & better control
  • the USG just isn't worth the hassle, to get DPI in pass-thru, if switching from pfsense

Just my 2c, but I'll keep the USG for a rainy day...

Emerging Member
Posts: 101
Registered: 09-03-2014
Kudos: 21
Solutions: 1

Re: Guide to disabling NAT on USG

I'm on 5.8.30 - How do I disable NAT on the WAN interface? I don't see it in the GUI.

Thanks.

Member
Posts: 260
Registered: 05-14-2018
Kudos: 28
Solutions: 4

Re: Guide to disabling NAT on USG

Emerging Member
Posts: 58
Registered: 09-15-2017
Kudos: 13

Re: Guide to disabling NAT on USG

I have 6 VLANs on my USG and want to add a pfSense or Sophos firewall in front along with a Pi-hole DNS.

 

Will the config file in the 1st post work in removing the double NAT and still provide DHCP and other services through the USG? Or do I replace the USG with the new router and configure all the home subnets on it along with the DHCP scopes?

 

thanks

Emerging Member
Posts: 101
Registered: 09-03-2014
Kudos: 21
Solutions: 1

Re: Guide to disabling NAT on USG

Is this still coming to the GUI?

New Member
Posts: 3
Registered: 07-05-2018

Re: Guide to disabling NAT on USG

When I push the .json (with eth2 modification) on my Cloud Key (I have a USG 4 PRO), after provisioning, internet is down...

 

GG

Ubiquiti USG Pro 4 | UniFi CloudKey | UniFi Switch 16-150W |2x UAP-AC-HD | UAP-AC-PRO | Synology DS918+
Emerging Member
Posts: 90
Registered: 05-01-2016
Kudos: 15
Solutions: 2

Re: Guide to disabling NAT on USG

So if I have my network setup like this:

 

(internet) PfSense -> USG Pro -> LAN 

 

Can I still see the stats of the USG on my portal? And if I don't need DHCP or DNS, as I don't need them on my firewall for the home LAN, could I still do things like VPN using a mix of pfSense and my MS server to manage connections?

 

Thanks

 

New Member
Posts: 5
Registered: 01-07-2017
Kudos: 2

Re: Guide to disabling NAT on USG

This is helpful for testing in the lab, but what we really need for deployment is a proper option in the manager GUI to disable NAT.

 

We have customers with public IP blocks that need this feature. We have other customers where a USG would make an ideal internal firewall between security zones.

 

But until we can turn off NAT from the manager, it isn't going to happen.