New Member
Posts: 19
Registered: ‎03-30-2016
Kudos: 2

Re: Guide to disabling NAT on USG

What's the best way to use the USG with NAT off in front of an EdgeRouter Pro? I really want to use the USG as a transparent bridge so I can take advantage of USG graphs and other features like DPI.

Currently I have  ----- Internet (Static IP) ----- EdgeRouter Pro ----- LAN

What would be the best option?    ----- Internet (Static IP) ----- USG ----- EdgeRouter Pro ----- LAN?

New Member
Posts: 34
Registered: ‎05-14-2016
Kudos: 1

Re: Guide to disabling NAT on USG

Hi, I went ahead and purchased a USG specifically because of your post. But now I'm trying to add this config.gateway.json and I can't find the appropriate directory to put it in.

The directions I've read indicate to add the file to our controller/cloud key? That seems counter-intuitive to me; wouldn't I add it to the USG instead?

The directory <unifi_base>/data/sites/default exists on our controller/cloud keys but does not on this new USG.

Our site has two UniFi cloud keys.

This USG is right out of the box so it hasn't been introduced to our network or UniFi yet.

Would you advise on where I should drop this config.gateway.json file?

New Member
Posts: 40
Registered: ‎05-31-2016
Kudos: 17
New Member
Posts: 34
Registered: ‎05-14-2016
Kudos: 1

Re: Guide to disabling NAT on USG

Thanks, TParker.

Another question to the group: since we have 2 cloud keys, will we also need 2 USGs?

New Member
Posts: 7
Registered: ‎07-27-2017

Re: Guide to disabling NAT on USG

Can anyone provide direction for a novice on how to set this up correctly once I disable NAT?

My set up is:

2 x DSL lines -----> Load balancer (192.168.10.2) ------> IPCop Server/firewall (10.0.0.1) ----> PoE switch --> 10 x UniFi Access Points.

I am assuming I place this after my IPCop server, between it and my PoE switch. But what settings would I need to use to get it to talk to everything else correctly?

Thank you.

New Member
Posts: 7
Registered: ‎07-27-2017

Re: Guide to disabling NAT on USG


@TParker31 wrote:

Could someone please elaborate on completing this configuration? I was able to add this rule to the existing .json file. But upon placing the USG behind my Sophos UTM, I could not get traffic to pass through the USG, no matter what rules I put in place. Any help would be appreciated.


Were you able to get this working? If so, could you share what you did?

Thanks,

New Member
Posts: 36
Registered: ‎11-21-2016
Kudos: 11

Re: Guide to disabling NAT on USG

@TParker31 / @YWAMIT98 / @gnycbsa

This quick example might help:

(attachment: UniFi Network.png)

With NATing disabled, you must have Static Routes pointing your UniFi LAN Networks back to your USG.


New Member
Posts: 40
Registered: ‎05-31-2016
Kudos: 17

Re: Guide to disabling NAT on USG

Gary,

Thanks for the diagram. I'll use your ranges for this question:

I have an additional issue that maybe you can help with.

When I VPN into my router, I receive an alternate IP range (10.240.2.0/24).

I have rules in place to hit all devices on the 10.255.1.0/24 network and the 192.168.0.0/24 network, and I can access the USG at 192.168.0.1, but no other device on the 192.168.0.0/24 network.

Conversely, I can access a remote device on the 10.240.2.0/24 network from a device on the 192.168.0.0/24 network.

I've chalked this up to FW rules on the USG WAN 1 port, but no matter what rules I try I've had zero success.

Any help would be appreciated.


New Member
Posts: 19
Registered: ‎03-30-2016
Kudos: 2

Re: Guide to disabling NAT on USG

What's the best way to do this when you just want to use the USG as a passthrough?

Internet (Static IP Fiber) ----- USG?? ----- EdgeRouter Pro (Main Subnet 192.168.100.0/24 and a bunch of VLANs)  I really like having the EdgeRouter as the gateway and doing NAT.


New Member
Posts: 36
Registered: ‎11-21-2016
Kudos: 11

Re: Guide to disabling NAT on USG

Hi @TParker31,

Correct, the Firewall on the USG will still be blocking all inbound connections on WAN1, whereas all outbound is allowed, which explains what you're seeing.

I don't have any inbound rules myself. But I can dummy up one this evening to test with when I get home.

I think it should be as simple as:
- Create 2 FW Groups, one for 10.255.1.0/24 and another for 192.168.0.0/24.
- Create a New 'WAN IN' FW Rule and Accept traffic from the Source 10.255.1.0/24 Group to the Destination 192.168.0.0/24 Group on All Protocols.

If you create a FW Rule using 'Source/Destination Type' of Network, make sure you change the drop-down option from ADDRv4 to NETv4.

New Member
Posts: 36
Registered: ‎11-21-2016
Kudos: 11

Re: Guide to disabling NAT on USG

Hi @gnycbsa

If it was me, I'd have it strung together this way:

Internet ----- EdgeRouter Pro ----- USG (Main Subnet 192.168.100.0/24 and a bunch of VLANs)

And only use the EdgeRouter Pro for config that can't easily be accomplished on the USG.

This way could work as well:

Internet ----- USG ----- EdgeRouter Pro (Main Subnet 192.168.100.0/24 and a bunch of VLANs)

But you lose some of the benefits of the unified environment.
Plus, it's the EdgeRouter Pro in that case that would need NATing disabled on its WAN/USG-facing interface.

New Member
Posts: 40
Registered: ‎05-31-2016
Kudos: 17

Re: Guide to disabling NAT on USG

Thanks for the help, but this is exactly what I had tried before.

Please see if you can get this to work and let me know what I'm missing.

New Member
Posts: 36
Registered: ‎11-21-2016
Kudos: 11

Re: Guide to disabling NAT on USG

Hi @TParker31

The following rule works for me:

(attachments: fw1.JPG, fw2.JPG, fw3.JPG)

However, I initially thought this rule hadn't worked.
So I edited it, Enabled Logging, selected all 4 States (New, Established, Invalid & Related) and saved this amendment.

After this, I noticed the Firewall Rule started to work, and Traffic was passing successfully.
I then went back in, edited the Rule, unchecked Enable Logging and all 4 States as per the above screenshots, and it continued to work.

I think this was my impatience, in that I hadn't given the USG enough time to reprovision the first time around. But it might be worth trying in case it's a bug.


Ubiquiti Employee
Posts: 5,174
Registered: ‎08-08-2016
Kudos: 5679
Solutions: 355

Re: Guide to disabling NAT on USG


@Amaravati wrote:

@UBNT-cmb wrote:

This has come up a number of times, so wanted to post a short howto. UI and back end are in the works to expose NAT configuration in the controller, but in the meantime, those who want to disable NAT completely only need a single NAT rule in config.gateway.json. The attached file put into place as config.gateway.json in the appropriate /data/sites/ directory, then forcing a provision of the USG, will disable all NAT on eth0.

If using USG Pro, you'll want to replace eth0 with eth2 so you have the appropriate WAN interface.


Anyone know whether this setting will remain when one 'updates' the firmware of the USG?


Yes, that's just a configuration parameter; it will remain independent of firmware or controller version.
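The thread's advice is to add a single NAT rule to config.gateway.json and to use eth2 instead of eth0 on a USG Pro; several replies also mention adding the rule "to the existing .json file". The Python below is an added example (not the attachment from the original post) showing how to merge such a rule into an existing config.gateway.json without overwriting the keys already in it, and how to validate the result before provisioning. The exact shape of the rule (a masquerade rule with "exclude" set, rule number 5000, "log": "disable") is my reconstruction of an EdgeOS-style NAT-exclude rule and is an assumption; only the interface names eth0/eth2 come from the thread, and the existing-file contents are constructed sample data.

```python
"""Merge a NAT-exclude rule into an existing config.gateway.json.

Added example; the rule layout is an assumption, not the thread's attachment.
"""
import copy
import json

# Rule number and fields are assumptions: pick a number that does not collide
# with the controller-generated NAT rules.
NO_NAT_RULE_NUMBER = "5000"

# WAN interface per model, as stated in the thread.
WAN_INTERFACE = {"usg": "eth0", "usg-pro": "eth2"}


def no_nat_rule(model: str) -> dict:
    """Config fragment that excludes all traffic leaving the WAN interface
    from masquerading, i.e. disables outbound NAT on that interface."""
    iface = WAN_INTERFACE[model]  # KeyError for an unknown model is intended
    return {
        "service": {
            "nat": {
                "rule": {
                    NO_NAT_RULE_NUMBER: {
                        "description": "Disable NAT (example)",
                        "exclude": "''",  # valueless-node convention (assumed)
                        "log": "disable",
                        "outbound-interface": iface,
                        "type": "masquerade",
                    }
                }
            }
        }
    }


def deep_merge(base: dict, extra: dict) -> dict:
    """Recursively merge `extra` into a copy of `base`: nested dicts are
    merged key by key, scalars in `extra` overwrite those in `base`."""
    out = copy.deepcopy(base)
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def merge_no_nat(existing_text: str, model: str) -> dict:
    """Parse the text of an existing config.gateway.json (empty text means
    no file yet), merge the no-NAT rule in and return the merged config.
    A malformed existing file raises json.JSONDecodeError, which is the
    thing to catch *before* provisioning: the gateway keeps re-provisioning
    while the file on the controller is not valid JSON."""
    existing = json.loads(existing_text) if existing_text.strip() else {}
    return deep_merge(existing, no_nat_rule(model))


def render(config: dict) -> str:
    """Pretty-print the config and round-trip it to prove it is valid JSON."""
    text = json.dumps(config, indent=4, sort_keys=True)
    json.loads(text)
    return text


# Constructed sample: a config.gateway.json that already carries other keys.
SAMPLE_EXISTING = json.dumps({
    "system": {"host-name": "usg-example"},
    "service": {"nat": {"rule": {"6001": {"description": "existing rule"}}}},
})

if __name__ == "__main__":
    print(render(merge_no_nat(SAMPLE_EXISTING, "usg-pro")))
```

Running the script prints the merged file for a USG Pro; the pre-existing host-name and NAT rule 6001 survive alongside the new rule 5000 on eth2.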

New Member
Posts: 4
Registered: ‎08-30-2017

Re: Guide to disabling NAT on USG

Are you using VLANs?

I'm preparing to insert (vs. return) my new Amazon USG between my existing pfSense appliance (Netgate) and core LAN switch (Netgear). I follow your LAN and WAN routing but must preserve the existing internal VLANs and unique subnet firewall policies I already have in place.

Once I disable NAT on the USG, when source traffic from 192.168.1.0/24, 192.168.20.0/24, 192.168.30.0/24, etc. hits the USG LAN interface and routes without NAT to the USG WAN interface, will it remove the VLAN tags? I'm hoping my existing pfSense appliance LAN interface (configured as a trunk) still sees the original VLAN tags coming inbound from the USG WAN interface, which originate downstream via the 802.1Q trunk between the USG LAN and the Netgear core.

My topology planning is attached... thanks in advance for your thoughts!

(attachment: Overview.JPG)

New Member
Posts: 6
Registered: ‎04-24-2017

Re: Guide to disabling NAT on USG

@TParker31 I had the same setup with a Sophos UTM in front of my USG. I added the rule to disable the NAT on the USG, but had no internet connection after it. I added a static route from the UTM to the USG. Is there anything else I missed? Maybe you can share your configuration of the UTM and USG with me. Thanks in advance.

Member
Posts: 229
Registered: ‎05-07-2014
Kudos: 32
Solutions: 1

Re: Guide to disabling NAT on USG

DPI (finally) WORKING

So I thought I should post this, just for all the noobs like myself. After some advice (see previous posts, and here) I had to move my DHCP from my original router to the USG. This simplified a lot of things. So how is my current setup?

Prerequisite: you need to install the config.gateway.json file in the appropriate directory (that depends on where your controller is installed, yes... I also needed to google that. It took me a while to figure out that you had to rename the file disable-NAT-config.gateway.json.txt to config.gateway.json..... yep.)

 

Setup: Router with USG
Router A = connection to the public / WAN
192.168.99.250 / 24 = LAN PORT (this should be on a different network than your LAN!)
|
|
192.168.99.200 /24 = USG WAN PORT (this should be in the same network as your Router A)
USG = DHCP to my local lan
192.168.0.200 /24 = USG LAN PORT
|
|
LAN (via a switch) ==> ALL the other stuff

Settings to make the LAN network visible on Router A
Settings in Router A (to tell this router to route all the LAN requests back to the USG)
Create a static route
Destination 192.168.0.0/24 (the network your LAN sits on)
Gateway 192.168.99.200 (the IP address of the USG WAN port)

Example of the router Static Route settings window

(attachment: IMG_1533.PNG)

Settings in the UniFi Controller to route your USG gateway 192.168.0.200 to Router A's IP address 192.168.99.250
Settings in UniFi Controller > Settings > Static Router & Firewall > Static Route > Create:
Name: Router A (or whatever)
Network: 192.168.0.0/24 (your LAN network) [192.168.0.200 struck out]
Distance: 1
Next Hop: 192.168.99.250 (the Router A IP address)

Result:
1) DPI is working for all clients
2) The main page with throughput and latency is all working
3) Since moving the DHCP to the USG, I can now easily change the DHCP/VLAN stuff and all my UniFi Switches are all provisioned at once. So Router A's only function is now to act as an internet router (no DHCP or VLAN stuff anymore)
4) I have a few VLANs, so I have repeated the above settings for each VLAN network (which has a different network subnet)

Note: I got some help from my router's forum here

Note: I am currently at the network, so I can't post any more detailed pictures. I also hope I have got the details right. So if there is a request I can post some screenshots if needed.

EDIT: corrected the Network address (see 192.168.0.200 struck out). Removed the settings for USG/UniFi controller. 1 static route from Router A to the USG was enough. Apparently the USG is smart enough to route back to Router A when that is set. Thanks @bitter for your help.
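The setup above depends on two things the post states in passing: the USG WAN address must sit in Router A's LAN subnet, that subnet must be different from the LAN behind the USG, and Router A needs one static route per downstream network with the USG WAN address as next hop (repeated for every VLAN, as step 4 says). The Python below is an added example, not part of the original post, that checks those constraints with the standard library's ipaddress module and prints the route list Router A needs. The addresses default to the post's (Router A 192.168.99.250/24, USG WAN 192.168.99.200/24, USG LAN 192.168.0.200/24); the two VLAN networks are constructed sample data.

```python
"""Check the Router A <-> USG transit layout and derive Router A's routes.

Added example; addresses below follow the post, VLANs are constructed.
"""
from ipaddress import ip_interface, ip_network


def _downstream_networks(usg_lan: str, vlan_networks):
    """The USG LAN network plus every VLAN network, as network objects."""
    return [ip_interface(usg_lan).network] + [ip_network(n) for n in vlan_networks]


def check_topology(router_a_lan: str, usg_wan: str, usg_lan: str, vlan_networks):
    """Return a list of problems; an empty list means the layout satisfies the
    post's rules: the USG WAN lives in Router A's subnet, and neither the USG
    LAN nor any VLAN overlaps that transit subnet or another downstream net."""
    a = ip_interface(router_a_lan)
    w = ip_interface(usg_wan)
    transit = a.network
    problems = []
    if w.network != transit:
        problems.append(f"USG WAN {w} is not in Router A's subnet {transit}")
    if a.ip == w.ip:
        problems.append("Router A and the USG WAN port share one address")
    nets = _downstream_networks(usg_lan, vlan_networks)
    for i, n in enumerate(nets):
        if n.overlaps(transit):
            problems.append(f"{n} overlaps the transit network {transit}")
        for m in nets[i + 1:]:
            if n.overlaps(m):
                problems.append(f"{n} overlaps {m}")
    return problems


def router_a_static_routes(usg_wan: str, usg_lan: str, vlan_networks):
    """One (destination, next hop) pair per downstream network. The next hop
    is always the USG WAN address: with NAT off, Router A sees the real LAN
    source addresses and needs these routes to send replies back."""
    next_hop = str(ip_interface(usg_wan).ip)
    return [(str(n), next_hop) for n in _downstream_networks(usg_lan, vlan_networks)]


if __name__ == "__main__":
    ROUTER_A = "192.168.99.250/24"   # Router A LAN port (from the post)
    USG_WAN = "192.168.99.200/24"    # USG WAN port (from the post)
    USG_LAN = "192.168.0.200/24"     # USG LAN port (from the post)
    VLANS = ["192.168.20.0/24", "192.168.30.0/24"]  # constructed sample VLANs

    for problem in check_topology(ROUTER_A, USG_WAN, USG_LAN, VLANS):
        print("PROBLEM:", problem)
    for dst, nh in router_a_static_routes(USG_WAN, USG_LAN, VLANS):
        print(f"Router A static route: {dst} via {nh}")
```

A USG LAN address inside the 192.168.99.0/24 transit network, or a USG WAN address outside it, is reported as a problem before any route is configured, which is the mistake the post's "this should be on a different network than your LAN" remark warns about.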

 

Emerging Member
Posts: 46
Registered: ‎05-05-2016
Kudos: 2
Solutions: 3

Re: Guide to disabling NAT on USG


Settings in the UniFi Controller to route your USG gateway 192.168.0.200 to Router A's IP address 192.168.99.250
Settings in UniFi Controller > Settings > Static Router & Firewall > Static Route > Create:
Name: Router A (or whatever)
Network: 192.168.0.200/24 (your LAN network)
Distance: 1
Next Hop: 192.168.99.250 (the Router A IP address)


I am a bit confused here: if your LAN is directly connected to your USG, why is 192.168.99.250 (Router A) the next hop for the 192.168.0.0/24 network?

Member
Posts: 229
Registered: ‎05-07-2014
Kudos: 32
Solutions: 1

Re: Guide to disabling NAT on USG


@bitter wrote:

Settings in the UniFi Controller to route your USG gateway 192.168.0.200 to Router A's IP address 192.168.99.250
Settings in UniFi Controller > Settings > Static Router & Firewall > Static Route > Create:
Name: Router A (or whatever)
Network: 192.168.0.200/24 (your LAN network)
Distance: 1
Next Hop: 192.168.99.250 (the Router A IP address)

I am a bit confused here: if your LAN is directly connected to your USG, why is 192.168.99.250 (Router A) the next hop for the 192.168.0.0/24 network?


@bitter

First of all, a disclaimer: it works at my place, but whether I have overdone something, I am open to corrections.

Answer:

a) The USG's NAT is disabled. Therefore any request for 'internet' is not translated towards Router A. While the LAN is connected to the USG, the local LAN network (192.168.0.0/24) was not aware of Router A.

b) Solution: forward the network to Router A's IP address (is this called IP forwarding?)

@bitter could you clarify whether this was already clear to you but the way I did it was wrong, or whether you were asking something else?


Emerging Member
Posts: 46
Registered: ‎05-05-2016
Kudos: 2
Solutions: 3

Re: Guide to disabling NAT on USG

Your reasoning is right, and according to your topology the solution should be creating a route for 192.168.0.0/24 with next hop 192.168.99.200/24 (the USG IP) in Router A, but you said to create a static route on the USG first; why?