Member
Posts: 198
Registered: ‎03-20-2017
Kudos: 9

Re: Guide to disabling NAT on USG

Ok, thank you!

Member
Posts: 117
Registered: ‎08-23-2017
Kudos: 1
Solutions: 2

Re: Guide to disabling NAT on USG

I want to front end a USG Pro 4P with a Sonicwall UTM that would feed the USG. Do I care about double NAT?

New Member
Posts: 5
Registered: ‎01-07-2017
Kudos: 2

Re: Guide to disabling NAT on USG

It depends if you want the firewall to see the internal IPs. If you NAT at the USG, your SonicWall will see all traffic as originating from the USG's WAN IP. I personally would find that very limiting.

This is yet another reason that UBNT needs to follow through and add an option to disable NAT in the manager.

New Member
Posts: 2
Registered: ‎05-23-2017

Re: Guide to disabling NAT on USG

As I understand, after I do as mentioned in the first post of this thread, all client IPs will be visible to the main router.

Is it somehow possible (maybe with iptables etc.) to preserve the MAC address of IP packets so the main router can see the clients' MAC addresses?

The reason for this requirement is that my ASUS-Merlin router supports conditional DNS and parental control based upon the MAC address of clients. Once I put the USG between my clients and the ASUS router, I cannot use the parental control features, as all MAC address info is lost.

New Member
Posts: 20
Registered: ‎08-03-2016
Kudos: 1

Re: Guide to disabling NAT on USG

Everyone should avoid double NAT. A lot of services will place your IP in the service dialogue, not just your IP header. Long story short, to avoid having to use hacks to make certain services work, you will want to prevent multiple translations.

The most common case for us needing to disable NAT is simply if we have a multi-dwelling unit that we need to pass public IPs to the customer(s) and control speeds. You need a firewall to set up user profiles with speed constraints, but we don't want to be our customers' router. Better for us to demarc before that, so we don't have to mess with port forwarding, ALG, etc.
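
Added example, not part of the original post: a small Python model of why a service that writes its IP into the payload breaks behind two NAT hops unless each hop runs an ALG. It assumes FTP's active-mode `PORT` command as the service; the addresses, packet dictionary and function names are constructed for illustration.

```python
import ipaddress
import re

# FTP active mode (one well-known case, chosen for this example): the client
# announces its own address in the TCP payload as "PORT h1,h2,h3,h4,p1,p2".
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

def parse_port(payload):
    """Return (IPv4Address, port) embedded in a PORT command, or None."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def nat_hop(packet, wan_ip, alg=False):
    """Source-NAT one hop. The header is always rewritten; the payload only
    when an ALG is enabled (port kept unchanged here for simplicity)."""
    out = dict(packet, src=ipaddress.IPv4Address(wan_ip))
    parsed = parse_port(packet["payload"])
    if alg and parsed:
        port = parsed[1]
        out["payload"] = f"PORT {wan_ip.replace('.', ',')},{port >> 8},{port & 255}\r\n"
    return out

def payload_mismatch(packet):
    """True when the address inside the payload differs from the header source."""
    parsed = parse_port(packet["payload"])
    return parsed is not None and parsed[0] != packet["src"]

# Constructed sample: LAN client -> USG (WAN 10.0.0.2) -> upstream router (WAN 203.0.113.7).
CLIENT = {"src": ipaddress.IPv4Address("192.168.1.50"),
          "payload": "PORT 192,168,1,50,195,80\r\n"}  # 195*256 + 80 = 50000

def through_double_nat(packet, alg):
    return nat_hop(nat_hop(packet, "10.0.0.2", alg), "203.0.113.7", alg)

if __name__ == "__main__":
    for alg in (False, True):
        pkt = through_double_nat(CLIENT, alg)
        ip, port = parse_port(pkt["payload"])
        print(f"alg={alg}: header src={pkt['src']} payload says {ip}:{port} "
              f"mismatch={payload_mismatch(pkt)}")
```

Without an ALG the server is told to connect back to a private address it cannot reach; with one, every NAT hop has to parse and rewrite the payload, which is the extra machinery that removing a translation layer avoids.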

Member
Posts: 117
Registered: ‎08-23-2017
Kudos: 1
Solutions: 2

Re: Guide to disabling NAT on USG

All I really want from the Sonicwall is for it to do its UTM function and stop "bad" traffic from flowing through to the USG and then the network behind the USG.

New Member
Posts: 3
Registered: ‎03-17-2019
Kudos: 4

Re: Guide to disabling NAT on USG

“All I really want from the Sonicwall is for it to do its UTM function and stop "bad" traffic from flowing through to the USG and then the network behind the USG.”

FWIW I just set up a USG 3P with a SonicWALL TZ 215 for the same purpose...

I configured one of the SonicWALL’s additional interfaces (X2 in this case) as a Static IP on the LAN Zone (as the non-Guest Wireless Clients need to access the Production LAN, although one could get more granular with the SonicWALL Zones & Firewall Rules).

I connected the USG WAN Port to the SonicWALL X2 Port (USG WAN Port set as Static).

I configured the USG Firewall WAN IN to ALLOW ALL (so I could manage it from the Production LAN if needed, and since it’s all behind the SonicWALL Firewall the security at that point is a non-issue).

I configured one Wireless Network as a Non-Guest Network.

I configured one Wireless Network (named Guest) on a VLAN.

I configured one Network (named Guest) as Purpose=Guest (on the above VLAN).

I configured the Production/Corporate LAN DHCP to use the Internal DNS Server only.

I configured the Guest LAN DHCP to use Public DNS Servers.

The USG Default Guest Control / Access Control Filters appear to be doing the job nicely.

It’s been running this way for several days and everything is working (or not working) the way it should be, and the double NAT hasn’t been a problem in this limited use scenario.