04-04-2019 06:09 AM
It depends if you want the firewall to see the internal IPs. If you NAT at the USG, your SonicWall will see all traffic as originating from the USG's WAN IP. I personally would find that very limiting.
This is yet another reason that UBNT needs to follow through and add an option to disable NAT in the manager.
04-04-2019 07:27 AM - edited 04-04-2019 07:42 AM
As I understand, after I do as mentioned in the first post of this thread, all client IPs will be visible to the main router.
Is it somehow possible (maybe iptables etc.) to preserve the MAC address of IP packets so the main router can see clients' MAC addresses?
The reason for this requirement is that my ASUS-Merlin router supports conditional DNS and parental control based upon the MAC address of clients. Once I put the USG between my clients and the ASUS router, I cannot use the parental control features as all MAC address info is lost.
04-04-2019 08:53 AM
Everyone should avoid double NAT. A lot of services will place your IP in the service dialogue, not just your IP header. Long story short, to avoid having to use hacks to make certain services work, you will want to prevent multiple translations.
The most common case for us needing to disable NAT is simply if we have a multi-dwelling unit where we need to pass public IPs to the customer(s) and control speeds. You need a firewall to set up user profiles with speed constraints, but we don't want to be our customers' router. Better for us to demarc before that, so we don't have to mess with port forwarding, ALG, etc.
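As an added illustration, not from any poster in this thread, here is a toy model of the two questions above: whether a client's MAC address can survive the USG hop, and what an upstream router (SonicWall or ASUS) sees with NAT enabled versus disabled at the USG. A routed hop always rewrites the Ethernet source, so the MAC is lost either way; only the IP source is preserved when NAT is off, and a protocol that repeats its own address in the payload is broken once per NAT layer. All MACs and addresses are constructed sample values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    payload_ip: str   # address an app protocol (SIP, FTP) repeats inside its own messages

class Hop:
    """A routed hop: it always rewrites the Ethernet source; with nat=True it also SNATs."""
    def __init__(self, mac, wan_ip, nat):
        self.mac, self.wan_ip, self.nat = mac, wan_ip, nat
        self.conntrack = {}          # (inside src_ip, src_port) -> translated source port
        self._next_port = 40000

    def forward(self, pkt):
        pkt = replace(pkt, src_mac=self.mac)     # L2 source never survives a routed hop
        if not self.nat:
            return pkt                            # L3 source preserved when NAT is off
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.conntrack:             # allocate a port for a new flow
            self.conntrack[key] = self._next_port
            self._next_port += 1
        return replace(pkt, src_ip=self.wan_ip, src_port=self.conntrack[key])

# Constructed sample clients behind the USG (hypothetical addresses).
CLIENTS = [("aa:bb:cc:00:00:01", "192.168.10.11"), ("aa:bb:cc:00:00:02", "192.168.10.12")]

def simulate(usg_nat):
    """Return (what the upstream router sees per client, number of NAT layers in the path).

    Each view is (src_mac, src_ip, payload_ip_matches_header) as received upstream.
    """
    usg = Hop("de:ad:be:ef:00:01", "10.0.0.2", nat=usg_nat)
    upstream = Hop("de:ad:be:ef:00:02", "203.0.113.5", nat=True)   # SonicWall / ASUS
    views = []
    for mac, ip in CLIENTS:
        pkt = Packet(mac, ip, 5060, payload_ip=ip)
        at_upstream = usg.forward(pkt)
        views.append((at_upstream.src_mac, at_upstream.src_ip,
                      at_upstream.payload_ip == at_upstream.src_ip))
        upstream.forward(at_upstream)             # on to the Internet
    nat_layers = sum(1 for hop in (usg, upstream) if hop.conntrack)
    return views, nat_layers

if __name__ == "__main__":
    for nat in (True, False):
        print("USG NAT", "on " if nat else "off", simulate(nat))
```

With NAT on, every client reaches the upstream router as the USG's WAN IP and MAC, and the embedded payload address already disagrees with the header before the second NAT layer; with NAT off, client IPs are distinct upstream but the MAC is still the USG's.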
04-04-2019 11:19 AM
“All I really want from the SonicWall is for it to do its UTM function and stop "bad" traffic from flowing through to the USG and then the network behind the USG.”
FWIW I just set up a USG 3P with a SonicWALL TZ 215 for same purpose...
I configured one of the SonicWALL’s additional Interfaces (X2 in this case) as a Static IP on the LAN Zone (as the non-Guest Wireless Clients need to access the Production LAN, although one could get more granular with the SonicWALL Zones & Firewall Rules).
I connected the USG WAN port to the SonicWALL X2 port (USG WAN port set as Static).
I configured the USG Firewall WAN IN to ALLOW ALL (so I could manage it from the Production LAN if needed, and since it’s all behind the SonicWALL firewall the security at that point is a non-issue).
I configured one Wireless Network as a Non-Guest Network.
I configured one Wireless Network (Named Guest) on a VLAN.
I configured one Network (Named Guest) as Purpose=Guest (on the above VLAN).
I configured the Production/Corporate LAN DHCP to use the Internal DNS Server Only.
I configured the Guest LAN DHCP to use Public DNS Servers.
The USG Default Guest Control / Access Control Filters appear to be doing the job nicely.
It’s been running this way for several days and everything is working (or not working) the way it should be, and the double NAT hasn’t been a problem in this limited use scenario.