07-27-2018 02:42 PM
Hi, I'm using the USG as a gateway in my house and I would like to NAT a specific IP protocol over my homelab. When creating the NAT via the GUI or via SSH, I can only select TCP or UDP as transport protocol. I can create Firewall rules with IP protocol but not NAT rules. Is there another way?
The reasoning behind is to route protocol 41 (IPv6 over IPv4 encapsulation) from a tunnel broker on the Internet. But it is valid for other IP protocols (e.g. IP-over-IP, GRE, IPSEC AH/ESP, etc.).
07-27-2018 03:12 PM
Create a port forward; you can specify the port number there. Once you are finished, it will automatically create the firewall rule for you.
Port forward on the USG is what NAT is on other firewalls.
07-27-2018 03:49 PM
It does seem something of an oversight: there's no way in the GUI to do this (despite, as you say, it being possible for firewall rules).
EdgeOS (to which USGs are very similar under the hood) allows protocol numbers, so there's every reason to think you can achieve what you want to do, but it'd involve making a JSON config file on the controller.
I'd start by making a dummy rule with UDP and a recognisable name, export the config, look for your rule and edit the protocol number. From that you'd need to create the JSON file; it's a long time since I last did that, but there are guides around this forum.
07-27-2018 05:11 PM
Thanks, I'll give it a try on exporting the config. A bit afraid of breaking my USG, on the other hand.
Once you've generated your JSON file, make sure to run it through a sanity checker; there are various online utilities available to do this. You do run the risk of falling into reboot loops if the USG chokes, so best to be safe...
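An offline sanity check of the kind the last reply recommends, as an added example that is not from this thread or from Ubiquiti: it parses a controller JSON fragment and flags NAT rules the gateway is likely to reject. The embedded fragment is constructed (a destination NAT rule for IP protocol 41), and the field names and accepted values are my reading of the EdgeOS `service nat rule` tree, so compare them against your own exported config before relying on them.

```python
import json

# Constructed sample: a destination NAT rule for IP protocol 41 (IPv6-in-IPv4),
# shaped like the EdgeOS "service nat rule" tree as exported in JSON.
SAMPLE_CONFIG = """
{
  "service": {
    "nat": {
      "rule": {
        "5000": {
          "description": "proto41-tunnel",
          "type": "destination",
          "inbound-interface": "eth0",
          "protocol": "41",
          "inside-address": {"address": "192.168.1.10"}
        }
      }
    }
  }
}
"""

# Protocol keywords I assume EdgeOS accepts by name; anything else must be a number 0-255.
KNOWN_PROTOCOL_NAMES = {"tcp", "udp", "tcp_udp", "all", "icmp", "gre", "esp", "ah", "ipip"}
NAT_TYPES = ("source", "destination", "masquerade")


def check_nat_rules(config_text):
    """Return a list of problems found in service/nat rules of a JSON config
    fragment; an empty list means nothing obviously wrong was found."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems = []
    rules = cfg.get("service", {}).get("nat", {}).get("rule", {})
    for number, rule in rules.items():
        if not number.isdigit() or not 1 <= int(number) <= 9999:
            problems.append(f"rule {number}: rule number must be 1-9999")
        if rule.get("type") not in NAT_TYPES:
            problems.append(f"rule {number}: type must be one of {NAT_TYPES}")
        proto = str(rule.get("protocol", "all"))
        if proto.isdigit() and not 0 <= int(proto) <= 255:
            problems.append(f"rule {number}: protocol number {proto} out of range")
        elif not proto.isdigit() and proto not in KNOWN_PROTOCOL_NAMES:
            problems.append(f"rule {number}: unknown protocol keyword {proto!r}")
        if rule.get("type") == "destination":
            for required in ("inbound-interface", "inside-address"):
                if required not in rule:
                    problems.append(f"rule {number}: destination NAT needs {required}")
    return problems
```

A non-empty result only means the checker's own rules fired; a clean result still warrants a config backup before you load the file on the gateway.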