Ubiquiti are known for their Unifi range WiFi access points and easy management. If you use their controller software you can get some useful graphs and a dead-easy configuration utility. However, without having Unifi switches and gateway router (USG) you won’t get detailed traffic statistics. Problem with that is – you may not be able or willing to just swap out a gateway router, plus the Unifi firewall config is still not where it should be in my view.

The workaround I found is to simply disable NAT via the CLI and have an additional subnet between the gateway router and the USG. You can also turn off the firewall completely on the USG, but in most home use cases that’s not required. So this is the basic idea:

WAN <–> GW router <–> USG <–> LAN

Don’t forget to add a static route on the GW router pointing back to the LAN subnet and use a static IP for the USG WAN interface. Now let’s turn of NAT!

  1. ssh <your Unifi admin user>@<IP of your USG LAN interface>
  2. type ‘configure
  3. type ‘show service nat‘  #you should see rule 6001, 6002, 6003 by default
  4. type ‘set service nat rule 6001 disable‘ #disables corporate network NAT
  5. type ‘set service nat rule 6002 disable‘ #disables remote user network NAT
  6. type ‘set service nat rule 6003 disable‘ #disables guest network NAT
  7. type ‘compare‘ #just to see if you did things right 🙂
  8. type ‘commit
  9. type ‘save
  10. type ‘mca-ctrl -t dump-cfg > config.gateway.json‘  #IMPORTANT! you need this json file to make your changes persistent on the Unifi controller. Without this the USG reboots at some point and all changes are reverted!
  11. copy this file over to your Unifi controller, make sure it’s in the right location. In my case there’s only one site so the path is the default location.’scp config.gateway.json root@<controller_IP>:/usr/lib/unifi/data/sites/default/config.gateway.json


Optionally, if you wish to disable the firewall you can add the following steps between “6” and “7” above:

  1. type ‘delete interfaces ethernet eth0 firewall‘  #WAN port firewall settings
  2. type ‘delete interfaces ethernet eth1 firewall‘  #LAN1 port firewall settings
  3. type ‘delete interfaces ethernet eth2 firewall‘  #LAN2 port firewall settings

Obviously you only want to do this if you have that other gateway router and trust it’s firewall!


IMPORTANT! If you ran this procedure already and want to do other changes through the GUI or CLI (add a network, change USG IP’s, change DHCP settings, etc) you need to remove the  config.gateway.json file from the controller first, do your changes and run the procedure after. I really hope Ubiquiti will add all the CLI functionality to the GUI soon to make all of the above obsolete :).


2 Replies to “Run a Ubiquiti USG in (semi) Transparent Mode

  1. hey larse.

    How would this work with a layer 2 trunk with multiple vlans? will the usg pass through all vlans to the aps like a normal l2 bridge or this is completely outside of the scope of what the usg can be tricked into doing when nat is disabled?

    • Nathan,

      You can add sub-interfaces with VLAN tags and reuse (re-tag) across interfaces, but the USG would still act as a layer 3 device. Turning off NAT is helpful if you have another gateway router or firewall and you’d like to see traffic streams per enduser device rather than just one NATed address. A true layer 2 mode is out of scope and probably won’t be coming to the USG. It’s just not what it was intended for.

      Here an example config with VLAN 100 added to Eth2:

      ethernet eth2 {
      description LAN2
      firewall {
      in {
      ipv6-name LANv6_IN
      name LAN_IN
      local {
      ipv6-name LANv6_LOCAL
      name LAN_LOCAL
      out {
      ipv6-name LANv6_OUT
      name LAN_OUT
      + vif 100 {
      + address
      + }

      The ‘+’ just means the config was added but not applied yet.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.