Ubiquiti is known for its Unifi range of WiFi access points and easy management. If you use their controller software you get some useful graphs and a dead-easy configuration utility. However, without Unifi switches and the gateway router (USG) you won’t get detailed traffic statistics. The problem with that is that you may not be able or willing to just swap out your gateway router, plus the Unifi firewall config is still not where it should be in my view.

The workaround I found is to simply disable NAT via the CLI and have an additional subnet between the gateway router and the USG. You can also turn off the firewall completely on the USG, but in most home use cases that’s not required. So this is the basic idea:

WAN <–> GW router <–> USG <–> LAN

Don’t forget to add a static route on the GW router pointing back to the LAN subnet, and use a static IP for the USG WAN interface. Now let’s turn off NAT!

  1. ssh <your Unifi admin user>@<IP of your USG LAN interface>
  2. type ‘configure’
  3. type ‘show service nat’  #you should see rules 6001, 6002, 6003 by default
  4. type ‘set service nat rule 6001 disable’  #disables corporate network NAT
  5. type ‘set service nat rule 6002 disable’  #disables remote user network NAT
  6. type ‘set service nat rule 6003 disable’  #disables guest network NAT
  7. type ‘compare’  #just to see if you did things right 🙂
  8. type ‘commit’
  9. type ‘save’
  10. type ‘mca-ctrl -t dump-cfg > config.gateway.json’  #IMPORTANT! You need this JSON file to make your changes persistent on the Unifi controller. Without it the USG reboots at some point and all changes are reverted!
  11. copy this file over to your Unifi controller and make sure it’s in the right location. In my case there’s only one site, so the path is the default location: ‘scp config.gateway.json root@<controller_IP>:/usr/lib/unifi/data/sites/default/config.gateway.json’


Optionally, if you wish to disable the firewall you can add the following steps between “6” and “7” above:

  1. type ‘delete interfaces ethernet eth0 firewall’  #WAN port firewall settings
  2. type ‘delete interfaces ethernet eth1 firewall’  #LAN1 port firewall settings
  3. type ‘delete interfaces ethernet eth2 firewall’  #LAN2 port firewall settings

Obviously you only want to do this if you have that other gateway router and trust its firewall!
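Before copying the dumped config.gateway.json to the controller (step 10 above), it is worth checking that the file really carries the NAT changes, and, if you took the optional firewall steps, which interfaces still have firewall bindings. The checker below is an added example and not part of the original post or of Ubiquiti’s tooling; it assumes the dump is JSON mirroring the EdgeOS config tree and that a valueless node such as ‘disable’ is serialised as the string "''", and the sample dump is constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of an mca-ctrl dump-cfg output (assumption:
# valueless nodes such as "disable" appear as the string "''"). Rule 6003 is
# left enabled and eth0 keeps its firewall so the checker has something to flag.
SAMPLE_DUMP = json.dumps({
    "service": {"nat": {"rule": {
        "6001": {"description": "MASQ corporate_network to WAN",
                 "type": "masquerade", "outbound-interface": "eth0", "disable": "''"},
        "6002": {"description": "MASQ remote_user_vpn_network to WAN",
                 "type": "masquerade", "outbound-interface": "eth0", "disable": "''"},
        "6003": {"description": "MASQ guest_network to WAN",
                 "type": "masquerade", "outbound-interface": "eth0"},
    }}},
    "interfaces": {"ethernet": {
        "eth0": {"address": "192.168.254.2/30", "firewall": {"in": {"name": "WAN_IN"}}},
        "eth1": {"address": "10.10.1.1/24"},
        "eth2": {"address": "10.10.2.1/24"},
    }},
})

# The three masquerade rules the post says a USG has by default.
DEFAULT_NAT_RULES = ("6001", "6002", "6003")


def nat_rules_still_active(cfg: dict, rules=DEFAULT_NAT_RULES) -> list:
    """Return default NAT rules that are missing from the dump or lack a 'disable' node."""
    nat_rules = cfg.get("service", {}).get("nat", {}).get("rule", {})
    return [r for r in rules if "disable" not in nat_rules.get(r, {})]


def interfaces_with_firewall(cfg: dict) -> list:
    """Return ethernet interfaces that still carry firewall bindings (sorted by name)."""
    eth = cfg.get("interfaces", {}).get("ethernet", {})
    return sorted(name for name, node in eth.items() if "firewall" in node)


def check_dump(text: str) -> dict:
    """Parse a config.gateway.json dump and report what still needs attention."""
    cfg = json.loads(text)
    return {"nat_active": nat_rules_still_active(cfg),
            "firewalled": interfaces_with_firewall(cfg)}


if __name__ == "__main__":
    # Pass the real dump as the first argument; otherwise the constructed sample is used.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(json.dumps(check_dump(src), indent=2))
```

An empty ‘nat_active’ list means all three masquerade rules are disabled in the file you are about to copy; ‘firewalled’ is only of interest if you chose to delete the interface firewall settings.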


IMPORTANT! If you have already run this procedure and want to make other changes through the GUI or CLI (add a network, change USG IPs, change DHCP settings, etc.), you need to remove the config.gateway.json file from the controller first, make your changes, and run the procedure again afterwards. I really hope Ubiquiti will add all the CLI functionality to the GUI soon to make all of the above obsolete :).


6 Replies to “Run a Ubiquiti USG in (semi) Transparent Mode”

  1. Hey larse.

    How would this work with a layer 2 trunk with multiple VLANs? Will the USG pass through all VLANs to the APs like a normal L2 bridge, or is this completely outside the scope of what the USG can be tricked into doing when NAT is disabled?

    • Nathan,

      You can add sub-interfaces with VLAN tags and reuse (re-tag) them across interfaces, but the USG would still act as a layer 3 device. Turning off NAT is helpful if you have another gateway router or firewall and you’d like to see traffic streams per end-user device rather than just one NATed address. A true layer 2 mode is out of scope and probably won’t be coming to the USG. It’s just not what it was intended for.

      Here is an example config with VLAN 100 added to eth2:

      ethernet eth2 {
          address 10.10.2.1/24
          description LAN2
          firewall {
              in {
                  ipv6-name LANv6_IN
                  name LAN_IN
              }
              local {
                  ipv6-name LANv6_LOCAL
                  name LAN_LOCAL
              }
              out {
                  ipv6-name LANv6_OUT
                  name LAN_OUT
              }
          }
      +   vif 100 {
      +       address 10.10.100.1/24
      +   }

      The ‘+’ just means the config was added but not applied yet.

  2. My understanding is that the contents of config.gateway.json get merged into the configuration done via the GUI.
    So if your config.gateway.json only contains the disabling of the NATting, then you can still configure other things via the GUI.

    • Holger,

      The config.gateway.json file overrules whatever configuration is in the USG. Unfortunately the UniFi logic does not take the file into account when making changes through the GUI. This results in a constant provisioning loop as soon as you change things like DHCP, DNS, or basically anything that’s handled by the USG. The painful workaround is to remove the config.gateway.json file before making any changes through the GUI and re-do all manual configs after provisioning. After the manual changes are back in, just recreate the config.gateway.json file as per the procedure and all is back to normal.
      Eventually I got tired of it and just automated the steps (hint: add timers!). This affects SW upgrades as well, not just config changes…

      I really hope Ubiquiti will one day get their act together and permit CLI changes to merge with GUI configurations. It’s not that hard to do 🙂

  3. PLEASE HELP!

    Hello,

    My ISP provided me with a public IP 83.212.x.x and behind it routed a subnet, 89.149.x.x/27, so I can connect some of my computers with their own public IP to the Internet. I disabled NAT as you said above and added the subnet to the WAN eth2 port, but it does not work and I had to restore the settings. Can you PLEASE help me solve this situation?

    Kind regards,
    R.

    • R,

      For this to work you’d need to add the 89.149.x.x/27 network to LAN or LAN2 as type ‘corporate’. That should tell the USG to route traffic from the LAN/LAN2 interface out of WAN (and enable NAT, which you can turn off afterwards). You’d still need some kind of routing for the 89.149.x.x/27 subnet to be reachable from the internet. Did your provider give you any details for that? For example, is there a static route configured on their end, OSPF, etc.?

      Another important thing to remember is that the USG is a stateful firewall. By default it will only let packets in on the WAN port that are part of a registered session. So if you are planning to run a web server on the 89.149.x.x/27 range, you’d still have to create a firewall / port forwarding rule that permits / forwards incoming traffic on port 80/443.

      Regards
