Ubiquiti is known for its Unifi range of WiFi access points and their easy management. If you use the Unifi controller software you get some useful graphs and a dead-easy configuration utility. However, without Unifi switches and the Unifi Security Gateway (USG) you won’t get detailed traffic statistics. The problem with that is that you may not be able or willing to simply swap out your existing gateway router, and in my view the Unifi firewall configuration is still not where it should be.
The workaround I found is to disable NAT on the USG via the CLI and put an additional subnet between the existing gateway router and the USG. You can also turn off the USG firewall completely, but in most home setups that’s not required. So this is the basic idea:
WAN <–> GW router <–> USG <–> LAN
Don’t forget to add a static route on the GW router pointing back to the LAN subnet (next hop: the USG WAN address) and give the USG WAN interface a static IP. Without that route the GW router has no idea where to send traffic for the LAN subnet, because the USG no longer rewrites LAN addresses to its own WAN address. Now let’s turn off NAT!
- ssh <your Unifi admin user>@<IP of your USG LAN interface>
- type ‘configure‘
- type ‘show service nat‘ #you should see rule 6001, 6002, 6003 by default
- type ‘set service nat rule 6001 disable‘ #disables corporate network NAT
- type ‘set service nat rule 6002 disable‘ #disables remote user network NAT
- type ‘set service nat rule 6003 disable‘ #disables guest network NAT
- type ‘compare‘ #just to see if you did things right 🙂
- type ‘commit‘
- type ‘save‘
- type ‘mca-ctrl -t dump-cfg > config.gateway.json‘ #IMPORTANT! You need this JSON file to make your changes persistent. The controller merges config.gateway.json into the configuration it provisions to the USG; anything set only from the CLI is lost the next time the USG is provisioned, e.g. after a reboot, and all the changes above are reverted.
- copy this file over to your Unifi controller and make sure it’s in the right location for your site. In my case there’s only one site, so the path is the default one: ‘scp config.gateway.json root@<controller_IP>:/usr/lib/unifi/data/sites/default/config.gateway.json‘
Optionally, if you wish to disable the USG firewall as well, add the following steps after the last ‘set service nat rule 6003 disable‘ line and before ‘compare‘:
- type ‘delete interfaces ethernet eth0 firewall‘ #WAN port firewall settings
- type ‘delete interfaces ethernet eth1 firewall‘ #LAN1 port firewall settings
- type ‘delete interfaces ethernet eth2 firewall‘ #LAN2 port firewall settings
Obviously you only want to do this if you have that other gateway router and trust its firewall! With NAT off and the USG firewall removed, every LAN host is reachable from the GW router’s side of the USG, so the GW router’s firewall is the only thing left between your LAN and the WAN.
IMPORTANT! If you have already run this procedure and want to make other changes through the GUI or CLI (add a network, change USG IPs, change DHCP settings, etc.), remove config.gateway.json from the controller first, make your changes, and then run the procedure again: the controller merges the file over the configuration it generates, so any setting present in the file wins over what you set in the GUI. I really hope Ubiquiti will add all of the CLI functionality to the GUI soon and make all of the above obsolete :).
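The reason every later GUI change needs the dump-and-copy dance is that the dump step above puts the entire USG configuration into config.gateway.json, so the file pins every setting in it, not just the three NAT rules. A file that contains only the nodes you actually changed avoids that. The script below is an added example, not something from the original post or from Ubiquiti: it reads a saved dump and emits a config.gateway.json containing only the ‘disable‘ nodes of rules 6001, 6002 and 6003 (the optional firewall deletion is not covered). It assumes that ‘mca-ctrl -t dump-cfg‘ writes the running config as JSON in the same tree layout config.gateway.json uses, and that a valueless node such as ‘disable‘ appears in that JSON as the string "''"; the sample dump embedded in it is constructed and trimmed, not captured from a real device, and the file name in the usage comment is made up.

```python
#!/usr/bin/env python3
"""Build a minimal config.gateway.json from a full USG config dump.

Added example, not part of the original post. Assumptions: the dump is JSON
in the config.gateway.json tree layout, and a valueless EdgeOS node such as
`disable` shows up in that JSON as the string "''".
"""
import json
import sys

# The three masquerade rules the post disables.
MASQ_RULES = ("6001", "6002", "6003")

# Constructed, heavily trimmed stand-in for a `mca-ctrl -t dump-cfg` dump.
# Not captured from a real device; only the tree layout matters here.
SAMPLE_DUMP = {
    "firewall": {"name": {"WAN_IN": {"default-action": "drop"}}},
    "interfaces": {"ethernet": {"eth0": {"address": ["192.168.1.2/24"]}}},
    "service": {
        "dhcp-server": {"disabled": "false"},
        "nat": {
            "rule": {
                "6001": {
                    "description": "MASQ corporate_network to WAN",
                    "disable": "''",  # assumed dump form of a valueless node
                    "outbound-interface": "eth0",
                    "type": "masquerade",
                },
                "6002": {
                    "description": "MASQ remote_user_vpn_network to WAN",
                    "disable": "''",
                    "outbound-interface": "eth0",
                    "type": "masquerade",
                },
                "6003": {
                    "description": "MASQ guest_network to WAN",
                    "disable": "''",
                    "outbound-interface": "eth0",
                    "type": "masquerade",
                },
            }
        },
    },
    "system": {"host-name": "usg"},
}


def minimal_gateway_config(dump, rules=MASQ_RULES):
    """Return only the `disable` nodes for the given NAT rules.

    config.gateway.json is merged over the config the controller generates,
    so a file holding the whole dump pins every setting in it and any later
    GUI change touching one of them is overridden on the next provision.
    Keeping the file down to the nodes we actually changed avoids that.
    """
    nat_rules = dump.get("service", {}).get("nat", {}).get("rule", {})
    out = {}
    for r in rules:
        rule = nat_rules.get(r)
        if rule is None:
            raise KeyError("NAT rule %s is missing from the dump" % r)
        if "disable" not in rule:
            # Refuse to emit a file that would silently leave NAT switched on.
            raise ValueError(
                "NAT rule %s is not disabled; run "
                "'set service nat rule %s disable' and commit first" % (r, r))
        out.setdefault("service", {}).setdefault("nat", {}) \
           .setdefault("rule", {})[r] = {"disable": rule["disable"]}
    return out


def render_gateway_json(dump, rules=MASQ_RULES):
    """Serialise the minimal config as config.gateway.json text."""
    return json.dumps(minimal_gateway_config(dump, rules), indent=2) + "\n"


if __name__ == "__main__":
    # Usage (made-up file name for a dump copied off the USG):
    #   python3 minimal_gateway.py config.dump.json > config.gateway.json
    with open(sys.argv[1]) as f:
        sys.stdout.write(render_gateway_json(json.load(f)))
```

Run it against the dump instead of copying the dump itself to the controller; the resulting file still needs to go to the same per-site path, and it refuses to produce output if one of the three rules has not actually been disabled and committed on the USG.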