Another USG behind pfSense

I’ve been trying to get a USG set up properly behind a Netgate SG-3100. The goal is to get DPI and the rest of the dashboard in the UniFi controller functioning. Following the Guide to disabling NAT on USG at the ubnt forum, I disabled NAT via a shell script on the USG, not a JSON file where the controller resides. My problem is I’m not getting any traffic coming through the USG WAN port, which I’ve connected to a LAN switchport on my Netgate.

Here’s the script I used. The line where I retrieve the date/time is another way for me to verify that the script executed.

#!/bin/bash

cmdwrap=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper

$cmdwrap begin

# Disable NAT

$cmdwrap set service nat rule 5999 exclude
$cmdwrap set service nat rule 5999 outbound-interface eth0
$cmdwrap set service nat rule 5999 type masquerade
echo "$(date)" >> /home/atlas61/runtimes

# End changes

$cmdwrap commit
$cmdwrap end

Here’s my setup:

On the USG side:

  1. I uploaded my script to the USG directory /config/scripts/post-config.d
  2. Made it executable using chmod +x [filename]
  3. Set up port forwarding so that everything entering WAN goes to the LAN interface
  4. LAN interface is 10.24.x.2
  5. Enabled DHCP on the LAN interface, range 10.24.x.100 - .200

On the Netgate side:

  1. Set up a gateway to USG WAN 10.0.x.254
  2. Set up a static route to 10.24.x.0/24 through USG WAN 10.0.x.254
  3. Set up a rule on the LAN1 interface so that anything coming from 10.24.x.0/24 is passed.
  4. Disabled DHCP for the LAN1 interface.

The USG was rebooted and I verified NAT was disabled using ‘show nat rules’.

Do I need additional rules on the Netgate side to get this working? The USG?
Your input is appreciated. Thank you.

There’s no need for static routes in your config.

If the USG LAN is giving out DHCP then you’ll need NAT turned on.

I think what you are trying to do is this:
https://community.ui.com/questions/USG-behing-firewall-transparent-mode/ad3b17f6-9644-4d27-9cf2-6bd77b4ca137

Noted. I wouldn’t be double NATed behind the USG?

Maybe I should have DHCP done by pfSense?

I found the problem.

While going through everything in the Controller settings, I found that the ‘Router’ entry within Settings → Networks → WAN was empty. No IP address specified. Once I entered the IP of the Netgate LAN port connected to the USG WAN port and updated, the network status changed from Bad to Excellent and Traffic Statistics began appearing! One of those doh! moments. :blush:


After all of that work, I’m dismayed to find that the script is not executing after making configuration changes in the controller’s web ui. It’s only executed if the USG is restarted.

Please correct me if I’m wrong, but I believe it’s related to the setup of the UniFi environment. The controller (in my case) resides on a Cloud Key, whereas the script resides on the USG. So when configuration changes made in the controller are pushed out to the USG, there is no hook in that process to trigger execution of that script. That’s why the script only runs when the USG is restarted.

Apologies if I’ve led anyone down the wrong path with this.

With the exception of the script, the other steps still apply. You’ll just have to use a JSON file instead of the script to disable NAT.
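As an added example (not code from this thread, from Ubiquiti, or from Netgate), the three set lines from the script above expressed in the config.gateway.json form the controller provisions. A small converter merges EdgeOS-style set commands into that nested JSON; a leaf that takes no value, such as exclude, is written as the string "''", which is the convention config.gateway.json uses, and the list of valueless leaf names is an assumption since the CLI schema is not checked here.

```python
import json
import shlex

# Constructed input: the same three CLI lines the post-config.d script
# issues through vyatta-cfg-cmd-wrapper.
NAT_EXCLUDE_SET_LINES = [
    "set service nat rule 5999 exclude",
    "set service nat rule 5999 outbound-interface eth0",
    "set service nat rule 5999 type masquerade",
]

# config.gateway.json represents a leaf that takes no value with the
# literal two-character string "''" rather than omitting the key.
VALUELESS_LEAF = "''"
# Assumed set of valueless leaf names; the real CLI schema is not consulted.
VALUELESS_NAMES = {"exclude", "disable"}


def set_commands_to_gateway_json(lines, valueless_names=VALUELESS_NAMES):
    """Merge 'set ...' lines into the nested dict config.gateway.json expects.
    Raises ValueError on a non-set line or when a command would turn an
    existing value into a subtree (a sign of two conflicting commands)."""
    tree = {}
    for raw in lines:
        tokens = shlex.split(raw)
        if len(tokens) < 2 or tokens[0] != "set":
            raise ValueError(f"not a set command: {raw!r}")
        if tokens[-1] in valueless_names:
            path, value = tokens[1:], VALUELESS_LEAF
        else:
            path, value = tokens[1:-1], tokens[-1]
        if not path:
            raise ValueError(f"set command has no path: {raw!r}")
        node = tree
        for key in path[:-1]:
            child = node.setdefault(key, {})
            if not isinstance(child, dict):
                raise ValueError(f"{key!r} already holds {child!r}; cannot apply {raw!r}")
            node = child
        node[path[-1]] = value
    return tree


def render_gateway_json(tree):
    """Serialise with sorted keys and 4-space indent so the file diffs cleanly."""
    return json.dumps(tree, indent=4, sort_keys=True)


if __name__ == "__main__":
    print(render_gateway_json(set_commands_to_gateway_json(NAT_EXCLUDE_SET_LINES)))
```

The rendered file goes in the controller's site directory as config.gateway.json, where it is merged with the controller-generated configuration on the next provision, so the rule number and outbound interface must match what the USG's own NAT tree uses.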