Another USG behind pfSense

I’ve been trying to get a USG setup properly behind a Netgate SG-3100. The goal being to get DPI and the rest of the dashboard in UniFi controller functioning. Following the Guide to disabling NAT on USG at the ubnt forum, I disabled NAT via a shell script on the USG, not a JSON file where the controller resides. My problem is I’m not getting any traffic coming through the USG WAN port which I’ve connected to a LAN switchport on my Netgate.

Here’s the script I used. The line where I retrieve the date/time is a another way for me to verify the script executed.



$cmdwrap begin

Disable NAT

$cmdwrap set service nat rule 5999 exclude
$cmdwrap set service nat rule 5999 outbound-interface eth0
$cmdwrap set service nat rule 5999 type masquerade
echo $(date) >> /home/atlas61/runtimes

End changes

$cmdwrap commit
$cmdwrap end

Here’s my setup:

On the USG side:

  1. I uploaded my script to USG directory /config/scripts/post-config.d
  2. Made it executable using chmod +x [filename]
  3. Setup port forwarding so that everything entering WAN goes to LAN interface
  4. LAN interface is 10.24.x.2
  5. Enabled DHCP on LAN interface 10.24.x.100 - .200

On the Netgate side:

  1. Setup a gateway to USG WAN 10.0.x.254
  2. Setup static route to 10.24.x.0/24 through USG WAN 10.0.x.254
  3. Setup rule on LAN1 interface so that anything coming from 10.24.x.0/24 is passed.
  4. Disabled DHCP for LAN1 interface.

USG was rebooted and I verified NAT was disabled using ‘show nat rules’
Screen Shot 2020-05-21 at 2.12.44 PM

Do I need additional rules on the Netgate side to get this working? The USG?
Your input is appreciated. Thank you.

There’s no need for static routes in your config.

if the USG Lan is giving out dhcp then you’ll need nat turned on.

I think what you are trying to do is this

Noted. I wouldn’t be double NATed behind the USG?

Maybe I should have DHCP done by pfSense?