When you use the web-based config.gateway.json configurator, there are options to create DNAT, SNAT, Firewall WAN_IN, and Hairpin DNAT rules.
After selecting those options and filling in the rules you want in order to map an external IP to an internal IP via NAT, you might get a configuration similar to the following:
In the configuration above, the external address 192.168.1.10 is mapped to the internal address 192.168.99.10 via NAT.
If you have the internal machine 192.168.99.10 on a VLAN (e.g. eth1.2), then you will need to modify the service.nat.rule and port-forward sections of the above configuration, because the generated Hairpin rules only reference the untagged LAN interface.
In the service.nat.rule section (“rule”, nested under “nat”, nested under “service”), find the “Hairpin” rules. By default, the web configurator numbers those rules starting around 1500. Add every VLAN interface that you want the Hairpin NAT rules to apply to to the inbound-interface line (you will need to turn the value into an array, since a bare string holds only one interface).
Modified service.nat.rule “Hairpin” rule:
Next, in the lan-interface array (under the port-forward section), add the VLAN interface where 192.168.99.10 is located (at least). You can also add any other VLAN interfaces that you want the Hairpin NAT rule to apply to.
If you have multiple rules (e.g. multiple public IPs mapped to different internal host IPs) and those hosts are on different VLANs, add all of those VLAN interfaces to the lan-interface array. The lan-interface array specifies, I think, which interfaces the hairpin NAT rules apply to. This means that if you want two internal hosts on different VLANs (e.g. 192.168.99.20 and a host on another VLAN) to be able to communicate with each other using their external IPs, you will need to have the Hairpin rules applied to both VLAN interfaces where those hosts are connected.
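The following is an added example, not the configuration the web configurator generates for the author. It embeds a constructed config.gateway.json fragment showing the two edits described above (the Hairpin rule's inbound-interface turned into an array that includes the VLAN interface, and the port-forward lan-interface array listing the same VLAN), and a small check you can run against your own file before copying it to the controller. The interface names (eth0 as WAN, eth1 as the untagged LAN, eth1.2 as the VLAN), the rule number 1500 and the port-forward rule are assumptions; the addresses 192.168.1.10 and 192.168.99.10 are the ones used in the text, and Hairpin rules are recognised by the word "Hairpin" in their description, which is how the text refers to them.

```python
"""Illustrative config.gateway.json fragment plus a pre-provision sanity check.

Added example, not the author's generated configuration. Interface names
(eth0 = WAN, eth1 = untagged LAN, eth1.2 = VLAN), rule number 1500 and the
port-forward rule are assumptions; the addresses come from the text.
"""
import json

# Constructed fragment: a Hairpin DNAT rule whose inbound-interface is an
# array including the VLAN, and a port-forward section whose lan-interface
# array lists the same VLAN.
SAMPLE_CONFIG = r'''
{
  "service": {
    "nat": {
      "rule": {
        "1500": {
          "description": "Hairpin DNAT 192.168.1.10 -> 192.168.99.10",
          "type": "destination",
          "inbound-interface": ["eth1", "eth1.2"],
          "destination": { "address": "192.168.1.10" },
          "inside-address": { "address": "192.168.99.10" }
        }
      }
    }
  },
  "port-forward": {
    "hairpin-nat": "enable",
    "wan-interface": "eth0",
    "lan-interface": ["eth1", "eth1.2"],
    "rule": {
      "1": {
        "description": "HTTPS to 192.168.99.10",
        "protocol": "tcp",
        "original-port": "443",
        "forward-to": { "address": "192.168.99.10", "port": "443" }
      }
    }
  }
}
'''


def load_sample():
    """Parse the constructed fragment into a fresh dict."""
    return json.loads(SAMPLE_CONFIG)


def as_list(value):
    """EdgeOS JSON uses a bare string for one value and an array for several."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def hairpin_rules(config):
    """Return {rule_number: rule} for service.nat rules whose description
    mentions Hairpin (assumption: that is how the configurator names them)."""
    rules = config.get("service", {}).get("nat", {}).get("rule", {})
    return {num: r for num, r in rules.items()
            if "hairpin" in r.get("description", "").lower()}


def check_hairpin(config, vlan_ifaces):
    """List every place a VLAN interface is missing from the hairpin setup.

    Returns [] when each Hairpin rule lists all of vlan_ifaces in
    inbound-interface and port-forward's lan-interface lists them as well.
    """
    problems = []
    rules = hairpin_rules(config)
    if not rules:
        problems.append("no Hairpin rule found under service.nat.rule")
    for num, rule in rules.items():
        inbound = as_list(rule.get("inbound-interface"))
        for iface in vlan_ifaces:
            if iface not in inbound:
                problems.append(
                    f"service.nat.rule {num}: {iface} missing from inbound-interface")
    lan = as_list(config.get("port-forward", {}).get("lan-interface"))
    for iface in vlan_ifaces:
        if iface not in lan:
            problems.append(f"port-forward: {iface} missing from lan-interface")
    return problems


def check_file(path, vlan_ifaces):
    """Run the check on a config.gateway.json from disk. A JSON syntax error
    is reported as a problem instead of raised, since the USG will fail to
    provision with a file that does not parse."""
    try:
        with open(path) as f:
            config = json.load(f)
    except json.JSONDecodeError as e:
        return [f"{path}: invalid JSON ({e})"]
    return check_hairpin(config, vlan_ifaces)


if __name__ == "__main__":
    cfg = load_sample()
    print(check_hairpin(cfg, ["eth1.2"]))
    # Simulate the unedited output: a single-string inbound-interface.
    cfg["service"]["nat"]["rule"]["1500"]["inbound-interface"] = "eth1"
    print(check_hairpin(cfg, ["eth1.2"]))
```

Run `check_file("config.gateway.json", ["eth1.2"])` against your edited file; an empty list means the VLAN appears in both places the text says it must, and anything else is a line to fix before provisioning.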
Furthermore, you will need to save the config.gateway.json file in your site's directory under /srv/unifi/data/sites/ on your Unifi Controller (e.g. Cloud Key). That directory is called default for the default site, but it could be different depending on what the internal name of your Unifi Site is.
You can list the internal site names by running ls /srv/unifi/data/sites/ on your Unifi Controller.
Once config.gateway.json is in the right location, navigate to the Unifi UI and Force Provision the USG. Force Provisioning the USG takes the config.gateway.json present on the Controller, merges it into the configuration the Controller generates, and applies the result to the USG. Make sure the file is valid JSON before you provision; a syntax error will cause the provision to fail.
Force Provision steps:
- Open “Network” Unifi app
- “Devices” view
- Click on the USG
- In the USG pane that shows up, click “Config” (gear icon)
- Open “Manage Device” drawer/section
- Press “Provision” button under the “Force Provision” section.
Your USG should now be forwarding packets from the public IPs to the local/VLAN IPs properly, including hairpinned traffic from hosts on the VLANs you added.