UniFi OS persistent NAT modification service
Note: I no longer use a UDM and am no longer actively supporting this tool. Feel free to open an MR with updates, or fork it.
If you're like me, you'd like a way to persistently modify low-level UniFi OS networking. In my case, that's disabling IPv4 NAT, since UniFi provides no standard, supported means to do this and I already have a northbound pfSense router/firewall doing that job.
tl;dr: double NAT is bad.
Starting with UniFi OS 2.4.23, systemd is available. This allows a simple systemd service to disable NAT; it has been tested against UniFi OS 3.2.7.
Until recently, you could do this on UniFi OS 1.x releases with unifios-utilities and a simple boot script. This is no longer possible, as chronicled here.
The tool consists of a simple bash script that disables NAT, and a systemd service definition that runs it.
Log in to your UniFiOS device (e.g. a UDM-Pro) using ssh and perform the following steps:
Download and install the natanator.sh script directly on your UniFiOS device via:
wget -O /usr/local/bin/natanator.sh https://raw.githubusercontent.com/jadedeane/natanator/main/natanator.sh
chmod +x /usr/local/bin/natanator.sh
Download and install the natanator.service definition file in /etc/systemd/system via:
wget -O /etc/systemd/system/natanator.service https://raw.githubusercontent.com/jadedeane/natanator/main/natanator.service
chmod 755 /etc/systemd/system/natanator.service
Reload systemd, enable and start the service:
systemctl daemon-reload
systemctl enable natanator.service
systemctl start natanator.service
Reboot and validate persistence.
To check the correct operation of the natanator service, you can execute the following commands:
Check the natanator.service status via:
systemctl status natanator.service
which should then output something like:
● natanator.service - Natanator
Loaded: loaded (/etc/systemd/system/natanator.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-03-20 10:56:35 PDT; 5s ago
Main PID: 39805 (natanator.sh)
Tasks: 2 (limit: 4725)
Memory: 460.0K
CPU: 5ms
CGroup: /system.slice/natanator.service
├─39805 /bin/sh /usr/local/bin/natanator.sh
└─39814 sleep 60
Mar 20 10:56:35 udm systemd[1]: Started Natanator.
Check correct removal of the NAT/MASQUERADING firewall rules via:
iptables -t nat -L UBIOS_POSTROUTING_USER_HOOK | grep "MASQUERADE .* UBIOS_.*ADDRv4_eth."
If the rules were correctly removed, this command should NOT return any output.
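As an added illustration of the two pieces described above (a script that removes the MASQUERADE rules and keeps them removed, plus the check against UBIOS_POSTROUTING_USER_HOOK), here is an example script in the spirit of natanator.sh; it is not the project's own script. The chain name and the UBIOS_...ADDRv4_eth<N> pattern come from the check command above and the 60-second interval matches the sleep 60 in the status output, but the sample rule specs and the use of iptables -S are assumptions.

```shell
#!/bin/sh
# Added example, not the project's natanator.sh. Removes UniFi OS's IPv4
# MASQUERADE rules from the UBIOS_POSTROUTING_USER_HOOK chain and re-checks
# every 60 s, because the controller re-adds them on re-provisioning. The
# chain name and UBIOS_...ADDRv4_eth<N> set names come from the README's
# check command; the exact rule specs in the sample below are constructed.

CHAIN="UBIOS_POSTROUTING_USER_HOOK"
INTERVAL=60

# Constructed sample of `iptables -t nat -S $CHAIN` output for offline testing.
SAMPLE_RULES='-N UBIOS_POSTROUTING_USER_HOOK
-A UBIOS_POSTROUTING_USER_HOOK -o eth8 -m set --match-set UBIOS_ADDRv4_eth8 dst -j MASQUERADE
-A UBIOS_POSTROUTING_USER_HOOK -o eth9 -m set --match-set UBIOS_ADDRv4_eth9 dst -j MASQUERADE
-A UBIOS_POSTROUTING_USER_HOOK -o br0 -j RETURN'

# Read rule lines on stdin; print only the IPv4 MASQUERADE rules that reference
# a UBIOS address set, rewritten from "-A" (append) to the matching "-D" (delete).
# -S rather than -L is used because its output is a rule spec iptables accepts.
masq_delete_rules() {
  grep -E '^-A .*UBIOS_[^ ]*ADDRv4_eth[0-9]+ .*-j MASQUERADE$' | sed 's/^-A /-D /'
}

# Delete every matching rule currently in the live chain, logging each removal.
strip_nat() {
  iptables -t nat -S "$CHAIN" 2>/dev/null | masq_delete_rules |
  while IFS= read -r rule; do
    # shellcheck disable=SC2086  # splitting $rule into iptables arguments is intended
    iptables -t nat $rule && logger -t natanator "removed: $rule"
  done
}

# Loop forever so the rules stay gone; the systemd unit keeps this process alive.
main() {
  while :; do
    strip_nat
    sleep "$INTERVAL"
  done
}

# Only enter the loop when executed as natanator.sh, so the functions can be
# sourced and exercised without touching a live firewall.
case "$0" in
  *natanator.sh) main ;;
esac
```

Install it as /usr/local/bin/natanator.sh and point the unit's ExecStart at /bin/sh /usr/local/bin/natanator.sh, as in the status output above. Because the loop only starts when the file runs under that name, sourcing it lets you try masq_delete_rules against captured iptables -t nat -S output before enabling the service.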