1:1 NAT with Ubiquiti Restricted Guest Wifi



  • I have a Ubiquiti Wireless Access Point where I have enabled a guest wifi network on its own VLAN. I have the Ubiquiti Guest network feature enabled, which adds ACLs to prevent clients from talking to any internal IP ranges.

    I've built the VLAN on the pfSense and everything is working just fine: the wireless guest clients get internet access but can't connect to any internal IPs.

    I now want to have those guest wireless devices use a different WAN IP than the rest of my networks. I have a VIP configured and have configured the 1:1 NAT for the Guest Wifi net using the IP of the VIP I want to use.

    When I do so, the wireless clients lose all internet access.

    The client IP is 192.168.201.22
    The VIP I am using is 172.120.90.124

    In the state table I see:

    172.120.90.22:53155 (192.168.201.22:53155) -> 208.67.220.220:53

    Which looks to me like it is trying to use the wrong WAN IP.

    I have deleted and recreated the 1:1 NAT rule as well as deleted and recreated with a different VIP, both do the same thing.

    I don't see any entries in the firewall log for this traffic.

    I thought about disabling the Ubiquiti Guest network ACLs and relying on the pfSense firewall, but I would prefer to prevent cross talk between clients on the guest wifi.


  • Derelict (LAYER 8, Netgate):

    Why are you messing around with 1:1 NAT? Just create an outbound NAT rule that uses the proper VIP based on the source addresses of the traffic.



  • @Derelict:

    Why are you messing around with 1:1 NAT? Just create an outbound NAT rule that uses the proper VIP based on the source addresses of the traffic.

    Duh… thanks. That worked perfectly.
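The state-table line in the first post already shows why the 1:1 NAT rule broke things: pfSense 1:1 NAT applied to a subnet maps the internal network address-for-address onto an external network of the same size, so 192.168.201.22 was translated to 172.120.90.22 (the host part carried across), not to the VIP .124. An outbound NAT rule instead translates every source in the guest subnet to the single VIP. The Python below is an added illustration, not code from the thread or from pfSense: it models both translations and audits state-table lines of the format shown above, flagging any guest-subnet state whose translated address is not the intended VIP. The /24 mask for the guest VLAN is an assumption; the addresses and the sample state line are taken from the thread.

```python
import ipaddress
import re

# Values from the thread. The /24 prefix for the guest VLAN is an assumption.
GUEST_NET = ipaddress.ip_network("192.168.201.0/24")
WANTED_VIP = ipaddress.ip_address("172.120.90.124")
# State-table line as posted (translated src (original src) -> destination).
OBSERVED_STATE = "172.120.90.22:53155 (192.168.201.22:53155) -> 208.67.220.220:53"

STATE_RE = re.compile(
    r"^(?P<xlat>[\d.]+):(?P<xport>\d+) "
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_state(line):
    """Parse one NAT state line into addresses and ports."""
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised state line: %r" % line)
    return {
        "xlat": ipaddress.ip_address(m["xlat"]),
        "xport": int(m["xport"]),
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def one_to_one_subnet_map(src, internal_net, external_base):
    """Model of a 1:1 (binat) rule on a whole subnet: the external side is the
    network of the same size containing external_base, and host bits are
    carried across unchanged. This is why .22 stayed .22."""
    ext_net = ipaddress.ip_network(
        (int(external_base), internal_net.prefixlen), strict=False
    )
    offset = int(src) - int(internal_net.network_address)
    return ext_net.network_address + offset


def outbound_nat_map(src, internal_net, vip):
    """Model of an outbound NAT rule keyed on source address: every host in
    internal_net is translated to the one VIP; other sources are not matched
    (returned as None, meaning 'falls through to other rules')."""
    return vip if src in internal_net else None


def audit_states(lines, internal_net, vip):
    """Return (original_src, translated_src) for every state whose source is in
    internal_net but whose translated address is not the expected VIP."""
    findings = []
    for line in lines:
        st = parse_state(line)
        if st["src"] in internal_net and st["xlat"] != vip:
            findings.append((st["src"], st["xlat"]))
    return findings


if __name__ == "__main__":
    client = ipaddress.ip_address("192.168.201.22")
    print("1:1 subnet mapping gives:", one_to_one_subnet_map(client, GUEST_NET, WANTED_VIP))
    print("outbound NAT gives:      ", outbound_nat_map(client, GUEST_NET, WANTED_VIP))
    for src, xlat in audit_states([OBSERVED_STATE], GUEST_NET, WANTED_VIP):
        print("state for %s uses %s instead of %s" % (src, xlat, WANTED_VIP))
```

Running the audit against the output of `pfctl -ss` after changing the rule is a quick way to confirm that every guest-VLAN state now leaves on the intended VIP rather than on a mapped address or the interface address.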

