Netgate Discussion Forum

    1:1 NAT with Ubiquiti Restricted Guest Wifi

    • J
      jeffhammett
      last edited by

      I have a Ubiquiti Wireless Access Point where I have enabled a guest wifi network on its own VLAN. I have the Ubiquiti Guest network feature enabled, which adds ACLs to prevent clients from talking to any internal IP ranges.

      I've built the VLAN on the pfSense and everything is working just fine, the wireless guest clients get internet access but can't connect to any internal IPs.

      I now want to have those guest wireless devices use a different WAN IP than the rest of my networks. I have a VIP configured and have configured the 1:1 NAT for the Guest Wifi net using the IP of the VIP I want to use.

      When I do so the wireless clients lose all internet access.

      The client IP is 192.168.201.22
      The VIP I am using is 172.120.90.124

      In the state table I see:

      172.120.90.22:53155 (192.168.201.22:53155) -> 208.67.220.220:53

      Which looks to me like it is trying to use the wrong WAN IP.

      I have deleted and recreated the 1:1 NAT rule as well as deleted and recreated with a different VIP, both do the same thing.

      I don't see any entries in the firewall log for this traffic.

      I thought about disabling the Ubiquiti Guest network ACLs and relying on the pfSense firewall, but I would prefer to prevent cross talk between clients on the guest wifi.

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Why are you messing around with 1:1 NAT? Just create an outbound NAT rule that uses the proper VIP based on the source addresses of the traffic.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

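The difference between the two approaches, written out as pf rules of the kind pfSense generates. This is an added example, not configuration from the thread or from Netgate; the interface names (em0, vlan201) and the /24 guest subnet are assumptions, the VIP and client address are the ones quoted in the question.

```pf
# Added example (not from the thread). Interface names and the guest
# subnet are assumptions; the VIP and client address come from the post.
wan_if    = "em0"
guest_if  = "vlan201"
guest_net = "192.168.201.0/24"   # guest wifi VLAN
guest_vip = "172.120.90.124"     # WAN VIP the guests should egress from

# What the answer recommends: an outbound NAT rule that picks the VIP
# by source address. Every guest client shares this one public IP.
nat on $wan_if from $guest_net to any -> $guest_vip

# What the question tried: 1:1 NAT is a fixed bidirectional mapping of
# one address (or range) to another, which is not the goal here.
# binat on $wan_if from 192.168.201.22 to any -> $guest_vip

# Firewall-side guard for the guest VLAN, independent of the AP's ACLs:
# drop guest traffic to private ranges before it reaches any internal net.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block in quick on $guest_if from $guest_net to <rfc1918>
pass  in       on $guest_if from $guest_net to any keep state
```

After the rule is in place the state table should show the guest client translated to 172.120.90.124 rather than an address inside the VIP's subnet.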
        • J
          jeffhammett
          last edited by

          @Derelict:

          Why are you messing around with 1:1 NAT? Just create an outbound NAT rule that uses the proper VIP based on the source addresses of the traffic.

          Duh… thanks. That worked perfectly.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.