jens-maus / natanator

Unifi OS persistent network modification service


UniFi OS persistent NAT modification service

Background

If you're like me, you'd like a way to persistently modify low-level UniFi OS networking. In my case, that's disabling IPv4 NAT, as UniFi provides no standard supported means to do this, and I have a northbound pfSense router/firewall.

tl;dr, double NAT bad.

UniFi OS 2.4.23 introduced systemd, which makes it possible to disable NAT with a simple service that is started at every boot.

The following service examples use UniFi OS 3.0.19, on a UDM Pro (non-SE).

Alternatives

Until recently, you could use unifios-utilities on UniFi OS 1.x releases, with a simple boot script. This is no longer possible, as chronicled here.

Solution

A simple bash script that disables NAT, plus a systemd service definition that runs it at boot.

Installation

Log in to your UniFiOS device (e.g. UDM-Pro) using ssh and perform the following steps:

  1. Download and install the natanator.sh script directly on your UniFiOS device via:

    wget -O /usr/local/bin/natanator.sh https://raw.githubusercontent.com/jadedeane/natanator/main/natanator.s
    chmod +x /usr/local/bin/natanator.sh
  2. Download and install natanator.service definition file in /etc/systemd/system via:

    wget -O /etc/systemd/system/natanator.service https://raw.githubusercontent.com/jadedeane/natanator/main/natanator.service
    chmod 755 /etc/systemd/system/natanator.service
  3. Reload systemd, enable and start the service:

    systemctl daemon-reload
    systemctl enable natanator.service
    systemctl start natanator.service
  4. Reboot and validate persistence.

Operation check

To check the correct operation of the natanator service you can execute the following commands:

  1. Check natanator.service status via:

    systemctl status natanator.service

    which should then output something like:

    ● natanator.service - Natanator
         Loaded: loaded (/etc/systemd/system/natanator.service; enabled; vendor preset: enabled)
         Active: active (running) since Mon 2023-03-20 10:56:35 PDT; 5s ago
       Main PID: 39805 (natanator.sh)
          Tasks: 2 (limit: 4725)
         Memory: 460.0K
            CPU: 5ms
         CGroup: /system.slice/natanator.service
                 ├─39805 /bin/sh /usr/local/bin/natanator.sh
                 └─39814 sleep 60
    
    Mar 20 10:56:35 udm systemd[1]: Started Natanator.
  2. Check correct removal of the NAT/MASQUERADING firewall rules via:

    iptables -t nat -L UBIOS_POSTROUTING_USER_HOOK | grep "MASQUERADE .* UBIOS_ADDRv4_eth."

    If the rules were correctly removed, this command should NOT return any output.
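The following is an added illustration of the approach described in the Solution section and checked in the Operation check above; it is not the project's own natanator.sh or natanator.service. It assumes the chain name used by the README's check (UBIOS_POSTROUTING_USER_HOOK), mirrors the 60-second interval visible in the README's status output, and uses a constructed sample of `iptables -t nat -S` output for an offline dry run; the unit file at the bottom is likewise constructed.

```shell
#!/bin/sh
# Constructed example, not the project's own natanator.sh: strip the IPv4
# MASQUERADE rules from UniFi OS's user hook chain and keep re-checking,
# because the OS can re-install them after provisioning changes.
# Assumptions: CHAIN is the chain the README's check inspects; INTERVAL
# mirrors the `sleep 60` shown in the README's `systemctl status` output.

CHAIN="UBIOS_POSTROUTING_USER_HOOK"
INTERVAL=60

# Convert `iptables -t nat -S $CHAIN` output (iptables-save syntax, one rule
# per line) into the matching `-D` delete commands, keeping only MASQUERADE
# rules. Pure text filter (stdin -> stdout), so it can be checked offline.
masquerade_delete_cmds() {
    grep -- '-j MASQUERADE$' | sed 's/^-A /-D /'
}

# Remove every MASQUERADE rule currently in the chain. Needs root and iptables.
strip_nat_once() {
    iptables -t nat -S "$CHAIN" 2>/dev/null | masquerade_delete_cmds |
    while IFS= read -r rule; do
        # $rule is intentionally unquoted: it is a list of iptables arguments.
        # shellcheck disable=SC2086
        iptables -t nat $rule
    done
}

# Exit 0 when no MASQUERADE rule remains (the README's "should NOT return any
# output" condition), 1 otherwise.
nat_is_disabled() {
    ! iptables -t nat -S "$CHAIN" 2>/dev/null | grep -q -- '-j MASQUERADE$'
}

# Constructed sample of `iptables -t nat -S` output, for an offline dry run.
SAMPLE_RULES='-N UBIOS_POSTROUTING_USER_HOOK
-A UBIOS_POSTROUTING_USER_HOOK -o eth8 -m set --match-set UBIOS_ADDRv4_eth8 src -j MASQUERADE
-A UBIOS_POSTROUTING_USER_HOOK -j RETURN'

# Dry run against the constructed sample: prints the delete commands that
# strip_nat_once would execute, without touching iptables.
dry_run() {
    printf '%s\n' "$SAMPLE_RULES" | masquerade_delete_cmds
}

# Constructed systemd unit that runs this script; install it as
# /etc/systemd/system/natanator.service, then daemon-reload/enable/start.
unit_file() {
    cat <<'EOF'
[Unit]
Description=Natanator
After=network.target

[Service]
Type=simple
ExecStart=/bin/sh /usr/local/bin/natanator.sh run
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Entry point. "run" is the service mode (loop forever); "dry-run" and "unit"
# are for inspection. No argument does nothing, so the file can be sourced.
case "${1:-}" in
    run)
        while :; do
            strip_nat_once
            sleep "$INTERVAL"
        done
        ;;
    dry-run) dry_run ;;
    unit)    unit_file ;;
esac
```

Usage: `sh natanator.sh dry-run` shows which delete commands the constructed sample would produce, `sh natanator.sh unit > /etc/systemd/system/natanator.service` writes the unit, and the service runs `natanator.sh run`. The `-S`/`sed 's/^-A /-D /'` idiom is used instead of parsing `-L` output because `-S` prints rules in exactly the argument form iptables accepts back, so each deletion matches the rule verbatim.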
