At 6:25 I think you meant to say "All incoming traffic to .195 ..." and not "port 195" since .195 is the last octet of an IP address and not a port number.
This is a great video, but I am a little confused. In your video you're able to select your WAN interface and have it list out IP Aliases on that interface. On my UDM Pro i cant even select the WAN interface on SNAT, did they remove this feature? ** Edit ** Turns out it isnt supported on PPPoE interfaces.
UniFi products are great but they are bit slow to release firmware upgrades with features. I still don't understand why a very very cheap home routers from other brands have all DHCP reversions on a nice table within the firmware while UniFi still have DHCP reservation list stick in-between non-reserved clients/IPs. Simple things like that has to be updated because even the ISP provided router/modem low power combo units have those features.
I've updated it also. But it seems that Unifi has added an ISP-specific NAT routing protocol (Masquerade). I have no clue how this was done. But it seems to work like normal.
Hello tank you for you're job. Unfortunately for me i can't do port forwarding. I don't know if i have to open my port in the firewall rules or not and if i have to open my translated port or the normal one. In french we say : C'est une usine a gaz and i think it's beautiful
I have a very capable edge firewall and an internet router in place. I now added a dream machine se. (www--internet router--firewall (exposed host, everything from internet router goes directly to the firewall--dream machine se). I do not want the dream machine to do any NAT but leave it to the firewall. Is that possible?
Still looks very complicated. Could you please explain how you would configure for eg your mail server on one of the ips? As I understand, it would need both source and destination nat.
1:1 Nat is intend to be used when you need to forward ALL ports to a destination, like a DMZ option. For a mail server I would suggest to continue using port forward on security section.
And as he´s telling the "source" NAT will fix the source public IP (if you have more than 1) and your server needs to get out using specific link/address
What I would like to see is how to configure e.g. the following situation: Let’s say I have a block of IP-addresses a.b.c.d/29. I have my home network out of a.b.c.e. But I want my mailserver to be a.b.c.f and my webserver to be a.b.c.g. For the webserver, that would be Destination NAT. But for the mailserver, due to SPF, DMARC etc., it would be a combination of source and destination NAT. And how would that be configured.
these bot comments.. i mean they arent wrong. Also, where and how did UniFi explode on the network scene.. freaking crazy, they are doing great work, and now looking at learning CCNA is still... sorta good??
0:08 There's no way way you can say that Unifi is enterprise level ready surely? The features you're talking about in this video are consumer grade...when we're talking about enterprise ready, we're talking about having single NAT rule that combines not only SNAT but DNAT into a single configuration as well as the ability to modify the source and destination IP's and services end to end.
Why you need NAT if you have IPV6? especially in US where is already 46% of the connections. In IPV6 there isn't no lack of IP adresses, NAT is obsolete.
While it’s true that IPv6 dramatically increases the number of available IP addresses, eliminating the primary motivation for using NAT, there are several reasons why NAT may still be relevant and necessary, even in an IPv6 environment: 1. Security and Network Management: NAT provides a layer of security by masking internal IP addresses from external networks. This can help prevent direct attacks on internal devices. In many organizations, NAT forms a part of the security and policy enforcement framework, controlling how internal resources are accessed. 2. Transition and Compatibility: The transition to IPv6 is ongoing and not all networks or devices are fully IPv6-compatible yet. NAT facilitates communication between IPv4 and IPv6 devices, ensuring interoperability and seamless connectivity during the transition phase. 3. Cost and Complexity: Completely phasing out IPv4 and NAT in favor of IPv6 can be costly and complex for many organizations. NAT allows organizations to maintain their existing IPv4 infrastructure while gradually integrating IPv6, thereby managing costs and reducing complexity.
@@senchaholic NAT is not a Firewall, NAT was a hack created due the lack of IPV4 adresses, complexity is the enemy of good security, everyone should be on IPV6 if possible, more simple, more efficient, and more secure, IPV6 is exactly how the internet should be run on the first place.
Great I hope they move to their switches and work on ACLs. Nice video thanks for putting it together.
At 6:25 I think you meant to say "All incoming traffic to .195 ..." and not "port 195" since .195 is the last octet of an IP address and not a port number.
This is a great video, but I am a little confused. In your video you're able to select your WAN interface and have it list out IP Aliases on that interface. On my UDM Pro i cant even select the WAN interface on SNAT, did they remove this feature? ** Edit ** Turns out it isnt supported on PPPoE interfaces.
UniFi products are great but they are bit slow to release firmware upgrades with features. I still don't understand why a very very cheap home routers from other brands have all DHCP reversions on a nice table within the firmware while UniFi still have DHCP reservation list stick in-between non-reserved clients/IPs. Simple things like that has to be updated because even the ISP provided router/modem low power combo units have those features.
I've updated it also. But it seems that Unifi has added an ISP-specific NAT routing protocol (Masquerade). I have no clue how this was done. But it seems to work like normal.
So masquerade is actually what your router does every time
Really cool stuff but I hope they add country restrictions per nat or firewall rules.
Hello tank you for you're job. Unfortunately for me i can't do port forwarding. I don't know if i have to open my port in the firewall rules or not and if i have to open my translated port or the normal one. In french we say : C'est une usine a gaz and i think it's beautiful
is there a way to force devices to use a local dns server instead of the hard coded ones?
1:1 nat has been asked for since 2015, it takes that long to get asked for features?
I have a very capable edge firewall and an internet router in place. I now added a dream machine se. (www--internet router--firewall (exposed host, everything from internet router goes directly to the firewall--dream machine se). I do not want the dream machine to do any NAT but leave it to the firewall. Is that possible?
Still looks very complicated. Could you please explain how you would configure for eg your mail server on one of the ips? As I understand, it would need both source and destination nat.
1:1 Nat is intend to be used when you need to forward ALL ports to a destination, like a DMZ option. For a mail server I would suggest to continue using port forward on security section.
And as he´s telling the "source" NAT will fix the source public IP (if you have more than 1) and your server needs to get out using specific link/address
What I would like to see is how to configure e.g. the following situation: Let’s say I have a block of IP-addresses a.b.c.d/29. I have my home network out of a.b.c.e. But I want my mailserver to be a.b.c.f and my webserver to be a.b.c.g. For the webserver, that would be Destination NAT. But for the mailserver, due to SPF, DMARC etc., it would be a combination of source and destination NAT. And how would that be configured.
still no way to do IPTV VLAN on WAN Routing?
I was wondering if this could be useful. Unfortunately not yet.
I’m also waiting for wan VLAN for IPTV and voip.
Will this also work for Gamers
these bot comments.. i mean they arent wrong. Also, where and how did UniFi explode on the network scene.. freaking crazy, they are doing great work, and now looking at learning CCNA is still... sorta good??
0:08 There's no way way you can say that Unifi is enterprise level ready surely? The features you're talking about in this video are consumer grade...when we're talking about enterprise ready, we're talking about having single NAT rule that combines not only SNAT but DNAT into a single configuration as well as the ability to modify the source and destination IP's and services end to end.
Thank you.
Why you need NAT if you have IPV6? especially in US where is already 46% of the connections. In IPV6 there isn't no lack of IP adresses, NAT is obsolete.
While it’s true that IPv6 dramatically increases the number of available IP addresses, eliminating the primary motivation for using NAT, there are several reasons why NAT may still be relevant and necessary, even in an IPv6 environment:
1. Security and Network Management: NAT provides a layer of security by masking internal IP addresses from external networks. This can help prevent direct attacks on internal devices. In many organizations, NAT forms a part of the security and policy enforcement framework, controlling how internal resources are accessed.
2. Transition and Compatibility: The transition to IPv6 is ongoing and not all networks or devices are fully IPv6-compatible yet. NAT facilitates communication between IPv4 and IPv6 devices, ensuring interoperability and seamless connectivity during the transition phase.
3. Cost and Complexity: Completely phasing out IPv4 and NAT in favor of IPv6 can be costly and complex for many organizations. NAT allows organizations to maintain their existing IPv4 infrastructure while gradually integrating IPv6, thereby managing costs and reducing complexity.
@@senchaholic NAT is not a Firewall, NAT was a hack created due the lack of IPV4 adresses, complexity is the enemy of good security, everyone should be on IPV6 if possible, more simple, more efficient, and more secure, IPV6 is exactly how the internet should be run on the first place.
@@pbrighamyou obviously don’t work for any organization with legacy systems.
@@pbrighamyeah, this video didn't actually explain that properly at all unfortunately, - 'its like port forwarding' apparently
Anyone wanna assist me in setting up a NAT to redirect DNS queries to my internal pihole?
SFP... you mean SPF