Ubiquiti UniFi Security Gateway Disable NAT

This is a guide for disabling the Network Address Translation (NAT) function on the Ubiquiti Networks UniFi Security Gateway (USG). The NAT functionality can be disabled by a custom config.gateway.json file on the UniFi Controller. There is no User Interface option currently to disable NAT.


  • SSH access to the UniFi Controller

Summary Steps

  • Create or update a custom config.gateway.json configuration file
  • Perform a manual device provision of the USG

Create or update a custom config.gateway.json configuration file

First, identify the interface on which Network Address Translation should be disabled. For the USG-PRO-4, the physical WAN1 port corresponds to the ETH2 logical interface.

Modify the /usr/lib/unifi/data/sites/default/config.gateway.json file to include a rule that disables NAT. You may need to replace <default> with the site code that you are working with, if not the default site.

Below is an example of the config.gateway.json file from my lab environment where NAT was disabled on WAN1/ETH2 for a USG-PRO-4.

	"service": {
		"nat": {
			"rule": {
				"5999": {
					"exclude": "''",
					"outbound-interface": "eth2",
					"type": "masquerade"

The custom configuration uses rule 5999 because NAT is performed by a static ruleset of 6000-6002. Using rule 5999 ensures that the custom rule processes first and “wins”.

Perform a manual device provision of the USG

To apply custom changes written to the config.gateway.json file, a manual provisioning operation must be ran from the UniFi web interface. This will reapply all configurations to the USG, including custom settings written to the config file.

Select Devices from the navigation
Select your Security Gateway device
Select the Config (cogwheel) tab
Scroll down and select the Provision button

Note: Routing, internet access, and other services may be temporarily disrupted during a provisioning operation.

Select provision

Additional Notes

The config.gateway.json file is included in backups initiated through the web interface and will be reapplied when a backup is restored.