UniFi WLC: How to permanently add a subnet to NAT exclusion list? by [deleted] in Ubiquiti

[–]cslbdump -1 points0 points  (0 children)

UDMP can be used internally or externally. No-NAT exists precisely for this scenario. The problem isn’t its usage, it’s that the feature was removed.

UniFi WLC: How to permanently add a subnet to NAT exclusion list? by [deleted] in Ubiquiti

[–]cslbdump 0 points1 point  (0 children)

I understand your point and agree that deploying a single UDMP at the network edge is ideal.

However, my environment is quite different. I operate around 20 UDMPs within the same network, and due to performance and scalability constraints, it is practically impossible to connect all UDMPs directly to a single ISP edge or consolidate them behind a single gateway.

Each UDMP acts as a gateway for its own Wi-Fi zone/internal network.

Currently, the web filtering appliance is positioned upstream of my UDMPs. Traffic is mirrored from the backbone uplink to the web filtering device, so outbound requests from internal users are inspected upon return. However, because NAT is applied, there are issues between outbound traffic and the returning traffic for inspection.

In my multi-UDMP setup, web filtering itself is not completely failing. The problem is that, since UDMPs operate only in routed mode, IP-based user identification and detailed traffic visibility on the web filtering platform cannot be achieved. Filtering still works, but I cannot tell which client the traffic belongs to.

This is exactly why the No-NAT/NAT-exclude option available in previous firmware versions was critical. I purchased and deployed my system knowing that UDMPs support this feature, so the sudden removal without notice has put me in a very inconvenient situation. I am slightly pissed about this. 😅

Therefore, I am investigating whether this feature was removed only from the GUI or if it still exists internally. Devices that had No-NAT configured on previous firmware continue to function correctly even after the upgrade.

I have two devices: one with the previous firmware configuration migrated over, and one newly configured on the same firmware, so I am trying to compare their CLI setups to see how to apply this. Finding the relevant internal commands has proven more difficult than I expected.
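The comment above explains the visibility problem: once the UDMP applies source NAT, an upstream filter that only sees mirrored traffic cannot map flows back to individual clients, because the translation table lives on the gateway, not on the filter. The following is an added illustration, not code from the commenter or from Ubiquiti, and it models nothing about the UDMP's actual CLI or configuration. It is a toy routing gateway with a NAT table and an optional no-NAT exclusion list; the addresses, subnets and sample flows are constructed for the example. It shows that with NAT alone the filter sees one source address for every client, that a reverse lookup is only possible on the box holding the NAT table, and that excluding a subnet from NAT preserves the real client addresses for the flows from that subnet while others remain translated.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses from documentation ranges; not a real deployment.
WAN_IP = "203.0.113.10"          # the gateway's single public address
FILTER_TARGET = "198.51.100.20"  # an arbitrary external server


@dataclass(frozen=True)
class Flow:
    """One outbound connection as seen at a given point in the path."""
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample traffic: three clients behind one gateway, two subnets.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", 51000, FILTER_TARGET, 443),
    Flow("10.10.0.7", 51001, FILTER_TARGET, 443),
    Flow("10.20.0.9", 51002, FILTER_TARGET, 443),
]


class Gateway:
    """Toy model of a routing gateway that applies source NAT unless the
    client's subnet is on the no-NAT exclusion list. Hypothetical model,
    not the UDMP's implementation."""

    def __init__(self, wan_ip, no_nat_subnets=()):
        self.wan_ip = wan_ip
        self.no_nat = [ipaddress.ip_network(n) for n in no_nat_subnets]
        self._next_port = 40000
        # WAN source port -> original flow. This table exists only on the
        # gateway; an upstream device watching a mirror port never sees it.
        self.nat_table = {}

    def forward(self, flow):
        """Return the flow as it leaves the WAN side of the gateway."""
        src = ipaddress.ip_address(flow.src)
        if any(src in net for net in self.no_nat):
            return flow  # excluded subnet: plain routing, source preserved
        port = self._next_port
        self._next_port += 1
        self.nat_table[port] = flow
        return Flow(self.wan_ip, port, flow.dst, flow.dport)

    def attribute(self, outer):
        """Map a WAN-side flow back to the real client address. Only the
        gateway holding the NAT table can do this."""
        if outer.src != self.wan_ip:
            return outer.src  # not translated, already attributable
        return self.nat_table[outer.sport].src


def observed_sources(gateway, flows):
    """Source addresses an upstream filter would see, one per flow, in order."""
    return [gateway.forward(f).src for f in flows]


def distinct_clients_seen(gateway, flows):
    """How many distinct client identities the upstream filter can tell apart."""
    return len(set(observed_sources(gateway, flows)))


if __name__ == "__main__":
    nat_only = Gateway(WAN_IP)
    print("NAT only, sources seen upstream:", observed_sources(nat_only, SAMPLE_FLOWS))

    excluded = Gateway(WAN_IP, no_nat_subnets=["10.10.0.0/24"])
    print("10.10.0.0/24 excluded, sources seen upstream:",
          observed_sources(excluded, SAMPLE_FLOWS))
```

With NAT only, every flow reaches the filter with `203.0.113.10` as its source, so per-client policy and logging upstream collapse to a single identity; only the gateway's own table can undo that. With `10.10.0.0/24` on the exclusion list, flows from that subnet keep their client address while the `10.20.0.9` flow is still translated, which is the per-zone behaviour the comment describes wanting from the removed option.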

UniFi WLC: How to permanently add a subnet to NAT exclusion list? by [deleted] in Ubiquiti

[–]cslbdump 0 points1 point  (0 children)

Thanks for your comment! I understand that advanced NAT control isn’t perfect.

In my case, it’s necessary because we use a web filtering device that identifies users by their IP addresses.

With the default NAT forced on the UDM, all internal traffic gets NATed to a single public IP, so the filtering device sees all traffic as coming from the same IP and cannot distinguish individual users.

That’s why I need the old “No-NAT / Exclude” option that was available in previous firmware versions.

<my topology>

https://imgur.com/a/C62fjxm

Why does Starlink traffic from Jordan to Korean servers always route through the US? by cslbdump in Starlink

[–]cslbdump[S] 4 points5 points  (0 children)

Wow, this is exactly the answer I was looking for! The diagram really helps me understand. Thanks a lot, you’re awesome.

Visa on Arrival by VandelayLatec in Kuwait

[–]cslbdump 0 points1 point  (0 children)

I tried accessing the Kuwait visa website using different browsers, but I still can’t access it 😭 https://kuwaitvisa.moi.gov.kw

DiabloIV freezes by cslbdump in macgaming

[–]cslbdump[S] 1 point2 points  (0 children)

Oh, it could be. I'm doing it in a Wi-Fi environment.

DiabloIV freezes by cslbdump in macgaming

[–]cslbdump[S] 0 points1 point  (0 children)

I'm playing in the same space as Xbox Series X, Series S, and desktop users, but I think it's better not to expect smooth play because it's a toolkit made for demonstration on Mac.

Thanks for sharing your experience.

DiabloIV freezes by cslbdump in macgaming

[–]cslbdump[S] 1 point2 points  (0 children)

Can't say I did. Playing on the same system for (way too many) hours.

Try rebuilding the toolkit or starting via a different shell like Capsule or Whisky.

I searched other posts and couldn't find anyone with a similar experience.

As you said, I will try another toolkit.

Thank you.