Is this website a real USG website

UniFi Security Gateway, FRITZ!Box & double NAT

In principle, it is unproblematic to operate the UniFi Security Gateway (USG) behind a FRITZ!Box. The FRITZ!Box establishes the Internet connection and, as in my setup, is responsible for IP telephony. Either a fixed IP from the FRITZ!Box network's address range is set on the USG, or one is assigned via DHCP. Then the USG is entered as the exposed host in the FRITZ!Box, and the installation of the Security Gateway is complete. Double NAT included.

UniFi Security Gateway & FRITZ!Box, Speedport etc.

Anyone whose router has so far used the IP 192.168.1.1 must change this before commissioning the USG. Even though it can be set differently, that constellation did not work for me. Only when the FRITZ!Box was configured to did the USG and the FRITZ!Box get along perfectly.

Double NAT

Network Address Translation (NAT) is necessary, but double NAT is not. Through NAT, all devices in a private network share the provider's public IP address. For the provider and for other devices on the Internet, there is only one physical device: the router, the modem or the FRITZ!Box (all-IP device). All data traffic to and from the Internet runs through the device that is responsible for NAT.

The simplest form of address conversion is called static NAT. With address translation, a private IP address is converted into a public IP address when it is transmitted from the private to the public address space. In the case of the response packet, the conversion takes place in reverse order.

UniFi Security Gateway

The UniFi Security Gateway combines the security functions of a firewall with routing technology in one unit. It is capable of routing up to 1 million packets per second and can easily be configured through the UniFi controller, which also manages the UniFi access points for WLAN networks. The UniFi controller can manage flexible configurations and large deployments. It can create several LAN and WLAN groups and assign them to the respective UniFi device.

The USG makes it possible to create VLANs with their own IP address ranges. The task of assigning DHCP addresses is taken over by the security gateway.

The security gateway connects to the Internet via its WAN interface and takes over the tasks of NAT. Thus, with the constellation shown above, a double NAT is created: once by the FRITZ!Box and once by the Security Gateway.

Consequences of double NAT

Double NAT can lead to minimal losses in speed and increases the configuration effort. Port forwardings may have to be created twice. With the exposed host function I work around this problem: the ports are only forwarded from the security gateway to the corresponding devices in the private network. The USG itself is then open to the Internet, so its own firewall is the only filter for inbound traffic.

Under certain circumstances, VoIP devices in the private network can cause problems. Since telephony in my case is handled by the FRITZ!Box, there were none.

The way out

My solution for removing the double NAT is to move the FRITZ!Box into my private network, demote it to an IP client and let it run only as an IP telephone system. The ADSL2/VDSL2 connection then needed a powerful modem that is exclusively a modem.

After extensive research, it ended up being the DrayTek Vigor 130. It was extremely easy to set up and the latency has decreased noticeably.
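The three constellations described above (overlapping 192.168.1.x ranges, USG as exposed host behind the FRITZ!Box, USG directly behind a pure modem) can be checked with a short script. This is an added example, not part of the original article; the function name, the finding labels and all addresses are constructed, and the USG LAN is assumed to be 192.168.1.0/24.

```python
import ipaddress

# RFC 1918 private ranges; a WAN address inside one of them means
# another router upstream is already doing NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_chain(upstream_lan, usg_wan_ip, usg_lan, exposed_host=False):
    """Audit an 'upstream router -> USG' chain.

    upstream_lan is None when the USG sits directly behind a pure modem.
    Returns a list of finding labels (hypothetical names for this example).
    """
    wan = ipaddress.ip_address(usg_wan_ip)
    lan_net = ipaddress.ip_network(usg_lan)
    findings = []

    if upstream_lan is not None:
        up_net = ipaddress.ip_network(upstream_lan)
        # The USG's WAN address has to come from the upstream router's LAN.
        if wan not in up_net:
            findings.append("wan-outside-upstream-lan")
        # Same range on the WAN and the LAN side: the USG cannot tell
        # which interface a destination address belongs to.
        if up_net.overlaps(lan_net):
            findings.append("subnet-overlap")

    if any(wan in net for net in RFC1918):
        findings.append("double-nat")
        if exposed_host:
            # Upstream router passes all unsolicited inbound traffic on,
            # so port forwards live only on the USG.
            findings.append("usg-firewall-is-only-inbound-filter")
        else:
            findings.append("port-forward-needed-on-both-routers")
    return findings

if __name__ == "__main__":
    # Constructed sample topologies.
    samples = {
        "router still on 192.168.1.x": ("192.168.1.0/24", "192.168.1.2", True),
        "router moved, exposed host": ("192.168.10.0/24", "192.168.10.2", True),
        "pure modem, public WAN IP": (None, "203.0.113.10", False),
    }
    for name, (up, wan, exposed) in samples.items():
        print(name, "->", audit_chain(up, wan, "192.168.1.0/24", exposed))
```
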

Setting up a UniFi network from A-Z

Setting up the UniFi network from A-Z, for private and business use. Special properties of the Dream Machine are covered, as well as an ordinary UniFi network with access points and a switch. The structure is initially the same for all purposes, and further chapters are optional. Whether 802.1X and MAC-based login with dynamic VLAN assignment is used or not, everyone can decide for themselves. In addition, I will show you how to set up your own camera network with a Synology DiskStation and a dedicated LAN port and deny the cameras access to the Internet. A network for research and development will also be created as an example, which is completely sealed off from the other VLANs but still has Internet access. Next comes a wireless network where you log in with the Synology DiskStation's username and password (local, LDAP or domain) instead of a key.

Simply explained in over 2 hours of video material. Here you can find the entire course with the example lessons. Please read the detailed description for all details about the course!

Dominik Bamberger

Hi, I'm Dominik, the founder, operator and admin of You can find my videos on YouTube, and in online courses here directly on my website I will introduce you to the topics in detail and much more intensively.
