Add “Disable NAT” Option for LAN-to-WAN Rule in GUI Cloud Portal

Hello Alta Labs Team,

I am requesting the addition of a “Disable NAT” checkbox or toggle on the firewall LAN-to-WAN rule configuration in the Cloud Management Portal for the Route-10 device.

Currently, this functionality is only achievable through manual UCI CLI commands, which disables NAT for the entire WAN zone and affects all traffic rather than allowing granular control per rule. This limitation creates challenges for advanced routing scenarios such as routing between subnets without NAT, bridge mode, or avoidance of double NAT setups.

A per-rule option in the UI to disable NAT would greatly enhance flexibility and simplify deployment for many customers. It would also bring the Route-10 configuration capabilities closer to other enterprise-grade routers that support no-NAT rules or routed modes.

1 Like

We’re glad you are able to achieve desired functionality using the CLI. If you can post general guidelines on how to do what you’re doing with the CLI, that may help others.

If you feel this is something that should be part of the user interface, I recommend that you make a feature request post. Honestly, we’re curious about what use cases there might be for disabling NAT when using a switch may make more sense.

This disables NAT masquerading on the WAN zone, allowing routing between subnets without IP address translation. We understand this approach affects all WAN traffic and requires manual persistence configuration, which is outside normal support scope.

Because this CLI process is outside normal support scope, we have not proceeded further with it for this particular scenario, preferring to wait for a supported and persistent method, ideally integrated into the management portal.

Regarding the question on use cases, the primary scenarios for disabling NAT on LAN-to-WAN rules in our environment include:

  • Advanced routed inter-subnet traffic where NAT hides original IPs unnecessarily

  • Situations requiring bridge mode or transparent pass-through functionality

  • Avoidance of double NAT layers in complex multi-router setups

  • Specific customer scenarios needing true layer 3 routing without address translation

While we acknowledge that using a switch could be an alternative, the flexibility to disable NAT per firewall rule in the UI would greatly simplify these deployments and avoid manual CLI scripting.

Thanks for the feature request submission! To clarify, the commands that were shared were solely an example of how it can be done. Technically what you want to do can be done immediately, but it requires more custom work. As you noticed, right now it applies to the WAN, which affects all in that zone.

It’s unfortunately not maintainable to support all custom configurations fully, which is why we share partial examples. I do understand your preference here as well. What you need to do is break the desired wan into its own zone. Here’s a more specific example, assuming wan2 is the desired interface, if you wanted to try it in a lab environment:

# remove wan2 from the default wan NAT zone
uci del_list firewall.wan.network='wan2'

# now create a separate non-NAT zone
uci set firewall.wan_no_nat=zone
uci set firewall.wan_no_nat.name='wan_no_nat'
uci set firewall.wan_no_nat.input='DROP'
uci set firewall.wan_no_nat.output='ACCEPT'
uci set firewall.wan_no_nat.forward='DROP'
uci add_list firewall.wan_no_nat.network='wan2'
uci set firewall.wan_no_nat.masq='0'
uci set firewall.wan_no_nat.mtu_fix='1'

# save + apply
uci commit firewall
service firewall reload

So if this was going to another router, then I would think a static route is the only other thing you need to add and those are already available in Control.

If you needed forwarding from the entire lan, or a subset of, to hit that link, then you would add something like this (requires the same save+apply), but otherwise, it’s just the above code block.

# add forwarding example
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='wan_no_nat'

2 Likes
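
A read-only check for the zone split described above, as an added example that is not part of the original posts or Alta Labs' own tooling: it parses `uci show firewall` output and confirms that the interface sits in exactly one zone, that the zone has masquerading off, and that its default input/forward policies are not set to ACCEPT. The function names and the embedded sample output are constructed for illustration; the zone and interface names follow the thread.

```shell
# Constructed sample of `uci show firewall` output (names follow the thread; not captured from a device).
sample_config() {
cat <<'EOF'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.masq='1'
firewall.wan_no_nat=zone
firewall.wan_no_nat.name='wan_no_nat'
firewall.wan_no_nat.input='DROP'
firewall.wan_no_nat.forward='DROP'
firewall.wan_no_nat.network='wan2'
firewall.wan_no_nat.masq='0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan_no_nat'
EOF
}
# audit_no_nat IFACE: read `uci show firewall` text on stdin and check IFACE's zone.
# Prints one finding per line; exit status is 1 if any finding is FAIL.
audit_no_nat() {
    awk -v ifc="$1" -v q="'" '
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(q, "", val)                       # drop the quotes uci prints
        n = split(key, p, ".")
        if (n == 2) { type[p[2]] = val; order[++oc] = p[2]; next }
        if (n != 3) next
        cfg[p[2], p[3]] = val
        if (p[3] == "network" && type[p[2]] == "zone") {
            m = split(val, nets, " ")          # list options print space separated
            for (i = 1; i <= m; i++) if (nets[i] == ifc) zones[++zc] = p[2]
        }
    }
    END {
        if (zc != 1) { printf "FAIL %s is in %d zones, expected 1\n", ifc, zc; exit 1 }
        z = zones[1]; name = cfg[z, "name"]; bad = 0
        if (cfg[z, "masq"] ~ /^(1|yes|on|true|enabled)$/) { print "FAIL " name " still masquerades"; bad = 1 }
        else print "OK " name " masq off"
        if (cfg[z, "input"] == "ACCEPT" || cfg[z, "forward"] == "ACCEPT") { print "FAIL " name " accepts input/forward by default"; bad = 1 }
        else print "OK " name " input/forward not set to ACCEPT"
        for (i = 1; i <= oc; i++) if (type[order[i]] == "forwarding" && cfg[order[i], "dest"] == name)
            print "INFO forwarding " cfg[order[i], "src"] " -> " name
        exit bad
    }'
}
sample_config | audit_no_nat wan2
```

On a router the same function can be fed live state with `uci show firewall | audit_no_nat wan2` after the reload.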