SPI help needed for Ubiquiti router

Discussion in 'Routers' started by Tran363, Sep 22, 2017.

  1. Tran363

    Tran363 New Around Here

    Joined:
    Sep 22, 2017
    Messages:
    2
    I have bought a Ubiquiti EdgeRouter Lite ERLite-3, and in early October I have an appointment with a computer tech guy to come out on a house call to configure it. I am told he can handle everything except the SPI. He says he has no idea how to set up Stateful Packet Inspection on a Ubiquiti router, and I really want both NAT & SPI, so any tips on how to do it that I can pass on to him? Thank you for any help!
     
  2. abailey

    abailey Senior Member

    Joined:
    Mar 29, 2014
    Messages:
    475
    I must be confused. I thought a firewall had to use SPI if it had dynamic NAT (which is pretty much the default for firewalls). If you were only doing a static NAT or one to one NAT then I guess it would not have to be an SPI firewall. Not sure what the computer tech guy is talking about. When you say you want both NAT and SPI, what are you thinking SPI will do for you?

    Add: Maybe he is talking about IPv6, where NAT is not used? If so, then I don't know the answer, as I don't know how the Ubiquiti router handles IPv6.
     
  3. Tran363

    Tran363 New Around Here

    Joined:
    Sep 22, 2017
    Messages:
    2
    I will start off by saying I know little about this, but what I have read on Wikipedia and sites like this:

    https://kb.netgear.com/1091/Security-Comparing-NAT-Static-Content-Filtering-SPI-and-Firewalls

    http://www.dslreports.com/forum/r12010843-NAT-vs-SPI-What-s-The-Difference

    http://forums.whirlpool.net.au/archive/2472847

    https://forums.anandtech.com/threads/difference-between-spi-and-nat-based-firewalls.1120566/

    Most of this I do not grasp, which is why I will be paying a Tech to set up the router. So far as I do understand it:
    1. NAT and SPI are two different things.
    2. You can have NAT without SPI (not sure if the reverse is true).
    The Tech tells me he can do everything, including the NAT, but he has no idea how to configure the SPI. I want both working. So either I have to find enough documentation to show him how to configure the SPI, or I have to start over and find a Tech that knows how to configure the SPI. From what I am reading, SPI is the hardware firewall, and the NAT "basically lets you use many pc behind one public address. this is generally not considered firewalling since no packet inspection in performed." Since I only have one PC, the NAT is low priority, but I want it in place, just in case I ever add a second PC.
     
  4. abailey

    abailey Senior Member

    Joined:
    Mar 29, 2014
    Messages:
    475
    Don't get too caught up in the terminology. I don't know of a router today that will do NAT but not SPI. When we talk about SPI it can mean many different things. It could be anything from something as simple as stopping incoming traffic directed at the firewall to doing layer-7 inspection. In fact I have not heard anyone talk about SPI (except for marketing purposes) in several years. This is why I am surprised your computer tech guy even mentioned it, unless he means something more specific, like QoS, layer-7 filtering, IPS or something like that. Anyway, the EdgeRouter Lite is very easy to set up. In fact it has a wizard you can use that will set up the firewall, NAT and "SPI". If you don't use the wizard then you can set up the firewall portion (which I assume is what your guy is calling SPI) and NAT separately.
     
  5. System Error Message

    System Error Message Part of the Furniture

    Joined:
    Oct 14, 2014
    Messages:
    3,521
    SPI, stateful packet inspection. This is really just a fancy name for a NAT firewall; all it does is not pass packets that aren't relevant. On MikroTik, one simply has to add a rule to drop invalid-state connections and enable conntrack. Not sure how you'd do this on Ubiquiti.
     
  6. coxhaus

    coxhaus Very Senior Member

    Joined:
    Oct 7, 2010
    Messages:
    1,571
    Location:
    texas
    There are different levels of SPI, but it is based on the product you buy. If you look at Untangle, it does more levels of SPI than a hardware router. You are going to get whatever your ERL3 supports when he configures it.
     
