SPI help needed for Ubiquiti router

Tran363

I have bought a Ubiquiti EdgeRouter Lite ERLite-3, and in early October I have an appointment with a computer tech guy to come out on a house call to configure it. I am told he can handle everything except the SPI. He says he has no idea how to set up Stateful Packet Inspection on a Ubiquiti router, and I really want both NAT & SPI, so any tips on how to do it that I can pass on to him? Thank you for any help!
 
I must be confused. I thought a firewall had to use SPI if it had dynamic NAT (which is pretty much the default for firewalls). If you were only doing a static NAT or one to one NAT then I guess it would not have to be an SPI firewall. Not sure what the computer tech guy is talking about. When you say you want both NAT and SPI, what are you thinking SPI will do for you?

Add: Maybe he is talking about IPv6, where NAT is not used? If so, then I don't know the answer, as I don't know how the Ubiquiti router handles IPv6.
 

I will start off by saying I know little about this, but what I have read on Wikipedia and sites like this:

https://kb.netgear.com/1091/Security-Comparing-NAT-Static-Content-Filtering-SPI-and-Firewalls

http://www.dslreports.com/forum/r12010843-NAT-vs-SPI-What-s-The-Difference

http://forums.whirlpool.net.au/archive/2472847

https://forums.anandtech.com/threads/difference-between-spi-and-nat-based-firewalls.1120566/

Most of this I do not grasp, which is why I will be paying a Tech to set up the router. So far as I do understand it:
1. NAT and SPI are two different things.
2. You can have NAT without SPI (not sure if the reverse is true).
The Tech tells me he can do everything, including the NAT, but he has no idea how to configure the SPI. I want both working. So either I have to find enough documentation to show him how to configure the SPI, or I have to start over and find a Tech that knows how to configure the SPI. From what I am reading, SPI is the hardware firewall, and the NAT "basically lets you use many pc behind one public address. this is generally not considered firewalling since no packet inspection in performed." Since I only have one PC, the NAT is low priority, but I want it in place, just in case I ever add a second PC.
 
Don't get too caught up in the terminology. I don't know of a router today that will do NAT but not SPI. When we talk about SPI it can mean many different things. It could be anything from something as simple as stopping incoming traffic directed at the firewall to doing layer-7 inspection. In fact I have not heard anyone talk about SPI (except for marketing purposes) in several years. This is why I am surprised your computer tech guy even mentioned it, unless he means something more specific, like QoS, layer-7 filtering, IPS or something like that. Anyway, the EdgeRouter Lite is very easy to set up. In fact it has a wizard you can use that will set up the firewall, NAT and "SPI". If you don't use the wizard then you can set up the firewall portion (which I assume is what your guy is calling SPI) and NAT separately.
 
SPI, stateful packet inspection. This is really just a fancy name for a NAT firewall; all it does is not pass packets that aren't relevant. On MikroTik, one simply has to add a rule to drop invalid-state connections and enable conntrack. Not sure how you'd do this on Ubiquiti.
 
There are different levels of SPI, but it is based on the product you buy. If you look at Untangle, it does more levels of SPI than a hardware router. You are going to get whatever your ERL3 supports when he configures it.
 
