Don’t Enable Hardware NAT for IPsec VPN

TL;DR – If you have an AmpliFi HD router and need to connect to a corporate VPN, do not check the “Enable Hardware NAT” box in the WebUI.

I’m still working at home (#flattenthecurve) and using my company’s corporate VPN to access private resources in AWS. Today, I ran into an issue where I was able to connect to my corporate VPN using the GlobalProtect client but was not able to connect to AWS servers or even browse the web. I reached out to my team and later our network admin. They didn’t see the issues I was having and suggested that this issue may be on my network.

I started my troubleshooting by power-cycling everything in my network stack, including my laptop. I own an Arris SURFboard modem, an AmpliFi HD router w/ two mesh access points, a 48-port NETGEAR ProSafe switch, and finally I use a USB-C to Ethernet adapter to connect to a wall port in my office. After power-cycling and reconnecting my laptop to my office’s ethernet port, I still couldn’t connect to my VPN and browse the web.

The next step was to remove variables. I plugged my laptop directly into the modem’s ethernet port and I was finally able to connect to the VPN and access our AWS servers. That meant that my laptop and USB-C to Ethernet adapter were working fine. The issue was upstream from my laptop and downstream from the modem. I reconnected the router to the modem and power-cycled them both again. Then I connected my laptop to an ethernet port on the back of the router. The VPN issues were back. This tells me that something was wrong in the router. The router was working fine with the VPN yesterday though and not today, so what changed?

The biggest part of troubleshooting any electronic system that was working one day and stopped working the next is to answer this simple question: what changed? Well, to make a long story short, here’s what I realized.

Last night, I turned off the WiFi on my laptop and plugged in my ethernet adapter to speed up a transfer to my NAS. This morning, I had not turned the WiFi back on; I was only using ethernet. I turned WiFi back on and the VPN started working like normal again! The WiFi network comes from the same router, same subnet, same everything – just wireless. I dug into my router’s WebUI (which has more advanced settings than the iOS app) and saw one setting that might be the culprit. It’s called “Enable Hardware NAT”.

This setting had been enabled since I got the router almost a year ago but I unchecked it and power-cycled the router. Now the VPN works over strictly ethernet connections as well. After doing some research, I found out two things: 1) I don’t need to enable hardware NAT since I don’t have a gigabit home internet connection, and 2) VPNs don’t like to be double-NAT’d.

The crazy thing is that this was only a problem for me today, but in truth, the VPN never worked over ethernet in my home. Because my laptop always had the WiFi connection enabled even when using ethernet, I just never noticed.
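One way to check for the double-NAT condition described above, as an added example that is not from the post: this Python script parses traceroute-style output (constructed samples are embedded inline) and counts the RFC 1918 and CGNAT hops that appear before the first public address. It assumes each hop line begins with a hop number and carries a plain IPv4 address or a `hostname (address)` pair.

```python
import ipaddress
import re

# Constructed traceroute-style output, not from the post. Two RFC 1918 hops
# before the first public address is what a double-NAT path looks like: the
# router NATs once and the device in front of it NATs again.
SAMPLE_DOUBLE_NAT = """\
 1  192.168.168.1  1.2 ms
 2  10.0.0.1  3.4 ms
 3  *  *  *
 4  203.0.113.1  12.5 ms
"""
# Constructed single-NAT path: one private hop, then the ISP.
SAMPLE_SINGLE_NAT = """\
 1  router.lan (192.168.1.1)  1.0 ms
 2  203.0.113.1  11.8 ms
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space used by ISP-side NAT
# Hop number, optional "hostname (" prefix, then the first IPv4 address on the line.
HOP_RE = re.compile(r"^\s*\d+\s+(?:\S+\s+\()?(\d{1,3}(?:\.\d{1,3}){3})")

def classify(addr: str) -> str:
    """Label a hop address as 'private' (RFC 1918), 'cgnat' (RFC 6598) or 'public'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    return "cgnat" if ip in CGNAT else "public"

def parse_hops(traceroute_text: str) -> list:
    """Return each hop's address; silent hops ('*') carry none and are skipped."""
    return [m.group(1) for m in map(HOP_RE.match, traceroute_text.splitlines()) if m]

def count_nat_layers(traceroute_text: str) -> int:
    """Count private/CGNAT hops before the first public address (2+ means double NAT)."""
    layers = 0
    for hop in parse_hops(traceroute_text):
        if classify(hop) == "public":
            break
        layers += 1
    return layers

if __name__ == "__main__":
    for name, text in (("double", SAMPLE_DOUBLE_NAT), ("single", SAMPLE_SINGLE_NAT)):
        print(f"{name}: {count_nat_layers(text)} NAT layer(s)")
```

Run it against the output of `traceroute` (or `tracert`) from the wired client; a count of two or more private hops before the ISP is the double-NAT layout the post found the VPN unable to tolerate.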

4 thoughts on “Don’t Enable Hardware NAT for IPsec VPN”

  1. How have you liked the meshing aspect of the UniFi hardware? Any issues you’ve encountered? I thought about going that route myself but ran into issues with signal strength and hopping between APs too frequently.


    1. AmpliFi is a little different than the UniFi system. I’ve worked with both in the past. But I haven’t noticed any excessive AP hopping issues with AmpliFi.


  2. Thank you for writing this. I experienced the same issue with the AmpliFi (Ubiquiti) and their support took over a month to tell me this. Even my own company did not know this. I went through the same process you did and used all of my knowledge on routing to try to solve this. Hardware NAT is new
    Rick (CISSP, CCNA)
