NAT (Network Address Translation)
Masquerading (Address Masking)
To configure address masking:
- Firewall
- General Settings
Navigate to Zones => Forward on the page and configure the Masquerading checkbox in the table.
Masquerading hides the source IP address of data packets by replacing it with the router’s WAN IP address. The masquerading and MSS clamping features must be enabled on the WAN interface and disabled on the LAN interface.
SNAT (Source NAT)
| Parameter | Description | Default Value |
|---|---|---|
| Enable | Enable / Disable | Enable |
| Name | Rule name | |
| Protocol | TCP+UDP / TCP / UDP / ICMP | TCP+UDP |
| Source IP address | Source IP address or IP range used for matching rules, such as 192.168.1.100 or 192.168.1.100-192.168.1.200. If set to "Any", the rule applies to all source IP addresses. | Any |
| Source Port | Source port or port range for rule matching, such as 999 or 888-999. If set to "Null", the rule matches all source ports. | Null |
| Destination IP address | Destination IP address or IP range for matching rules, such as 192.168.2.100 or 192.168.2.100-192.168.2.200. If set to "Null", the rule matches all destination IP addresses. | Null |
| Destination Port | Destination port or port range for rule matching, such as 999 or 888-999. If set to "Null", the rule matches all destination ports. | Null |
| SNAT IP address | Replace the source IP address of matched traffic with this address. | custom |
| SNAT port | Replace the source port of matched traffic with this port. If set to "Null", the original source port is used. | Null |
Source NAT is a special packet masking method that changes the source address of packets leaving the router. When using Source NAT, you must disable the masquerading feature on the WAN port.
To add a Source NAT rule:
- Firewall
- Traffic Rules
Navigate to Source NAT tab and click Add and edit under New source NAT.
Use the default settings to match all source and destination IP addresses. Then click Save & Apply.
In this example, the router’s outgoing source IP address was changed to 192.168.9.1. However, when a PC connected to the router (IP: 192.168.1.114) sends an ICMP ping request to another device connected to the router (IP: 192.168.13.4), the source IP appears as 192.168.9.1 instead of 192.168.1.114.
Port Forwarding
To add a port forwarding rule:
- Firewall
- Port Forwards
Port forwarding rules map a specific WAN port to a device inside the selected internal network.
| Parameter | Description | Default Value |
|---|---|---|
| Name | Rule name | Null |
| Protocol | TCP+UDP / TCP / UDP | TCP+UDP |
| External zone | Wired WAN, 4G, VPN | wan |
| External Port | This can be a port or port range such as 8000-9000. If the external port is empty, this represents the DMZ (Demilitarized Zone) function. | Null |
| Internal Zone | LAN name | lan |
| Internal IP address | Router LAN IP address | Null |
| Internal Port | Specify a port or port range such as 8000-9000. When both external and internal ports are empty, this represents DMZ operation. | Null |
NAT DMZ
Port forwarding rules map a specific WAN port to an internal network device, while DMZ rules forward all WAN interface ports to an internal network device.
DMZ rules are configured in the port forwarding interface, and external port and internal port settings are not required in DMZ mode.
All ports belonging to the WAN interface will be forwarded to the internal network device with IP address 192.168.1.110.
- Port forwarding and DMZ cannot be used simultaneously.