
NAT (Network Address Translation)

Masquerading

To reach the masquerading setting, follow the menus:

  • Firewall
  • General Settings

Masquerading is configured with the Masquerading checkboxes in the table under Zones=>Forward on the page that opens. Masquerading hides the source IP address of data packets behind the router's WAN IP address. The masquerading and MSS compression feature of the WAN interface must be enabled, but it should be disabled on the LAN interface.


SNAT (Source NAT)

| Parameter | Description | Default Value |
|---|---|---|
| Enable | Enable/Disable | Enable |
| Name | Name of the rule | |
| Protocol | TCP+UDP/TCP/UDP/ICMP | TCP+UDP |
| Source IP address | This can be a source IP address or IP range to match for this rule, such as 192.168.1.100 or 192.168.1.100-192.168.1.200. "Any" matches all source IP addresses, meaning this rule covers packets that match all source IP addresses. | Any |
| Source Port | This can be a source port or port range to match for this rule, such as 999 or 888-999. "Null" matches all source ports, meaning this rule covers packets that match all source ports. | Null |
| Destination IP address | This can specify a destination IP address or IP range to match for this rule, such as 192.168.2.100 or 192.168.2.100-192.168.2.200. "Null" matches all destination IP addresses, meaning this rule covers packets that match all destination IP addresses. | Null |
| Destination Port | This can specify a destination port or port range to match for this rule, such as 999 or 888-999. "Null" matches all destination ports, meaning this rule covers packets that match all destination ports. | Null |
| SNAT IP address | Replace the source IP address of the matching traffic with this address. | custom |
| SNAT port | Replace the source port of the matching traffic with this port, "Null" uses the original source port. | Null |

Source NAT is a special form of packet masquerading that changes the source address of a packet leaving the router. When using Source NAT, you need to disable the masquerading feature of the WAN port.


To add a Source NAT rule, follow the menus:

  • Firewall
  • Traffic Rules

Then click the Add and edit button in the New source NAT section under the Source NAT tab.


Leave all source IP address and destination IP address settings at their defaults. Then click the Save & Apply button.


In this case, we changed the source IP address of packets leaving the router to 192.168.9.1. As a result, when a PC (IP: 192.168.1.114) connected to the router pings a computer (IP: 192.168.13.4) that is also connected to the router, the source IP address of the ICMP request appears as 192.168.9.1 instead of 192.168.1.114.


Port Forwarding

To add a port forwarding rule, follow the menus:

  • Firewall
  • Port Forwards

A port forwarding rule assigns a specific port number of the WAN network to a device belonging to the selected internal network.


| Parameter | Description | Default Value |
|---|---|---|
| Name | Name of the rule | Null |
| Protocol | TCP+UDP/TCP/UDP | TCP+UDP |
| External zone | Wired WAN, 4G, VPN | wan |
| External Port | This can be a port or port range, such as 8000-9000. When the external port is empty, it indicates the DMZ (Demilitarized Zone) function. | Null |
| Internal Zone | LAN Name | lan |
| Internal IP address | Router LAN IP address | Null |
| Internal Port | You specify a port or port range, such as 8000-9000. However, when both the external port and internal port are empty, it indicates the DMZ (Demilitarized Zone) operation. | Null |

NAT DMZ

While port forwarding rules redirect a specified WAN port to an internal network device, DMZ (Demilitarized Zone) rules redirect all ports belonging to the WAN interface to an internal network device. DMZ rules are set in the port forwarding interface, and in DMZ mode, there is no need to set external and internal ports.


All ports belonging to the WAN address will be redirected to the internal network device 192.168.1.110.

  • Port forwarding and DMZ cannot be used simultaneously.
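
Because a rule with an empty external port silently becomes a DMZ rule, it is worth checking an exported rule list for that case. The following is an added example, not part of the original page or the router's software; the rule dictionaries, their field names, the `WIDE_RANGE` threshold and the sample rules are assumptions constructed for illustration.

```python
# Added example: field names mirror the port forwarding table; rules are constructed.
WIDE_RANGE = 100  # assumption: ranges wider than this deserve a second look

def parse_ports(spec):
    """'8000' or '8000-9000' -> (low, high); empty field (Null) -> None."""
    spec = (spec or "").strip()
    if not spec:
        return None
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port spec: {spec!r}")
    return low, high

def classify(rule):
    """An empty external port means DMZ: every WAN port is redirected."""
    return "dmz" if parse_ports(rule.get("external_port")) is None else "forward"

def audit(rules):
    """Return (rule name, finding) pairs for a list of rule dicts."""
    findings, kinds = [], set()
    for rule in rules:
        kind = classify(rule)
        kinds.add(kind)
        if kind == "dmz":
            findings.append((rule["name"], f"DMZ: all WAN ports reach {rule['internal_ip']}"))
            continue
        low, high = parse_ports(rule["external_port"])
        if high - low + 1 > WIDE_RANGE:
            findings.append((rule["name"], f"wide range: {high - low + 1} WAN ports exposed"))
    if kinds == {"dmz", "forward"}:
        # The page states that port forwarding and DMZ cannot be used simultaneously.
        findings.append(("*", "DMZ and port forwarding rules are both configured"))
    return findings

# Constructed sample rules (not taken from a real device).
SAMPLE_RULES = [
    {"name": "web", "protocol": "TCP", "external_port": "8080",
     "internal_ip": "192.168.1.110", "internal_port": "80"},
    {"name": "cams", "protocol": "TCP+UDP", "external_port": "8000-9000",
     "internal_ip": "192.168.1.120", "internal_port": "8000-9000"},
    {"name": "all-in", "protocol": "TCP+UDP", "external_port": "",
     "internal_ip": "192.168.1.110", "internal_port": ""},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```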