5.2. Inbound NAT

Inbound NAT allows you to open ports on your public IP address(es) to hosts in your LAN or OPT networks. Click Firewall -> NAT, and the on the Inbound NAT tab to add an entry.

5.2.1. Interface

Interface is generally WAN because we want to permit traffic coming in from the Internet. You can also select any optional interfaces here.

Optional interfaces might be useful on a DMZ interface to allow access from the DMZ to a port on a host on your LAN. For example, if you want to use a LAN DNS server, you could put an Inbound NAT rule in on the DMZ interface opening UDP port 53 to your DNS server's LAN IP address, and use m0n0wall's DMZ interface IP address as your DNS server on DMZ hosts. There isn't really any advantage over doing this versus putting in a firewall rule to permit this traffic and using the LAN IP address of the DNS server, rather than NAT'ing it.

5.2.2. External address

External address is set to the WAN interface's IP address. If you have multiple public IP's, you can use other addresses here that you have previously defined on the Server NAT tab.

5.2.3. Protocol

Choose which IP protocol the service you are using requires, either TCP, UDP or TCP and UDP.

5.2.4. External port range

Either select the desired protocol from the drop down box, or type in the port range in the text boxes. You can leave the "to" field empty if you only want to map a single port.


When you want to open more than one port to a system, for example HTTP and HTTPS, do not use a port range from HTTP to HTTPS. This will work, but it also opens up 361 ports that you don't need opened between TCP 80 and 443. If you need to open two non-sequential ports to a system, you need to put in two Inbound NAT entries.

5.2.5. NAT IP

This is the internal IP address of the machine to which you are mapping the ports. In the given example, the LAN IP address of the web server is This can also be a host on an optional network, and ideally it will be to a host on a DMZ. You should avoid opening ports to your LAN if possible.

5.2.6. Local port

This is the port on the NAT IP defined above to which we want to translate the connection. In this case it is the same as the external port, but it doesn't have to be.

5.2.7. Description

Optional as always, but we strongly recommend putting in a description so you remember the purpose of this entry, and to make your rules easier to read and comprehend.

5.2.8. Auto-add a firewall rule to permit traffic through this NAT rule

I recommend you check this box in all circumstances. If you need to tighten the default rule, you can do so later. If you don't let the webGUI create the rule automatically, it's more likely to be incorrect or problematic.

Click Save, then click Apply changes. You'll see your result, similar to the following.

5.2.9. Editing Inbound NAT Firewall Rule

After adding an Inbound NAT entry and allowing the system to automatically create the firewall rule permitting traffic through that NAT entry, you can go to the Firewall -> Rules page to edit the rule. You might want to do this if, for example, you don't want to allow the entire Internet to access the service you have opened.

You'll see the rule under your WAN interface, similar to the following.

Click the next to the rule to edit it. You'll see something similar to the following.

To restrict access to this service, change the Source from any to either a network or single host and enter the appropriate details. After confirming your changes, click Save, and Apply changes.