5.4. 1:1 NAT

1:1 NAT maps an internal IP address to an external IP address, generally mapping a public IP address to a private IP address and vice versa. When you assign a 1:1 NAT mapping, any traffic from that host to the Internet is NAT'ed to the defined external IP, and any traffic coming into the external IP is NAT'ed and passed to the internal IP if firewall rules permit. By default, the firewall rules do not allow any inbound traffic to 1:1 NAT mappings.

You can also map entire subnets with one entry.

You can also use this on optional networks, but that is not a common use of this functionality.

5.4.1. Adding a 1:1 NAT entry

Go to the Firewall -> NAT screen and click the 1:1 tab. Click the add icon to add a new entry.

Interface

Interface will be WAN in almost all cases.

External subnet

The external subnet is the IP address or subnet you wish to map. Usually this will be a single IP address (and hence a /32 mask). If you have, for example, a full class C public subnet, your LAN or DMZ is a full class C subnet, and you want to 1:1 NAT every host to its own public IP, enter your entire public IP subnet here.

Internal subnet

In most cases this will be a single IP address on either your LAN or an optional interface like a DMZ. When 1:1 NAT'ing an entire subnet, enter the subnet address here. The mask given in the External subnet is used for the internal subnet as well, as the two must be identical.

Description

Description is optional but recommended.

After verifying your entries, click Save and Apply changes.


Depending on the way your WAN connection is set up, you may need Proxy ARP for 1:1 NAT to function. See the Proxy ARP section under Server NAT for more information.
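
The following is an added example, not code from the firewall itself: a small Python model of a 1:1 NAT entry that shows how a subnet entry pairs each internal host with its own external address, and that inbound traffic is only passed when a firewall rule permits it. It assumes the host portion of the address is carried over unchanged between the two subnets; the class name, the rule_permits parameter and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress


class OneToOneNat:
    """Model of one 1:1 NAT entry; both subnets share the External subnet mask."""

    def __init__(self, external, internal, prefix):
        # strict=True rejects a host address entered together with a subnet
        # mask, e.g. 192.168.1.10 with /24 (host bits set).
        self.external = ipaddress.ip_network(f"{external}/{prefix}", strict=True)
        self.internal = ipaddress.ip_network(f"{internal}/{prefix}", strict=True)

    @staticmethod
    def _translate(addr, src_net, dst_net):
        ip = ipaddress.ip_address(addr)
        if ip not in src_net:
            return None  # address is not covered by this entry
        # Assumption: the host bits are preserved across the mapping.
        offset = int(ip) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def outbound(self, internal_ip):
        """External source address used when this host talks to the Internet."""
        return self._translate(internal_ip, self.internal, self.external)

    def inbound(self, external_ip, rule_permits=False):
        """Internal destination for inbound traffic, or None if it is dropped.

        rule_permits defaults to False because the default firewall rules
        allow no inbound traffic to 1:1 NAT mappings.
        """
        if not rule_permits:
            return None
        return self._translate(external_ip, self.external, self.internal)


# Constructed sample entries using documentation address ranges.
SUBNET_ENTRY = OneToOneNat("198.51.100.0", "192.168.1.0", 24)
HOST_ENTRY = OneToOneNat("203.0.113.10", "192.168.1.10", 32)

if __name__ == "__main__":
    print(SUBNET_ENTRY.outbound("192.168.1.25"))
    print(SUBNET_ENTRY.inbound("198.51.100.25"))
    print(SUBNET_ENTRY.inbound("198.51.100.25", rule_permits=True))
    print(HOST_ENTRY.outbound("192.168.1.10"))
```

A subnet entry gives every host in the internal subnet a reachable public counterpart once a permitting rule exists, so write inbound rules for the specific hosts and ports that need exposure rather than for the whole mapped subnet.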