Chapter 6. Network Address Translation

Table of Contents

6.1. NAT Primer
6.1.1. Types of NAT
6.1.2. Other Resources
6.2. Inbound NAT
6.3. Outbound NAT
6.4. Server NAT
6.5. 1:1 NAT
6.6. Choosing the appropriate NAT for your network

6.1. NAT Primer

Network Address Translation (NAT) allows you to use RFC 1918 private IP addresses for addressing on your internal network, and allow all hosts on the internal networks to access the Internet using one public IP address.

Due to the typical expense of obtaining public IP addresses, most networks do not purchase one public IP address for each network host. NAT allows multiple machines to connect to the Internet using a single public IP address. Additionally, using NAT for Internet access protects internal network computers from unwanted access attempts.

Practically, this means that NAT allows you to receive one IP address from your Internet Service Provider and that everyone on your local network can use that IP address to access the Internet. It also allows you to select one or more software services (web server, file server, database server) to make accessible from the Internet but to limit access to other services or IP port numbers.

m0n0wall offers 4 types of NAT:

  • Inbound NAT

  • Outbound NAT

  • Server NAT

  • 1:1 NAT


Although a NAT rule can redirect traffic into your network you still must enabled filtering rules to allow the traffic to pass through the stateful packet firewall.

6.1.1. Types of NAT

There are two most commonly used and most familiar types of NAT, bidirectional or 1:1 (pronounced one to one), and Port Address Translation, or PAT. In both cases m0n0wall will change the IP header of packets that traverse the NAT enabled interface but NAT and PAT each change a different part of the IP header. NAT Explained

NAT translate the IP address in the IP packer header. NAT rules can be applied to TCP or UDP packets that are either incoming and/ or outgoing on any m0n0wall Ethernet interfaces except the LAN interface. Some common NAT uses include:

  • sharing an Internet connection with multiple computers

  • adding multiple IP addresses to a WAN interface

  • translating entire IP subnets to another

  • redirect outgoing network traffic to a different IP address

  • redirect incoming network traffic to a different IP address or port address

  • spoof the IP origin of outgoing traffic to appear as coming from a different IP address

For each NAT rule, m0n0wall builds and maintains a table of network connections that are using each rule. PAT Explained

PAT translates port numbers in the IP packet header. For example you can translate port traffic arriving on the WAN at TCP port 8080 to instead be redirected to port 80. When PAT is combined with NAT you can provide access to multiple webservers such as to send incoming Internet traffic for port 8001 to an internal webserver at port 80 and port 8002 to another web server at port 80.


Since only TCP and UDP packets are using port numbers, only these packets can benefit from PAT based translation rules.

PAT configuration is included in the NAT configuration pages whenever you choose to use port addresses or port ranges. Other uses for PAT include:

  • hiding common ports to make them less obvious for script based attacks

  • making data appear to originate from a particular port address

  • allow multiple instances of a server on the same computer Proxy ARP

Normally, an Ethernet interface which has an IP address being requested on a network will respond first to an ARP request to say that the IP address exists and that the Ethernet interface is accepting traffic for it.

Without Proxy ARP you can still assign multiple IP addresses to the WAN interface but your Internet Service Provider must edit their routing tables to redirect the traffic accordingly.


PPPoE connections do not use ARP requests. If you are assigning multiple IP addresses to y PPPoE WAN interface then the service provider must route the traffic correctly.