Adding NAT Rules

Topics on this page: The NAPT Rule | The RDR Rule | The Basic Rule | The Filter Rule | The Bimap Rule

[Go back]

This topic explains how to create rules for the available flavors of NAT. Also see these NAT topics:

You cannot edit existing NAT rules. To change a rule setup, delete it and add a new rule with the new settings.

The NAPT Rule: Translating between private and public IP addresses

Follow these instructions to create a rule for translating the private IP addresses on your LAN to your public IP address. This type of rule uses the NAT flavor NAPT, which was used in your default configuration. The NAPT flavor translates private source IP addresses to a single public IP address. The NAPT rule also translates the source port numbers to port numbers that are defined on the NAT Global Configuration page (see Viewing Your NAT Setup and Statistics).

  1. If the NAT Rule Configuration page is not already displaying, click the NAT tab, then select NAT Rule Entry from the NAT Options drop-down list.
  2. Click Add to display the NAT Rule - Add page.
  3. From the Rule Flavor drop-down list, select NAPT.
The page redisplays with only the fields that are appropriate for this NAT flavor. 
  1. Enter a rule ID.
The Rule ID determines the order in which rules are invoked (the lowest numbered rule is invoked first, and so on). In some cases, two or more rules may be defined to act on the same set of IP addresses. Be sure to assign the Rule ID so that the higher priority rules are invoked before lower-priority rules. It is recommended that you select rule IDs as multiples of 5 or 10 so that, in the future, you can insert a rule between two existing rules.
When a data packet matches a rule, the data is acted upon according to that rule and is not subjected to higher-numbered rules.
  1. From the IFName drop-down list, select the interface on the device to which this rule applies.
Typically, NAT rules are used for communication between your LAN and the Internet. Because the device uses the WAN interface (which may be named ppp-0, eoa-0, or ipoa-0) to connect your LAN to your ISP, it is the usual IFName selection.
  1. In the Local Address From and Local Address To fields, type the starting and ending IP addresses, respectively, of the range of private address you want to be translated. 
You can specify that data from all LAN addresses should be translated by typing 0 (zero) in each From field and 255 in each To field. Or, type the same address in both fields if the rule only applies to one LAN computer.
  1. In the Global Address From field, type the public IP address assigned to you by your ISP. 
  2. Click Save Changes. and then click close on the confirmation page to return to the NAT Configuration page. The new rule should display in the NAT Rule Configuration table. 
  3. Ensure that the Enable radio button is selected, and then click Save Changes. A page displays to confirm your changes. 

NOTE: If want your changes to be permanent, be sure to Write Settings to Flash

The RDR Rule: Allowing External Access to a LAN Computer

The RDR rule flavor allows you to make a computer on your LAN, such as a Web or FTP server, available to Internet users without having to obtain a public IP address for that computer. The computer's private IP address is translated to your public IP address in all incoming and outgoing data packets.

Without an RDR rule (or Bimap rule), the device prevents attempts by external computers to access your LAN computers.

The following example illustrates using the RDR rule to provide external access to your web server:

Your ADSL/Ethernet router receives a packet containing a request for access to your Web server. The packet header contains the public address for your LAN as the destination IP address, and a destination port number of 80. Because you have set up an RDR rule for incoming packets with destination port 80, the device recognizes the data as a request for Web server access. The device changes the packet's destination address to the private IP address of your Web server and forwards the data packet to it.
Your Web server sends data packets in response. Before the ADSL/Ethernet router forwards them on to the Internet, it changes the source IP address in the data packets from the Web server's private address to your LAN's public address. To an external Internet user then, it appears as if your Web server uses your public IP address.
You can also configure the RDR rule to translate the source computer's port number to the number specified on the main NAT Configuration Page.

Follow these instructions to add an RDR rule (see steps 1-4 under "The NAPT Rule" for specific instructions corresponding to steps 1 and 2 below):

  1. Display the NAT Rule-Add Page, select RDR as the Rule Flavor, if necessary, and enter a Rule ID.
  2. Select the interface on which this rule will be effective.
  3. Select a protocol to which this rule applies, or choose ALL.
This selection specifies which type of Internet communication will be subject to this translation rule. You can select ALL if the rule applies to all data. Or, select TCP, UDP, ICMP, or a number from 1-255 that represents the IANA-specified protocol number.
  1. In the Local Address From and Local Address To fields, type the same private IP address, or the lowest and highest addresses in a range:
  • If you type the same IP address in both fields, incoming traffic that matches the criteria you specify in steps 5 and 6 will be redirected to that IP address. 
  • If you type a range of addresses, incoming traffic will be redirected to any available computer in that range. This option would typically be used for load balancing, whereby traffic is distributed among several redundant servers to help ensure efficient network performance. 
These addresses should correspond to private addresses already in use on your network (either assigned statically to your PCs, or assigned dynamically using DHCP, as discussed in DHCP Configuration Overview).
  1. In the Global Address From and Global Address To fields, type the public IP address assigned to you by your ISP. 
If you have multiple WAN (PPP) interfaces, note that this rule will not be enforced for data that arrives on other PPP interfaces.
If you have multiple WAN interfaces and want the rule to be enforced on more than one of them (or all), enter a range of IP addresses that include them. 
  1. In the Destination Port From and Destination Port To fields, enter the port ID (or a range) that you expect to see on incoming packets destined for the LAN computer for which this rule is being created. 
Incoming traffic that meets this rule criteria will be redirected to the Local Port number you specify in the next field.
For example, if you grant public access to a Web server on your LAN, you would expect that incoming packets destined for that computer would contain the port number 80. This setting serves as a filter; data packets not containing this port number would not be granted access to you local computer. 
  1. If the LAN computer that you are making publicly available is configured to use a non-standard port number for the type of traffic it receives, type the non-standard port number in the Local Port field. 
This option translates the standard port number in packets destined for your LAN computer to the non-standard number you specify. For example, if your Web server uses (non-standard) port 2000, but you expect incoming data packets to refer to (standard) port 80, you would enter 2000 here and 80 in the Destination Port fields. The headers of incoming packets destined for port 80 will be modified to refer to port 2000. The packet can then be routed appropriately to the web server.
  1. Follow steps 8-12 under "The NAPT Rule" to submit your changes.

The Basic Rule: Performing 1:1 Translations

The Basic flavor translates the private (LAN-side) IP address to a public (WAN-side) address, like NAPT rules. However, unlike NAPT rules, Basic rules do not also translate the port numbers in the packet header; they are passed through untranslated. Therefore, the Basic rule does not provide the same level of security as the NAPT rule.

To add a Basic rule, follow these instructions (see steps 1-4 under "The NAPT Rule" for specific instructions corresponding to steps 1 and 2 below):

  1. Display the NAT Rule-Add Page, select BASIC as the Rule Flavor, and enter a Rule ID.
  2. Select the interface on which this rule will be effective.
  3. Select a protocol to which this rule applies, or choose ALL.
This selection specifies which type of Internet communication will be subject to this translation rule. You can select ALL if the rule applies to all data. Or, select TCP, UDP, ICMP, or a number from 1-255 that represents the IANA-specified protocol number.
  1. In the Local Address From and Local Address To fields, type the starting and ending IP addresses that identify the range of private address you want to be translated. Or, type the same address in both fields.
If you specify a range, each address in the range will be translated in sequence to a corresponding address in a range of global addresses (which you specify in step 5). 
You can create a Basic rule for each specific address translation to occur. The range of addresses should correspond to private addresses already in use on your network, whether assigned statically to your PCs, or assigned dynamically using DHCP.
  1. In the Global Address From and Global Address To fields, type the starting and ending addresses that identify the pool of public IP addresses that your private addresses should be translated to. Or, type the same address in both fields (if you also specified a single address in step 4).
  2. Follow steps 8-12 under "The NAPT Rule" to submit your changes.

The Filter Rule: Configuring a Basic Rule with Additional Criteria

Like the Basic flavor, the Filter flavor translates public and private IP addresses on a one-to-one basis. The Filter flavor extends the capability of the Basic rule. Refer to "The Basic Rule" for a general description.

You can use the Filter rule if you want an address translation to occur only when your LAN computers initiate access to specific destinations. The destinations can be identified by their IP addresses, server type (such as FTP or Web server), or both.

Follow these instructions to add a Filter rule: (see steps 1-4 under The NAPT Rule for specific instructions corresponding to steps 1 and 2 below):

  1. Display the NAT Rule-Add Page, select FILTER as the Rule Flavor, and enter a Rule ID.
  2. Select the interface on which this rule will be effective.
  3. Select a protocol to which this rule applies, or choose ALL.

    This selection specifies which type of Internet communication will be subject to this translation rule. You can select ALL if the rule applies to all data. Or, select TCP, UDP, ICMP, or a number from 1-255 that represents the IANA-specified protocol number.
  1. In the Local Address From and Local Address To fields, type the starting and ending IP addresses that identify the range of private address you want to be translated. Or, type the same address in both fields.

    If you specify a range, each address will be translated in sequence to a corresponding addresses in a range of global addresses (which you specify in step 5). The address (or range) should correspond to a private address (or addresses) already in use on your network.
  1. In the Global Address From and Global Address To fields, type the starting and ending address that identify the range of public IP addresses to translate your private addresses to. Or, type the same address in both fields (if you also specified a single address in step 4).
  2. In the Destination Address From/To fields, specify a destination address (or range) if you want this rule to apply only to outbound traffic to the address (or range). 

    If you enter only the network ID portion of the destination address, then the rule will apply to outbound traffic from all computers on network.
  3. From the Destination Port From/To drop-down lists, select a port type if you want the rule to apply only to outbound traffic to servers of this type. Otherwise, leave them set to Any other port.

    If you want to specify a port type that is not available in the drop-down lists, you can instead type the port ID number in the text boxes to the right. 

    You can specify a range using the From/To fields if you want the rule to apply to a range of port types, or enter the same port number in both fields. 

    If you leave the selection set to Any other port, then outbound data will not be checked for the destination port type. See step 6 in The RDR Rule for an explanation of port IDs.
  4. Follow steps 8-12 under "The NAPT Rule" to submit your changes.

The Bimap Rule: Performing Two-Way Translations

Unlike the other NAT flavors, the Bimap flavor performs address translations in both the outgoing and incoming directions. 

In the incoming direction, when the specified device interface receives a packet with your public IP address as the destination address, this address is translated to the private IP address of a computer on your LAN. To the external computer, it appears as if the access is being made to the public IP address, when, in fact, it is communicating with a LAN computer. 

In the outgoing direction, the private source IP address in a data packet is translated to the LAN's public IP address. To the rest of the Internet, it appears as if the data packet originated from the public IP address. 

Bimap rules can be used to provide external access to a LAN device. They do not provide the same level of security as RDR rules, because RDR rules can also reroute incoming packets based on the port ID. Bimap rules do not account for the port number, and therefore allow external access regardless of the destination port type specified in the incoming packet.

To add a Bimap rule, follow these instructions: (see steps 1-4 under "The NAPT Rule" for specific instructions corresponding to steps 1 and 2 below):

  1. Display the NAT Rule-Add Page, select BIMAP as the Rule Flavor, and enter a Rule ID.
  2. Select the interface on which this rule will be effective.
  1. In the Local Address field, type the private IP address of the computer to which you are granting external access.
  2. In the Global Address field, type the address that you want to serve as the publicly known address for the LAN computer.
  3. Follow steps 8-12 under "The NAPT Rule" to submit your changes.

The Pass Rule: Allowing Specific Addresses to Pass Through Untranslated

You can create a Pass rule to allow a range of IP addresses to remain untranslated even when another rule is defined that would otherwise perform a translation on them.

The Pass rule must be assigned a rule ID that is a lower number than the ID assigned to the rule it is intended to pass. In you want a specific IP address or range of addresses to not be subject to an existing rule, say rule number 5, then you can create a Pass rule with an ID number from 1 to 4.

To add a Pass rule, follow these instructions: (see steps 1-4 under "The NAPT Rule" for specific instructions corresponding to steps 1 and 2 below):

  1. Display the NAT Rule-Add Page, select PASS as the Rule Flavor, and enter a Rule ID.
  2. Select the interface on which this rule will be effective.
  3. In the Local Address From and Local Address To fields, type the lowest and highest IP addresses that define the range of private address you want to be passed without translation.
If you want the Pass rule to act on only one address, type that address in both fields.
  1. Follow steps 8-12 under "The NAPT Rule" to submit your changes.