Advanced Configuration - NAT, PAT & IP Routing

If you want to allow connections from the internet to PCs and other devices on your internal network, you have a number of choices. The most common is to use network address translation (NAT), optionally with port address translation (PAT). m0n0wall's flexibility here can be confusing at first, but once you understand the conventions in use, it is fairly straightforward.

There are four tabs on the NAT option: Inbound, Server NAT, 1:1 and Outbound. Inbound is akin to the functionality you will find on most firewalls and some routers. It allows connections to the IP address of the WAN interface to be mapped to IP addresses on one of the internal interfaces, port range by port range. An example of its use would be to map inbound SMTP connections on port 25 to an internal mail server.

Figure 4: Internal NAT Admin Page

The next two tabs are useful if you have a range of public IP addresses assigned to you by your ISP. Server NAT is used to define additional external IP addresses that can be used in inbound NAT mappings as above. 1:1 can be used for two purposes. The first is to map all connections on all ports on a specified external IP address to a specified internal IP address. This is useful if you have a server that provides more than one external service, so that you don't have to specify port mappings separately for each service.

The second capability that 1:1 NAT provides is more powerful and allows the mapping of an external subnet of IP addresses to an internal subnet of the same size. This is extremely useful if you have a number of externally accessible servers on an internal interface.

The final tab, Outbound, can be used to turn NAT off completely so that m0n0wall behaves as a no-NAT router. Enabling Outbound NAT removes all the automatically created outbound NAT rules. Alternatively, you can configure outbound NAT mappings for specified internal subnets to specified external IP addresses. 

Figure 5: Outbound NAT Admin Page

For Server NAT, 1:1 and Advanced Outbound NAT, you may need to configure Proxy ARP so that m0n0wall responds on its WAN interface for IP addresses other than the WAN IP address. Proxy ARP is used instead of aliasing IP addresses to the external interface (also known as "server loopback") because it allows whole subnets and ranges of IP addresses to be configured very easily, whereas aliases would have to be configured individually. Be aware that Proxy ARP only works where the WAN interface is configured with a static IP address or by DHCP. It also isn't required if extra IP addresses are routed to your WAN IP or are assigned to the WAN interface by PPPoE or PPTP.
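The 1:1 subnet mapping and the Proxy ARP requirement described above, as an added Python example (not m0n0wall code and not part of the original article): it translates an external address to its internal counterpart by host offset, lists the addresses that need Proxy ARP, and reports which live internal hosts a mapping makes addressable from outside. The address blocks, WAN IP and host list are constructed sample values, and translating by host offset is this example's assumption about how a same-size subnet mapping pairs addresses.

```python
import ipaddress

def one_to_one_map(external_net, internal_net):
    """Build a translator for a 1:1 mapping between two same-size subnets."""
    ext = ipaddress.ip_network(external_net)
    inside = ipaddress.ip_network(internal_net)
    if ext.prefixlen != inside.prefixlen:
        raise ValueError("1:1 NAT needs external and internal subnets of the same size")

    def translate(external_ip):
        ip = ipaddress.ip_address(external_ip)
        if ip not in ext:
            return None  # address is not covered by this mapping
        # Assumption: the host offset inside the block is preserved.
        offset = int(ip) - int(ext.network_address)
        return inside.network_address + offset

    return translate

def proxy_arp_addresses(external_net, wan_ip):
    """Addresses the firewall must answer ARP for: the mapped block minus its own WAN IP."""
    wan = ipaddress.ip_address(wan_ip)
    return [ip for ip in ipaddress.ip_network(external_net) if ip != wan]

def exposure_report(external_net, internal_net, live_hosts):
    """(external, internal) pairs for internal hosts that actually exist.

    These are candidates only: every mapping is still subject to firewall rules.
    """
    translate = one_to_one_map(external_net, internal_net)
    live = {ipaddress.ip_address(h) for h in live_hosts}
    return [(str(e), str(translate(e)))
            for e in ipaddress.ip_network(external_net)
            if translate(e) in live]

if __name__ == "__main__":
    # Constructed sample values (documentation and private ranges).
    EXT, INT, WAN = "203.0.113.8/29", "192.168.10.0/29", "203.0.113.2"
    print("Proxy ARP needed for:", [str(a) for a in proxy_arp_addresses(EXT, WAN)])
    for ext_ip, int_ip in exposure_report(EXT, INT, ["192.168.10.2", "192.168.10.5"]):
        print(f"{ext_ip} -> {int_ip} (check firewall rules for this host)")
```

Running the report before enabling a subnet mapping shows which internal hosts become addressable from outside, so that firewall rules can be reviewed for each of them.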

One final point to remember is that all NAT / PAT mappings are still subject to the firewall rules, which I will cover now.
