Advanced Configuration - NAT, PAT & IP Routing

If you want to allow connections from the internet to PCs and other devices on your internal network, you have a number of choices. The most common is to use network address translation (NAT), optionally with port address translation (PAT). m0n0wall's flexibility here can be confusing at first, but once you understand the conventions in use, it is fairly straightforward.

The NAT option has four tabs: Inbound, Server NAT, 1:1 and Outbound. Inbound is akin to the functionality you will find on most firewalls and some routers, and allows connections to the IP address of the WAN interface to be mapped to IP addresses on one of the internal interfaces, port range by port range. An example of its use would be to map inbound SMTP connections on port 25 to an internal mail server.


Figure 4: Internal NAT Admin Page

The next two tabs are useful if you have a range of public IP addresses assigned to you by your ISP. Server NAT is used to define additional external IP addresses that can be used in inbound NAT mappings as above. 1:1 can be used for two purposes. The first is to map all connections on all ports on a specified external IP address to a specified internal IP address. This is useful if you have a server that provides more than one external service, so that you don't have to specify port mappings separately for each service.

The second capability that 1:1 NAT provides is more powerful and allows the mapping of an external subnet of IP addresses to an internal subnet of the same size. This is extremely useful if you have a number of externally accessible servers on an internal interface.

The final tab, Outbound, can be used to turn NAT off completely so that m0n0wall behaves as a no-NAT router. Enabling Outbound NAT removes all the automatically created outbound NAT rules. Alternatively, you can configure outbound NAT mappings for specified internal subnets to specified external IP addresses. 


Figure 5: Outbound NAT Admin Page

For Server NAT, 1:1 and Advanced Outbound NAT, you may need to configure Proxy ARP so that m0n0wall responds on its WAN interface for IP addresses other than the WAN IP address. Proxy ARP is used instead of aliasing IP addresses to the external interface (also known as "server loopback") because it allows whole subnets and ranges of IP addresses to be configured very easily, whereas aliases would have to be configured individually. Be aware that Proxy ARP only works where the WAN interface is configured with a static IP address or by DHCP. It also isn't required if extra IP addresses are routed to your WAN IP or are assigned to the WAN interface by PPPoE or PPTP.

One final point to remember is that all NAT / PAT mappings are still subject to the firewall rules, which I will cover now.
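The subnet form of 1:1 NAT and the firewall caveat above, as an added example (not m0n0wall code and not from the original article): it maps each external address to the same offset in an internal subnet of equal size, then lists which ports a set of pass rules leaves reachable on each external address. The addresses, the `(destination, port)` rule tuples and the assumption that rules match the translated internal address are constructed for illustration.

```python
import ipaddress

def build_one_to_one(external, internal):
    """Return (external network, translate function) for a 1:1 subnet mapping."""
    ext = ipaddress.ip_network(external)
    inside = ipaddress.ip_network(internal)
    # 1:1 subnet NAT only makes sense between subnets of the same size.
    if ext.version != inside.version or ext.prefixlen != inside.prefixlen:
        raise ValueError("external and internal subnets must be the same size")

    def translate(addr):
        ip = ipaddress.ip_address(addr)
        if ip not in ext:
            return None  # not covered by this mapping
        # Keep the host offset, swap the network part.
        return inside.network_address + (int(ip) - int(ext.network_address))

    return ext, translate

def exposed_services(external, internal, pass_rules):
    """Map each external IP to the ports the pass rules allow through.

    pass_rules: iterable of (internal destination network, port).
    Assumption: rules are written against the translated internal address.
    """
    ext, translate = build_one_to_one(external, internal)
    exposure = {}
    for ext_ip in ext:
        inside_ip = translate(ext_ip)
        ports = sorted({port for dest, port in pass_rules
                        if inside_ip in ipaddress.ip_network(dest)})
        if ports:  # a mapping with no pass rule exposes nothing
            exposure[str(ext_ip)] = ports
    return exposure

# Constructed sample data (documentation and private address ranges).
EXTERNAL = "203.0.113.16/29"
INTERNAL = "192.168.10.16/29"
PASS_RULES = [
    ("192.168.10.18/32", 25),   # mail server
    ("192.168.10.18/32", 443),
    ("192.168.10.20/32", 80),   # web server
]

if __name__ == "__main__":
    for ext_ip, ports in exposed_services(EXTERNAL, INTERNAL, PASS_RULES).items():
        print(ext_ip, "->", ports)
```

Running the audit after each NAT change shows at a glance whether a 1:1 mapping has widened what is reachable from the WAN.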
