Skip to content

NAT: Advanced Modes

This page covers the three NAT modes beyond basic inbound port forwarding: 1:1 NAT, Server NAT, and Outbound NAT. For basic port forwarding, see NAT and Port Forwarding.

1:1 NAT

Purpose

1:1 NAT creates a permanent, bidirectional mapping between one external (public) IP and one internal (private) IP. All traffic from the internal host appears to the internet as the external IP, and all traffic destined for the external IP is forwarded to the internal host — without specifying individual ports.

Web UI location

Firewall > NAT > 1:1

Configuration

Field Notes
Interface Typically WAN
External IP The public address (must be reachable from WAN)
Internal IP The private host being mapped
Description Purpose of the mapping

Requirements

  • The external IP must be routable to the firewall's WAN interface. If it is an additional IP address (not the primary WAN IP), proxy ARP must be configured so the firewall responds to ARP requests for that address.
  • Firewall rules are still required to permit traffic. 1:1 NAT handles the address translation only.

Interaction with inbound port forwarding

1:1 NAT takes precedence over inbound port forwarding rules that reference the same external IP. Use 1:1 NAT when a host requires full external IP exposure; use inbound port forwarding when only specific ports need forwarding.


Server NAT

Purpose

Server NAT defines a pool of external IP addresses that can be assigned as forwarding targets for inbound NAT rules. It is used when you have multiple public IPs and want to assign specific ones as entry points for different services or servers.

Web UI location

Firewall > NAT > Server NAT

Configuration

Field Notes
External IP address A public IP available as an inbound NAT target
Description Server or service name

Usage

Once a Server NAT entry exists, it becomes available as an external IP option in inbound port forwarding rules (Firewall > NAT > Inbound).

As with 1:1 NAT, external IPs that are not the primary WAN address require proxy ARP to be configured.


Outbound NAT

Purpose

Outbound NAT controls how internal traffic is translated (SNAT) as it exits to external networks. By default, t1n1wall automatically creates one outbound NAT rule per internal interface subnet, translating all outbound traffic to the WAN IP.

Web UI location

Firewall > NAT > Outbound

Modes

Automatic (default)

When Enable Advanced Outbound NAT is unchecked, the system automatically generates outbound masquerade rules for each internal interface subnet. All internal subnets are translated to the WAN IP address. Any custom rules configured on this page are ignored in this mode.

Advanced

When Enable Advanced Outbound NAT is checked, only the user-specified rules apply. The automatic rules are disabled. You must manually define every outbound translation your network requires.

Advanced rule fields

Field Notes
Interface Source interface (LAN, WAN, optional)
Source Internal network being translated
Destination Target network (use any for internet traffic)
Target Address to translate to (blank = WAN interface IP)
No port mapping Preserves source ports instead of remapping

When to use advanced mode

  • Multiple WAN IPs where different internal subnets should exit via different external addresses
  • DMZ or optional interface subnets that should appear as a different external IP than the LAN subnet
  • Policy NAT requirements where specific traffic must exit via a specific address

Caution

Switching to advanced mode with no rules configured results in no outbound NAT — internal hosts will not reach the internet until rules are added. Plan the required rules before enabling advanced mode.


Proxy ARP

Proxy ARP is required when the firewall must respond to ARP requests for additional public IP addresses (addresses other than the primary WAN IP) on behalf of internal hosts.

Configure at Services > Proxy ARP. Add each additional external IP that the firewall should claim via ARP. Without this, traffic destined for those IPs will not reach the firewall.