NAT: Advanced Modes¶
This page covers the three NAT modes beyond basic inbound port forwarding: 1:1 NAT, Server NAT, and Outbound NAT. For basic port forwarding, see NAT and Port Forwarding.
1:1 NAT¶
Purpose¶
1:1 NAT creates a permanent, bidirectional mapping between one external (public) IP and one internal (private) IP. All traffic from the internal host appears to the internet as the external IP, and all traffic destined for the external IP is forwarded to the internal host — without specifying individual ports.
Web UI location¶
Firewall > NAT > 1:1
Configuration¶
| Field | Notes |
|---|---|
| Interface | Typically WAN |
| External IP | The public address (must be reachable from WAN) |
| Internal IP | The private host being mapped |
| Description | Purpose of the mapping |
Requirements¶
- The external IP must be routable to the firewall's WAN interface. If it is an additional IP address (not the primary WAN IP), proxy ARP must be configured so the firewall responds to ARP requests for that address.
- Firewall rules are still required to permit traffic. 1:1 NAT handles the address translation only.
Interaction with inbound port forwarding¶
1:1 NAT takes precedence over inbound port forwarding rules that reference the same external IP. Use 1:1 NAT when a host requires full external IP exposure; use inbound port forwarding when only specific ports need forwarding.
Server NAT¶
Purpose¶
Server NAT defines a pool of external IP addresses that can be assigned as forwarding targets for inbound NAT rules. It is used when you have multiple public IPs and want to assign specific ones as entry points for different services or servers.
Web UI location¶
Firewall > NAT > Server NAT
Configuration¶
| Field | Notes |
|---|---|
| External IP address | A public IP available as an inbound NAT target |
| Description | Server or service name |
Usage¶
Once a Server NAT entry exists, it becomes available as an external IP option in inbound port forwarding rules (Firewall > NAT > Inbound).
As with 1:1 NAT, external IPs that are not the primary WAN address require proxy ARP to be configured.
Outbound NAT¶
Purpose¶
Outbound NAT controls how internal traffic is translated (SNAT) as it exits to external networks. By default, t1n1wall automatically creates one outbound NAT rule per internal interface subnet, translating all outbound traffic to the WAN IP.
Web UI location¶
Firewall > NAT > Outbound
Modes¶
Automatic (default)¶
When Enable Advanced Outbound NAT is unchecked, the system automatically generates outbound masquerade rules for each internal interface subnet. All internal subnets are translated to the WAN IP address. Any custom rules configured on this page are ignored in this mode.
Advanced¶
When Enable Advanced Outbound NAT is checked, only the user-specified rules apply. The automatic rules are disabled. You must manually define every outbound translation your network requires.
Advanced rule fields¶
| Field | Notes |
|---|---|
| Interface | Source interface (LAN, WAN, optional) |
| Source | Internal network being translated |
| Destination | Target network (use any for internet traffic) |
| Target | Address to translate to (blank = WAN interface IP) |
| No port mapping | Preserves source ports instead of remapping |
When to use advanced mode¶
- Multiple WAN IPs where different internal subnets should exit via different external addresses
- DMZ or optional interface subnets that should appear as a different external IP than the LAN subnet
- Policy NAT requirements where specific traffic must exit via a specific address
Caution¶
Switching to advanced mode with no rules configured results in no outbound NAT — internal hosts will not reach the internet until rules are added. Plan the required rules before enabling advanced mode.
Proxy ARP¶
Proxy ARP is required when the firewall must respond to ARP requests for additional public IP addresses (addresses other than the primary WAN IP) on behalf of internal hosts.
Configure at Services > Proxy ARP. Add each additional external IP that the firewall should claim via ARP. Without this, traffic destined for those IPs will not reach the firewall.