Skip to content

NAT and Port Forwarding Model

This page summarizes practical NAT behavior for current t1n1wall operation.

NAT roles

  • Outbound NAT: internal hosts share external address space
  • Inbound NAT / port forwarding: selected external traffic reaches internal hosts
  • 1:1 mappings: whole-address translation where required

Core rule

NAT translation and firewall policy are separate controls.

A port forward without the correct corresponding allow policy still fails.

Safe inbound exposure workflow

  1. Confirm target host and service are healthy internally
  2. Add NAT/port-forward mapping
  3. Add or confirm matching allow policy
  4. Test externally (not only from internal LAN path)
  5. Validate via logs and state behavior

Common errors

  • Wrong target IP or port
  • Service not listening on target host
  • Missing corresponding allow policy
  • Testing method bypasses real external path

Security guidance

  • Expose only required ports
  • Restrict source CIDRs when possible
  • Prefer VPN-admin access over exposed management services