NAT and Port Forwarding Model¶
This page summarizes practical NAT behavior for current t1n1wall operation.
NAT roles¶
- Outbound NAT: internal hosts share external address space
- Inbound NAT / port forwarding: selected external traffic reaches internal hosts
- 1:1 mappings: whole-address translation where required
Core rule¶
NAT translation and firewall policy are separate controls.
A port forward without the correct corresponding allow policy still fails.
Safe inbound exposure workflow¶
- Confirm target host and service are healthy internally
- Add NAT/port-forward mapping
- Add or confirm matching allow policy
- Test externally (not only from internal LAN path)
- Validate via logs and state behavior
Common errors¶
- Wrong target IP or port
- Service not listening on target host
- Missing corresponding allow policy
- Testing method bypasses real external path
Security guidance¶
- Expose only required ports
- Restrict source CIDRs when possible
- Prefer VPN-admin access over exposed management services
Related¶
- NAT: Advanced Modes — 1:1 NAT, Server NAT, and Outbound NAT configuration
- Publish Multiple Websites on One Public IP
- Open Ports for BitTorrent / P2P
- Firewall Policy (pf)
- Troubleshooting Checklist