Network Address Translation (NAT) Configuration

Matt Baer

Network Address Translation changes the source and/or destination address of traffic traversing Route10. In a default configuration, all traffic egressing WAN is masqueraded to the WAN IP, and no other NAT occurs. This is the most commonly desired scenario; however, many other NAT configurations are possible to accommodate other use cases, such as multiple public IPs.

NAT Types

There are four types of NAT configuration available with Route10.

Masquerade

Masquerade translates traffic egressing an interface (usually a WAN) so that its source IP becomes the IP of the interface the traffic is leaving. In the default configuration, everything leaving a WAN interface is masqueraded to the IP of that WAN. This is a form of source NAT that is optimized for dynamic IP connections, but it can be used with any type of interface. Source NAT configuration requires static WAN IP(s), whereas masquerade automatically uses the IP assigned to the interface. Masqueraded traffic also has its connections wiped out if the WAN IP changes, which prevents stale states on the old WAN IP from persisting past their usable lifetime.

Source

Source NAT translates the source IP of a connection as defined in SNAT rules. This is most commonly used with multiple static public IPs, to translate specified IPs or networks to the configured SNAT target IP. 

Exclude

Exclude rules are used to disable all forms of source NAT (masquerade and SNAT). NAT can be disabled entirely for all traffic, making Route10 purely a routing device, or only for specific source and/or destination IPs or networks. A common use case is a routed public IP subnet in use internally, directly assigned to internal devices, where you want those devices to use their assigned static IP rather than the WAN IP for their internet traffic. This option can also be used to completely disable NAT where some other device is handling NAT for the network.

Destination

Destination NAT rewrites the destination IP and/or port of traffic traversing Route10, rather than the source IP as is the case with the three previous NAT types. Its most common use case is port forwarding; however, it can redirect traffic for many other purposes as well.

NAT Configuration

To configure NAT, browse to Settings > Firewall > Port-forward/NAT. Click Add there to add a new rule.

Masquerade Configuration

Masquerade rules usually do not need to be configured because they’re enabled by default for WANs. However, there are use cases where masquerade beyond the default is desired.

Source NAT Configuration

The Source type allows configuring source NAT with a specific, statically-defined, source IP for translation. This is most often used with multiple static public IPs. 

Important Note: The IPs used in SNAT must be assigned to a Route10 interface, unless your ISP is routing an entire public IP subnet to your Route10. For the following example, it is not a routed subnet, and the ISP has assigned static IPs within 203.0.113.0/29, with 203.0.113.2 through 203.0.113.6 being usable. That makes Route10's static WAN IP configuration the following:
203.0.113.2/29,203.0.113.3/29,203.0.113.4/29,203.0.113.5/29,203.0.113.6/29


Examples

The following example shows how to translate 192.168.1.3 to 203.0.113.3 for traffic egressing WAN1 (eth3). The source is set to 192.168.1.3 to translate traffic from that source IP. The destination and protocols are left blank to match everything. “Redirect to” has the post-NAT source IP of 203.0.113.3 configured. Zone In is LAN, and Zone Out is WAN. If you have more than one WAN, the NAT configuration will almost always be specific to one WAN only, so the outbound interface must be specified to limit the rule to that WAN. In this example, WAN1 is eth3, which is configured as Interface Out. All other fields are left at defaults.

 

Exclude Configuration (Disable NAT)

Choose type “Exclude” to exclude traffic from NAT. To completely disable NAT, use the following configuration. The source, destination, and protocols are left blank to match all. Zone In is LAN, Zone Out is WAN. If you have multiple WAN interfaces and only want to disable NAT for one of them, specify Interface Out as the WAN interface where NAT is to be disabled.

 

Destination NAT Configuration

Destination NAT is covered in the Port Forwarding article.

 

Rule Ordering

The first matching user-defined source NAT rule (Source, Masquerade, and Exclude) wins. For example, if you have a matching Source NAT rule defined above a matching Exclude rule, then only the Source rule applies. Ensure your NAT rules are ordered in such a way that they apply as intended. Their order can be changed using the up and down arrow buttons under Settings > Firewall > Port-forward/NAT.
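
The first-match behaviour described above, modelled in Python as an added example (not Route10 code and not part of the original article). The Rule class and function names are hypothetical, the addresses are those of the article's example, and the model assumes that traffic matching no user-defined rule falls through to the default WAN masquerade.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses from the article's example; the data model is hypothetical.
WAN1 = "eth3"
WAN1_IPS = ["203.0.113.2", "203.0.113.3", "203.0.113.4",
            "203.0.113.5", "203.0.113.6"]

@dataclass
class Rule:
    kind: str                          # "source", "masquerade" or "exclude"
    src: Optional[str] = None          # None = field left blank = match all
    dst: Optional[str] = None
    iface_out: Optional[str] = None
    redirect_to: Optional[str] = None  # post-NAT source IP ("source" rules)

    def matches(self, src, dst, iface_out):
        return ((self.src is None or ip_address(src) in ip_network(self.src))
                and (self.dst is None or ip_address(dst) in ip_network(self.dst))
                and (self.iface_out is None or self.iface_out == iface_out))

def egress_source(rules, src, dst, iface_out, iface_ip):
    """Source IP seen upstream after NAT: the first matching user-defined
    rule wins; with no match, the default masquerade uses the interface IP."""
    for rule in rules:
        if not rule.matches(src, dst, iface_out):
            continue
        if rule.kind == "exclude":
            return src                 # NAT disabled: original address leaves
        if rule.kind == "source":
            return rule.redirect_to    # SNAT to the configured target
        return iface_ip                # explicit masquerade rule
    return iface_ip                    # assumed default WAN masquerade

def unassigned_snat_targets(rules, assigned_ips):
    """SNAT targets not assigned to the interface; per the Important Note,
    these only work when the ISP routes the subnet to the router."""
    return [r.redirect_to for r in rules
            if r.kind == "source" and r.redirect_to not in assigned_ips]

# The article's SNAT example, plus an Exclude rule limited to WAN1.
snat = Rule("source", src="192.168.1.3", iface_out=WAN1,
            redirect_to="203.0.113.3")
no_nat = Rule("exclude", iface_out=WAN1)
```

With the Source rule first, 192.168.1.3 leaves as 203.0.113.3; with the Exclude rule first, the same host leaves WAN1 with its private address untranslated, which is the ordering mistake to look for when reviewing a rule list.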

Destination NAT is separate from all types of source NAT, and applies as traffic comes into an interface rather than as it egresses. There are therefore no interaction or ordering considerations between SNAT and DNAT. The DNAT config will apply for ingress traffic, and the SNAT config for egress traffic. In some cases, specific traffic matches both SNAT and DNAT where both source and destination must be rewritten.
