1 to 1 NAT Firewall
The 1-to-1 NAT app is required if you plan to map publicly available IP addresses to servers running on your local network. It does this by setting up Network Address Translation (NAT) rules that work for both incoming and outgoing traffic. For example, you may need a server in your network to have ports open to the Internet but be reachable on a different IP address from your ClearOS server.
The ClearOS 1-to-1 NAT module creates a virtual IP address on the WAN side (public network) of your ClearOS server and forwards the ports, all in one setting. You should not set up a virtual IP address in the IP Settings module for the purposes of 1-to-1 NAT, and you should not set up a port forwarding rule in the Port Forwarding module; this module will, and must, do both of those things for you. If you have assigned an external address as a virtual IP address and want to use 1-to-1 NAT with that address, you will need to remove it from the IP Settings module before adding the rule here. If you have created a port forwarding firewall rule for the internal server and want to use 1-to-1 NAT with that port, you will need to remove it from the Port Forwarding module before adding the rule here. Once the rule is made, the IP address is provisioned and the port forwarding is created and tied to a server on the inside of your network. Both incoming and outgoing traffic for that server are now associated with that address.
If your public address pool can be subnetted and you want your servers behind the firewall to sit in public IP address space and physically hold the public IP address, you can use the DMZ module instead.
Selecting the Technology You Need
ClearBOX configured with the following Interfaces:
- 3.4.5.2 - External IP (primary address)
- 3.4.5.3 - Alias on External IP (goes to ClearBOX only)
- 1.2.3.1 - DMZ (ClearBOX becomes the gateway router to IPs in subnet)
ClearBOX configured with the following Firewall Rules:
- 3.4.5.2 - Port Forwarding (to two separate internal servers)
- 3.4.5.4 - 1-to-1 NAT (this user guide)
- 3.4.5.5 - 1-to-1 NAT (this user guide)
- 3.4.5.6 - 1-to-1 NAT (this user guide)
Installation
If your system does not have this app available, you can install it via the Marketplace.
Menu
You can find this feature in the menu system at the following location:
- Network
- ↳Firewall
- ↳1-to-1 NAT
Configuration
Initial screen
This display shows your current 1-to-1 NAT rules. From here you can Add, Disable and Delete rules and also check the details by clicking on the menu button.
Adding a Rule
Nickname
Give the rule a name. Spaces will be converted to “_”.
Interface
Select the external interface you want the rule to apply to.
Public IP
Input the public IP for this rule. It should be available and within the same subnet as your current IP address for your WAN interface.
Private IP
Input the LAN IP of the machine which will be receiving the traffic.
Forward All Protocols and Ports
Some protocols can be finicky behind firewalls. This can happen because they use more ports than you may know about. In this case you may want to configure 1-to-1 NAT by forwarding all traffic.
Forward Selective Ports
If you only want to map selective ports, for example the TCP 80 web server port, you can configure particular ports in your 1-to-1 NAT mapping.
Protocol
TCP or UDP
Port or Port Range
This should either be a single port or a range of ports you wish to forward. To specify a range, use a colon (':') to separate the start port and end port e.g. 6000:6010.
1-to-1 NAT - With MultiWAN
If you have Multi-WAN enabled, please review the topic on source-based routes. Each 1-to-1 NAT rule must typically be assigned to an external MultiWAN interface.
Troubleshooting
To use the 1-to-1 NAT module properly, you must not have previously created any alias address that overlaps with the rule, or any Port Forwarding policy that attempts to do the same thing. Also, the target internal system on your local network must have its default gateway set to the ClearOS system.
Again, if you are trying to make a 1:1 NAT rule work, you will NOT use any other module to support this rule other than perhaps a custom firewall rule to provide an exception. The 1:1 NAT module provisions all the required components for the forward rule to work including the IP address (don't configure one as an alias in IP Settings), the incoming firewall rule (do not configure them in the Incoming firewall as that module is for ports going to the ClearOS server itself), and the port forwarding (do not also set up a port forwarding rule to cover this 1:1 NAT rule).
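The constraints from the configuration and troubleshooting sections above can be checked before a rule is entered. The following is an added example, not ClearOS code: the rule dictionary layout, the function names, the /24 mask and the 192.168.1.x private addresses are assumptions made for illustration.

```python
import ipaddress

def parse_ports(spec):
    """Parse '80' or a colon range such as '6000:6010' into (start, end)."""
    parts = spec.split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port spec: {spec!r}")
    start, end = int(parts[0]), int(parts[-1])
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"port out of range or reversed: {spec!r}")
    return start, end

def check_rule(rule, wan_cidr, aliases, port_forwards):
    """Return the list of problems found in a proposed 1-to-1 NAT rule."""
    problems = []
    public = ipaddress.ip_address(rule["public_ip"])
    if public not in ipaddress.ip_interface(wan_cidr).network:
        problems.append("public IP is outside the WAN subnet")
    if public in {ipaddress.ip_address(a) for a in aliases}:
        problems.append("public IP is already a virtual IP in IP Settings")
    wanted = None                       # None means "forward all protocols and ports"
    if rule.get("ports"):
        try:
            wanted = parse_ports(rule["ports"])
        except ValueError as exc:
            return problems + [str(exc)]
    else:
        problems.append("warning: every listening service on the private host is exposed")
    for fwd in port_forwards:
        if fwd["private_ip"] != rule["private_ip"]:
            continue
        lo, hi = parse_ports(fwd["ports"])
        same_proto = wanted is None or fwd["protocol"] == rule["protocol"]
        if same_proto and (wanted is None or (lo <= wanted[1] and wanted[0] <= hi)):
            problems.append(f"overlaps Port Forwarding rule {fwd['protocol']}/{fwd['ports']}")
    return problems

# Constructed sample data built on the addresses in the page's example layout.
WAN = "3.4.5.2/24"                      # assumed mask; the page does not give one
ALIASES = ["3.4.5.3"]                   # alias on the external IP
FORWARDS = [{"private_ip": "192.168.1.10", "protocol": "TCP", "ports": "80"}]

if __name__ == "__main__":
    proposed = {"public_ip": "3.4.5.3", "private_ip": "192.168.1.10",
                "protocol": "TCP", "ports": "80:90"}
    for problem in check_rule(proposed, WAN, ALIASES, FORWARDS):
        print(problem)
```

An empty list means the rule passes these checks; it does not confirm that the private host uses the ClearOS system as its default gateway, which still has to be verified on that host.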