Dst address translation (DNAT)

Destination Network Address Translation (DNAT)

Destination Network Address Translation (DNAT) rewrites the destination IP address of an incoming request packet to another IP address, selected on the basis of the IP address and/or other packet header fields (protocol, port). It is typically used for inbound access from the public Internet to resources on the internal network. mbox supports three types of DNAT:

  • Static DNAT (one static public IP mapped to one private IP)
  • Port forwarding (one static public IP mapped to multiple private IP using different protocol & port numbers)
  • Dynamic DNAT (dynamic WAN IP address, mapped to private IP using protocol & port numbers)

NOTE:

  • When an internal IP is mapped to a public IP address, that public IP address (or addresses) must also be configured on the external WAN interface (as a secondary IP); otherwise mbox will not answer upstream ARP requests for the NAT address and inbound traffic never reaches the DNAT rule.
  • A firewall-access rule must also permit the corresponding inbound access to the private IPs; DNAT alone does not open the path.

#1 DNAT - Port forwarding (when WAN IP is static).

!
interface eth0
 enable
 ip address 203.127.1.7/28
 ip address 203.127.1.8/28
 ip address 203.127.1.9/28
!
!"Static NAT rule, from public IP to internal IP for http service only"
firewall-dnat 1 translate inbound eth0 tcp dst 203.127.1.8 dport 80 xdst 192.168.1.8 xdport 80
!
!"Static NAT rule, from public IP to internal IP for https service only"
firewall-dnat 2 translate inbound eth0 tcp dst 203.127.1.9 dport 443 xdst 192.168.1.9 xdport 443
!
firewall-access 10 permit inbound eth0 tcp dport 80 remark "firewall rule must permit this access also"
firewall-access 11 permit inbound eth0 tcp dport 443
!

#2 Dynamic DNAT - Port forwarding (when WAN IP is dynamic).

!
!"No dst address in the rule: whatever address eth0 currently holds is forwarded"
firewall-dnat 10 translate inbound eth0 tcp dport 80 xdst 192.168.1.8 xdport 80
!
firewall-access 10 permit inbound eth0 tcp dport 80
!

#3 DNAT - Static (one to one).

!
interface eth0
 enable
 ip address 203.127.1.7/28
 ip address 203.127.1.8/28
!
!"One-to-one NAT: all protocols and ports of 203.127.1.8 go to 192.168.1.8"
firewall-dnat 1 translate inbound eth0 ip dst 203.127.1.8 xdst 192.168.1.8
!
firewall-access 10 permit inbound eth0 dst 192.168.1.8
!
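The following is an added example, not mbox code, that models how the three rule types above and the two NOTE items interact: it parses the page's own firewall-dnat / firewall-access lines (the configs are embedded as constructed samples copied from examples #1, #2 and #3), applies the first matching DNAT rule to a packet, then evaluates the access rules against the translated (private) destination, and lints a config for DNAT public addresses that are missing from the WAN interface. The evaluation order (lowest rule number first, DNAT before the access check, access rules seeing the translated destination, default deny when nothing permits) is an assumption of this model, not something the page states about mbox.

```python
"""Model of mbox-style DNAT + firewall-access evaluation (added example, not mbox code).
Assumed, not from the page: ascending rule-number order, DNAT before the access check,
access rules see the translated destination, default deny when no rule permits."""
import shlex
from dataclasses import dataclass, replace
from typing import Optional

PROTOS = {"tcp", "udp", "ip"}

# Constructed sample: the page's example #1 (static WAN IP, port forwarding).
STATIC_CONFIG = """
interface eth0
 enable
 ip address 203.127.1.7/28
 ip address 203.127.1.8/28
 ip address 203.127.1.9/28
!
firewall-dnat 1 translate inbound eth0 tcp dst 203.127.1.8 dport 80 xdst 192.168.1.8 xdport 80
firewall-dnat 2 translate inbound eth0 tcp dst 203.127.1.9 dport 443 xdst 192.168.1.9 xdport 443
!
firewall-access 10 permit inbound eth0 tcp dport 80 remark "firewall rule must permit this access also"
firewall-access 11 permit inbound eth0 tcp dport 443
"""
# Constructed sample: the page's example #2 (dynamic WAN IP): no "dst" match at all.
DYNAMIC_CONFIG = """
firewall-dnat 10 translate inbound eth0 tcp dport 80 xdst 192.168.1.8 xdport 80
firewall-access 10 permit inbound eth0 tcp dport 80
"""
# Constructed sample: the page's example #3 rules (one-to-one, any protocol and port).
ONE_TO_ONE_CONFIG = """
firewall-dnat 1 translate inbound eth0 ip dst 203.127.1.8 xdst 192.168.1.8
firewall-access 10 permit inbound eth0 dst 192.168.1.8
"""

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str                 # "tcp", "udp" or "ip"
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    kind: str                  # "dnat" or "access"
    num: int
    action: str                # "translate" or "permit"
    direction: str
    iface: str
    proto: str                 # "ip" matches any protocol
    match: dict                # dst / dport constraints
    xlate: dict                # xdst / xdport for DNAT rules

def parse_rule(tok):
    """Parse one firewall-dnat / firewall-access line given its shlex tokens."""
    kind = "dnat" if tok[0] == "firewall-dnat" else "access"
    num, action, direction, iface = int(tok[1]), tok[2], tok[3], tok[4]
    i, proto = 5, "ip"
    if i < len(tok) and tok[i] in PROTOS:       # protocol keyword is optional
        proto, i = tok[i], i + 1
    match, xlate = {}, {}
    while i < len(tok) and tok[i] != "remark":   # "remark" introduces free text
        key, val = tok[i], tok[i + 1]
        (xlate if key.startswith("x") else match)[key] = int(val) if key.endswith("port") else val
        i += 2
    return Rule(kind, num, action, direction, iface, proto, match, xlate)

def parse_config(text):
    """Return ({iface: {addresses}}, rules sorted by number) from config text."""
    addrs, rules, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):     # blank lines and "!" comment lines
            continue
        tok = shlex.split(line)
        if tok[0] == "interface":
            cur = tok[1]
            addrs.setdefault(cur, set())
        elif tok[:2] == ["ip", "address"] and cur:
            addrs[cur].add(tok[2].split("/")[0])  # "a.b.c.d/28" -> "a.b.c.d"
        elif tok[0] in ("firewall-dnat", "firewall-access"):
            rules.append(parse_rule(tok))
    return addrs, sorted(rules, key=lambda r: r.num)

def rule_matches(r, p):
    if r.direction != "inbound" or r.iface != p.iface:
        return False
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if "dst" in r.match and r.match["dst"] != p.dst:
        return False
    return "dport" not in r.match or r.match["dport"] == p.dport

def process(config_text, pkt):
    """Apply the first matching DNAT rule, then check the access rules on the result."""
    _, rules = parse_config(config_text)
    dnat_num = None
    for r in rules:
        if r.kind == "dnat" and rule_matches(r, pkt):
            pkt = replace(pkt, dst=r.xlate.get("xdst", pkt.dst), dport=r.xlate.get("xdport", pkt.dport))
            dnat_num = r.num
            break
    permitted = any(r.kind == "access" and r.action == "permit" and rule_matches(r, pkt) for r in rules)
    return {"dst": pkt.dst, "dport": pkt.dport, "dnat_rule": dnat_num, "permitted": permitted}

def lint_wan_addresses(config_text):
    """Page NOTE: each DNAT public dst must be an address of its WAN interface, or mbox
    will not answer ARP for it. Returns the (rule number, dst) pairs that are missing."""
    addrs, rules = parse_config(config_text)
    return [(r.num, r.match["dst"]) for r in rules if r.kind == "dnat"
            and "dst" in r.match and r.match["dst"] not in addrs.get(r.iface, set())]
```

Running `process(STATIC_CONFIG, Packet("eth0", "tcp", "203.127.1.8", 22))` shows the practical effect of the second NOTE: no DNAT rule matches port 22 and no access rule permits it, so the packet is dropped even though 203.127.1.8 is a NAT address. `lint_wan_addresses` with one `ip address` line removed from STATIC_CONFIG reports the DNAT rule whose public address would never be answered on ARP, which is the first NOTE as a pre-deployment check.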