Setting up 1:1 NAT in NG Firewall


1:1 NAT (Network Address Translation) is a mode of NAT that maps one internal address to one external address. For example, if a network has an internal server at, 1:1 NAT can map to, where is an additional external IP address provided by your ISP.

Common uses for this are web or email servers or other resources that should be reachable via a public IP address "reserved" for them.


Setting up 1:1 NAT

This process involves three steps:

  1. set up an external IP Address Alias
  2. create a Port Forward Rule for the external address so its inbound traffic is redirected to the correct internal destination
  3. create a NAT Rule for the internal resource to map its outbound traffic to the correct external address.

In this example, we'll assume you're trying to set up 1:1 NAT for and

Set up the alias

An alias is an additional IP address that is "owned" by that interface. Your ISP must have provided you with more than one IP address to set up an alias.

  1. Go to Config > Network > Interfaces and edit the WAN interface which will own the new IP.
  2. At the bottom of the Edit Interface menu, click Add to create a new alias entry.
  3. Enter the IP address the interface will own, the appropriate netmask, and click Done.


Creating the Port Forward

A Port Forward Rule redirects traffic which arrives at a specified IP address to a specified internal destination. This step creates the "inbound" association, instructing NG Firewall to send all traffic which arrives at your WAN IP alias to the internal server.

  1. Go to Config > Network > Port Forward Rules
  2. Click Add to open the Add Port Forward Rule menu.
  3. Click Switch to Advanced at the bottom left-hand corner of the menu.
  4. Add the following conditions to the rule:
    1. Destined Local is True
    2. Destination Address is [your alias IP]
  5. Click Done


Creating the NAT Rule

A custom NAT Rule overrides the WAN interface's default NAT configuration, enabling the outbound traffic to be "relabeled" as originating from a different IP address than the WAN's default IP. This rule ensures that traffic flowing from the internal server is returned using the same IP address it arrived on.

  1. Go to Config > Network > NAT Rules
  2. Click Add
  3. Add the condition Source Address is [internal server's IP]
  4. Change the NAT Type to "Custom" and enter your WAN alias IP in the New Source field.
  5. Click Done
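
The three steps above can be modelled offline to check that the mapping is symmetric before testing it live. This is an added example, not NG Firewall code: the addresses are constructed documentation-range values, the class and function names are hypothetical, and first-match rule evaluation is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges), not values from the article.
WAN_PRIMARY = "203.0.113.2"   # the WAN interface's default address
ALIAS = "203.0.113.10"        # step 1: the additional address from the ISP
SERVER = "192.168.1.10"       # the internal server

@dataclass(frozen=True)
class PortForward:            # step 2: "Destination Address is [alias]"
    dest: str
    new_dest: str

@dataclass(frozen=True)
class NatRule:                # step 3: "Source Address is [server]", NAT Type Custom
    source: str
    new_source: str

def same(a, b):
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)

def inbound(dst, forwards):
    """Internal destination for a packet arriving at dst, or None if not forwarded."""
    return next((f.new_dest for f in forwards if same(dst, f.dest)), None)

def outbound(src, nat_rules, wan_primary):
    """Source address seen outside: first matching custom rule, else the default NAT."""
    return next((r.new_source for r in nat_rules if same(src, r.source)), wan_primary)

def audit(aliases, forwards, nat_rules, wan_primary):
    """Return the problems that stop each port forward from being a true 1:1 mapping."""
    problems = []
    for f in forwards:
        if not any(same(f.dest, a) for a in aliases):
            problems.append(f"{f.dest}: not configured as an alias on the WAN interface")
        seen = outbound(f.new_dest, nat_rules, wan_primary)
        if not same(seen, f.dest):
            problems.append(f"{f.new_dest}: outbound traffic leaves as {seen}, not {f.dest}")
    return problems

FORWARDS = [PortForward(ALIAS, SERVER)]
NAT_RULES = [NatRule(SERVER, ALIAS)]

if __name__ == "__main__":
    print(audit([ALIAS], FORWARDS, NAT_RULES, WAN_PRIMARY))  # complete configuration
    print(audit([ALIAS], FORWARDS, [], WAN_PRIMARY))         # step 3 skipped
```

With the NAT Rule missing, the model shows the server's outbound traffic falling back to the WAN's default address, which is the mismatch the outbound check in the verification section is meant to catch.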


Verifying 1:1 NAT

You can verify outbound traffic from the internal device by navigating to an IP checking service, such as

You can verify inbound traffic using a device external to your network by pointing your browser to the WAN alias IP. Using the above example, opening a browser window to should load the server at
