Developers Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


1 to 1 NAT Firewall

The 1-to-1 NAT app is required if you plan to have publicly available IP addresses correlate with servers running on your local network. It does this by setting up Name Address Translation (NAT) rules that work both for incoming and outgoing traffic. For example, you may need a server placed in your network to have ports open to the Internet but have it be available on a separate IP address than your ClearOS server.

The ClearOS 1-to-1 NAT module creates a virtual IP address on the WAN side (public network) of your ClearOS server and also forwards the ports all in one setting. You should not set up a virtual IP address in the IP Setting module for the purposes of 1-1 NAT. You also should not set up a port forwarding rule in the Port Forwarding Module, this module will and must do both of those things for you. If you have assigned an external address as a Virtual IP address and want to use 1-to-1 NAT with that address, you will need to remove it from the IP Setting module before adding the rule here. If you have created a port forwarding firewall rule for the internal server and want to use 1-to-1 NAT with that port, you will need to remove it from the Port Forwarding module before adding the rule here. Once the rule is made, the IP address is provisioned, the port forwarding is created and correlated that to a server on the inside of your network. Both the incoming address and the outgoing destination are now associated to that address.

Depending on the VPN technologies that you use, the 1-to-1 NAT module is capable of causing the firewall to forward the outgoing traffic before it hits the VPN. Be sure to test your 1-to-1 NAT rules when using in conjunction with VPNs. If you are affected by this, you may need to create a custom firewall rule to overcome the 1-to-1 NAT's need to push the traffic from the internal server to the external IP address.

If your public address pool is capable of being subnetted, you can use the DMZ module instead if you want your servers behind the firewall to be in a public IP address space and physically have the public IP address.

Selecting the Technology You Need

Select Your Firewall Method

ClearBOX configured with the following Interfaces:

ClearBOX configured with the following Firewall Rules:

Installation

If your system does not have this app available, you can install it via the Marketplace.

You can find this feature in the menu system at the following location:

  • Network
    • ↳Firewall
      • ↳1-to-1 NAT

Configuration

Initial screen

https://clearos.com/dokuwiki2/lib/exe/fetch.php?media=content:en_us:7_ug_nat_1.png

This display shows your current 1-to-1 NAT rules. From here you can Add, Disable and Delete rules and also check the details by clicking on the menu button.

Adding a Rule

https://clearos.com/dokuwiki2/lib/exe/fetch.php?media=content:en_us:7_ug_nat_2.png

Nickname

Give the rule a name. Spaces will be converted to “_”.

Interface

Select the external interface you want the rule to apply to

Public IP

Input the Public IP or this rule. It should be available and within the same subnet as your current IP address for your WAN interface.

If you want to input the interface's normal IP address then you need to use the Port Forwarding module and not the 1-to-1 NAT module.

Private IP

Input the LAN IP of the machine which will be receiving the traffic

Forward All Protocols and Ports

Some protocols can be finicky behind firewalls. This can happen because they use more ports than you may know about. In this case you may want to configure 1-to-1 NAT by forwarding all traffic.

This means that there is no firewall between the internet and the device behind your ClearOS server. Make sure you secure the target LAN system some other way, perhaps with its own firewall

This is also the only way to forward portless traffic such as ICMP (pings etc), GRE, ESP and AH.

Forward Selective Ports

If you only want to map selective ports, for example the TCP 80 web server port, you can configure particular ports in your 1-to-1 NAT mapping.

Protocol

TCP or UDP

Port or Port Range

This should either be a single port or a range of ports you wish to forward. To specify a range, use a colon (':') to separate the start port and end port e.g. 6000:6010.

If you need more than one port or range of ports forwarded, simply create another rule using the same IP addresses.

1-to-1 NAT - With MultiWAN

If you have Multi-WAN enabled, please review the topic on source-based routes. Each 1-to-1 NAT rule must typically be assigned to an external MultiWAN interface.

Troubleshooting

In order to use the 1-to-1 NAT module properly, you must not have previously created any alias address which overlaps or have created any Port Forwarding policy which attempts to do the same thing. Also, the target internal system on your local network must have the default gateway set to ClearOS system.

Again, if you are trying to make a 1:1 NAT rule work, you will NOT use any other module to support this rule other than perhaps a custom firewall rule to provide an exception. The 1:1 NAT module provisions all the required components for the forward rule to work including the IP address (don't configure one as an alias in IP Settings), the incoming firewall rule (do not configure them in the Incoming firewall as that module is for ports going to the ClearOS server itself), and the port forwarding (do not also set up a port forwarding rule to cover this 1:1 NAT rule).

content/en_us/7_ug_nat_firewall.txt · Last modified: 2018/06/11 02:00 by nickh

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3A7_ug_nat_firewall&1710846456