Network Address Translation (NAT) / Port Address Translation (PAT)

The first subsystem that is passed through with IPv4 access from WAN is the Network Address Translation (NAT).

The request is sent to the official IPv4 address of the be.IP™ (that of the WAN connection) and then forwarded to the desired IPv4 address in LAN (exposed host) or to a server in a special DMZ (demilitarized zone, an interface that is separate and monitored by additional firewall rules). In our example the target is implementation in the LAN that is connected to br0 (IPv4 address 192.168.2.254). For this reason, the designation "Exposed Host" is used.

Go to the Network->NAT->NAT Configuration->New menu.

Network->NAT->NAT Configuration->New

Proceed as follows:

  1. Enter a Description such as, e.g. All_to_Firewall .

  2. Select a Interface such as WAN_GERMANY - TELEKOM ENTERTAIN .

  3. Leave the settings Type of traffic = incoming (Destination NAT) .

  4. Leave the Service settings as User-defined .

  5. Leave the Protocol settings as Any .

  6. Ensure that at the option New Destination IP Address/Netmask = host and that the IPv4 address is 192.168.2.254 .

    This rule means that all IPv4 traffic arriving at the PPPoE-WAN interface will be forwarded to the IP address 192.168.2.254.

  7. Click OK to confirm your settings.

The outgoing source ports must now be set for the outgoing traffic regarding sensitive data. This is, for example, necessary for a few manufacturers (LANCOM, Sophos UTM, ...) for starting phase 1 (IKE) of an IPSec connection. This step for IPSec is not necessary if a be.IP™ or a device from bintec elmeg GmbH is in use.

Go to the Network->NAT->NAT Configuration->New menu.

Network->NAT->NAT Configuration->New

Proceed as follows:

  1. Enter a Description such as, e.g. IKE_Sourceport .

  2. Select a Interface such as WAN_GERMANY - TELEKOM ENTERTAIN .

  3. Select the Type of traffic = outgoing (Source NAT) setting.

  4. For the NAT method select symmetrical .

  5. Leave the Service settings as User-defined .

  6. Under Protocol select UDP .

  7. Select Original Source Port/Range = Specify port then enter 500 .

  8. Select New Destination IP Address/Netmask = Specify port then enter 500 .

  9. The New Source IP Address/Netmask given as 0.0.0.0 acts as a placeholder for the dynamically assigned WAN interface IP address If a "fixed" official IP address is available, then this can be entered here.

  10. Under New Source Port enable Original .

  11. Click OK to confirm your settings.

For other services that require retention of the Source Port then please use the same procedure as the above example. Select the corresponding Protocol then enter Port.

Copyright© Version 08/2020 bintec elmeg GmbH