Disable NAT

Enabling / Disabling NAT (SNAT / Source NAT / Masquerading) on the Office-LAN (uplink).

Default

Usually an IACBOX system runs with NAT activated on the Office-LAN (uplink) interface. This allows a simple setup without additional routes or firewall rules in the upstream network.


Use cases

Reasons to deactivate NAT on the upstream interface include:

  • Using third-party filters / Layer 7 firewalls
  • Using advanced firewall features (Layer 7 inspection)
  • Custom proxies
  • Per-client traffic visibility/analytics
  • Malware detection and the ability to block single devices that show malicious behaviour
  • Multiple uplinks in use via a load balancer. This makes the load balancer more robust, as it can use the client IP to distribute clients across uplinks.

WebAdmin settings

Go to Network -> Settings, switch to the Office-LAN tab and deactivate the Enable NAT checkbox.


Network changes

As Surf-LAN clients are not masqueraded, proper routing has to be set up in the upstream network.

  • Add routes for the Surf-LAN IP range. The defaults are:
    • Active client-to-client protection: 172.29.0.0/18
    • Without client-to-client protection: 172.30.0.0/20
  • Add a return route so that reply packets reach the Surf-LAN:
    • <Surf-LAN IP-range> via <Office-LAN IP>

Linux example (active client-to-client protection and an Office-LAN IP of 192.168.1.1):

ip route add 172.29.0.0/18 via 192.168.1.1

Limitations for port 80

Please note that our transparent HTTP proxy, which intercepts traffic on port 80, still masquerades the IP addresses of clients. The HTTP proxy will be removed with the next major version, so this limitation only applies to version 21.0.
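Added example (not IACBOX code) that ties the upstream routing step above to the port 80 limitation: it builds the upstream route for the documented default Surf-LAN ranges and then classifies source addresses from constructed firewall log lines, marking port 80 flows from the Office-LAN IP as proxy-masqueraded and therefore not attributable to a single client. The log format, the Office-LAN IP 192.168.1.1 and the sample lines are assumptions.

```python
import ipaddress
import re

# Default Surf-LAN ranges from the documentation, keyed by client-to-client protection.
SURF_LAN_DEFAULTS = {
    True: ipaddress.ip_network("172.29.0.0/18"),   # client-to-client protection active
    False: ipaddress.ip_network("172.30.0.0/20"),  # client-to-client protection off
}

def upstream_route_command(client_protection, office_lan_ip):
    """Route the upstream router needs once NAT is off: Surf-LAN range via the Office-LAN IP."""
    gateway = ipaddress.ip_address(office_lan_ip)  # rejects malformed input early
    return f"ip route add {SURF_LAN_DEFAULTS[client_protection]} via {gateway}"

def attribute_flow(src, dport, client_protection, office_lan_ip):
    """Say what a source address seen on the upstream firewall can be attributed to.

    With NAT disabled, Surf-LAN clients appear with their own address. The exception is
    port 80: the transparent HTTP proxy still masquerades those flows with the Office-LAN
    IP, so they cannot be tied to a single client.
    """
    addr = ipaddress.ip_address(src)
    if addr in SURF_LAN_DEFAULTS[client_protection]:
        return f"client {addr}"
    if addr == ipaddress.ip_address(office_lan_ip):
        if dport == 80:
            return "masqueraded by HTTP proxy (port 80), no per-client attribution"
        return "Office-LAN IP, not a masqueraded client flow (NAT is off)"
    return "outside Surf-LAN range"

# Constructed log lines in iptables LOG style (sample data, not a real capture).
SAMPLE_LOG = """\
IN=eth1 OUT=eth0 SRC=172.29.1.20 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443
IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=80
IN=eth1 OUT=eth0 SRC=172.29.2.7 DST=198.51.100.5 PROTO=UDP SPT=5353 DPT=53
"""

_LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)")

def attribute_log(log_text, client_protection, office_lan_ip):
    """Map each log line to (src, dport, attribution); lines without SRC/DPT are skipped."""
    results = []
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        src, dport = m.group("src"), int(m.group("dpt"))
        results.append((src, dport, attribute_flow(src, dport, client_protection, office_lan_ip)))
    return results

if __name__ == "__main__":
    print(upstream_route_command(True, "192.168.1.1"))
    for entry in attribute_log(SAMPLE_LOG, True, "192.168.1.1"):
        print(entry)
```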