Enable NAT

Enabling / Disabling NAT (SNAT / Source NAT / Masquerading) on the Office-LAN (uplink).

Default

Usually an IACBOX system runs with activated NAT on the Office-LAN (uplink) interface. This allows an easy setup without additional routes or firewall rules.


Use cases

Reasons to deactivate NAT on the upstream interface include:

  • Using third-party filters / Layer 7 firewalls
  • Using advanced features on the firewall (Layer 7 inspection)
  • Custom proxies
  • Per-client traffic visibility/analytics
  • Malware detection and the ability to block single devices on malicious behaviour
  • Multiple uplinks in use via a load balancer. The load balancer becomes more robust, as it can use the client IP to distribute clients across uplinks.

WebAdmin settings

Go to Network -> Settings, switch to the Office-LAN tab and deactivate the Enable NAT checkbox.


Network changes

As Surf-LAN clients are not masqueraded, proper routing has to be set up in the upstream network.

  • Add routes for the Surf-LAN IP range. The defaults are:

    • Active client-to-client protection: 172.29.0.0/18
    • Without client-to-client protection: 172.30.0.0/20
  • Add a return route for packets returning to Surf-LAN clients:

    • for <Surf-LAN IP-range> via <Office-LAN IP>

Linux example (active client-to-client protection and an Office-LAN IP of 192.168.1.1):

ip route add 172.29.0.0/18 via 192.168.1.1
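Once NAT is off, the upstream firewall should log the real Surf-LAN client addresses instead of the Office-LAN IP. The following added example (not IACBOX code) builds the return route command for either default Surf-LAN range and checks constructed firewall log lines to confirm that clients arrive un-masqueraded; the `src=` log field format and the sample lines are assumptions for illustration.

```python
"""Verify that Surf-LAN clients reach the upstream un-NATed.

Added example, not part of the IACBOX product. Assumes an upstream
firewall/proxy log with a "src=<ip>" field; the log lines are constructed.
"""
import ipaddress
import re

# Default Surf-LAN ranges from the documentation, keyed by whether
# client-to-client protection is active.
SURF_LAN_RANGES = {
    True: ipaddress.ip_network("172.29.0.0/18"),   # protection on
    False: ipaddress.ip_network("172.30.0.0/20"),  # protection off
}

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def return_route_cmd(office_lan_ip, c2c_protection=True):
    """Return route the upstream router needs once NAT is disabled."""
    net = SURF_LAN_RANGES[c2c_protection]
    return f"ip route add {net} via {ipaddress.ip_address(office_lan_ip)}"


def classify_sources(log_lines, office_lan_ip, c2c_protection=True):
    """Count log entries by what the upstream sees as the source.

    "client": a real Surf-LAN address (NAT is off, routing works).
    "masqueraded": the Office-LAN IP itself (NAT still active, or the
    IACBOX's own traffic). "other": anything else.
    """
    net = SURF_LAN_RANGES[c2c_protection]
    office = ipaddress.ip_address(office_lan_ip)
    counts = {"client": 0, "masqueraded": 0, "other": 0}
    for line in log_lines:
        m = SRC_RE.search(line)
        if not m:
            continue  # line carries no source field, skip it
        src = ipaddress.ip_address(m.group(1))
        if src == office:
            counts["masqueraded"] += 1
        elif src in net:
            counts["client"] += 1
        else:
            counts["other"] += 1
    return counts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10:00:01 ACCEPT src=172.29.0.15 dst=203.0.113.10 proto=tcp dport=443",
    "10:00:02 ACCEPT src=172.29.1.200 dst=203.0.113.11 proto=udp dport=53",
    "10:00:03 ACCEPT src=192.168.1.1 dst=203.0.113.12 proto=tcp dport=80",
    "10:00:04 ACCEPT src=192.168.1.50 dst=203.0.113.13 proto=tcp dport=443",
    "10:00:05 kernel: link up on eth1",
]

if __name__ == "__main__":
    print(return_route_cmd("192.168.1.1"))
    print(classify_sources(SAMPLE_LOG, "192.168.1.1"))
```

A non-zero "masqueraded" count for ordinary client traffic after the change indicates NAT is still active or the Surf-LAN range does not match the protection setting.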