Enable NAT
Enabling / Disabling NAT (SNAT / Source NAT / Masquerading) on the Office-LAN (uplink).
Default
Usually an IACBOX system runs with NAT activated on the Office-LAN (uplink) interface. All Surf-LAN clients then appear upstream as the single Office-LAN IP, which allows an easy setup without additional routes or firewall rules.

Use cases
Reasons to deactivate NAT on the upstream interface include:
- Using third-party filters / Layer 7 firewalls
- Using advanced features on the firewall (Layer 7 inspection)
- Custom proxies
- Per-client traffic visibility/analytics, since the upstream sees the real client IP instead of the Office-LAN IP
- Malware detection and the ability to block individual devices on malicious behaviour
- Multiple uplinks in use via a load balancer. Without NAT the load balancer sees the client IP and can use it to distribute clients across uplinks, which makes the load balancing more robust.
WebAdmin settings
Go to Network -> Settings, switch to the Office-LAN tab and deactivate the Enable NAT checkbox.

Network changes
As Surf-LAN clients are no longer masqueraded, the upstream network needs routes back to them, and any upstream firewall policy that matched the Office-LAN IP of the IACBOX now has to match the Surf-LAN ranges instead.
Add routes for the Surf-LAN IP range on the upstream router. The defaults are:
- Active client-to-client protection: 172.29.0.0/18
- Without client-to-client protection: 172.30.0.0/20
Add a return route for packets travelling back to the clients, with the Office-LAN IP of the IACBOX as next hop:
- <Surf-LAN IP-range> via <Office-LAN IP>
Linux example (active client-to-client protection and an Office-LAN IP of 192.168.1.1):
ip route add 172.29.0.0/18 via 192.168.1.1
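The upstream-router side of this procedure, as an added example that is not IACBOX's own code: it picks the default range for the client-to-client protection mode, emits an idempotent route command, and checks the output of ip route get so the return route is confirmed before NAT is switched off and clients lose their way back. The router's own addresses (192.168.1.254 on the LAN, 203.0.113.10 on the WAN), the interface names and the sample command outputs are constructed for the example; only the ip commands are real.

```shell
#!/bin/sh
# Added example, not IACBOX code: the upstream Linux router side of a NAT-less uplink.
# Assumed (not from the page): the IACBOX Office-LAN IP is 192.168.1.1, the router's
# own LAN address is 192.168.1.254, its WAN side is 203.0.113.10, and iproute2 is installed.

OFFICE_LAN_IP=192.168.1.1   # next hop for anything destined to Surf-LAN clients
C2C_PROTECTION=on           # "on" or "off", matching the IACBOX setting

# Default Surf-LAN range for the client-to-client protection mode (values from the page).
surf_lan_range() {
    case "$1" in
        on)  echo 172.29.0.0/18 ;;
        off) echo 172.30.0.0/20 ;;
        *)   echo "unknown client-to-client mode: $1" >&2; return 1 ;;
    esac
}

# Build the route command. "replace" is idempotent; "add" fails with
# "RTNETLINK answers: File exists" when the script is run a second time.
return_route_cmd() {
    printf 'ip route replace %s via %s\n' "$1" "$2"
}

# Check "ip route get <client>" output: its first line must name the IACBOX as next hop.
# $1 = captured output, $2 = expected gateway. Returns 0 when the route is in place.
route_via_gateway() {
    printf '%s\n' "$1" | head -n 1 | grep -q " via $2 "
}

# Constructed samples of what "ip route get 172.29.1.10" prints on the router.
# With the return route present, the client is reached through the IACBOX:
SAMPLE_OK='172.29.1.10 via 192.168.1.1 dev eth0 src 192.168.1.254 uid 0
    cache'
# Without it, the packet follows the default route out of the WAN interface
# and never reaches the client:
SAMPLE_MISSING='172.29.1.10 via 203.0.113.1 dev eth1 src 203.0.113.10 uid 0
    cache'

main() {
    range=$(surf_lan_range "$C2C_PROTECTION") || return 1
    echo "# run on the upstream router before disabling NAT on the IACBOX:"
    return_route_cmd "$range" "$OFFICE_LAN_IP"
    echo "# then confirm a Surf-LAN client address is reached via the IACBOX:"
    echo "ip route get 172.29.1.10"
    if route_via_gateway "$SAMPLE_OK" "$OFFICE_LAN_IP"; then
        echo "# sample output: return route present, safe to disable NAT"
    fi
    if ! route_via_gateway "$SAMPLE_MISSING" "$OFFICE_LAN_IP"; then
        echo "# sample output without the route: replies would leave via the default gateway"
    fi
}

main
```

If the upstream router is not Linux, the same two steps apply: a static route for the Surf-LAN range pointing at the IACBOX's Office-LAN IP, then a route lookup for one client address to confirm the next hop before the NAT checkbox is cleared.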
NAT Helper Rules
NAT Helper Rules provide special NAT handling for applications that need connection tracking assistance. This is an advanced feature that should only be used by experienced administrators who understand its implications; the vast majority of network traffic does not require these rules.
These rules use iptables to match traffic on specific ports (TCP/UDP) and hand the matching connections to application-specific conntrack helpers, which parse the control channel and track the data ports the application negotiates dynamically. Without the right helper, such applications may fail to establish connections through NAT. Because a helper parses payload from untrusted peers and opens the firewall for the connections it expects, a rule should cover only the port that actually needs it.
Supported Applications
- TFTP - Trivial File Transfer Protocol
- FTP - File Transfer Protocol
- SIP - Session Initiation Protocol
- IRC - Internet Relay Chat
- SNMP - Simple Network Management Protocol
Default Rules
The system provides 5 predefined NAT helper rules for standardized ports that can be enabled or disabled:
- 4 SIP rules - For standard SIP communication
- 1 TFTP rule - For TFTP file transfers
Custom Rules
For applications not covered by the default rules, or configured to use non-standard ports, custom NAT helper rules can be added through the UI. This allows specifying:
- Custom port numbers
- Protocol type (TCP/UDP)
- Application-specific NAT helper
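What a custom rule amounts to on a Linux router, as an added example that is not IACBOX's own code and not the rules the WebAdmin generates: a helper name, transport and port are validated against what the kernel's conntrack helpers support (no TFTP or SNMP over TCP, no FTP or IRC over UDP) and turned into an explicit raw-table CT rule. The module names are those of the kernel helpers; the validation logic and the sample rules are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not IACBOX code: the iptables form of a NAT helper rule, i.e. binding a
# conntrack helper to one port/protocol with the CT target in the raw table.
# Assumed, not from the page: a Linux router with iptables and the nf_conntrack_*/nf_nat_*
# modules; nothing here is executed, the commands are only printed.

# Transports each helper supports. The kernel has no TFTP or SNMP helper for TCP and the
# FTP and IRC control channels are TCP only; the SIP helper is registered for both.
helper_protos() {
    case "$1" in
        ftp|irc)   echo "tcp" ;;
        tftp|snmp) echo "udp" ;;
        sip)       echo "tcp udp" ;;
        *)         return 1 ;;
    esac
}

# Kernel modules behind a helper: the conntrack module parses the control channel,
# the nf_nat module rewrites addresses embedded in it. SNMP's NAT module has its own name.
helper_modules() {
    case "$1" in
        snmp) echo "nf_conntrack_snmp nf_nat_snmp_basic" ;;
        *)    echo "nf_conntrack_$1 nf_nat_$1" ;;
    esac
}

# Validate one custom rule (helper, proto, port) and print its iptables command.
# raw/PREROUTING runs before conntrack creates the entry, and CT --helper binds the
# helper to that flow only; this explicit assignment is what works with
# net.netfilter.nf_conntrack_helper=0, the kernel default since 4.7.
nat_helper_rule() {
    helper=$1; proto=$2; port=$3
    protos=$(helper_protos "$helper") || { echo "unknown helper: $helper" >&2; return 1; }
    case " $protos " in
        *" $proto "*) ;;
        *) echo "$helper has no $proto helper" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    printf 'iptables -t raw -A PREROUTING -p %s --dport %s -j CT --helper %s\n' \
        "$proto" "$port" "$helper"
}

# Print (not execute) everything needed for one rule: module load plus the rule.
# Helpers parse attacker-influenced payload and open pinholes for the data connections
# they expect, so keep each rule to the one port that needs it and add -s/-d matches
# when only specific servers are involved.
show_rule() {
    cmd=$(nat_helper_rule "$1" "$2" "$3") || return 1
    echo "modprobe -a $(helper_modules "$1")"
    echo "$cmd"
}

# An FTP server on a non-standard port, a standard SIP rule, and a TFTP-over-TCP
# rule that is rejected because no such helper exists.
show_rule ftp tcp 2121
show_rule sip udp 5060
show_rule tftp tcp 69 || echo "# rejected as expected"
```

The CT target only assigns the helper; the helper's expectations still pass through the normal filter and nat tables, so the usual forwarding policy continues to apply to the data connections it opens.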