11.8. BiNAT (Prerouting + Postrouting)

BiNAT is repsonsible for changing the Source and Destination IP Address of a Network Packet. It is DNAT and SNAT combined.

It will only work for a 1:1 mapping of an host to another IP Address.

You can find the BiNAT Rule Settings at Firewall → NAT.

You will find 3 Tabs here Inbound (DNAT), Outbound (SNAT) and Both (BiNAT).

Click on BiNAT to get to the rules.

11.8.1. Move BiNAT Rules

Rules are gouped by interface and are paged in groups of 20 rules. You can drag and drop user created rules to a different position and you can save that position by pressing save on the bottom navigation. You can also move a rule to the next or previous page or the first or last page if you mark the rule on the left (click on the first the cell of the firewall rule) and use the arrows on the bottom left. If you hover over the buttons they will also show you their description.

11.8.2. Create and Update BiNAT Rules

If you click Add you will create a new dnat rule on the current interface where you are. You have various options for the rule to set and the rules are structured by the following sections:

  • General Settings

  • Destinations

  • NAT Settings

  • Advanced

11.8.2.1. General Settings

You can change the following options here:

Enabled Enable or Disable the rule

Interface You can change the Interface of this rule. It will be added to the end of the rule list of that interface if you change it.

Address Family Is either IPv4, IPv6 or both. Depending on the sources and destinations you define the system might not generate a rule for both if you choose IPv4+IPv6.

11.8.2.2. Destinations

The Destination setting has options for the Destination IPs. The destination is the IP that the internal host is mapped to. It is usually an IP on the Firewall e.g. a WAN virtual IP.

11.8.2.3. NAT Settings

You can configure the Redirect IP here. This is the address that the traffic will rewritten/forwarded to. It is the internal IP of a host that is associated with the Destination.

If NAT Reflection is enabled you can also choose the Netmask of a Redirect IP in order to generate a NAT Reflection rule that matches the traffic of the same subnet. This is necessary to create a proper SNAT Rule for such traffic or NAT Reflection will not work properly.

11.8.2.4. Advanced

In the Advanced Settings you can configure a couple of extra options.

Logging You can log the rules traffic and also add a prefix so you can find it easier. Be aware that firewall logging is an expensive operation and generates a lot of log entries.

11.8.2.5. Changes

At the bottom of each rule you can see the Created date, Modified date and the user that last modified the rule Modified user.