11.7. SNAT (Postrouting)

SNAT or Source NAT is responsible for changing the Source IP Address of a Network Packet. It is the last rule that VT AIR processes for a new Network Packet arriving at the firewall.

With SNAT you can masquerade the sender of the Network Packet. SNAT rewrites the source of the Network Packet to the IP you choose.

Image: SNAT

This image was created with icons by srip and Good Ware from Flaticon.

By default, traffic coming from your local network and going to a destination outside of your network will be given a new source IP reflecting your WAN IP. However, this is not always the desired behaviour. In High Availability setups, for example, a shared virtual WAN address must be used. Refer to Setup Examples for further details on this.

Image: SNAT Default Rule

You can find the SNAT Rule Settings at Firewall → NAT.

You will find 3 tabs here: Inbound (DNAT), Outbound (SNAT) and Both (BiNAT).

Click on SNAT to get to the rules.

11.7.1. Move SNAT Rules

Rules are grouped by interface and are paged in groups of 20 rules. You can drag and drop user-created rules to a different position and save that position by pressing Save in the bottom navigation. You can also move a rule to the next or previous page, or to the first or last page, if you mark the rule on the left (click on the first cell of the firewall rule) and use the arrows on the bottom left. If you hover over the buttons they will also show you their description.

11.7.2. Create and Update SNAT Rules

If you click Add you will create a new SNAT rule on the interface you are currently viewing. You have various options to set for the rule, and they are structured in the following sections:

  • General Settings

  • Sources

  • Destinations

  • NAT Settings

  • Advanced

11.7.2.1. General Settings

You can change the following options here:

Enabled Enable or Disable the rule

Interface You can change the Interface of this rule. It will be added to the end of the rule list of that interface if you change it.

No NAT Traffic matched by this rule is excluded from SNAT. This is useful for exceptions.

Address Family Is either IPv4, IPv6 or both. Depending on the sources and destinations you define, the system might not generate a rule for both if you choose IPv4+IPv6.

Protocol The Layer 2 Protocol of the rule.

11.7.2.2. Sources

The Source setting has options for the Source IPs and, if applicable, Source Ports. You can add multiple entries of each and also mix IPv4 and IPv6. The system will figure out the rule for you.

Source Ports can be found under Advanced Source Settings.

The Invert IP Match option will invert IPs and MACs as well as the ports.

11.7.2.3. Destinations

The Destination setting has options for the Destination IPs and, if applicable, Destination Ports. You can add multiple entries of each and also mix IPv4 and IPv6. The system will figure out the rule for you.

The Invert IP Match option will invert IPs as well as the ports.

11.7.2.4. NAT Settings

You can configure the Translation IP and, if applicable, the Translation Port. This is the address that the traffic will be rewritten to. The firewall will change the source of the Network Packet to this address/port.

By default VT AIR will select a random source port for the traffic. This is not useful in all situations: some protocols, like VoIP, depend on a static port. Enable the static port option to use a static port.

11.7.2.5. Advanced

In the Advanced Settings you can configure a couple of extra options.

Logging You can log the rule's traffic and also add a prefix so you can find it more easily. Be aware that firewall logging is an expensive operation and generates a lot of log entries.

Routing Table You can apply this SNAT Rule to traffic using the specified routing table. The traffic must first be matched by a firewall rule that sets the routing table for the connection.

Input Interface You can set the input interface of the packet to match.
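The following nftables ruleset is an added illustration of the options described in the General Settings, NAT Settings and Advanced sections above. It is not VT AIR's own configuration and does not show what the product generates; it assumes an nftables backend (an assumption of this example), the constructed addresses 192.0.2.10 (WAN), 192.0.2.20 (shared HA virtual WAN address), 10.0.0.0/24 (LAN), 10.0.5.0/24 (a network that must not be translated), 2001:db8:1::/64 and 2001:db8::10 (IPv6 counterparts), and the interface names "wan0" and "lan0". Rule order matters: the No NAT exception must sit before the rule it is an exception to, because the first NAT rule that matches decides the mapping.

```nft
# Added example, not VT AIR configuration. Assumes an nftables backend and
# the constructed addresses and interface names named in the lead-in.
table inet snat_example {
    chain postrouting {
        # Postrouting is the last hook a packet passes; routing and filtering
        # have already been decided when the source address is rewritten.
        type nat hook postrouting priority srcnat; policy accept;

        # "No NAT" exception: traffic to 10.0.5.0/24 leaves untranslated.
        # "return" ends evaluation of this chain before any snat rule matches.
        ip saddr 10.0.0.0/24 ip daddr 10.0.5.0/24 oif "wan0" return

        # Logging with a prefix so the entries are easy to find. "log" does not
        # terminate, so the packet continues to the rules below. Logging every
        # packet is expensive; keep it on only while troubleshooting.
        ip saddr 10.0.0.0/24 oif "wan0" log prefix "SNAT-LAN: "

        # Static port for VoIP signalling (UDP 5060): the address is rewritten,
        # and without the "random" flag nftables keeps the original source port
        # unless it collides with an existing mapping.
        ip saddr 10.0.0.0/24 oif "wan0" udp sport 5060 snat to 192.0.2.10

        # Routing table / input interface: only packets that entered on lan0
        # and carry mark 0x1 (set earlier by a filter rule, not shown here)
        # use the shared HA virtual WAN address.
        meta mark 0x1 iif "lan0" oif "wan0" snat to 192.0.2.20

        # Default rule: rewrite the source to the WAN address and pick a
        # random source port.
        ip saddr 10.0.0.0/24 oif "wan0" snat to 192.0.2.10 random

        # IPv6 counterpart of the default rule, generated only when an IPv6
        # source is defined (the "IPv4+IPv6" address family case).
        ip6 saddr 2001:db8:1::/64 oif "wan0" snat to 2001:db8::10 random

        # If the WAN address is dynamic, "masquerade" uses whatever address
        # wan0 currently holds instead of a fixed "snat to" target.
        # ip saddr 10.0.0.0/24 oif "wan0" masquerade random
    }
}
```

Load it with "nft -f <file>" and inspect the result with "nft list table inet snat_example". The chain's "policy accept" means anything that matches no rule leaves with its original source, so the No NAT exception and the masquerade/snat rules together cover exactly the cases the page describes: excluded traffic is untouched, everything else from the LAN is rewritten, and the marked traffic takes the HA address.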

11.7.2.6. Changes

At the bottom of each rule you can see the Created date, the Modified date and the user that last modified the rule (Modified user).