Dynamic NAT with multiple external public addresses

ERR Posts: 2
First Comment
edited April 2021 in Security


I am new with Zyxel. I am trying to setup an USG20-VPN to replace an existing setup made like this:

ISP give the customer different public IP address (i.e. - The internal network is a single local subnet (i.e.

The firewall is using on the WAN port.

What I am trying to achieve is to use two public IP addresses used to NAT the local network. These public addresses are different from the WAN port address (i.e. are and

I have created two virtual WAN interfaces with and ; then I defined a IP RANGE object with these two adresses.

On the Network -> NAT area I have tried to create a "Many 1:1 NAT" with the external object and the LAN1_SUBNET internal net, but the I have the following error displayed "Warning Message: 'The IP Configuration is invalid. Please check the Original IP and Mapped IP.'".

I am unsure this is the correct way to do it. And that it is possible to do it with the USG20-VPN.

Any help is welcome.


All Replies

  • [Deleted User]
    [Deleted User] Posts: 213  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    edited January 2020

    Hello @ERR and welcome to the forum!

    I guess you want that specific internal IPs or subnets should use a specific WAN IP when going out into the internet?

    Then please follow this guide here from page 4 on ("SNAT Routing):


    Virtual WAN interfaces and "Many 1:1 NAT" rules are not needed and you can remove them.

    I hope this helps!

    Best regards


  • ERR
    ERR Posts: 2
    First Comment

    Hello Lukas,

    No, I don't want to set the internal IP or subnet to use a specific WAN IP.

    The internal subnet is only one (, and the external are multiple WAN IP addresses, that are allocated dinamically. Moreover the WAN IP addresses to be used for NAT are different from the one used for the firewall.

    I had already looked to that document but I believe it is not my case.

    Thank you

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ERR

    I think you don’t need Many 1:1 NAT in certain purpose.

    In your scenario, you need more physical wan interface to be configured on your device since virtual interfaces may not fulfill this kind of requirement.

    Since USG20-VPN has only 1 WAN port, we’ll suggest to use model USG110 instead to support multiple WAN interfaces.

    For more spec information about USG110, you can refer to the datasheet below:


    With multiple WAN IP addresses, WAN trunk with policy route setting can allow a range of IP address to go out through the WAN trunk interface.

    Here is the reference about how to set up WAN trunk, you may check if this feature can fulfill your requirement.


Security Highlight