Two nat rules for one port

ITMT
ITMT Posts: 6  Freshman Member
edited April 2021 in Security
Hello,

Is it possible to NAT two different source addresses with one destination port and one public address to two different DMZ destinations?


Required behavior:
1. WAN client 50.10.10.10 requests a connection on port tcp/80 with destination address 10.0.1.1
2. ZyWALL checks the client source address (50.10.10.10) and destination port (tcp/80) and decides (according to NAT rules) to NAT the traffic to the DMZ client 192.168.1.10, to port tcp/80
3. WAN client 50.10.10.20 requests a connection on port tcp/80 with destination address 10.0.1.1
4. ZyWALL checks the client source address (50.10.10.20) and destination port (tcp/80) and decides (according to NAT rules) to NAT the traffic to the DMZ client 192.168.1.20, to port tcp/80

Thank you.

Regards, Radim.

Comments

  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    edited January 2018

    I don't think you can NAT two different source addresses with the ZyWall as is; you can only NAT to the destination, not from source to destination, as the source is any.

    You could add it in ideas

    https://businessforum.zyxel.com/categories/security-ideas

  • ITMT
    ITMT Posts: 6  Freshman Member
    Thank you for the response.

    I recently switched from a Linux system, so I am still comparing ZyWall firewall possibilities with netfilter/iptables.

    With netfilter it is pretty easy to apply the following rules:

    iptables -t nat -A PREROUTING -i wan1 -s 50.10.10.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10
    iptables -t nat -A PREROUTING -i wan1 -s 50.10.10.20 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20

    Anyway, thank you.

    Regards, Radim
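
The source-matched forwarding described in this thread, as an added example that is not part of the original posts: a POSIX shell script that prints an `iptables-restore` ruleset with one DNAT rule per WAN source plus the matching FORWARD accepts. The interface `wan1` and the addresses come from the thread; the default-drop FORWARD policy and the function names are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for source-based DNAT.
# wan1 and all addresses are taken from the thread; the default-drop FORWARD
# policy and the function names are assumptions made for this example.

WAN_IF="wan1"
PUBLIC_IP="10.0.1.1"
PORT=80
# source=destination pairs: WAN client -> DMZ host
MAPPINGS="50.10.10.10=192.168.1.10 50.10.10.20=192.168.1.20"

# Print the DMZ host a given WAN source is forwarded to; fail if none.
dnat_target() {
    for m in $MAPPINGS; do
        if [ "${m%%=*}" = "$1" ]; then
            printf '%s\n' "${m#*=}"
            return 0
        fi
    done
    return 1   # unlisted source: no DNAT rule matches, nothing reaches the DMZ
}

gen_ruleset() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    for m in $MAPPINGS; do
        src=${m%%=*}; dst=${m#*=}
        # -d pins the rule to the one public address; -s selects the DMZ host
        echo "-A PREROUTING -i $WAN_IF -s $src -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $dst:$PORT"
    done
    echo "COMMIT"
    echo "*filter"
    echo ":FORWARD DROP [0:0]"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for m in $MAPPINGS; do
        src=${m%%=*}; dst=${m#*=}
        # FORWARD sees the packet after DNAT, so match the DMZ address here
        echo "-A FORWARD -i $WAN_IF -s $src -d $dst -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

gen_ruleset
```

Piping the output to `iptables-restore --test` parses the ruleset without committing it. Loading it for real replaces the existing nat and filter tables, so merge it with the rules already in place first.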

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited January 2018
    Thanks @PeterUK and @lan31 for sharing.

    Hello ITMT,
    Regarding the request "USG supports NAT port forwarding by source IP address", I would like to move your request to the ideas section.
    Charlie
  • Ian31
    Ian31 Posts: 174  Master Member
    I think USG does not support NAT port forwarding by source IP address in current version.
    Not sure if this could be enhanced in the future.

  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    edited January 2018

    This is what's needed

    Then a rule for incoming source IP 50.10.10.20 to mapping IP 192.168.1.20
