What does 'NAT traffic exiting this interface' mean?
This article attempts to provide additional details about the "default NAT" option available in the configuration of an interface in NG Firewall.
What does this do?
If this option is enabled, any traffic leaving the interface will be NAT'd to the IP address of the interface itself. Any incoming traffic destined to this interface would be blocked unless it was allowed via a Port Forward Rule (see Provide access to an internal server or device for more information on setting up port forwarding in NG Firewall).
When should I use it?
As an example, WAN interfaces typically must have this option checked. This is to ensure that traffic destined out to the internet appears to originate from the WAN IP itself. Because the WAN IP is public, traffic can be routed back to it. If traffic were allowed to retain its 'real' (private) address, routing back to the originating device would be impossible because private IPs cannot resolve on the internet.
This option is usually not recommended for internal interfaces. While it's possible to use it to segregate LANs from one another, the better option is to use Filter Rules as outlined here: Blocking Traffic Between Interfaces. This is because any traffic traversing the interface will have its source IP NAT'd to the interface's own IP, rather than the original device's IP: the return traffic is sent to the interface itself and goes no further.Follow
Please sign in to leave a comment.