1:1 vs Outbound NAT, Which takes precedence



  • Hello,

    I am using a setup here with several blocks of Class C public addresses externally, and internally use several blocks of Class B addresses for the subnets.  I am using 1.2-Release.

    One block of Class C's I use for one-to-many NAT, so every IP on each subnet will map to at least one public IP.

    I have a network range set up with an outbound NAT similar to:

    Source net: 10.100.0.0/16 -> xx.xx.240.10/32
    Source net: 10.101.0.0/16 -> xx.xx.240.11/32
    Source net: 10.102.0.0/16 -> xx.xx.240.12/32

    I'd also like one class C of the internal class B networks to 1:1 NAT similar to:

    10.100.9.0/24 -> xx.xx.241.0/24
    10.101.9.0/24 -> xx.xx.242.0/24
    10.102.9.0/24 -> xx.xx.243.0/24

    It may seem like a strange setup, but I use this so in DHCP I can determine which hosts get their own 1:1 NAT for gaming/ftp, and which can have just a 1-to-many.

    The question I have is, which gets processed first in the NAT rules?  Does the 1:1 get read before the 1-to-many?  This configuration seems to work in testing, but I don't want to put it into production until I can verify that the 1:1 will always take precedence over the outbound 1-to-many.

    For DHCP, in each of the subnets, I use a scope of roughly 8 class C's.  I suppose if I had to, I could create several 1-to-many rules to encapsulate each subnet, but I don't want to create that many rules if I don't have to.

    Thanks in advance for any help.



  • 1:1 takes precedence over the outbound NAT rules.



  • Thanks Drees,

    I put this system in production yesterday, and it seems like what you are saying is exactly correct.  I was just making sure there were going to be no surprises down the road, and since 1:1 and outbound are in different tabs, there was no way to "order" the rules to act like I wanted.
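The precedence described in the reply above can be checked against the way pf does its lookup rather than only by testing. pfSense 1.2 emits 1:1 NAT entries as pf `binat` rules and outbound NAT entries as pf `nat` rules; pf keeps the two in separate rulesets and, for a packet leaving an interface, consults the binat ruleset before the nat ruleset, so the position of the lines in the generated file does not matter. The following is an added example, not code from this thread or from pfSense: a small Python model of that outbound lookup, run over a constructed ruleset that mirrors the poster's address plan. The interface name `em0` and the `100.64.24x.0/24` addresses (standing in for the poster's `xx.xx.24x.0/24` public blocks) are assumptions.

```python
"""Model of pf's outbound translation lookup, applied to the address plan
from the thread above. Added example; not pfSense or pf code.

pfSense 1.2 writes 1:1 NAT entries as pf `binat` rules and outbound NAT
entries as pf `nat` rules. pf keeps the two in separate rulesets and, for a
packet leaving an interface, consults the binat ruleset first and only then
the nat ruleset, which is why 1:1 wins over an overlapping outbound rule no
matter where each sits in the generated file. The lookup below reproduces
that order over a constructed ruleset."""
import ipaddress
import re

# Constructed stand-in for the translation section pfSense would generate.
# 100.64.24x.0/24 (RFC 6598 shared space) replaces the poster's xx.xx.24x.0/24
# public blocks; "em0" is an assumed WAN interface name.
PF_CONF = """\
nat on em0 from 10.100.0.0/16 to any -> 100.64.240.10
nat on em0 from 10.101.0.0/16 to any -> 100.64.240.11
nat on em0 from 10.102.0.0/16 to any -> 100.64.240.12
binat on em0 from 10.100.9.0/24 to any -> 100.64.241.0/24
binat on em0 from 10.101.9.0/24 to any -> 100.64.242.0/24
binat on em0 from 10.102.9.0/24 to any -> 100.64.243.0/24
"""

# Only the subset of pf.conf syntax used above is understood.
RULE_RE = re.compile(
    r"^(?P<kind>nat|binat)\s+on\s+(?P<iface>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+any\s+->\s+(?P<target>\S+)$"
)


def parse_rules(text):
    """Turn nat/binat lines into (kind, iface, source net, target net) tuples.

    A bare address target (the outbound case) becomes a /32 network."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        src = ipaddress.ip_network(m["src"], strict=False)
        target = ipaddress.ip_network(m["target"], strict=False)
        if m["kind"] == "binat" and src.prefixlen != target.prefixlen:
            raise ValueError(f"binat nets must be the same size: {line!r}")
        rules.append((m["kind"], m["iface"], src, target))
    return rules


def binat_map(src_ip, src_net, target_net):
    """1:1 translation: keep the host bits, replace the network bits."""
    host_bits = int(src_ip) & int(src_net.hostmask)
    return ipaddress.ip_address(int(target_net.network_address) | host_bits)


def outbound_translation(rules, iface, src_ip):
    """Return (rule kind, translated source) for a packet leaving `iface`.

    Mirrors pf's outbound lookup: every binat rule is tried before any nat
    rule, and within a ruleset the first match wins."""
    src = ipaddress.ip_address(src_ip)
    for kind in ("binat", "nat"):
        for r_kind, r_iface, r_src, r_target in rules:
            if r_kind != kind or r_iface != iface or src not in r_src:
                continue
            if kind == "binat":
                return kind, str(binat_map(src, r_src, r_target))
            # Single-address nat pool: every host behind it shares this address.
            return kind, str(r_target.network_address)
    return None, str(src)  # no translation rule applies


def translation_table(conf_text, iface, hosts):
    """Map each host to its outbound translation under the given ruleset."""
    rules = parse_rules(conf_text)
    return {h: outbound_translation(rules, iface, h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample hosts: one from each 1:1 /24, plus a plain DHCP host.
    samples = ["10.100.9.5", "10.101.9.77", "10.102.9.200", "10.100.3.7"]
    for host, (kind, public) in translation_table(PF_CONF, "em0", samples).items():
        print(f"{host:<14} -> {public:<16} ({kind})")
    # Same answers with the rules written in the opposite order: the ruleset
    # type (binat vs nat) decides precedence, not the position in the file.
    flipped = "\n".join(reversed(PF_CONF.strip().splitlines()))
    assert translation_table(flipped, "em0", samples) == translation_table(PF_CONF, "em0", samples)
```

On the firewall itself, `pfctl -s nat` prints the loaded translation rules, so the binat and nat lines pfSense generated from the two GUI tabs can be compared with what this model expects before relying on the behaviour in production.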

