Educational ICT Virtualisation Specialist

Twitter LinkedIn E-mail
Precedence Technologies Ltd
Technology House, 36a Union Lane
Cambridge, CB4 1QB, United Kingdom
T: +44 (0)8456 446 800 / +44 (0)1223 359900
F: +44 (0)8456 446 899 / +44 (0)1223 359459

Jump To: Support > KB > NetManager > Firewalling > NAT

NAT (Network Address Translation)

NAT allows you to hide a whole private network (which may contain thousands of machines) behind a single IP address. This has a number of benefits:

  • If your Internet connection (and thus external IP address) changes, you do not need to re-configure any machines except the NetManager.
  • All internal machines are protected from access from the outside
  • You can easily filter outbound traffic from internal machines using firewalling.
  • You can have many more internal machines than your ISP have allocated you IP addresses for. Some LEA-provided school connections may have only 256 addresses. Real Internet connections have even fewer (perhaps only 1 or 5).

NAT is easily enabled in webadmin by going to Network > NAT

To allow access to internal machines from outside, you will need to use Port Mapping.

Advanced settings

If NAT is enabled, the default action is to determine the external network interface (based on the default gateway that is set) and then map through all other interfaces to the first IP address on that external interface. Internally, this create a lists of interface pairs to map between. For example, if wm2 is your external interface and wm0 and wm1 are internal, this will generate a setting of wm0>wm2 wm1>wm2. You can override this automatically-created list by setting nat_advanced. For instance, you might not want to map the networks attached to wm1 (i.e. you don't want them to have any Internet access).

The syntax is a space-separated list of from>to rules. There are currently two rule formats understood:

  • from-interface>to-interface, e.g. wm0>wm2
  • packet-matching-rules>IP-address. Packets that match the specified rules will be mapped to the IP address given. Rules are given as a comma-separated list of flags. Valid flags are:
    • src= - source IP address(es) (i.e. client IP). Can include netmask, e.g. src=
    • dst= - destination IP address(es) (i.e. what is being talked to). Can include netmask, e.g. dst=
    • port= - destination port number (i.e. what service is being talked to). Can be used to map particularly services to a different external IP address, e.g. port=80
nat_advanced="wm0>wm2 src=,port=80>"

If we assume the main IP address on wm0 is and the main IP address on wm2 is then all traffic from (e.g. client will go out from IP address, except for client speaking http (port 80) which will go out on

© Copyright Precedence Technologies 1999-2019
Page last modified on December 05, 2018, at 11:34 AM by sborrill