
FOS18: Publishing a server with DNAT and SNAT in one rule only

Dear all,

I want to publish a server within the LAN zone to the Internet. In addition to DNAT I also want the rule to SNAT traffic from the Internet to the XG's LAN interface so I don't have to set the default gateway of the published server to the XG.

For that I have created the following NAT rule:

Everything works fine but I have two questions for better understanding what is happening here:

1) I noticed that DNAT is not working if the outbound interface is set to the interface of the LAN zone. It has to be set to Any, otherwise the XG will not accept the packets. Despite the interface not being set to the LAN interface, the XG is still able to correctly SNAT the source address of the packets to the IP address of the LAN interface by selecting MASQ as the translated source. I guess the XG chooses the outgoing interface based on which zone the translated destination belongs to - is that correct? I however don't understand why the outgoing interface must be set to Any even though it's clear which outgoing interface will be used.

2) For SNAT I can either just choose MASQ as the translated source, or leave it at Original and enable "Override source translation (SNAT) for specific outbound interfaces" instead, selecting the outbound interface and choosing MASQ there. Is there any difference or recommendation as to which method to choose for SNAT in combination with DNAT?

Thanks and Best Regards
Michael
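As an added illustration of the mechanism behind the question (not part of the original post, and not Sophos XG code), the following Python model walks a packet through the generic NAT ordering used by netfilter-style firewalls: DNAT first, then a route lookup on the translated destination (which is what picks the egress interface), then SNAT/MASQ to that egress interface's address. It then models what the published server does with its reply. All addresses, interface names and the server's non-firewall default gateway are constructed assumptions; the model does not reproduce XG's rule-matching, so it does not explain why the outbound interface had to be Any.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology (assumption, not the poster's real addressing):
#   WAN interface 203.0.113.10/24, LAN interface 192.168.10.1/24,
#   published server 192.168.10.50 whose default gateway is NOT the firewall.
WAN_IP = "203.0.113.10"
LAN_IP = "192.168.10.1"
SERVER_IP = "192.168.10.50"
OTHER_GATEWAY = "192.168.10.254"   # the server's real default gateway
LAN_NET = ipaddress.ip_network("192.168.10.0/24")

# Firewall routing table: prefix -> (interface name, interface address)
FW_ROUTES = {
    "192.168.10.0/24": ("lan", LAN_IP),
    "203.0.113.0/24": ("wan", WAN_IP),
    "0.0.0.0/0": ("wan", WAN_IP),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def lookup_route(table, dst):
    """Longest-prefix match over the firewall's routes; returns (iface, iface_ip)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]


def firewall_forward(pkt, dnat_to, snat="MASQ"):
    """Apply a combined DNAT (+ optional SNAT) rule in the netfilter order:
    1. rewrite the destination to the published server,
    2. route on the *translated* destination to pick the egress interface,
    3. if MASQ is selected, rewrite the source to that egress interface's IP.
    Returns (packet as the server will see it, egress interface name)."""
    after_dnat = replace(pkt, dst=dnat_to)
    iface, iface_ip = lookup_route(FW_ROUTES, after_dnat.dst)
    if snat == "MASQ":
        after_dnat = replace(after_dnat, src=iface_ip)
    return after_dnat, iface


def server_reply_next_hop(pkt_received):
    """Where the published server sends its reply: directly to on-link peers,
    everything else via its (non-firewall) default gateway."""
    reply_dst = ipaddress.ip_address(pkt_received.src)
    if reply_dst in LAN_NET:
        return str(reply_dst)          # on-link: reply goes straight back
    return OTHER_GATEWAY               # off-link: bypasses the firewall


def trace(client_ip, snat):
    """Run one Internet client through the rule and report the reply path."""
    seen_by_server, iface = firewall_forward(Packet(client_ip, WAN_IP), SERVER_IP, snat)
    return {
        "egress_iface": iface,
        "server_sees_src": seen_by_server.src,
        "reply_next_hop": server_reply_next_hop(seen_by_server),
    }


if __name__ == "__main__":
    for mode in ("MASQ", "Original"):
        print(mode, trace("198.51.100.7", mode))
```

With MASQ the server sees the connection coming from the firewall's LAN address, so its reply is on-link and returns to the firewall, where connection tracking reverses both translations; with the source left at Original the reply is addressed to the public client and leaves through the server's other gateway, so the firewall never sees the return traffic. The trade-off to keep in mind is that masquerading hides the real client address from the published server's own logs, so client attribution then has to come from the firewall's logs instead.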
