Is it me, or is the NAT creation page design just broken?

How do you create a NAT for the same port with TCP AND UDP? Don't tell me I need to create 2 separate rules...

How about something not TCP nor UDP? Like ICMP ...

In the service zone of the NAT rule I must type the port numbers... Why can't I use the same service definitions I created for the firewall rules?


Did a 19-year-old trainee design this page? Come on, we are not talking about a free firewall solution (and I must add that something free like PFSense is far better than XG in the firewall/NAT/interfaces handling).



  • I think you are being a bit harsh with the broken bit because the NAT function does work, but the rest of your post is a good summation.

    You have picked on another area where the relationships have not been thought through.

    The XG is getting better and I would hope by this time next year to see many more improvements and be up to V19 or 20?

  • As my subject indicates, I'm talking about the page design, not how the NAT works.

    But, are you able to create a NAT for ICMP? Or re-use the service definitions and not have to type the port ranges/list every time?

    Thanks

  • No, I was not able to create a NAT policy for ICMP.

    But, I suspect you don't need to, because you should create a rule with the protocol and use standard NAT (MASQ).

  • Do you mean this?

    As I understand it, here you can rewrite the source address, not the destination, which is intended for outbound traffic, not inbound.

    Having the source rewritten is no use in exposing internal services; I need to rewrite the destination (from the public IP to the internal IP).

  • Try using a firewall rule.

    Hopefully you can see this.

    I have not tried this, but you would create a nat policy of the internal address range you want to expose to the outside world. You would then move the rule to the top of your rule list. Then tick the re-write box.

    Does this make any sense? You have to remember the thinking for the XG and similar devices is totally different to the UTM. Takes a bit of getting used to.

  • I am sorry, but I really don't understand what you are showing me.

    You are highlighting just the "where the rule will match" part (src zone, src subnet/IP, schedule, dst zone, dst subnet/IP, dst service) of a firewall rule.

    Where and how do you propose I should use it to make an inbound NAT?

    Thanks

  • You create the rule for the ICMP. You create a NAT policy for the IP address range you want to expose. You use the NAT policy you created in place of the MASQ policy and tick rewrite, and there you have the NAT rule that you wanted.

  • The MASQ policy is just for rewriting the source address; I really don't understand how to make it rewrite the destination.

    So you propose something like this to match the incoming connection from any WAN to one of my WAN IPs?

    And then how do I rewrite WANs.5:0 to my internal IP?

    Thanks

  • Source and destination need to be any. Destination network needs to be any. You tick the box to match known users and add your WANs.5:0, whatever that is.

    You create a NAT policy with the internal IP addresses you want. Then you tick the re-write source address, being the external network. In fact with this config you might not need to create your own NAT policy.

  • I have to give up, I can't follow your instructions.

    "Source and destination need to be any": do you mean SRC and DST zones only? If that's the case, why can't I restrict with the proper zones?

    "Destination network needs to be any": how will this match my public IP? With SRC and DST zones set to any and DST network set to any, it will match everything apart from the filter by the service definition.

    "You tick the box to match known users": why do you want to match a known user? This traffic is coming from the WAN; I have no idea who it might be.

    WANs.5:0 is the fancy name XG decided to assign to my secondary IP on one of my WAN interfaces.

    "You create a NAT policy with internal IP addresses you want": do you mean like this?

    "Then you tick the re-write source address being the external network": I'm sorry, I've lost you. Where do I set this external network here?

    Thank you again