Questions tagged as ['nat']

In computer networking, network address translation (NAT) is the process of modifying network address information in datagram (IP) packet headers while in transit across a traffic routing device for the purpose of remapping one IP address space into another.
Score: 0
Sharper avatar
UFW blocks Https NAT response

I've got a setup with OpenVPN that routes two networks to WAN. In the setup below, a Fedora Linux server provides OpenVPN access to WAN, while the Mikrotik 1 router routes (not NATted) traffic to specific hosts via the OpenVPN server.

The issue is that HTTPS is not available via the Fedora router since I got rid of the NAT for and 89.0/24 networks.

The problem is that UFW seems to block NAT r ...

Score: 0
RRAS NAT on specific fixed IP address

I have an AWS EC2 VPC-based Windows Server instance that has two private IP addresses and two elastic IP addresses on a single network interface with IP addresses:

IP Role Primary Secondary

I have configured the primary IP address in the NIC, and under the advanced tab I have added the secondary IP address; however, this has caused an undesired effect under R ...

Score: 0
Rémy Bauduin avatar
Unable to SSH into my proxmox hypervisor from a VM

To start, here is my infra in summary:

I have a Proxmox server with a public IP. I created a vmbr1 bridge from Proxmox ( and I use IP for my VM.

Here is the route: dev vmbr1 proto kernel scope link src

I deleted all iptables rules, I have this one left for NAT:

Chain POSTROUTING (policy ACCEPT 786 packets, 36868 bytes)

pkts bytes target pro ...

Score: 0
Esmail Amini avatar
Configuring PFSense to exclude specific external ip address

Pfsense is installed on top of five dedicated servers, NAT rules are already defined and everything works fine. Now, I want to have one of the external IP addresses to be ignored by pfsense gateway. In other words, for that IP, there is no Pfsense installed, no address translation is done, no internal IP exists, etc.

Is this possible, and if so, how?


Score: 1
mon avatar
GCP - why cloud NAT needs cloud router?

Why does GCP Cloud NAT need BGP/Cloud Router?

Cloud Router documentation

Cloud Router enables you to dynamically exchange routes between your Virtual Private Cloud (VPC) and on-premises networks by using Border Gateway Protocol (BGP)

Cloud NAT overview

You configure a NAT gateway on a Cloud Router, which provides the control plane for NAT, holding configuration parameters that you specify.

Each C ...

Score: 0
Georg Schölly avatar
What happens with MASQUERADE and packets that originate on the host itself?

Given the following network:

                     +-- endpoint 1
internet -- server --+-- endpoint 2
                     +-- endpoint 3

where the endpoints are on subnet and they route their traffic through the server.

For this, we require a NAT rule on the server for the interface connected to the internet:

iptables -t nat -A POSTROUT ...
Score: 0
HMH avatar
Issue with TFTP and IPTables and (s)-NAT

I've some issues with TFTP download behind NAT using IPtables and I could really use your help. I'm familiar with networking principles, but pretty new to IPtables, so I'm sorry if I'm doing something completely wrong.

I have a server running Ubuntu 20.04 with two NICs, which tries to connect to a TFTP server. While everything else works perfectly okay, I'm getting a timeout when trying to TFTP. ...

Score: 0
Will Roberts avatar
RHEL 7 in Hyper-V with Proper NAT Configuration Issues

I have a RHEL7 VM running on Hyper-V. In my VM, I have a web-based program that I need to access over port 11000. In the VM, the software is configured and is accessible by

I've tried setting up an external v-switch and internal v-switch, both have not been successful as I cannot even ping the virtual switch from within the VM. I am trying to configure this using a NAT Switch. ...

Score: 1
ppenguin avatar
pfSense NAT to server in a second LAN subnet behind an internal second router (not working)

I have a pfSense firewall/router that is exposing some services to my public ip.

This is working fine, as long as the service is on the primary LAN subnet (, let's call it LAN-A.

E.g. this works:

public_ip:443 -> pfSense (NAT) -> (reverse proxy)

I additionally have a second LAN, let's call it LAN-B, that is behind a Mikrotik router on 192.168.1 ...

Score: 1
theburntcrumpet avatar
How can I configure Wireguard running in a docker container on a VPS to allow communication between its connected clients?

I have a VPS running WireGuard as a server in a docker container, where I've given it the devices I intend on adding as peers.

I have a home server running WireGuard as a client in a docker container using the host network mode. IP Forwarding is enabled on each of these servers.

When I connect with my laptop to the WireGuard host on the VPS, I'm unable to access my home server.

Am I approaching this wr ...

Score: 0
Gnujeremie avatar
NAT source IP in Strongswan IPSEC VPN on Amazon EC2

Ok so first of all, networking is really not my strong suit...

I have an Amazon Linux EC2 instance, ip, connected to an IPSEC VPN using strongswan:

conn aws-to-other
        # Server local IP
        # Server public IP
        # Sous réseau lo ...
Score: 0
average_coder25 avatar
Flushing IP table doesn’t flush NAT

When I execute sudo iptables -F, my iptables rules for the nat table are not flushed. Why is this the case? What does the above command do?

I believe there are three tables: filter, nat, and mangle. I don’t think any of these tables are affected by sudo iptables -F. Is this correct?

Score: 0
ivan.ukr avatar
MikroTik - configure NAT behind NAT

I have a primary Mikrotik router connected to the Internet provider and serving internal network. I also have a second Mikrotik router which I want to plug into the internal network of the first router and serve its own internal network. I can control both routers.

I have configured second one to serve its own internal network using QuickSet, and allocated IP address for i ...

Score: 0
Menas avatar
How to troubleshoot port blocking issue

I'm forwarding port 80 of a web server to the public interface of the firewall, which is then mapped to a domain name so that the server can be accessible from that domain name.

I did this process too many times but this time I'm in a different country and connected to the internet using a different kind of firewall.


  1. When I try to access the website from any other networks, it shows " ...
Score: 0
FreeBSD: How can I tune the lifetime for TCP/UDP for in kernel NAT?

There used to be these sysctls in older versions of FreeBSD, viz:


now on FreeBSD 12 sysctl reports that these don't exist.

How can I tune the lifetime for TCP/UDP for in kernel NAT?

Score: 0
DevopsinAfrica avatar
how can I NAT a NAT IP

I have a server on AWS with a floating (secondary) IP. During integrations with a partner I provide my secondary IP to be whitelisted and define a POSTROUTING rule to SNAT my IP to the secondary IP to reach to destination such as

sudo iptables -t nat -A POSTROUTING -d partnersip/32 -s myprivateip -j SNAT --to-source secondaryip 

But now I've come to a scenario where my partner is also using NAT and I ...

Score: 0
VietDuc19 avatar
Allow IP NAT for Mod GeoIP on Apache

I have a web server running Apache 2.4.46 on a CentOS 7 server.

Currently, I have configured mod GeoIP for it, using the MaxMind GeoLite2 Database, and only allow access from specific countries.

It's running OK, but today a few customers cannot access my website and got a 403 Error (Permission Denied).

I checked on the web server and saw that: these customers are living in my allowed countries but their public I ...

Score: 11
S.B avatar
What happens if two local systems download the same resource on same port?

I'm aware of the NAT table. I just want to know what happens if two clients in a private local area network want to download exactly the same resource on the same port? In other words, when a packet comes from the server, how can the router decide which client is supposed to get this packet?

If I'm not wrong, the incoming packet from the server has destination IP address of the router which is publi ...

Score: 0
Jonas Metzger avatar
Route all internet traffic through vsock channel

I can run arbitrary code on both a Linux server instance and a Linux VM inside the server. Both can only communicate to each other through vsock channels. Only the server instance has internet access.

I'd like to run one program on the server and one on the VM that connect to each other through vsock. The VM part intercepts any outgoing internet traffic and sends it to the server part via vsock w ...

Score: 0
Policy/Routing of URL with Virtual Server connected to two different external switch

I am trying to create a policy/routing on the virtual machine. My host physical machine with Hyper V is connected with three NICs (one for internal, external switch 1 (for internet and port 80), external switch 2 (connected to a router with AutoVPN enabled)). I want to make a policy or routing that when someone types a it takes the, internal IP address as a source and use port 443 an ...

Score: 0
OttoEisen avatar
Choice of NAT64 prefix

I'm about to deploy NAT64 and I noticed that it's possible to use your own prefix instead of the "well-known prefix". Now I can imagine complex scenarios with multiple NAT64 gateways serving different prefixes where that would be necessary. But for a rather simple configuration with 2 VRRP routers, is there any advantage to using your own prefix?

Score: 0
OttoEisen avatar
NAT64 on Debian

Update 2: I wrote a quick&dirty tutorial for Jool on Debian 11, since their website is very thorough, but also slightly confusing and the examples too complex for most cases.

I'm looking to go IPv6 native and need a NAT64 implementation on my Debian routers. Is tayga still the way to go, as it's in the user space and all? Is there no kernel equivalent to "iptables ... -j MASQ" for NAT64?

Also with t ...

Score: 0
Se ven avatar
Connect to VPN server via VPN client which is a NAT instance

Main question is how to connect to a vpn server via a vpn client which is a NAT instance, let me describe about it.

Scenes 1:

I have a group of service instances (Ubuntu 18.04) named A

One instance, which I use as a NAT instance, named B

Both group A and instance B are in the same VPC. A has no public IP, B has one public IP, and what I did is use B as a NAT and set SNAT in the VPC so group A can access internet  ...

Score: 0
sebastien dontneedtoknowthat avatar
How to prevent netfilter to automatically change the source ports

I observed that netfilter changes the source port when a connection is established in the conntrack module. I need to prevent this behavior.

Here is what I have done to reproduce my problem:

  1. I create a netfilter rule that will perform DNAT from port 2002 to 2003

sudo iptables -w -t nat -A OUTPUT -s -d -p udp --sport 2001 --dport 2002 -j DNAT --to-destination :2003

  2. I t ...
Score: -1
t09 avatar
KVM nat command line

What is the correct way to set up NAT networking between KVM vm and host?

KVM vm:

No firewall Installed

$ sudo arp-scan -r 5 -t 1000 --interface=eth0 --localnet
52:55:0a:00:02:02    locally administered
52:55:0a:00:02:03    locally administered

$ ip r

default via dev eth0 proto dhcp metric 100
dev eth0 proto kernel scope link src metric 100
Score: 2
Dainii avatar
Conntrack, failed to NAT its own TCP packets from another VRF

I came across a tricky problem with source NAT when using multiple VRF on a Debian based router. It's a bit complex to explain, so I will try to be clear, but it will not be short, sorry for that. The problem should be easy to reproduce though.

To isolate the "management" part of the router (ssh and other services) from its router job (routing and NATing packets), I tried to set up the "mgmt" VRF ...

Score: 0
G_Hosa_Phat avatar
Access SonicWALL Public Management Interface from firewalled LAN subnet

I'm attempting to work with the SonicOS API in a project to try and automate the renewal and deployment of SSL certificates from Let's Encrypt. However, I'm unable to establish a connection to the API endpoint from behind the firewall, no matter how I try to get there:

  • By LAN (X0) IP address - The connection rejects the HTTPS connection because the installed SSL certificate is for a public subdomain add ...
Score: 0
How to redirect DNS request to a remote systemd-resolved?

I was trying to make systemd-resolved act as a remote DNS caching server (I know it is not intended to do so). I changed net.ipv4.conf.br0.route_localnet to 1 and added the following nftables rules:

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 100; policy accept;
        iif "br0" udp dport 53 counter packets 6 bytes 366 dnat to

    chain ...
Score: 0
Vinayak S avatar
Udp punchhole between two instances behind two different cloud NAT on GCP

Hi, I'm trying to achieve the UDP punchhole concept between two compute instances (on different networks with no public IP) behind two different cloud NATs for their respective networks. It seems that in logging I can see the connection being established but cannot see the message/packet being transferred on the terminal. I don't quite understand what is going on here, can someone help me please? Thanks in ad ...

Score: 0
Arman180 avatar

I'm trying to implement the same arch in the image below on Windows.

I tried many different ways with no luck. (I can achieve this on Linux with the following commands)

sudo sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g" /etc/sysctl.conf

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent.service
