This article shows how to configure Virtual Server, 1:1 NAT, Many 1:1 NAT and Virtual Server Load Balancer rules, and explains the differences between them, for the case where you want to forward a port to an internal server. The NAT menu on the USG FLEX / ATP / VPN series is used to make internal devices reachable from the internet.
Table of Contents
Differences between Virtual server, 1:1 NAT and Many 1:1 NAT
1) Configure Port Forwarding
1.1 Create the Virtual server rule
1.1.1 Mapping rule for Virtual Server
1.1.2 Create objects to insert into the NAT rule
1.2 Add a Firewall rule to allow the NAT (Port Forwarding)
1.2.1 Create a new service object
1.3 Test the result
1.4 Configure 1:1 NAT
1.4.2 Use-case scenario for 1:1 NAT vs. Virtual Server
2) Configure Many 1:1 NAT
2.1 Create the Many 1:1 NAT rule
2.1.1 Mapping Rule for Many 1:1 NAT
3) Configure Virtual Server Load Balancer
3.1 How does the Virtual Server Load Balancer work?
3.1.1 The Load Balancing Process
3.1.2 Load Balancing rules to follow
3.1.3 Virtual Server Load Balancing Algorithms
3.2 Virtual Server Rule Mapping
Differences between Virtual server, 1:1 NAT and Many 1:1 NAT
Virtual Server makes computers on a private network behind the firewall available to a public network outside the firewall (like the internet).
1:1 NAT is used if the internal server will also initiate sessions to outside clients. Select it to have the firewall translate the source IP address of the server's outgoing traffic to the same public IP address that outside clients use to reach the server.
Many 1:1 NAT is used if you have a range of internal servers that will initiate sessions to outside clients and that have a matching range of public IP addresses. One Many 1:1 NAT rule works like multiple 1:1 NAT rules, but it reduces configuration effort because you only create one rule. Select it to have the firewall translate the source IP address of each server's outgoing traffic to the public IP address that outside clients use to reach that server.
When to use Virtual Server and 1:1 NAT?
Virtual Server is used when the WAN interface address itself is used as the public address.
1:1 NAT is used when an address from the WAN subnet is used as the public address.
1) Configure Port Forwarding
Virtual Server is the most commonly used mapping type; use it when you want to make an internal server available to a public network outside the Zyxel Device (such as, but not limited to, the internet).
For a more detailed description please see our video:
1.1 Create the Virtual server rule
First log in to the device, navigate to Configuration > Network > NAT and create a new rule by clicking the "Add" button.
Then enter a rule name, set the port mapping type to "Virtual Server" and set the incoming interface to WAN.
1.1.1 Mapping rule for Virtual Server
Incoming interface - the interface that the traffic is coming from
Source IP - where the users are connecting from (e.g. trusted IPs)
External IP - the IP address of the WAN interface
Internal IP - the IP address of the server that you want to forward the ports to
Port Mapping Type
any - all traffic will be forwarded
Service - select a service object (a protocol)
Service-Group - select a service-group object (a group of protocols)
Port - select a single port that needs to be forwarded
Ports - select a port range that needs to be forwarded
1.1.1.1 External vs. Internal ports
The external port is the port that the external user connects to on the WAN side of the firewall.
The internal port is the port that the traffic is forwarded to on the LAN side.
This can be a 1:1 translation (port 443 to 443) or a translation to a different port (port 4433 to 443, for example).
1.1.2 Create objects to insert into the NAT rule
1.1.2.1 Add two new objects by clicking on "Create new object" > "Address"
1.1.2.2 Add your WAN and NAS IP
1.1.2.3 Set the created objects as external and internal IP
1.1.2.4 Set the port mapping type
Set the port mapping type to "Port" and configure the external and internal port (e.g. port 50000; see the video for reference).
1.1.2.5 NAT loopback
NAT loopback is used inside the network to reach the internal server via its public IP. Check that NAT loopback is enabled and click OK (this allows users connected to any interface to use the NAT rule as well).
1.2 Add a Firewall rule to allow the NAT (Port Forwarding)
1.2.1 Add the Firewall Rule to Allow the NAT
Note! You need to allow the internal port, not the external port, because it is the internal (translated) port that arrives on the LAN side of your firewall and must be allowed by the security policy.
Then click on "Create new Object" to create a new service object; you can also do this under Configuration > Object > Service.
Add the port you want to forward (in this example: 50000) and name it as desired.
Then save the rule and, if possible, test the NAT rule from a different remote network.
From: WAN, To: LAN, Destination: NAS IP, Service: HTTP_NAS, Action: allow
You should now have access to your NAS via WAN.
1.3 Test the result
Open a browser and enter the WAN IP of your USG followed by the configured port. The NAS behind the USG is now reachable through port forwarding.
Example for our WAN IP: https://[yourWAN-IP]:50000
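The point made in sections 1.2 and 1.3 (NAT rewrites the destination before the security policy is evaluated, so the policy must name the internal port, and policies are matched top-down) is easy to get wrong in the GUI. The following Python model is an added example, not the firewall's code or any Zyxel tool; the addresses (203.0.113.10 as WAN IP, 192.168.1.20 as NAS, 198.51.100.0/24 as a trusted network) are constructed, and the zone lookup and first-match policy evaluation are simplifications that assume the behaviour the article describes.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addresses (not from the article): firewall WAN address,
# LAN subnet, a NAS on the LAN and a trusted remote network.
WAN_IP = "203.0.113.10"
LAN_NET = ip_network("192.168.1.0/24")
NAS_IP = "192.168.1.20"
TRUSTED_NET = "198.51.100.0/24"
ZONE_OF_IF = {"wan1": "WAN", "lan1": "LAN"}   # assumed interface-to-zone binding


@dataclass(frozen=True)
class Packet:
    in_if: str        # interface the packet arrived on
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class VirtualServerRule:
    """Fields from section 1.1.1: incoming interface, external/internal IP and port."""
    incoming_interface: str
    external_ip: str
    external_port: int
    internal_ip: str
    internal_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Policy:
    """One security policy line: zones, source network ("any" allowed), destination IP, service port, action."""
    from_zone: str
    to_zone: str
    source: str
    dest_ip: str
    port: Optional[int]   # None means any service
    action: str           # "allow" or "deny"


def apply_dnat(pkt, rules):
    """Destination NAT: rewrite external IP:port to internal IP:port of the first matching rule."""
    for r in rules:
        if (pkt.in_if == r.incoming_interface and pkt.proto == r.proto
                and pkt.dst_ip == r.external_ip and pkt.dst_port == r.external_port):
            return replace(pkt, dst_ip=r.internal_ip, dst_port=r.internal_port)
    return pkt


def zone_of_ip(ip):
    return "LAN" if ip_address(ip) in LAN_NET else "WAN"


def evaluate_policy(pkt, policies):
    """First-match evaluation of the ordered policy list; implicit deny if nothing matches."""
    from_zone = ZONE_OF_IF[pkt.in_if]
    to_zone = zone_of_ip(pkt.dst_ip)
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if p.source != "any" and ip_address(pkt.src_ip) not in ip_network(p.source):
            continue
        if p.dest_ip != "any" and pkt.dst_ip != p.dest_ip:
            continue
        if p.port is not None and pkt.dst_port != p.port:
            continue
        return p.action
    return "deny"


def process(pkt, nat_rules, policies):
    """NAT is applied first; the security policy then sees the translated packet."""
    return evaluate_policy(apply_dnat(pkt, nat_rules), policies)


# External port 4433 forwarded to the NAS on internal port 443 (section 1.1.1.1 style mapping).
NAT_RULES = [VirtualServerRule("wan1", WAN_IP, 4433, NAS_IP, 443)]

# Wrong: the policy names the external port, which no longer exists after DNAT.
POLICY_EXTERNAL_PORT = [Policy("WAN", "LAN", "any", NAS_IP, 4433, "allow")]

# Right: allow the internal port from trusted sources, then explicitly deny everyone else.
POLICY_INTERNAL_PORT = [
    Policy("WAN", "LAN", TRUSTED_NET, NAS_IP, 443, "allow"),
    Policy("WAN", "LAN", "any", NAS_IP, 443, "deny"),
]


def demo():
    trusted = Packet("wan1", "198.51.100.7", WAN_IP, 4433)
    stranger = Packet("wan1", "192.0.2.99", WAN_IP, 4433)
    return {
        "external_port_policy": process(trusted, NAT_RULES, POLICY_EXTERNAL_PORT),  # "deny"
        "trusted_client": process(trusted, NAT_RULES, POLICY_INTERNAL_PORT),        # "allow"
        "untrusted_client": process(stranger, NAT_RULES, POLICY_INTERNAL_PORT),     # "deny"
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows that a policy written for the external port never matches, while the allow-then-deny pair on the internal port admits only the trusted network.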
1.4 Configure 1:1 NAT
When to use 1:1 NAT:
- Hosting Servers: When an organization hosts servers (e.g., web server, mail server, FTP server) within the private network that need to be accessed from the Internet, 1:1 NAT can be used to expose those servers with public IP addresses. This allows external users to access the servers using the public IP addresses, while the servers themselves maintain private IP addresses within the local network.
- Application Compatibility: Some applications or services may require static, public IP addresses to function correctly. With 1:1 NAT, you can provide these applications with dedicated public IP addresses while keeping the rest of the internal network hidden behind the firewall's primary public IP.
- IP-based Access Control: Organizations may need to enforce specific access controls based on IP addresses. 1:1 NAT can be used to create separate rules and access policies for devices using the public IP addresses mapped through the 1:1 NAT configuration.
To configure 1:1 NAT, follow the same steps as above but choose 1:1 NAT in the "Add NAT" menu shown below:
1.4.1 Mapping rule for 1:1 NAT
Incoming interface - the interface that the traffic is coming from
Source IP - where the users are connecting from (e.g. trusted IPs)
External IP - the IP address of your WAN / outgoing interface of your firewall
Internal IP - the IP address of the server that you want to forward the ports to
Port Mapping Type
any - all traffic will be forwarded
Service - select a service object (a protocol)
Service-Group - select a service-group object (a group of protocols)
Port - select a single port that needs to be forwarded
Ports - select a port range that needs to be forwarded
1.4.2 Use-case scenario for 1:1 NAT vs. Virtual Server
Question
I would like to publish an internal server for external users, so I created a NAT rule for it. But I can decide between Virtual Server and 1:1 NAT. Which one should I choose? What's the difference between Virtual Server and 1:1 NAT?
Answer
Both Virtual Server and 1:1 NAT can publish internal servers to the internet. The difference is that 1:1 NAT has an additional SNAT (source NAT), which Virtual Server does not.
For example, with a 1:1 NAT rule set to
Original IP: 10.214.30.188, Mapped IP: 192.168.1.33,
outgoing traffic from the server 192.168.1.33 will use 10.214.30.188 as its source address to access the internet.
In Packet Flow Explore you can see the SNAT status: the source IP 192.168.1.33 accesses the internet through a SNAT entry, so the outgoing address is replaced by the Original IP.
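The SNAT difference described in the answer above (and in the overview at the top of the article) can be made concrete with a small packet-translation model. This is an added example in Python, not firewall code; it reuses the article's Original IP 10.214.30.188 and Mapped IP 192.168.1.33, and it assumes (the article does not state this) that without a 1:1 rule an outgoing packet leaves with the WAN interface's own address, here the constructed 10.214.30.1.

```python
from dataclasses import dataclass, replace

# Values from the article's 1:1 NAT example
ORIGINAL_IP = "10.214.30.188"   # public ("Original IP")
MAPPED_IP = "192.168.1.33"      # internal ("Mapped IP")
# Constructed assumption: the firewall's own WAN interface address, used for
# the default outgoing source NAT when no 1:1 rule applies to the server.
WAN_IF_IP = "10.214.30.1"
INTERNET_HOST = "198.51.100.50"  # constructed outside client


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    direction: str   # "inbound" (WAN -> LAN) or "outbound" (LAN -> WAN)


@dataclass(frozen=True)
class NatRule:
    mapping_type: str   # "virtual-server" or "1:1"
    original_ip: str
    mapped_ip: str


def translate(pkt, rules):
    """Apply the NAT rules the way the article describes them.

    Inbound: both mapping types DNAT the Original IP to the Mapped IP.
    Outbound: only a 1:1 rule SNATs the server's source to its Original IP;
    otherwise the packet leaves with the WAN interface address (assumed default).
    """
    if pkt.direction == "inbound":
        for r in rules:
            if pkt.dst_ip == r.original_ip:
                return replace(pkt, dst_ip=r.mapped_ip)
        return pkt
    for r in rules:
        if r.mapping_type == "1:1" and pkt.src_ip == r.mapped_ip:
            return replace(pkt, src_ip=r.original_ip)
    return replace(pkt, src_ip=WAN_IF_IP)


def outbound_source(mapping_type):
    """Source address an outside host sees when server 192.168.1.33 opens a connection."""
    rule = NatRule(mapping_type, ORIGINAL_IP, MAPPED_IP)
    pkt = Packet(MAPPED_IP, INTERNET_HOST, "outbound")
    return translate(pkt, [rule]).src_ip


def inbound_destination(mapping_type):
    """Destination after DNAT when an outside host connects to the Original IP."""
    rule = NatRule(mapping_type, ORIGINAL_IP, MAPPED_IP)
    pkt = Packet(INTERNET_HOST, ORIGINAL_IP, "inbound")
    return translate(pkt, [rule]).dst_ip


if __name__ == "__main__":
    for kind in ("virtual-server", "1:1"):
        print(f"{kind:15} inbound -> {inbound_destination(kind)}, "
              f"outbound source = {outbound_source(kind)}")
```

Inbound behaviour is identical for both mapping types; only the 1:1 rule makes the server's own connections appear from 10.214.30.188, which matters when an outside party filters or logs by source address.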
2) Configure Many 1:1 NAT
Note! The private and public ranges must have the same number of IP addresses.
Many 1:1 NAT is used to forward all traffic from a range of external IPs (public IPs) to a range of internal IPs (private IPs). Note that you cannot select ports: the Many 1:1 NAT function always forwards all ports.
2.1 Create the Many 1:1 NAT rule
First log in to the device, navigate to Configuration > Network > NAT and click the "Add" button to add a new rule.
2.1.1 Mapping Rule for Many 1:1 NAT
Incoming interface - the interface that the traffic is coming from (usually wan1 or wan1_PPPoE)
Source IP - where the users are connecting from (e.g. trusted IPs)
External IP Subnet/Range - the range of public IP addresses on your WAN / outgoing interface of your firewall (only range and subnet objects are allowed, not host objects)
Internal IP Subnet/Range - the range of internal server addresses that the public IP addresses are forwarded to
Port Mapping Type
any - all traffic will be forwarded (note that the Many 1:1 NAT function only supports forwarding "all traffic")
NAT Loopback - NAT loopback enables users behind the firewall to connect to the public IPs.
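The two constraints of Many 1:1 NAT (equal-sized ranges, and all ports forwarded with no port selection) can be checked before committing a rule. The following Python helper is an added example, not a Zyxel tool; the 203.0.113.x / 192.168.1.x ranges are constructed, and it assumes that a subnet object maps every address in the block.

```python
from ipaddress import ip_address, ip_network


def expand(spec):
    """Expand a 'start-end' range or a CIDR subnet into an ordered list of addresses."""
    if "-" in spec:
        lo, hi = (ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end before start: {spec}")
        return [ip_address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]
    # Subnet object: every address in the block is mapped (assumption for this example)
    return list(ip_network(spec, strict=False))


def build_many_1to1(external_spec, internal_spec):
    """Return the external -> internal map; both ranges must be the same size (article note)."""
    external, internal = expand(external_spec), expand(internal_spec)
    if len(external) != len(internal):
        raise ValueError(
            f"public range has {len(external)} addresses, private range has {len(internal)}")
    return {str(e): str(i) for e, i in zip(external, internal)}


def dnat(mapping, dst_ip, dst_port=None):
    """Inbound: the port is ignored because Many 1:1 NAT forwards all traffic."""
    return mapping.get(dst_ip)


def snat(mapping, src_ip):
    """Outbound: each server leaves with its own public address (reverse lookup)."""
    for ext, internal in mapping.items():
        if internal == src_ip:
            return ext
    return None


# Constructed sample rule: four public addresses mapped onto four internal servers.
MAPPING = build_many_1to1("203.0.113.8-203.0.113.11", "192.168.1.10-192.168.1.13")

if __name__ == "__main__":
    for ext, internal in MAPPING.items():
        print(f"{ext} <-> {internal}")
    print("inbound to 203.0.113.10 on port 22 lands on", dnat(MAPPING, "203.0.113.10", 22))
    print("outbound from 192.168.1.13 appears as", snat(MAPPING, "192.168.1.13"))
```

Because every port of every public address is exposed, the security policy that accompanies a Many 1:1 rule has to do all of the service-level restriction itself.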
3) Configure Virtual Server Load Balancer
The Virtual Server Load Balancer screen is used to distribute user connections over multiple servers, in order to reduce each server's workload and decrease overall response times.
3.1 How does the Virtual Server Load Balancer work?
3.1.1 The Load Balancing Process
1. A client initiates a connection to the virtual server on a specific port
2. The firewall matches the request to a set of servers (Server 1/2/3 in example above), and determines which server will handle the request using a user-specified load balancing algorithm
3. The firewall forwards the request to the chosen server using NAT
4. The server processes the request and then replies back to the firewall
5. The firewall forwards the reply to the client using SNAT
3.1.2 Load Balancing rules to follow
1. One real server can belong to multiple load balancing rules
2. You can only add one interface, IP address, and port to each load balancing rule
3. Virtual servers and real servers only support IPv4 addresses
3.1.3 Virtual Server Load Balancing Algorithms
Round-Robin - Last in, first out rule; connections are divided equally across all servers (e.g. Servers A, B and C will be divided CBACBACBA)
Weighted Round Robin - Assigns servers based on a specified weight. Servers with a higher weight are assigned before servers with a lower weight (e.g. a 4:1 weight on server 1 and server 2 means 75% load on server 1 and 25% on server 2).
Least-Connection - Assigns the connection to the server with the least number of current connections
Source Hashing - Assigns the connection based on a static hash table
e.g. Server A (weight 1) and Server B (weight 2) are mapped like this:
3.2 Virtual Server Rule Mapping
Incoming interface - the interface that the traffic is coming from (usually wan1 or wan1_PPPoE)
External IP - the IP address of your WAN / outgoing interface of your firewall
Service - select a service object (a protocol)
External Service - the external service (protocol) that is to be forwarded internally
Port - select a port that needs to be forwarded
Protocol Type - choose whether the port is TCP or UDP
External Port - the external port (number) that is to be forwarded internally
Healthy Check Method - the system performs a connectivity check to see whether the NAT rule and load balancer are working properly. You can choose between ping, HTTP(S) request, SMTP HELO, DNS query and TCP connection, depending on how the server is reached from the outside.
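To see how the four algorithms from section 3.1.3 distribute connections, and how the health check from the rule mapping removes a failed real server from the pool, here is an added Python simulation. It is not the firewall's implementation: the real servers "A", "B", "C" and the client addresses are constructed, round-robin is modelled as a plain cycle, weighted round-robin repeats each server according to its weight, and source hashing uses CRC32 of the client address as a stand-in for the device's static hash table.

```python
import itertools
from zlib import crc32


class VirtualServerLB:
    """Picks a real server for each new client connection using one of the four algorithms."""

    def __init__(self, servers, weights=None):
        self.servers = list(servers)
        self.weights = {s: (weights or {}).get(s, 1) for s in self.servers}
        self.active = {s: 0 for s in self.servers}      # current connections per server
        self.healthy = set(self.servers)                # servers passing the health check
        self._rr = itertools.cycle(self.servers)
        self._wrr = itertools.cycle(
            [s for s in self.servers for _ in range(self.weights[s])])

    def set_health(self, server, ok):
        """Result of the health check: a failed server is skipped by every algorithm."""
        (self.healthy.add if ok else self.healthy.discard)(server)

    def _next_healthy(self, cycle):
        while True:
            s = next(cycle)
            if s in self.healthy:
                return s

    def pick(self, algorithm, src_ip=None):
        if not self.healthy:
            raise RuntimeError("no healthy real server")
        pool = [s for s in self.servers if s in self.healthy]
        if algorithm == "round-robin":
            server = self._next_healthy(self._rr)
        elif algorithm == "weighted-round-robin":
            server = self._next_healthy(self._wrr)
        elif algorithm == "least-connection":
            server = min(pool, key=lambda s: self.active[s])   # first minimum wins ties
        elif algorithm == "source-hashing":
            server = pool[crc32(src_ip.encode()) % len(pool)]  # same client -> same server
        else:
            raise ValueError(f"unknown algorithm {algorithm}")
        self.active[server] += 1
        return server

    def release(self, server):
        """Connection closed: the server's active count drops (matters for least-connection)."""
        self.active[server] -= 1


def simulate(algorithm, n, servers=("A", "B", "C"), weights=None):
    """Servers chosen for n new connections from n distinct (constructed) client addresses."""
    lb = VirtualServerLB(servers, weights)
    return [lb.pick(algorithm, src_ip=f"198.51.100.{i}") for i in range(n)]


def least_connection_demo():
    lb = VirtualServerLB(["A", "B", "C"])
    first = lb.pick("least-connection")    # all idle -> A
    second = lb.pick("least-connection")   # A busy -> B
    lb.release("A")                        # A's connection closes
    third = lb.pick("least-connection")    # A and C idle -> A (first in list)
    return [first, second, third]


def health_demo():
    """Round-robin over A, B, C after A fails its health check."""
    lb = VirtualServerLB(["A", "B", "C"])
    lb.set_health("A", False)
    return [lb.pick("round-robin") for _ in range(4)]


if __name__ == "__main__":
    print("round-robin:", simulate("round-robin", 6))
    print("weighted 1:2:", simulate("weighted-round-robin", 6, ("A", "B"), {"A": 1, "B": 2}))
    print("least-connection:", least_connection_demo())
    print("A unhealthy:", health_demo())
```

Note that when a server drops out of the pool the source-hashing modulus changes, so existing clients may be re-hashed to a different server; that is the trade-off of a static hash table compared with connection tracking.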
Comments
2 comments
Hi, my request was to configure PPTP-VPN software on an old Apple server in the local network behind a Zyxel firewall... Before reading the article I had already done everything years ago and have a working configuration on a Zywall 2Plus model. Something is not clear: at the moment when port 1723 is opened, do I also need PPTP Tunnel? And combine them in a group? Maybe the problem is in Policy Control? Thanks for your attention.
Every tutorial I have seen tells you to use wan1 as the incoming interface value for the NAT. In our case we had to use wan1_ppp as the incoming source, and then everything works as expected. In the Dashboard you will see the Interface Status Summary, and see the wan1 with a small plus sign. Open the tree list object, and use that object that is associated with the external IP address of the router as the incoming interface of the NAT.
NAT
Security Policy 1: Allow
Security Policy 2: Deny
The first policy will only allow a NAT from the allowed source IP addresses.
The second policy, which must be after the first object in the policy list, will explicitly deny any access to the port from a non-allowed IP address.