NAT 1:1 with specific open ports

Hi, I have followed directions to set NAT 1:1 and map Device IP (LAN) to Mapped IP (WAN). I understand this allows an ‘outside’ device on the WAN side to communicate with the LAN device, as if the ‘outside’ device was on the ‘inside’ LAN.

My question is if this will also allow the LAN device which is mapped 1:1 to be able to have outside WAN internet access on specific ports (Port 80 and 443), or if the LAN device still does not have outside access on these ports?

Is there a way to open these ports up, without granting full internet access on the LAN (by way of ‘NAT and TF on WAN’)?

Thanks.

Hi @acj,

The only way to give devices on the LAN side internet access would be to follow these steps

However, this will not limit it so that only certain devices on the LAN side can have internet access. This will give all devices on the LAN side internet access if they set their gateway to be the LAN IP address of the Ewon device, and give a DNS such as something like 8.8.8.8 or 1.1.1.1.

-Tim

Thank you. Follow-up question - is it possible to use NAT 1:1 to access a device w/ static IP address located on the WAN side, but using the LAN side NAT address?

Ex. if WAN device is 192.168.100.11 and I use NAT 1:1 to assign to LAN side 192.168.1.11, can my devices on LAN read data from the 192.168.1.11 address?

Is this possible?

I’m not quite sure what you mean with your example.

If you have a device on the WAN side with the address 192.168.100.11/24 and you want to be able to reach a device on the LAN side with the address 192.168.1.11/24 then you’d need to give the device on the LAN side an address in the 192.168.100.xxx/24 range.

This document might help explain the NAT 1:1 routing to you.
NAT 1to1 without vpn.docx (685.6 KB)

Hi Tim,

The link you provided doesn’t work. Could you call me (or could I call you) to discuss?

Basically instead of exposing a LAN device on the WAN with NAT 1:1, I want to do the opposite (expose a WAN device onto the LAN).

Does that make any sense?

That’s not possible unless you have another device that is doing the routing. The Ewon cannot route devices from the WAN side onto the LAN.

I only need to enable outbound communication for ports 80 and 443 of devices on the LAN - is this possible?

If the goal is just to get the devices on the LAN side to have access to the internet, you can follow the doc above with KB-0068-00. This will give all devices on the LAN side internet access if they set their gateway to be the LAN IP address of the Ewon device, and give a DNS such as something like 8.8.8.8 or 1.1.1.1.

That is not my goal - my goal is to enable outbound communication for ports 80 and 443 (only) of devices on the LAN.

We cannot limit it to specific ports on the LAN side. However, if you do give the device internet access to devices on the LAN side, you could make restrictions on your network (assuming this isn’t a 3G/4G Flexy) and control the port that way.
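
One way to apply the upstream restriction suggested in the last reply, as an added example that is not part of the original thread or of Ewon documentation: an nftables ruleset for a Linux router sitting between the Ewon's WAN port and the internet. It assumes the Ewon source-NATs LAN traffic behind its WAN address ("NAT and TF on WAN"); the interface names and the Ewon WAN address are constructed placeholders.

```nftables
# Constructed example for a Linux router upstream of the Ewon's WAN port.
# Assumptions (not from the thread): interface names and the Ewon WAN address.
define EWON_WAN = 192.168.100.10         # constructed: Ewon WAN-side address
define EWON_IF  = "eth1"                 # constructed: interface facing the Ewon
define INET_IF  = "eth0"                 # constructed: interface facing the internet
define DNS      = { 8.8.8.8, 1.1.1.1 }   # resolvers named in the thread

table inet ewon_egress {
    chain forward {
        # Policy stays "accept" so traffic from other hosts is untouched;
        # only flows sourced from the Ewon are restricted below.
        type filter hook forward priority filter; policy accept;

        # Return traffic for connections already permitted.
        ct state established,related accept

        # HTTP/HTTPS out from the Ewon (LAN devices are NATed behind it).
        iifname $EWON_IF oifname $INET_IF ip saddr $EWON_WAN tcp dport { 80, 443 } accept

        # DNS, to the two listed resolvers only.
        iifname $EWON_IF oifname $INET_IF ip saddr $EWON_WAN ip daddr $DNS udp dport 53 accept
        iifname $EWON_IF oifname $INET_IF ip saddr $EWON_WAN ip daddr $DNS tcp dport 53 accept

        # Anything else from the Ewon toward the internet: log, count, drop.
        iifname $EWON_IF oifname $INET_IF ip saddr $EWON_WAN log prefix "ewon-egress-drop " counter drop
    }
}
```

Because the upstream router only sees the Ewon's WAN address, these rules also apply to the Ewon's own outbound traffic from that address, not just to the LAN devices behind it. The drop counter and log prefix show which other ports the LAN devices are attempting to reach.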