Athena SWG (Secure Web Gateway)

Athena SWG (formerly Internet Access Gateway) ensures visibility and control across the network, detecting risks like unauthorized access, non-compliant activities, and data leaks to manage endpoints.
13.0.120

IPv4 DNAT

Updated: 2025-12-29

On the IPv4 DNAT panel, you can configure the device to perform DNAT for data. For example, publish an intranet server and map the services of this server to the public network so that Internet users can access these services. See the following figure.

Example 1: An intranet server 192.168.1.2 provides HTTP services. There are two public network lines on the device. The customer requires that Internet users can access the HTTP services provided by the intranet server over a public network line.

  1. On the IPv4 DNAT panel, click Add and select Basic Rule or Advanced Rule, as shown in the following figure.

The Basic Rule option sets a simple IPv4 DNAT rule for which only necessary conditions need to be set, whereas the Advanced Rule option applies to complex IPv4 DNAT requirements. In this example, select Basic Rule. In the displayed dialog box, select Enabled and set the rule name.

  2. In Protocol, set the data conditions of this DNAT rule and the destination IP address and port.

In Protocol, select the type of protocol data for which IPv4 DNAT needs to be performed. In Dst Port, set the destination port. In this example, NAT needs to be performed for HTTP service access data. Therefore, select TCP from Protocol and set Dst Port to 80. In Mapped IP Address, set the IP address to which the destination IP address will be translated, and in Mapped to Port, set the port to which the destination port will be converted. In this example, the destination IP addresses of access data to service port 80 will be translated to 192.168.1.2. See the following figure.

Select Allow, and TCP port 80 access data will be allowed in six directions: LAN<->WAN, DMZ<->WAN, and LAN<->DMZ.

  3. Modify the IPv4 DNAT rule if required. Select the rule and click Delete to delete the rule. Click Enable to enable the rule. Click Disable to disable the rule. Click Move Up or Move Down to change the priority of the rule. A rule with a smaller priority value will be preferentially matched.

To edit a rule, click the rule's name and then edit the rule in the displayed dialog box.

Example 2: A server with the IP address 192.168.1.80 exists on the intranet. The device operates in route mode. WAN1 connects to the intranet through a fiber. A public network IP address 202.96.137.89 exists, and the domain name is www.Sangfor.com. An IPv4 DNAT rule needs to be configured to publish the intranet server to the public network so that users on the LAN (192.168.1.0/255.255.255.0, connected to the LAN interface) can access 192.168.1.80 by visiting the domain name www.Sangfor.com.

  1. On the IPv4 DNAT panel, click Add and select Advanced Rule. On the displayed IPv4 DNAT page, select Enabled and set the rule name.

  2. In WAN Interface, select a WAN interface. DNAT will be performed for the data forwarded to the device over this WAN interface. In this example, the public network IP address corresponding to the domain name www.Sangfor.com is the IP address of WAN1. Therefore, select WAN1.

  3. In Source Address, set the source IP address in the DNAT rule. In this example, the intranet server is mapped to the public network, and the public network IP address is not fixed. Therefore, select All.

  4. In Destination Address, set the destination IP address in the DNAT rule. In this example, DNAT is performed for access requests to the IP address of WAN1. Therefore, select Specified interface IP and WAN1.

  5. In Protocol, set the protocol and port for DNAT. In this example, DNAT is performed for access requests to service port 80. Select All in Src Port, because the source port is usually random.

  6. In Mapped IP, set the IP address to which the IP addresses of data meeting the conditions are translated. In this example, the IP address of the destination server is 192.168.1.80. Therefore, select Specified IP and enter 192.168.1.80.

  7. In Mapped Port, set the port to which the ports of access requests meeting the conditions are converted. In this example, the port of the destination server 192.168.1.80 is 80. Therefore, select Specified and enter 80.

  8. Select Allow firewall automatically allows data, and TCP port 80 access data in six directions will be allowed: LAN<->WAN, DMZ<->WAN, and LAN<->DMZ.

The LAN server accessible to internal user on WAN IP option needs to be selected when intranet users need to access a server on the same network segment by using public network IP addresses. After this option is selected, the source IP addresses of data from the intranet are translated into the corresponding interface IP address of the device, and the device automatically creates a SNAT rule for this source IP address translation. If the option is not selected, intranet users cannot access this server by using public network IP addresses. In this example, users on the LAN need to access a server on this LAN by using public network IP addresses. Therefore, select 10.88.69.49 (LAN).

  9. Modify the IPv4 DNAT rule if required. Select the rule and click Delete to delete the rule. Click Enable to enable the rule. Click Disable to disable the rule. Click Move Up or Move Down to change the priority of the rule. A rule with a smaller priority value will be preferentially matched.

To edit a rule, click the rule's name and then edit the rule in the displayed dialog box.
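Why Example 2 needs the LAN server accessible to internal user on WAN IP option, shown as an added illustration that is not Sangfor code: a simplified model of the packet path for a LAN client and an Internet client. The client addresses and the source port are constructed, and a real device tracks connections instead of comparing tuples as done here.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # LAN segment from Example 2
WAN1_IP = "202.96.137.89"            # public IP of WAN1 from Example 2
SERVER = "192.168.1.80"              # Mapped IP from Example 2
DEVICE_LAN_IP = "10.88.69.49"        # interface IP selected in Example 2
LAN_CLIENT = "192.168.1.10"          # constructed LAN client
INET_CLIENT = "198.51.100.7"         # constructed Internet client

def gateway_forward(pkt, hairpin_snat):
    """Apply the DNAT rule, plus the auto-created SNAT rule if enabled."""
    src, sport, dst, dport = pkt
    if (dst, dport) != (WAN1_IP, 80):
        return pkt                              # rule does not match
    dst = SERVER                                # DNAT: WAN1:80 -> 192.168.1.80:80
    if hairpin_snat and ip_address(src) in LAN:
        src = DEVICE_LAN_IP                     # SNAT for intranet sources only
    return (src, sport, dst, dport)

def server_reply(pkt):
    """The server answers whatever source address it saw."""
    src, sport, dst, dport = pkt
    return (dst, dport, src, sport)

def gateway_return(reply, request):
    """Undo the translations only if the reply passes through the device."""
    src, sport, dst, dport = reply
    if dst == DEVICE_LAN_IP:                    # addressed to the device: undo SNAT and DNAT
        return (request[2], request[3], request[0], request[1])
    if ip_address(dst) not in LAN:              # routed out via the device: undo DNAT
        return (request[2], request[3], dst, dport)
    return reply                                # same segment: delivered directly, untranslated

def simulate(client_ip, hairpin_snat):
    """Return (client accepts the reply, source IP the server logs)."""
    request = (client_ip, 40000, WAN1_IP, 80)
    fwd = gateway_forward(request, hairpin_snat)
    reply = gateway_return(server_reply(fwd), request)
    expected = (WAN1_IP, 80, client_ip, 40000)  # client expects an answer from WAN1:80
    return reply == expected, fwd[0]

if __name__ == "__main__":
    for ip in (LAN_CLIENT, INET_CLIENT):
        for snat in (False, True):
            print(ip, "snat" if snat else "no-snat", simulate(ip, snat))
```

With the option enabled, the server's access log shows the device interface IP for every intranet client, so requests from LAN users must be attributed from the device's own logs.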

The IPv4 DNAT settings only apply when the device is deployed in route mode.