7.2.2. DNAT Rules

DNAT rules are normally used to publish internal network resources to the Internet. For publishing HTTP/HTTPS servers, reverse proxy rules are the recommended publishing method. For more details on publishing resources using reverse proxy rules, see the chapter HTTP/HTTPS Resource Publishing Using Reverse Proxy. To publish servers that use protocols other than HTTP/HTTPS, use DNAT publishing.

Note

The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note

The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

To create a DNAT rule, go to the Network policies --> NAT and routing section, click Add, and provide the desired settings.

The rule settings are listed below, each setting name followed by its description.

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Type

Select DNAT.

SNAT IP address (external IP)

Explicitly sets the IP address that replaces the source address when the packet is NATed. If left empty, the source address is replaced with the IP address of the UserGate interface from which the packet is sent. A range of IP addresses may be specified, for example:

192.168.10.10-192.168.10.20

Important! The address specified here is used only if the Enable SNAT checkbox in the DNAT tab is activated; otherwise the client's source address is left unchanged.

Logging

Logs traffic information when the rule is triggered. The available options are:

  • Log session start: only the session start (first packet) will be recorded in the traffic log. This is the recommended logging option.

  • None: nothing will be logged.

Source

The zone, IP address lists, GeoIP address lists, or URL lists of the traffic source.

The URL list must contain domain names only. Every 5 minutes UserGate resolves the domain names to IP addresses and caches the result for the DNS record's time-to-live (TTL); when the TTL expires, UserGate refreshes the IP address automatically. Matching is performed against the cached IP addresses, not against a name in the packet, so a change to the DNS record takes effect only after the cached entry expires.

Important! At most 15 GeoIP entries can be specified in one rule.

Important! If MAC addresses are specified, the Negate checkbox has no effect.

Important! When several source objects are specified, they are combined as follows:

  • OR between several IP lists and/or domain lists: the source must appear in at least one of them;

  • AND between GeoIP lists and IP/domain lists: the source must match the GeoIP condition and at least one of the IP/domain lists.

Destination

One of the external IP addresses of the UserGate server, which is available from the Internet and is the destination for the external client traffic.

Important! When several destination objects are specified, they are combined as follows:

  • OR between several IP lists and/or domain lists: the destination must appear in at least one of them;

  • AND between GeoIP lists and IP/domain lists: the destination must match the GeoIP condition and at least one of the IP/domain lists.

Service

The service (protocol and port) to publish, such as HTTP. If left empty, all services are published: every port on the target server becomes reachable from the Internet through this rule, so specify the service explicitly unless that is exactly what is intended.

Important! Services that use the following ports cannot be published, because these ports are reserved for UserGate's internal services: 2200, 8001, 4369, 9000-9100.

DNAT target IP (published server IP)

The IP address of a computer in the local network that is being published to the Internet.

Enable SNAT (change source IP to UserGate IP)

If enabled, UserGate replaces the source address in packets arriving from the external network with its own IP address (or with the address from SNAT IP address, if one is set). The published server then sees UserGate, not the client, as the source of the connection, so the real client addresses are available only in UserGate's traffic log. Enabling SNAT is needed when the published server's return traffic would not otherwise be routed back through UserGate; leave it disabled when the server must see the real client IP address.

Usage

The rule triggering statistics: the total number of triggers, the time of the first and last triggers.

To reset statistics, select rules in the list and click Reset hit counts.

History

The time when the rule was created and last modified, as well as the event log entries related to this rule: adding, updating the rule, changing the position of the rule in the list, etc.
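The following Python model illustrates how the settings above combine when a DNAT rule list is evaluated: rules are tried top to bottom and only the first full match is applied, the Negate checkbox inverts the source condition, IP/domain lists are ORed while GeoIP is ANDed with them, an empty Service publishes every port, reserved ports are rejected, and Enable SNAT determines what source address the published server sees. This is an added example written for this page, not UserGate code; the Packet and DnatRule classes, the rule set, the egress interface address and the country codes are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Ports the documentation lists as reserved for UserGate's internal services.
RESERVED_PORTS = {2200, 8001, 4369} | set(range(9000, 9101))
MAX_GEOIP_ENTRIES = 15          # documented limit on GeoIP entries in one rule


@dataclass
class Packet:                   # constructed model of the fields a rule looks at
    src: str                    # client IP address
    dst: str                    # external UserGate IP the client connected to
    dport: int
    src_country: Optional[str] = None   # assumed to come from a GeoIP lookup


@dataclass
class DnatRule:                 # constructed model of the settings on this page
    name: str
    destination: str            # external UserGate IP being published
    dnat_target: str            # published server IP
    enabled: bool = True
    source_lists: list = field(default_factory=list)  # each entry: a list of CIDRs
    source_geoip: list = field(default_factory=list)  # country codes
    negate_source: bool = False
    service_ports: Optional[set] = None   # None = every port is published
    enable_snat: bool = False
    snat_ip: Optional[str] = None         # None = egress interface IP


def validate_rule(rule: DnatRule) -> list:
    """Return the problems to fix before enabling the rule."""
    problems = []
    if rule.service_ports is None:
        problems.append("Service is empty: every port on the target is published")
    else:
        bad = sorted(rule.service_ports & RESERVED_PORTS)
        if bad:
            problems.append(f"ports reserved for UserGate internal services: {bad}")
    if len(rule.source_geoip) > MAX_GEOIP_ENTRIES:
        problems.append(f"more than {MAX_GEOIP_ENTRIES} GeoIP entries")
    return problems


def source_matches(rule: DnatRule, pkt: Packet) -> bool:
    """OR across IP/domain lists, AND between those lists and GeoIP, then Negate."""
    src = ip_address(pkt.src)
    ip_ok = not rule.source_lists or any(
        src in ip_network(cidr) for lst in rule.source_lists for cidr in lst)
    geo_ok = not rule.source_geoip or pkt.src_country in rule.source_geoip
    matched = ip_ok and geo_ok
    return matched != rule.negate_source   # Negate flips the condition (Boolean NOT)


def rule_matches(rule: DnatRule, pkt: Packet) -> bool:
    """All conditions of the rule must hold for it to apply."""
    if not rule.enabled or pkt.dst != rule.destination:
        return False
    if rule.service_ports is not None and pkt.dport not in rule.service_ports:
        return False
    return source_matches(rule, pkt)


def first_match(rules, pkt):
    """Rules are tried top to bottom; only the first full match is applied."""
    return next((r for r in rules if rule_matches(r, pkt)), None)


def translate(rules, pkt, egress_ip):
    """Return (rule name, translated packet), or (None, pkt) when nothing matches."""
    rule = first_match(rules, pkt)
    if rule is None:
        return None, pkt
    new_src = pkt.src
    if rule.enable_snat:
        new_src = rule.snat_ip or egress_ip   # the server sees UserGate, not the client
    return rule.name, Packet(new_src, rule.dnat_target, pkt.dport, pkt.src_country)


# Constructed sample rule set: the specific SSH rule sits above the catch-all.
ADMIN_SSH = DnatRule("admin-ssh", "203.0.113.10", "192.168.10.22",
                     source_lists=[["198.51.100.0/24"]], service_ports={22})
CATCH_ALL = DnatRule("catch-all", "203.0.113.10", "192.168.10.80",
                     source_lists=[["10.0.0.0/8"]], negate_source=True,  # NOT from 10/8
                     enable_snat=True, snat_ip="192.168.10.1")
GEO_HTTPS = DnatRule("geo-https", "203.0.113.10", "192.168.10.44",
                     source_lists=[["198.51.100.0/24"], ["192.0.2.0/24"]],
                     source_geoip=["DE"], service_ports={443})
RULES = [ADMIN_SSH, CATCH_ALL]
```

Swapping the order of RULES makes the catch-all rule absorb the SSH traffic, which is why the more specific rule must be placed higher in the list, and validate_rule flags the catch-all rule for its empty Service.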