7.2.2. DNAT rules

DNAT rules are designed for publishing internal network resources on the Internet. For publishing HTTP/HTTPS servers, it is recommended to use reverse proxy rules instead; for details, refer to the Publication of HTTP/HTTPS resources using the reverse proxy section. For publishing non-HTTP/HTTPS servers, use DNAT.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

To create a new DNAT rule, click Add in the Network policies --> NAT and routing section and specify the following parameters.

Enabled: Enables or disables the rule.

Name: Rule name.

Comment: Description of the rule.

Type: Select DNAT.

Enable logging: Logs information about traffic when the rule is triggered. The following modes are available:

  • Log session start. Only the first packet of each session is logged. This is the recommended logging setting.

  • Log all packets. Every network packet is logged. For this mode it is recommended to enable a logging limit to avoid high system utilization.

Source: A source zone and/or a list of source IP addresses for the traffic.

Destination: One of UserGate's public IP addresses to which external clients will send their traffic.

Services: The type of service that you are going to publish, e.g. HTTP. If no services are specified, all services are published.

Important! The following ports are reserved for UserGate internal use and cannot be used in services: 2200, 8001, 4369, 9000-9100.

DNAT target IP: IP address of the local host that you are going to publish on the Internet.

Enable SNAT: When this option is enabled, UserGate replaces the source address in packets coming from the external network to the published server with its own IP address.
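To make the matching semantics above concrete (top-to-bottom evaluation, first rule with all conditions met wins, Negate as logical NOT, SNAT rewriting the source, and the reserved-port restriction), here is an added Python model of a DNAT rule set. It is illustrative code, not UserGate's own implementation; GATEWAY_IP, the addresses and the rule names are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Ports reserved for UserGate internal use, as listed on this page.
RESERVED_PORTS = {2200, 8001, 4369} | set(range(9000, 9101))
GATEWAY_IP = "10.0.0.1"  # constructed: UserGate's own address written in when SNAT is on

@dataclass
class DnatRule:
    name: str
    destination: str                # public UserGate IP external clients connect to
    target_ip: str                  # internal host being published
    services: set = field(default_factory=set)   # TCP ports; empty = all services
    sources: list = field(default_factory=list)  # CIDRs; empty = any source
    negate_source: bool = False     # the Negate checkbox on the Source condition
    enable_snat: bool = False
    enabled: bool = True

def check_services(rule):
    """Reject a rule that tries to publish a port reserved for UserGate itself."""
    bad = sorted(p for p in rule.services if p in RESERVED_PORTS)
    if bad:
        raise ValueError(f"{rule.name}: reserved ports {bad}")
    return True

def source_matches(rule, src):
    hit = not rule.sources or any(ip_address(src) in ip_network(n) for n in rule.sources)
    return hit != rule.negate_source   # Negate flips the result (logical NOT)

def apply_dnat(rules, src, dst, port):
    """Walk rules top to bottom; the first rule whose conditions all hold wins."""
    for rule in rules:
        if not rule.enabled or dst != rule.destination:
            continue
        if rule.services and port not in rule.services:
            continue
        if not source_matches(rule, src):
            continue
        return {"rule": rule.name, "dst": rule.target_ip,
                "src": GATEWAY_IP if rule.enable_snat else src}
    return None   # no DNAT rule matched; nothing is published for this packet

RULES = [  # constructed sample policy: most specific rule first
    DnatRule("rdp-admins", "203.0.113.10", "10.0.0.5", {3389}, ["198.51.100.0/24"]),
    DnatRule("ftp-not-partner", "203.0.113.10", "10.0.0.7", {21}, ["192.0.2.0/24"],
             negate_source=True, enable_snat=True),
    DnatRule("catch-all", "203.0.113.10", "10.0.0.20"),
]
assert all(check_services(r) for r in RULES)
```

Reversing RULES shows why order matters: the catch-all rule then matches every packet first and the RDP rule is never reached.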