Masquerading is a special case of Source Network Address Translation (SNAT) and allows you to masquerade an internal network (typically, your LANClosed Local Area Network with private address space) behind a single, official IPClosed Internet Protocol address on a network interface (typically, your external interface connected to the Internet). SNAT is more generic as it allows to map multiple source addresses to several destination addresses.

Note – The source address is only translated if the packet leaves the gateway system via the specified interface. Note further that the new source address is always the current IP address of that interface (meaning that this address can be dynamic).

To create a masquerading rule, proceed as follows:

  1. On the Masquerading tab, click New Masquerading Rule.

    The Add Masquerading Rule dialog box opens.

  2. Make the following settings:

    Network: Select the (internal) network you want to masquerade.

    Position: The position that defines the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.

    Interface: Select the (external) interface that is connected to the Internet.

    Use address: If the interface you selected has more than one IP address assigned (see Interfaces & Routing > Interfaces > Additional Addresses), you can define here which IP address is to be used for masquerading.

    Comment (optional): Add a description or other information.

  3. Click Save.

    The new masquerading rule appears on the Masquerading rule list.

  4. Enable the masquerading rule.

    Click the toggle switch to activate the masquerading rule.

To either edit or delete a rule, click the corresponding buttons.

Note – You need to allow traffic from the internal network to the Internet in the firewall if you want your clients to access external servers.

IPsec packets are never affected by masquerading rules. To translate the source address of IPsec packets create an SNAT or Full NAT rule.