LANCOM Support Knowledgebase Document No. 1806.1210.2217.RHOO - V1.70

Configuring WAN policy-based NAT


As of LCOS version 10.20, it is possible to operate WAN policy-based NAT.

WAN policy-based NAT allows address translation (masking) of connections based on firewall rules. You can now configure which WAN-IPv4 address assigned by the provider is used to mask internal addresses.

This feature is ideal for scenarios where a provider assigns multiple static IPv4 addresses, e.g. for operating mail servers and web servers with different WAN addresses.


  • The ISP provides the subnet on the WAN side.
  • The address is the network address and is the broadcast address in this subnet, resulting in six usable public addresses, one of which is reserved for the gateway (provider device).

    In this example, the gateway has the public IP address The public IP addresses – can be used freely. Defined for this address range is an IPoE remote site, which is masked.
  • There are three local networks. The local network INTRANET is to be masked behind the IP address, the local network PUBLIC behind the, and the local network FON behind the
  • The “return connection” of the masquerading, i.e. the accessibility of a server from the outside, is realized via one or more port-forwarding entries, which are not a part of this example (see the Knowledgebase document 'Port forwarding: Setting up a web- and ftp-server behind the masked connection of a LANCOM router').


1) Under Firewall/QoS -> IPv4 rules -> Action objects, create a new firewall action object for each of the three public IP addresses.

2) On the Actions tab, set the Packet action to Transmit and then enable Policy-based NAT for each of the public IP addresses.
  • The parameter must be entered as a fixed IP address. Dynamic IP addresses are not supported.
  • NAT is only possible if a WAN interface is involved. NAT is not supported between two LAN interfaces.

3) Under Firewall/QoS -> IPv4 rules -> Station objects, add a new station object for the IP address range of each of the three local networks.

4) You then create a separate firewall rule for each local network and the associated public IP addresses.

This is shown as an example in the following figure for the local network INTRANET and the public IP address

5) The new firewall rules should then appear as follows:

6) Write the configuration back to the LANCOM router.
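
Before writing the configuration back, the planned mapping of local networks to NAT addresses can be checked offline. The following Python sketch is an added example and not part of the LANCOM document: it verifies that every NAT address is a usable fixed address in the provider subnet (not the network, broadcast or gateway address) and shows which address a given internal host would be masked behind. All addresses and the /29 prefix are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (documentation and private ranges), not the
# addresses from the article. A /29 yields six usable host addresses.
WAN_SUBNET = ipaddress.ip_network("203.0.113.0/29")
GATEWAY = ipaddress.ip_address("203.0.113.1")  # assumed provider device

# One entry per firewall rule: local network -> (address range, NAT address)
NAT_PLAN = {
    "INTRANET": ("192.168.1.0/24", "203.0.113.2"),
    "PUBLIC": ("192.168.2.0/24", "203.0.113.3"),
    "FON": ("192.168.3.0/24", "203.0.113.4"),
}

def usable_nat_addresses(subnet, gateway):
    """Host addresses of the WAN subnet, minus the provider gateway."""
    return [h for h in subnet.hosts() if h != gateway]

def validate_plan(plan, subnet, gateway):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    usable = set(usable_nat_addresses(subnet, gateway))
    seen = []
    for name, (lan, nat) in plan.items():
        lan_net = ipaddress.ip_network(lan)
        nat_ip = ipaddress.ip_address(nat)
        if nat_ip not in usable:
            problems.append(f"{name}: {nat_ip} is not a usable address in {subnet}")
        # Overlapping station objects make it ambiguous which rule matches.
        for other_name, other_net in seen:
            if lan_net.overlaps(other_net):
                problems.append(f"{name}: {lan_net} overlaps {other_name}")
        seen.append((name, lan_net))
    return problems

def masked_source(plan, src):
    """NAT address a connection from src would be masked behind, or None."""
    src_ip = ipaddress.ip_address(src)
    for lan, nat in plan.values():
        if src_ip in ipaddress.ip_network(lan):
            return nat
    return None

if __name__ == "__main__":
    print(validate_plan(NAT_PLAN, WAN_SUBNET, GATEWAY) or "plan is consistent")
    print(masked_source(NAT_PLAN, "192.168.2.10"))
```
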

Catchwords: wan; nat; masking; firewall