Port | TCP/UDP | Description |
---|---|---|
1 | TCP | TCP Port Service Multiplexer (TCPMUX) |
20 | TCP | FTP - Data |
21 | TCP | FTP - Control |
22 | TCP | SSH Remote Login Protocol |
23 | TCP | Telnet |
25 | TCP | Simple Mail Transfer Protocol (SMTP) |
42 | UDP | Host Name Server (Nameserv) |
43 | TCP | WhoIs |
53 | TCP/UDP | Domain Name System (DNS) |
67 | UDP | BOOTP/DHCP server |
68 | UDP | BOOTP/DHCP client |
69 | UDP | Trivial File Transfer Protocol (TFTP) |
79 | TCP | Finger |
80 | TCP | HTTP |
110 | TCP | POP3 |
119 | TCP | Newsgroup (NNTP) |
123 | UDP | Network Time Protocol (NTP) |
135 | TCP/UDP | RPC Locator service |
137 | TCP/UDP | NetBIOS Name Service |
138 | UDP | NetBIOS Datagram Service |
139 | TCP | NetBIOS Session Service (SMB over NetBIOS) |
143 | TCP | Internet Message Access Protocol (IMAP) |
161 | UDP | SNMP |
179 | TCP | Border Gateway Protocol (BGP) |
389 | TCP/UDP | Lightweight Directory Access Protocol (LDAP) |
443 | TCP | HTTPS |
445 | TCP | Microsoft-DS (SMB directly over TCP) |
636 | TCP | LDAP over TLS/SSL (LDAPS) |
953 | TCP | BIND remote name daemon control (rndc) |
990 | TCP | FTP over TLS/SSL (FTPS) |
995 | TCP | POP3 over TLS/SSL (POP3S) |
Label | Description |
---|---|
Use Static-Dynamic Route to Control 1-1 NAT Route | If you are using SiteToSite VPN and 1-1 SNAT, it is recommended that you select this check box. Otherwise, you need to create policy route rules for VPN and Destination NAT traffic. Note that selecting this check box changes the priority of the routing flow (SiteToSite VPN, then Static-Dynamic Route, then 1-1 SNAT). See the routing flow section for more information. |
Add | Click this to create a new entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Move | To change a rule’s position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. |
# | This field is a sequential value, and it is not associated with a specific entry. |
Status | This icon is lit when the entry is active and dimmed when the entry is inactive. |
Priority | This field displays the priority for the entry. The smaller the number, the higher the priority. |
Name | This field displays the name of the entry. |
Mapping Type | This field displays what kind of NAT this entry performs: Virtual Server, 1:1 NAT, or Many 1:1 NAT. |
Interface | This field displays the interface on which packets for the NAT entry are received. |
Source IP | This field displays the source IP address (or address object) of traffic that matches this NAT entry. It displays any if there is no restriction on the source IP address. |
External IP | This field displays the original destination IP address (or address object) of traffic that matches this NAT entry. It displays any if there is no restriction on the original destination IP address. |
Internal IP | This field displays the new destination IP address for the packet. |
Protocol | This field displays the service used by the packets for this NAT entry. It displays any if there is no restriction on the services. |
External Port | This field displays the original destination port(s) of packets for the NAT entry. This field is blank if there is no restriction on the original destination port. |
Internal Port | This field displays the new destination port(s) for the packet. This field is blank if the rule does not translate the destination port (Port Mapping Type is Any). |
Apply | Click this button to save your changes to the Zyxel Device. |
Reset | Click this button to return the screen to its last-saved settings. |
Label | Description |
---|---|
Create new Object | Use to configure any new settings objects that you need to use in this screen. |
Enable Rule | Use this option to turn the NAT rule on or off. |
Rule Name | Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. |
Classification | Select what kind of NAT this rule is to perform. • Virtual Server - This makes computers on a private network behind the Zyxel Device available to a public network outside the Zyxel Device (like the Internet). Inbound traffic to the External IP is forwarded to the Internal IP; the server's own outgoing sessions are not translated by this rule. • 1:1 NAT - If the private network server will initiate sessions to the outside clients, select this to have the Zyxel Device translate the source IP address of the server's outgoing traffic to the same public IP address that the outside clients use to access the server. • Many 1:1 NAT - If you have a range of private network servers that will initiate sessions to the outside clients and a range of public IP addresses, select this to have the Zyxel Device translate the source IP address of each server's outgoing traffic to the corresponding one of the public IP addresses that the outside clients use to access that server. The private and public ranges must have the same number of IP addresses. One Many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration effort since you only create one rule. |
Incoming Interface | Select the interface on which packets for the NAT rule must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface. |
Source IP | Specify the source IP address of the packets received by this NAT rule's specified incoming interface. any - Select this to apply the rule regardless of the source IP address. User Defined - Select this to manually enter an IP address in the User Defined field. For example, you could enter a static IP address. Host address - select an address object to use the IP address it specifies. Restricting the source to the addresses that actually need access is the simplest way to narrow exposure of the forwarded service. |
External IP | Specify the destination IP address of the packets received by this NAT rule's specified incoming interface. The specified IP address will be translated to the Internal IP address. any - Select this to use all of the incoming interface's IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface. User Defined - Select this to manually enter an IP address in the User Defined field. For example, you could enter a static public IP assigned by the ISP without having to create a virtual interface for it. Host address - select a host address object to use the IP address it specifies. The list also includes address objects based on interface IPs, so for example you could select an address object based on a WAN interface even if it has a dynamic IP address. |
User Defined External IP | This field is available if External IP is User Defined. Type the destination IP address that this NAT rule supports. |
External IP Subnet/Range | This field displays for Many 1:1 NAT. Select the destination IP address subnet or IP address range that this NAT rule supports. The original and mapped IP address subnets or ranges must have the same number of IP addresses. |
Internal IP | Select to which translated destination IP address this NAT rule forwards packets. User Defined - this NAT rule supports a specific IP address, specified in the User Defined field. HOST address - the drop-down box lists all the HOST address objects in the Zyxel Device. If you select one of them, this NAT rule supports the IP address specified by the address object. |
User Defined Internal IP | This field is available if Internal IP is User Defined. Type the translated destination IP address that this NAT rule supports. |
Internal IP Subnet/Range | This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses. |
Port Mapping Type | Use the drop-down list box to select how many original destination ports this NAT rule supports for the selected destination IP address (External IP). Choices are: • Any - this NAT rule supports all the destination ports. • Port - this NAT rule supports one destination port. • Ports - this NAT rule supports a range of destination ports. You might use a range of destination ports for unknown services or when one server supports more than one service. • Service - this NAT rule supports a service such as FTP (see Object > Service > Service). • Service-Group - this NAT rule supports a group of services such as all service objects related to DNS (see Object > Service > Service Group). Prefer Port or Service over Any or a wide range: a rule that forwards every port exposes every service on the internal host, not just the one you intended. |
Protocol Type | This field is available if Port Mapping Type is Port or Ports. Select the protocol (TCP, UDP, or Any) used by the service requesting the connection. |
External Port | This field is available if Mapping Type is Port. Enter the external destination port this NAT rule supports. |
Internal Port | This field is available if Mapping Type is Port. Enter the translated destination port if this NAT rule forwards the packet. |
External Start Port | This field is available if Mapping Type is Ports. Enter the beginning of the range of original destination ports this NAT rule supports. |
External End Port | This field is available if Mapping Type is Ports. Enter the end of the range of original destination ports this NAT rule supports. |
Internal Start Port | This field is available if Mapping Type is Ports. Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet. |
Internal End Port | This field is available if Mapping Type is Ports. Enter the end of the range of translated destination ports if this NAT rule forwards the packet. The original port range and the mapped port range must be the same size. |
Enable NAT Loopback | Enable NAT loopback to allow users connected to any interface (instead of just the specified Incoming Interface) to use the NAT rule’s specified External IP address to access the Internal IP device. For users connected to the same interface as the Internal IP device, the Zyxel Device uses that interface’s IP address as the source address for the traffic it sends from the users to the Internal IP device. For example, if you configure a NAT rule to forward traffic from the WAN to a LAN server, enabling NAT loopback allows users connected to other interfaces to also access the server. For LAN users, the Zyxel Device uses the LAN interface’s IP address as the source address for the traffic it sends to the LAN server. If you do not enable NAT loopback, this NAT rule only applies to packets received on the rule’s specified incoming interface. |
Security Policy | By default the security policy blocks incoming connections from external addresses, so a NAT rule on its own does not expose the server. After you configure your NAT rule settings, click the Security Policy link to configure a security policy that allows the NAT rule's traffic to come in. The Zyxel Device applies NAT rules before To-Zyxel Device security policies, so To-Zyxel Device security policies do not apply to traffic that is forwarded by NAT rules. The Zyxel Device still checks the other security policies, matching on the source IP address and the mapped (internal) IP address, so write the allow policy for the internal address and only for the service the rule maps, not for any service. |
OK | Click OK to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to return to the NAT summary screen without creating the NAT rule (if it is new) or saving any changes (if it already exists). |
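The fields above define how a rule matches (Incoming Interface, External IP, Protocol, External Port), how a port range is mapped, what 1:1 NAT does to the server's own outgoing sessions, and what NAT loopback does for clients on other interfaces. The following Python model is an added example, not Zyxel's code and not the device's implementation; it only shows how those documented behaviours combine. The interface names (wan1, lan1), the device's interface addresses and every packet address are constructed for the example.

```python
"""Model of the NAT rule semantics from the table above.

Added example, not Zyxel code. Interface names and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed: the device's own address on each interface, used for loopback hairpins.
IFACE_IPS: Dict[str, str] = {"wan1": "203.0.113.10", "lan1": "192.168.1.1"}


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


def ranges_same_size(ext: Tuple[int, int], internal: Tuple[int, int]) -> bool:
    """Original and mapped port ranges must be the same size (and not reversed)."""
    return ext[1] >= ext[0] and (ext[1] - ext[0]) == (internal[1] - internal[0])


@dataclass
class NatRule:
    name: str
    classification: str           # "virtual_server" or "1:1"
    incoming_iface: str           # Incoming Interface
    external_ip: str              # External IP (original destination)
    internal_ip: str              # Internal IP (translated destination)
    internal_iface: str           # interface the internal host sits behind (for loopback)
    port_type: str = "any"        # Port Mapping Type: "any", "port" or "ports"
    protocol: str = "any"         # Protocol Type: "tcp", "udp" or "any"
    ext_ports: Tuple[int, int] = (0, 0)   # External (Start, End) Port
    int_ports: Tuple[int, int] = (0, 0)   # Internal (Start, End) Port
    nat_loopback: bool = False

    def __post_init__(self) -> None:
        if self.port_type == "port":
            # A single port is a one-element range; reuse the range logic.
            self.ext_ports = (self.ext_ports[0], self.ext_ports[0])
            self.int_ports = (self.int_ports[0], self.int_ports[0])
        if self.port_type != "any" and not ranges_same_size(self.ext_ports, self.int_ports):
            raise ValueError(f"{self.name}: external and internal port ranges must be the same size")

    def matches(self, pkt: Packet) -> bool:
        """Inbound match on interface, External IP, Protocol and External Port."""
        if pkt.dst_ip != self.external_ip:
            return False
        # Without NAT loopback the rule only sees packets on its incoming interface.
        if pkt.in_iface != self.incoming_iface and not self.nat_loopback:
            return False
        if self.protocol != "any" and pkt.proto != self.protocol:
            return False
        if self.port_type != "any":
            lo, hi = self.ext_ports
            if not lo <= pkt.dst_port <= hi:
                return False
        return True

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a matching packet (and the source for a hairpin)."""
        if not self.matches(pkt):
            return None
        new_port = pkt.dst_port
        if self.port_type != "any":
            # Ranges map position for position: External Start + k -> Internal Start + k.
            new_port = self.int_ports[0] + (pkt.dst_port - self.ext_ports[0])
        new_src = pkt.src_ip
        if self.nat_loopback and pkt.in_iface == self.internal_iface:
            # Client and server share an interface: the source becomes that interface's
            # IP so the server replies through the device instead of directly to the client.
            new_src = IFACE_IPS[self.internal_iface]
        return Packet(pkt.in_iface, new_src, self.internal_ip, pkt.proto, new_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """1:1 NAT also rewrites the source of sessions the server itself initiates;
        a Virtual Server rule leaves the server's own outgoing traffic untouched."""
        if self.classification == "1:1" and pkt.src_ip == self.internal_ip:
            return Packet(pkt.in_iface, self.external_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)
        return pkt


def demo() -> Dict[str, Optional[Packet]]:
    """Constructed rules and packets exercising each behaviour."""
    web = NatRule("web", "virtual_server", "wan1", "203.0.113.10", "192.168.1.20", "lan1",
                  port_type="ports", protocol="tcp", ext_ports=(8080, 8089),
                  int_ports=(80, 89), nat_loopback=True)
    mail = NatRule("mail", "1:1", "wan1", "203.0.113.11", "192.168.1.25", "lan1")
    return {
        "from_internet": web.translate_inbound(Packet("wan1", "198.51.100.7", "203.0.113.10", "tcp", 8083)),
        "hairpin": web.translate_inbound(Packet("lan1", "192.168.1.50", "203.0.113.10", "tcp", 8080)),
        "outside_range": web.translate_inbound(Packet("wan1", "198.51.100.7", "203.0.113.10", "tcp", 8090)),
        "mail_outbound": mail.translate_outbound(Packet("lan1", "192.168.1.25", "198.51.100.9", "tcp", 25)),
        "web_outbound": web.translate_outbound(Packet("lan1", "192.168.1.20", "198.51.100.9", "tcp", 443)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:14} -> {result}")
```

The model deliberately refuses a rule whose external and internal port ranges differ in size, which is the same constraint the Internal End Port field states; it also shows why the "hairpin" source rewrite matters: without it the LAN server would answer the LAN client directly with its private address as source, and the client, which sent to the public address, would drop the reply.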
Parameter | Model | Limit |
---|---|---|
Maximum Number of Load Balancing Rules per Zyxel Device | VPN50, USG FLEX 100, USG FLEX 100W, ATP100, ATP100W | 5 |
Maximum Number of Load Balancing Rules per Zyxel Device | VPN100, USG FLEX 200, ATP200 | 10 |
Maximum Number of Load Balancing Rules per Zyxel Device | VPN300, USG FLEX 500, ATP500, USG FLEX 700, ATP700, ATP800, VPN1000 | 20 |
Maximum Number of Real Servers Per Load Balancing Rule | All of the above models | 4 |
Algorithm | Description |
---|---|
Round-Robin | The Zyxel Device assigns servers in the reverse order they were added to the rule (Last In First Out). All servers are considered equal, regardless of their weight and current number of connections. For example, if you have three servers, A, B, C and nine requests, the servers are assigned in the following order: CBACBACBA. |
Weighted Round-Robin | The Zyxel Device assigns servers based on a user-specified weight. Servers with a higher weight are assigned before servers with a lower weight. Each time a server is assigned a request, the server's weight decreases by one point until it finishes processing the request. The Zyxel Device assigns servers with equal weight in the reverse order they were added to the rule (Last In First Out). Servers with zero connections are given priority over all other servers, regardless of weight. For example, if you have three servers A, B, C with weights 4, 3, 2 and nine requests that all remain in progress, the servers are assigned in the following order: CBAABACBA. The remaining weights after each assignment are: • C (Weights: A4, B3, C1) • CB (Weights: A4, B2, C1) • CBA (Weights: A3, B2, C1) • CBAA (Weights: A2, B2, C1) • CBAAB (Weights: A2, B1, C1) • CBAABA (Weights: A1, B1, C1) • CBAABAC (Weights: A1, B1, C0) • CBAABACB (Weights: A1, B0, C0) • CBAABACBA (Weights: A0, B0, C0) |
Least-Connection | The Zyxel Device assigns the server with the least number of current connections. |
Source Hashing | The Zyxel Device assigns a server by checking a static hash table, which permanently maps each client IP address to a specific real server. Servers are mapped to new client IP addresses in the reverse order the servers were added to the rule (Last In First Out). Each server is added N times during each sequence, where N is equal to the server's weight. For example, if you have two servers A and B, with weights 1 and 2, the servers are mapped to new client IP addresses in the hash table in the following order: • Source_IP_Hash1 = Server B • Source_IP_Hash2 = Server B • Source_IP_Hash3 = Server A • Source_IP_Hash4 = Server B • Source_IP_Hash5 = Server B • Source_IP_Hash6 = Server A |
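The four algorithms in the table are small enough to simulate exactly, which is a useful way to check that a configured weighting produces the distribution you expect before putting servers behind it. The Python below is an added example, not Zyxel's code; it models the rules as the table states them and reproduces the table's own traces. It assumes that every assigned request stays in flight for the whole run (so weights only decrease, as in the table's worked example) and, for Source Hashing, it uses SHA-256 of the client IP to pick a slot because the device's actual hash function is not documented on this page.

```python
"""Simulation of the load balancing algorithms as the table above describes them.

Added example, not Zyxel code. Assumes all requests stay in flight; the source hash
function (SHA-256 of the client IP) is an assumption, not the device's real hash."""
import hashlib
from typing import Dict, List


def round_robin(servers: List[str], requests: int) -> str:
    """Last In First Out: cycle through the servers in reverse order of addition."""
    order = list(reversed(servers))
    return "".join(order[i % len(order)] for i in range(requests))


def weighted_round_robin(servers: List[str], weights: List[int], requests: int) -> str:
    """Zero-connection servers first (LIFO among them), then highest remaining weight,
    LIFO on ties. Each assignment costs the chosen server one weight point."""
    weight = dict(zip(servers, weights))
    conns = {s: 0 for s in servers}
    order: List[str] = []
    for _ in range(requests):
        # max() keeps the first maximal element, so iterating in reverse gives LIFO ties.
        chosen = max(reversed(servers),
                     key=lambda s: (conns[s] == 0, 0 if conns[s] == 0 else weight[s]))
        order.append(chosen)
        conns[chosen] += 1
        weight[chosen] -= 1
    return "".join(order)


def least_connection(servers: List[str], conns: Dict[str, int]) -> str:
    """Fewest current connections wins; ties resolve LIFO like the other algorithms."""
    return min(reversed(servers), key=lambda s: conns.get(s, 0))


def source_hash_sequence(servers: List[str], weights: List[int]) -> List[str]:
    """The slot sequence behind the static table: LIFO, each server repeated weight times."""
    return [s for s, w in zip(reversed(servers), reversed(weights)) for _ in range(w)]


def source_hash_table(servers: List[str], weights: List[int], slots: int) -> Dict[str, str]:
    """Fill `slots` hash entries from the sequence, wrapping round as the table does."""
    seq = source_hash_sequence(servers, weights)
    return {f"Source_IP_Hash{i + 1}": seq[i % len(seq)] for i in range(slots)}


def server_for_client(client_ip: str, servers: List[str], weights: List[int]) -> str:
    """Assumed hash: the same client IP always lands in the same slot, hence the same
    real server, which is what makes the mapping 'permanent'."""
    seq = source_hash_sequence(servers, weights)
    digest = hashlib.sha256(client_ip.encode()).digest()
    return seq[int.from_bytes(digest[:4], "big") % len(seq)]


if __name__ == "__main__":
    print("round robin      ", round_robin(["A", "B", "C"], 9))
    print("weighted RR      ", weighted_round_robin(["A", "B", "C"], [4, 3, 2], 9))
    print("least connection ", least_connection(["A", "B", "C"], {"A": 2, "B": 0, "C": 1}))
    print("source hash table", source_hash_table(["A", "B"], [1, 2], 6))
    print("client 198.51.100.7 ->", server_for_client("198.51.100.7", ["A", "B"], [1, 2]))
```

Two things the simulation makes visible that the prose does not: a heavily weighted server still does not receive the first request (zero-connection servers win first, in LIFO order), and Source Hashing gives a fixed server per client IP, so one client behind a large NAT, or a single abusive source, is pinned to one real server rather than spread across the pool.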
Label | Description |
---|---|
Add | Click this to create a new entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
# | This field is a sequential value, and it is not associated with a specific entry. |
Status | This icon is lit when the entry is active and dimmed when the entry is inactive. |
Health Status | This field displays whether the real server is reachable for a particular service. |
Name | This field displays the name of the entry. |
External IP | This field displays the external destination IP address (or address object) of traffic that matches this entry. |
Protocol | This field displays the protocol used by the packets for this entry. |
External Port | This field displays the external destination port(s) of packets for the entry. |
Load Balancing Algorithm | This field displays the load balancing algorithm for the entry. See Virtual Server Load Balancing Algorithms for more information on load balancing algorithm. |
Virtual Server(s) | This displays the number of real servers. Hover the mouse over the field to see each real server's IP address. |
Apply | Click this button to save your changes to the Zyxel Device. |
Reset | Click this button to return the screen to its last-saved settings. |
Label | Description |
---|---|
General Settings | |
Create new Object | Use to configure any new settings objects that you need to use in this screen. |
Enable Rule | Use this option to turn the virtual server load balancer rule on or off. |
Rule Name | Type in the name of the virtual server load balancer rule. The name is used to refer to the virtual server load balancer rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. |
Virtual Server Rule | |
Incoming Interface | Select the interface on which packets from the client to the virtual server load balancer rule must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface. |
External IP | This is the IP address of the virtual server. It may be different from the incoming interface IP address. Select a Host, Interface IP or Interface Gateway object already configured in Object > Address/Geo IP > Address > IPv4 Address, or enter a User Defined IPv4 address for the virtual server. |
User Defined External IP | This field is available if External IP is User Defined. Type the IPv4 address of the virtual server. |
Port Mapping Type | Use the drop-down list box to select how many external destination ports this virtual server load balancer rule supports for the selected destination IP address (External IP). Choices are: • Service - this rule supports a service such as FTP (see Object > Service > Service). For this type, select the service in External Service. • Port - this rule supports one destination port. For this type, fill in Protocol Type (TCP or UDP) and External Port (the port number for this rule). The service or port you select automatically sets Healthy Check Method as follows: • HTTP Request: 80, 8080 • HTTPS Request: 443 • SMTP Helo: 25 • DNS Query: 53 (TCP/UDP) • Otherwise TCP if the protocol is TCP, PING if the protocol is UDP. You can still change the Healthy Check Method in the next field. |
Healthy Check Method | Use this to periodically check whether each real server is still online. The Zyxel Device periodically sends a request to each real server; the request confirms that the server is reachable and, depending on the method, that a specific service on it is running. Use the drop-down list box to set the type of status request to send to each real server. For example, select HTTP and the Zyxel Device periodically sends an HTTP request to each real server, confirming that the server is available and that its HTTP service is running. • HTTP: Web service • HTTPS: Secure web service • TCP: the server accepts TCP connections on the service port • SMTP: Mail service • DNS: Domain Name System service • PING: the server answers ICMP echo requests; this shows the host is reachable but says nothing about the service |
PING | • Check Period - Sets the health check time interval, in seconds. The default is 60. • Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5. • Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1. |
HTTP Request | • Path - Sets the URL path to request when the health check type is set to HTTP. • Host - Sets the host name to send with the request (for an HTTPS check the same name is also sent as the Server Name Indication, SNI). • Enable Hash Check - Enables or disables auto-hashing. When enabled, the Zyxel Device sends an HTTP request to each real server, and then calculates and stores the MD5 checksum of the returned webpage. The Zyxel Device uses this checksum to verify that each later HTTP health check request returns the same webpage, and not an error page. The checksum is learned from whatever the server returns at that moment, so enable it only while the server is known to be serving the correct page, and re-enable it after the page changes. • Status Code - Sets which status code indicates a successful reply. The default value is the range 200-299. • Check Period - Sets the health check time interval, in seconds. The default is 60. • Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5. • Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1. |
HTTPS Request | • Path - Sets the URL path to request when the health check type is set to HTTPS. • Host - Sets the Server Name Indication (SNI) to send to the real server. A client sends an SNI when it starts an HTTPS session; it lets one IP address and port serve several certificates, selected by the name the client sends, so send the name the server's certificate is issued for. • Enable Hash Check - Enables or disables auto-hashing. When enabled, the Zyxel Device sends an HTTPS request to each real server, and then calculates and stores the MD5 checksum of the returned webpage. The Zyxel Device uses this checksum to verify that each later HTTPS health check request returns the same webpage, and not an error page. As with HTTP, learn the checksum only while the server is serving the correct page. • Status Code - Sets which status code indicates a successful reply. The default value is the range 200-299. • Enable SNI - Enables or disables sending the Server Name Indication as part of the health check request. • Check Period - Sets the health check time interval, in seconds. The default is 60. • Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5. • Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1. |
SMTP Helo | • Helo Name - Sets the HELO string to send to the real server when the health check type is set to SMTP. Typically, the HELO string should contain the fully qualified domain name (FQDN) of the mail server. • Check Period - Sets the health check time interval, in seconds. The default is 60. • Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5. • Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1. |
DNS Query | • Query - Sets the fully qualified domain name (FQDN) to send to the real server when the health check type is set to DNS. • Check Period - Sets the health check time interval, in seconds. The default is 60. • Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5. • Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1. |
TCP Connection | • Check Period - Sets the health check time interval, in seconds. The default is 60. • Connect Timeout - Sets the period of time in seconds that the Zyxel Device waits after sending a health check request before marking the health check as failed. The default is 5. • Retry - Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1. |
Load Balancing Algorithm | Sets the load balancing algorithm for this rule. For information about each algorithm, see Virtual Server Load Balancing Algorithms. |
Persistence Timeout | Sets how long a client/server session with no activity stays open. Timeout is measured in seconds, and the default value is 360. Multiple requests from a client within a short time period are directed to the same real server, as part of a persistent client/server session. If there are no incoming requests from a client within the specified timeout period, then the persistent client/server session is closed. Further requests from the client might be assigned to a different real server, determined by the load balancing algorithm. |
Real Server | |
Add | Click this to create a new entry. |
Edit | Double-click an entry or select it and click Edit to modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
# | This field is a sequential value, and it is not associated with a specific entry. |
Server IP | This field displays the IPv4 address of a server on the LAN. |
Port | This field displays the External Port or the port based on the External Service selected above. You may change the port here. |
Weight | The weight represents the processing power of this server compared to other servers. A server with a weight of 2 is considered to be able to handle two times more requests than a server with a weight of 1. See Virtual Server Load Balancing Algorithms for more information on weight in each load balancing algorithm. |
OK | Click OK to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to return to the Virtual Server Load Balancer summary screen without creating the virtual server load balancer rule (if it is new) or saving any changes (if it already exists). |
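The HTTP Request parameters above (Path, Host, Status Code, Enable Hash Check, Connect Timeout, Retry) together amount to a small decision procedure: a server is healthy if, within the request plus Retry resends, one reply arrives inside Connect Timeout, carries an accepted status code and, when hash checking is on, hashes to the baseline. The Python below is an added example, not the Zyxel implementation: it runs a plain-HTTP version of that check against a constructed local backend (the /health and /broken pages and their contents are made up) and shows why a hash baseline must be learned from a known-good page. It does not model Check Period scheduling or TLS/SNI.

```python
"""Added example: HTTP health check with status range, optional MD5 hash check,
connect timeout and retry, run against a constructed local server. Not Zyxel code."""
import hashlib
import http.server
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HttpCheck:
    path: str = "/"
    host: Optional[str] = None          # Host header; for HTTPS this would also be the SNI
    status_ok: range = range(200, 300)  # Status Code default "200-299"
    connect_timeout: float = 5.0        # Connect Timeout default
    retry: int = 1                      # Retry default
    expected_md5: Optional[str] = None  # set by learn_hash() when hash check is enabled

    def fetch(self, base_url: str) -> Tuple[Optional[int], bytes]:
        headers = {"Host": self.host} if self.host else {}
        req = urllib.request.Request(base_url + self.path, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=self.connect_timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:      # a non-2xx reply still counts as an answer
            return err.code, err.read()
        except (urllib.error.URLError, OSError):     # refused, timed out, unreachable
            return None, b""

    def learn_hash(self, base_url: str) -> Optional[str]:
        """Enable Hash Check: store the MD5 of whatever the server returns right now,
        so only do this while the server is known to be serving the correct page."""
        status, body = self.fetch(base_url)
        if status in self.status_ok:
            self.expected_md5 = hashlib.md5(body).hexdigest()
        return self.expected_md5

    def probe_once(self, base_url: str) -> bool:
        status, body = self.fetch(base_url)
        if status not in self.status_ok:
            return False
        if self.expected_md5 and hashlib.md5(body).hexdigest() != self.expected_md5:
            return False   # reachable, but not the page we baselined (e.g. an error page)
        return True

    def is_healthy(self, base_url: str) -> bool:
        """One health-check round: the request plus `retry` resends before marking it down."""
        return any(self.probe_once(base_url) for _ in range(1 + self.retry))


class _ConstructedHandler(http.server.BaseHTTPRequestHandler):
    """Constructed backend: one good page and one that answers with a 500."""
    PAGES = {"/health": (200, b"service up\n"), "/broken": (500, b"internal error\n")}

    def do_GET(self) -> None:
        code, body = self.PAGES.get(self.path, (404, b"not found\n"))
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:   # keep the example quiet
        pass


def start_backend() -> Tuple[http.server.ThreadingHTTPServer, str]:
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _ConstructedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo() -> Dict[str, bool]:
    """Run the check against the constructed backend in four states."""
    srv, base = start_backend()
    try:
        baseline = HttpCheck(path="/health")
        baseline.learn_hash(base)              # hash learned while the page is known good
        drifted = HttpCheck(path="/health",
                            expected_md5=hashlib.md5(b"some other page\n").hexdigest())
        return {
            "up": baseline.is_healthy(base),
            "error_page": HttpCheck(path="/broken").is_healthy(base),
            "hash_mismatch": drifted.is_healthy(base),
            "no_listener": HttpCheck(path="/health", connect_timeout=0.5).is_healthy("http://127.0.0.1:9"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for state, healthy in demo().items():
        print(f"{state:14} healthy={healthy}")
```

The MD5 in the hash check is there to notice a changed page, not to authenticate the server; anyone who can answer the probe can also produce the expected bytes, so it does not replace TLS certificate validation on the HTTPS check. Note also that with Retry set to 1 a single failed reply is tolerated, so a flapping backend can stay "healthy" for a full Check Period longer than you might expect.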