NAT from trusted to internal

I'm new to WatchGuard and wonder how to forward a request from a trusted interface to an internal IP on another (VLAN) interface.

A branch is connected via MPLS to this trusted interface. If a client on this branch does a DNS request to (internal IP), I want to forward this to (internal IP). SNAT does not seem to be a suitable option, since it only works for external and optional interfaces. I can NOT change the IP that clients behind this trusted interface request (in this case to

Instead I must handle it on our side and forward it to the correct destination. There should be a better option than changing this interface from trusted to optional or external, right?



  • There is a DNS forwarding option - for when the DNS packet goes to a firewall interface IP addr.
    Perhaps this will work for you.

    About DNS Forwarding

  • I tried this but it has no effect; is there any pitfall? The Firebox is not the DHCP server for this interface.

  • No pitfalls. This only affects DNS packets which go to a selected firewall interface IP addr. Nothing else.

    DHCP should have nothing to do with this.
    Is the primary IP addr of this MPLS connection interface?
    If so, and you have set up the DNS forwarding correctly, then the DNS packets coming to that firewall interface should get forwarded to the DNS server IP addr that you specified.

    Since you say that this is not working, you should open a support incident on this to get help from WG in resolving it.

  • No, this MPLS interface has a different IP address on a different subnet. The DNS query just passes this interface but has the destination and should be forwarded to

  • Can also be assigned to the DNS server?

    SNAT can only apply to an IP addr associated with a firewall interface.
    Is an IP addr on a firewall interface?

  • What is ?

    Why can't the devices at the end of the MPLS have the DNS server IP addr being used changed from to ?

  • is not an IP address of a WG interface, but a local DNS server. For this branch, not ...1 should answer DNS queries; ...2 should do this job.

    There are no real technical reasons the devices at the end of the MPLS can't use ...2 directly; the reasons are rather political.

  • I can't think of a solution to your problem via XTM.

    It looks like some DNS servers support views, which allow different answers based on the source IP addr/subnet of the DNS query.
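The "views" idea in the last reply, shown as a BIND 9 named.conf fragment. This is an added example, not posted by anyone in the thread and not WatchGuard configuration: the branch subnet (10.20.0.0/16), the second DNS server address (192.0.2.2), the zone name and the zone file path are all assumptions chosen for illustration. Queries arriving from the branch subnet are matched by the first view and handed to the other internal DNS server, while everyone else is answered from this server's own zone data.

```conf
// named.conf fragment (constructed example; every address below is an assumption)

// Clients arriving over the MPLS link. Assumed subnet, adjust to the real one.
acl "branch-clients" { 10.20.0.0/16; };

// Views are evaluated in order and the first view whose match-clients
// matches the source address wins, so the narrow branch view must come
// before the catch-all view.
view "branch" {
    match-clients { "branch-clients"; };
    recursion yes;

    // Do not answer branch queries here: hand all of them to the other
    // internal DNS server (assumed 192.0.2.2). "forward only" means this
    // view never falls back to resolving on its own.
    forwarders { 192.0.2.2; };
    forward only;
};

view "internal" {
    match-clients { any; };
    recursion yes;

    // Everyone else gets this server's own copy of the zone.
    // Once any view is defined, every zone statement must live inside a
    // view; named refuses to load a zone declared at top level.
    zone "corp.example" {
        type master;
        file "/etc/bind/db.corp.example";
    };
};
```

Check the result with `named-checkconf` before reloading, and verify the split from each side with `dig @<server> host.corp.example` from a branch address and from an internal one. If the requirement is only that certain records differ for the branch rather than that a different server answers, the branch view can instead carry its own `zone` statement pointing at a second zone file, which is what "different answers based on the source subnet" usually means in practice.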
