SNAT from Trusted

It would be nice to have the ability to create an SNAT action for trusted networks, (or to go one step further, an SNAT action that applies to all interfaces).

I've been playing around with some plans for VLAN segregation and a graylog server lately, and one thing I thought would be clever would be to configure all devices that send logs to use the gateway address as the log server IP, and let the firewall static NAT it to the graylog server wherever it happens to be. That way, the firewall can act as gateway, DNS forwarder (for VLANs with no dedicated DHCP/DNS server), NTP server, and also as a faux target syslog server.

Additionally, since binding to port 514 is a little quirky with graylog due to the way inputs are configured as non-root, an SNAT would allow me to redirect port 514 to the graylog input port for syslog.

So a policy example would be From:"Any-Trusted,Any-Optional" To:"SNAT->Any:514->mylogserver.mydomain.com:1514"


  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Chris_Kelly

    You can do this. See the article here.

    (NAT Loopback and Static NAT (SNAT))

    -James Carson
    WatchGuard Customer Support

  • Options

    Hi James,

    Thanks for that - I use NAT loopback on some SNAT policies already for some internal services that are also internet accessible, but it would be a lot nicer to be able to specify the gateway address rather than a public IP for internal-only services.

    Is there a technical reason that SNAT is not allowed to come from trusted interfaces?


  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Chris,

    You can use SNAT loopback for just trusted.

    The rule would read

    From: Any-Trusted
    To: (SNAT) (external/optional IP or alias -> internal IP)

    If you were using a trused IP, you can alrady access the policy by using that IP, there's no need to use NAT loopback.

    -James Carson
    WatchGuard Customer Support

  • Options
    edited July 2021

    I think one of us is missing something here.

    If I could create an SNAT action that listens on a trusted interface address, i could do something like this:

    Firewall Addresses (mock-ups):

    VLAN (VLAN10)-Trusted:
    VLAN (VLAN11)-Trusted:
    VLAN (VLAN12)-Trusted:
    VLAN (VLAN13)-Optional:

    If I'm configuring a network switch that's in VLAN10, and the syslog server is in VLAN11, I'd like to configure the switch with the following settings:

    syslog: <-- same address as all other services that the firewall either provides directly, or forwards to where it actually lives.

    this scheme would be consistent in all VLANs, where any device would simply use that VLAN's gateway address for syslog, as well as DNS/NTP. E.g. a security camera system in VLAN12 would be configured thusly:


    Correct me if I'm wrong, I currently need to do this for any device in any VLAN:

    ip: 10.0.xx.2
    gateway: 10.0.xx.1
    dns: 10.0.xx.1
    ntp: 10.0.xx.1
    syslog: <--- this is less desirable

  • Options

    currently syslog : needs to be the real IP addr of the syslog server or if using SNAT, the public IP addr that can access the syslog server.

  • Options

    Just to circle back, syslog (for me) is just the flint that sparked the question. I see utility in being able to use the gateway address for lots of things.

    The enhancement request is more generally for SNAT actions that can listen on trusted interface addresses (plus an option to listen on all firebox address).


Sign In to comment.