NAT for trusted interface

Dear sirs,
We currently have a Firebox M400 which has two external interfaces directed to two separate ADSL services and they provide internet connection to two trusted interfaces via multiWAN and crossed failover configuration.

For the next step in order to replace one of the routers that is downstream on one of the trusted interfaces and has a single IP (e.g., we would need to have NAT in that interface to route traffic to packets coming from three different subnets (e.g.,,

From what I have seen, the Firebox allows NAT to be set up only for external interfaces (I am probably wrong about this, as I am a newbie).

Is there a way to assign NAT to run in this trusted interface, in order to make it work as the old router? The TP-Link router that we want to replace calls this feature 'Multi-nets NAT', but I am not sure which is the correct name.

Thank you!
Best regards,


  • james.carson Moderator, WatchGuard Representative

    You can add or change NAT rules in Network -> NAT. By default they only NAT traffic from RFC1918 addresses (192.168.x.x, 172.16.x.x, 10.x.x.x) to Any-External. You can specify rules for other interfaces and IP ranges here if needed.


    *Make sure that the option to use global NAT settings is enabled in your policies if you change the global NAT settings.

    -James Carson
    WatchGuard Customer Support

  • edited July 2023

    I think that all you need to do on the firewall is to add static routes for subnets behind the new router with the trusted IP addr of the router.
    As a result, the firewall knows how to route traffic to/from the subnets behind the new router.
