6.6. Choosing the appropriate NAT for your network

So by now you may be thinking "so what kind of NAT do I need?", to which the answer is "it depends."

If you do not make any of your internal servers available to the Internet then you do not need anything more than the default Outgoing NAT. This allows all of the computers on your network to share the single IP address that is assigned by your Internet Service Provider.

If you will be publishing on or more internal servers on the Internet and only have one public IP, the only option is Inbound NAT, since that public IP will be assigned to m0n0wall's WAN interface.

For networks with multiple public IP addresses, the best choice is either 1:1 NAT, or Server and Inbound NAT, or a combination of both. If you have more servers than public IP addresses, you will need to use Server and Inbound NAT, or 1:1 NAT combined with Server and Inbound NAT. If you have sufficient public IP addresses for all of your servers, you should use 1:1 NAT for them all.

Inbound and Server NAT is most suitable when you have more servers than public IP addresses. For example, if you have three servers, one HTTP, one SMTP, and one FTP, and have only two public IP addresses, you must use Server and Inbound NAT. For small deployments, this isn't bad to deal with. As the number of hosts increases, things get far more complicated. You'll end up having to remember things like for public IP address 1.2.3.4, port 80 goes to server A, port 25 goes to server B, port 21 goes to server C, etc.

If you are using software applications that open many rrandom ports to the Internet, such as certain video/voice IP software, you might need to use 1:1 NAT to be sure that whatever port is needed can get through to your computer.

If you can't clearly picture a network in your head while troubleshooting problems, things become much more difficult. With ports going all over the place like this, once you get a number of ports forwarded it's extremely difficult to picture the network in your head. Given the complexity introduced by such a configuration, we recommend having one public IP address per publicly-accessible host.