1:1 NAT with IP RANGE

We have 3 Public IP’s on our WAN, and 2 LAN networks.

LAN 1 : [DHCP:]
LAN 2 : [DHCP:]

We have been attempting to configure sNAT so that traffic from each LAN routes follows the route of a specific Public IP. We cannot see IP Ranges in the Local Host dropdown.

How can we configure our sNAT for a Range per IP Alias.

See Image: http://puu.sh/o0N2n/1ffb9792ab.png

HOw many NICs have your NethServer instance? This one is your gateway?
Your WAN has three public ip adress… But it’s 3 phisycal links, or these 3 ip are on 1 link only?

All 3 are on a single NIC. I have the 2 other IPs added as Aliases

Can anyone assist me with this?

EDIT: if you could share more details I’d offer a better solution.

I think you could find all the information you need in the shorewall manual:

Something like:
ethX pu.bl.li.c1
ethX pu.bl.li.c2
where ethX is your wan interface.

When you have a working configuration, I can assist developing a custom template if needed.

P.S. is not a valid rfc1918 address.

1 Like

Our network is setup as follows:

We would like our traffic from eth1 to be via eth0:0, and traffic from eth2 to be via eth0:1.

Ah, you’re right, I should really change that.

I appreciate your help!

I think you can add the two following lines at the top of /etc/shorewall/masq:


Maybe there’s a better syntax, but, please, confirm it’s what you need, then we’ll fix it later.

@filippo_carletti that is exactly what I need, I have added it to the configuration and reloaded/restarted the shorewall service, however when checking my public IP it is still returning the .178. Any ideas?

Thanks again!

Have you put those lines at the top?
Could you post the output of
shorewall show nat


Output: http://puu.sh/o6Yzy/cec4eb8f98.png

Nevermind! It just started working (oddly), i refreshed the public ip check page a few hundred times and it randomly popped up.

You’re the best! Thanks so much!

Great. But wait a minute, we have to “fix” the customization with a custom template (the e-smith way):

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/masq/
echo -e "eth0\neth0" >/etc/e-smith/templates-custom/etc/shorewall/masq/18alias


expand-template /etc/shorewall/masq

and check that the masq file has the same content.


Complete! =D

1 Like

Is there any way to send DNS requests only over .178?

I see the Spec shows for PORT, but I don’t see how to wildcard for address.

dnsmasq supports sending queries with a custom source ip, but nethserver doesn’t allow that particular option.
Again, I’d try the syntax to see if it does what you need, then we can develop an enhancement.

You have to search /etc/dnsmasq.conf for the line:
server= (or your dns server)
and modify it to
Then restart the service:
service dnsmasq restart

Great @Adam_Reed please mark this topic as solved.

Again @filippo_carletti, you are the best! I believe these would be definite feature to add to NethServer.

This was specifically useful for us, as we use OpenDNS for content filtering on our network, and it binds per IP, instead of having to have two accounts now, we were able to send DNS Requests out via that IP and keep a single account for OpenDNS.


1 Like

Creating a custom template to “fix” the source-ip is not as easy as the masq template.
I’m thinking about supporting this feature by default.
Please give me some time to work on this issue.