Bebox1to1nat

From BE Usergroup Technotes

This page is out of date and only applies to the old network! The new "DHCP" static network will be different.


How to 1:1 NAT an external IP with a BeBox

This guide shows you how to set up the BeBox so that you can map one of your external IPs (if you have multiple IPs) to an internal device on your network while leaving the BeBox in routing mode.

Address translation can be set up for incoming traffic, outgoing traffic, or both.

Tested on a 585v7 with firmware 8.2. It should work on others, but the interface name may be different.


This should only work if you have multiple IPs, since it is unlikely that 1:1 NAT would work properly for the first IP (the one you configured via the setup wizard): it would interfere with the NAPT the BeBox does by default on its main external IP.


Adding the Extra IPs to the BeBox

Telnet into the BeBox and run the following commands to add your extra IPs:


ip ipadd intf=Internet addr=94.193.xxx.x2/21 addroute=enabled

ip ipadd intf=Internet addr=94.193.xxx.x3/21 addroute=enabled
:saveall

The /21 is the CIDR notation for the subnet mask 255.255.248.0. If your subnet mask is different, enter the appropriate prefix for yours (http://www.rjsmith.com/CIDR-Table.html).


If you prefer, you can use the command ip menu, which should give you a menu where you can select ipadd and be guided through adding the IPs. You need to enter the IP and subnet and set addroute to enabled.


Mapping the IPs to a Device

We now need to tell the BeBox that we want to send traffic for a given IP to a set destination.


nat mapadd intf=Internet type=nat outside_addr=94.193.xxx.x2 inside_addr=192.168.1.xx mode=auto
:saveall


mode= determines whether the rule is applied to inbound traffic, outbound traffic, or both (auto).


Modify the firewall

If we actually want people in the outside world to connect to the device we've mapped the IP to, the firewall has to let that traffic through.

You can either turn the firewall off (which allows everything through),

or you can add an entry to allow the port through.


NOTE: The firewall filtering happens AFTER the NAT translation, so the destination address in the rule is your machine's INTERNAL IP, not the external IP.


This can be done either through the web UI or via the CLI.


CLI:

You can either run firewall menu to get a menu where you select rule add, or you can do it manually:


:firewall rule add chain=forward_level_Standard index=1 name=allowhttp srcintf=wan dstintf=lan dstip=192.168.1.64 serv=http log=disabled state=enabled action=accept
:saveall


Note: The chain for the default firewall settings is forward_level_Standard. The index will change as you add rules, the name is just a reference, and the service is the port (although you may first need to add it to the services list if it's not there; it may be easier to use the web UI, as it lets you define custom types more easily).
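The whole CLI procedure above, as an added example that is not part of the original page: a small Python generator that turns a subnet mask and a list of mappings into the ipadd, mapadd and firewall commands, with dstip set to the internal address as the NOTE requires. The 203.0.113.x addresses, the 192.168.1.0/24 LAN range, the sequential rule index and the rule names are assumptions made for illustration.

```python
import ipaddress

def prefix_len(netmask):
    """Dotted subnet mask (255.255.248.0) -> CIDR prefix length (21)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen

def build_commands(mappings, netmask, lan="192.168.1.0/24"):
    """mappings: list of (outside_ip, inside_ip, [service names]).
    lan is an assumed LAN range; change it to match your network."""
    prefix = prefix_len(netmask)
    lan_net = ipaddress.IPv4Network(lan)
    cmds, rules, used = [], [], set()
    for outside, inside, services in mappings:
        out_ip = ipaddress.IPv4Address(outside)
        in_ip = ipaddress.IPv4Address(inside)
        if in_ip not in lan_net or out_ip in lan_net:
            raise ValueError(f"{outside} -> {inside}: inside must be on "
                             "the LAN, outside must not be")
        if out_ip in used or in_ip in used:
            raise ValueError(f"{outside} -> {inside}: 1:1 NAT needs each "
                             "address used only once")
        used.update((out_ip, in_ip))
        cmds.append(f"ip ipadd intf=Internet addr={out_ip}/{prefix} "
                    "addroute=enabled")
        cmds.append(f"nat mapadd intf=Internet type=nat "
                    f"outside_addr={out_ip} inside_addr={in_ip} mode=auto")
        for serv in services:
            # Assumption: rules are numbered 1, 2, 3... in the order added.
            index = len(rules) + 1
            # Filtering happens after NAT, so dstip is the INTERNAL address.
            rules.append(
                f":firewall rule add chain=forward_level_Standard "
                f"index={index} name=allow{serv}{index} srcintf=wan "
                f"dstintf=lan dstip={in_ip} serv={serv} log=disabled "
                "state=enabled action=accept")
    return cmds + rules + [":saveall"]

# Constructed sample: the first host accepts inbound http, the second is
# mapped but gets no inbound rule, so the firewall keeps blocking it.
SAMPLE = [("203.0.113.10", "192.168.1.64", ["http"]),
          ("203.0.113.11", "192.168.1.65", [])]

if __name__ == "__main__":
    for line in build_commands(SAMPLE, "255.255.248.0"):
        print(line)
```

Every name passed as a service must already exist in the BeBox services list, as the note above says.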


Web UI:

The web UI will not allow you to modify the standard firewall ruleset, so you need to create a custom one. This is done via toolbox > firewall > configure (click create new security level). You then need to set the firewall to your new level, after which you can use configure to edit the rules.
