NAT Mapping forced to specific outbound WAN

In trying to solve a problem with a nintendo Switch Lite and NAT-PNP / UPnP (see UPnP port forwarders for VLan gateways ) I ended up solving it a using NAT Mapping rule.

However, I was still getting weird behavior, and I realized there’s something unexpected about NAT Mapping.

Here is my setup:

And when using this setup, you can see that outgoing traffic is going out on WAN2:

This is very unexpected to me: Isn’t the entire point of NAT Mapping to lock one device to one IP address?

I solved this by adding a second Outbound Policy rule to force that specific IP address to use only WAN1:

And now it works.

However, this seems weird - why cant I simply disable WAN2 using the NAT Mapping UI? Why do I have to add this second rule?

It seems a simple solution would be to give a “None” option on the popup menu for Outbound connections inside the NAT Mapping UI.

It is normal to do a NAT for all WANs, if you wanted to failover for example. The entire point of NAT mapping is to lock one device to one public IP address, however you have a multi-WAN router that can use multiple public IPs for inside devices. NAT mapping builds a path, outbound policy determines which path to use.


Thanks, I think I now understand the design, but I feel the UI/UX is not optimal.

For example, it would be so much simpler to have the Outgoing section of Outbound Policy mirror the Inbound connection - with a list of every IP for every interface, allowing me to configure it all on one page.

Instead, I have to switch back & forth between two screens, and there is some inconsistency: for example, you’ll notice that on the Outbound policy screen there’s no ability to choose which specific IP address to use.

I’m not sure how this does work - if I use NAT mapping for a specific IP address, and then also set an Outbound Policy as shown, does it lock the outbound connections to that specific IP? Or can it use any IP on that WAN?

Here’s a list of suggestions for NAT Mappings

  1. Have the Outbound section mirror the Inbound section, with checkboxes to set specific IP addresses, including the ability to de-select an entire WAN if desired.
  2. If #1 is not possible, please add some Help info explaining how to set an Outbound policy rule to accomplish this.
  3. Allow me to set a name for each NAT-Mapping setting, like I can already name Outbound Policy rules, Firewall rules, etc.

Thanks for listening!