The following examples demonstrate how to make a host on the internal LAN accessible via two WAN addresses. On the internal LAN the address of the host is 192.168.50.100 and it will be made accessible through the two WAN addresses 198.51.100.5 and 203.0.113.5.
Allow all traffic
Setting the Protocol to ALL will forward all traffic to the LAN host.
Allow specific traffic
By using a combination of the Protocol and WAN Destination Port(s) fields, only specific traffic can be forwarded to the LAN host. In this example the only traffic that will be forwarded is TCP port 80. All other traffic will be blocked by the firewall.
Port translation
Both the WAN Destination Port(s) and LAN Destination Port(s) fields can be used to perform port translation. Traffic destined for the WAN port will be forwarded to the LAN port. In this example a service listening on the 192.168.50.100 host using port 8080 would be accessible via 198.51.100.5 port 80 and 203.0.113.5 port 80.
Condensing entries using aliases
In the previous examples two entries have been used to allow traffic over two WANs. Multiple IP addresses or ports can be combined into an Alias to reduce the number of firewall entries needed. In the following example the two WAN IP addresses have been combined into an alias named wan-ip-group-1. The single rule using this alias is equivalent to the two rules used in the previous examples.
Deny traffic
All inbound traffic is denied by default, so it is not necessary to explicitly deny traffic except where it would be allowed by a following entry. In this example all traffic is forwarded to the LAN host except for TCP port 389. The firewall rules are evaluated from top to bottom, so TCP port 389 is blocked first. All other traffic that has not been previously blocked will then be allowed and forwarded to the LAN host.
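The sketch below is an added example, not the product's own code or configuration format. It models first-match rule evaluation, alias expansion, port translation and default deny, and shows why the deny entry must sit above the ALL entry. The Rule fields and the evaluate() helper are hypothetical names, and using the wan-ip-group-1 alias in the deny example is an assumption.

```python
# Added illustration: a minimal first-match model of the forwarding rules
# described above. Field names and helpers are hypothetical.
from dataclasses import dataclass
from typing import Optional

ALIASES = {"wan-ip-group-1": {"198.51.100.5", "203.0.113.5"}}  # alias from the page

@dataclass
class Rule:
    action: str                      # "allow" (forward) or "deny"
    wan_ip: str                      # literal address or alias name
    protocol: str                    # "TCP", "UDP" or "ALL"
    wan_port: Optional[int]          # None matches any port
    lan_ip: str = "192.168.50.100"   # LAN host from the page
    lan_port: Optional[int] = None   # None keeps the original port

def matches(rule, dst_ip, proto, dst_port):
    addrs = ALIASES.get(rule.wan_ip, {rule.wan_ip})  # expand alias if one exists
    return (dst_ip in addrs
            and rule.protocol in ("ALL", proto)
            and rule.wan_port in (None, dst_port))

def evaluate(rules, dst_ip, proto, dst_port):
    """Return (lan_ip, lan_port) for a forwarded packet, or None if blocked."""
    for rule in rules:  # top to bottom, first match wins
        if matches(rule, dst_ip, proto, dst_port):
            if rule.action == "deny":
                return None
            return (rule.lan_ip, rule.lan_port or dst_port)
    return None  # no entry matched: inbound traffic is denied by default

# Port translation through the alias: WAN port 80 -> LAN port 8080
TRANSLATE = [Rule("allow", "wan-ip-group-1", "TCP", 80, lan_port=8080)]

# Deny example: block TCP 389 first, then forward everything else
DENY_THEN_ALLOW = [
    Rule("deny", "wan-ip-group-1", "TCP", 389),
    Rule("allow", "wan-ip-group-1", "ALL", None),
]

# Same entries in the wrong order: the ALL entry matches first,
# so the deny entry is never reached and TCP 389 is forwarded.
MISORDERED = list(reversed(DENY_THEN_ALLOW))

if __name__ == "__main__":
    print(evaluate(DENY_THEN_ALLOW, "203.0.113.5", "TCP", 389))
    print(evaluate(MISORDERED, "203.0.113.5", "TCP", 389))
```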