Configure 1-to-1 NAT on Teltonika RUT241 for PLC and HMI – IoTKinect

RUTX_1-to-1_NAT_Configuration_Guide

This article provides step-by-step instructions for configuring 1-to-1 NAT on Teltonika RUTX routers. This setup allows mapping one external (WAN) IP address to one internal (LAN) IP address—commonly used to expose services (e.g., email servers, PLCs, HMIs) to the Internet while maintaining secure LAN communication.

Firmware Note: This guide is based on firmware version R_00.07.02.1 or newer. For firmware 7.13.1+, additional packages may be required (see below).

Tip: If you can't find certain settings in the WebUI, make sure Advanced Mode is enabled. Click the “Basic” button at the top-right corner of the WebUI to toggle modes.


Prerequisites

  • A Teltonika RUTX series router
  • A LAN device acting as a server or control equipment (e.g., PLC or HMI)
  • A PC or laptop for configuration

Overview of Configuration

This method uses source NAT (SNAT) and destination NAT (DNAT) rules to forward all incoming WAN traffic to a LAN device. It exposes the server (or PLC/HMI) entirely to the WAN, bypassing WAN firewall restrictions, so please ensure that only required ports are open on the internal device(s).


Step 1: Install NAT Extras

From version 7.13.1, support for NETMAP-based NAT rules requires an optional package.

  1. Go to System → Package Manager
  2. Search for and install iptables NAT extras

Step 2: Configure Static IP Addresses

Assign fixed IPs to both the router's WAN and LAN interfaces, as well as to the connected LAN devices. In this specific example, we are using a PLC and HMI connected behind a Teltonika RUT241 router.

Device IP Configuration

  • RUT241 WAN IP: 10.1.100.250
  • RUT241 LAN IP: 192.168.1.1
  • PLC LAN IP: 192.168.1.2
  • HMI LAN IP: 192.168.1.3

Steps:

  1. Navigate to Network → Interfaces
  2. Click Edit next to the WAN interface
  3. Switch from DHCP to Static
  4. Set IP to 10.1.100.250 and netmask to 255.255.255.0
  5. Save & apply the settings

Add Additional WAN Interfaces for NAT Mapping

By default, the RUT241 uses a single WAN IP (e.g., 10.1.100.250). If you need to map multiple LAN devices (such as a PLC and HMI) using 1:1 NAT, you will require additional IPs from the same WAN subnet (10.1.100.0/24). These additional WAN IPs will serve as external identities for internal devices.

Example IP Mapping

  • PLC: 192.168.1.2   ⇄   WAN IP: 10.1.100.2
  • HMI: 192.168.1.3   ⇄   WAN IP: 10.1.100.3
  • Router's default WAN IP: 10.1.100.250

Steps to Add Additional WAN Interfaces

  1. Login to the RUT241 WebUI.
  2. Go to Network → Interfaces.
  3. Click Add new interface.
  4. Set a name (e.g., wan_plc or wan_hmi).
  5. Under Protocol, select Static.
  6. Set the IPv4 address:
    • 10.1.100.2 for PLC mapping
    • 10.1.100.3 for HMI mapping
  7. Leave IPv4 gateway and DNS server empty (optional for NAT-only use).
  8. Click the Physical Settings tab.
  9. Under Interface, select the same physical interface used by the main WAN (e.g., eth0.2).
  10. Click Save & Apply.

Repeat these steps to add both additional WAN IPs:

  • Interface Name: wan_plc, IP: 10.1.100.2
  • Interface Name: wan_hmi, IP: 10.1.100.3

Once configured, these WAN IPs can be used for NETMAP 1:1 NAT mappings, allowing any device in the 10.1.100.0/24 network to access the PLC and HMI via their respective external IPs.


Step 3: Configure 1-to-1 NAT with NETMAP Rules

Now you'll add NETMAP-based custom firewall rules to implement bi-directional 1-to-1 NAT.

Steps:

  1. Navigate to Network → Firewall → Custom Rules
  2. Add the following lines, replacing the IPs as needed for each device:
# Templates (commented out): replace the bracketed placeholders with real IPs
# and remove the leading "# " before using a line.
# Using the PLC as the device in this case:
# iptables -t nat -I PREROUTING -d [PLC'S_WAN_IP] -j NETMAP --to [PLC'S_LAN_IP]
# iptables -t nat -I POSTROUTING -s [PLC'S_LAN_IP] -j NETMAP --to [PLC'S_WAN_IP]

# If you want to access the router from an external IP:
# iptables -t nat -I PREROUTING -d [ROUTER'S_WAN_IP] -j NETMAP --to [ROUTER'S_LAN_IP]
# iptables -t nat -I POSTROUTING -s [ROUTER'S_LAN_IP] -j NETMAP --to [ROUTER'S_WAN_IP]

# PLC mapping: WAN IP to PLC (inbound DNAT, then outbound SNAT)
iptables -t nat -I PREROUTING -d 10.1.100.2 -j NETMAP --to 192.168.1.2
iptables -t nat -I POSTROUTING -s 192.168.1.2 -j NETMAP --to 10.1.100.2

# (Optional) HMI mapping: if you want a second WAN IP to reach the HMI, you'll need another WAN alias or static public IP
# Example:
# iptables -t nat -I PREROUTING -d 10.1.100.3 -j NETMAP --to 192.168.1.3
# iptables -t nat -I POSTROUTING -s 192.168.1.3 -j NETMAP --to 10.1.100.3

Click Save to apply the rules.


Step 4: Apply Firewall Changes via CLI

  1. Go to System → Maintenance → CLI
  2. Login as root using your router credentials
  3. Execute:
/etc/init.d/firewall restart

To verify:

iptables -t nat -L -n -v | grep NETMAP
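
The grep above only confirms that NETMAP rules exist. The following shell function is an added example, not part of the original guide: it reads `iptables -t nat -S` output and lists each WAN-to-LAN mapping, flagging any that is present in only one direction. The function names are hypothetical and the sample rule lines are constructed from this guide's addresses.

```shell
#!/bin/sh
# Added example: audit NETMAP 1-to-1 pairs in `iptables -t nat -S` output.
# audit_netmap and sample_rules are hypothetical helper names.
# Reads rules on stdin, prints one line per mapping, and returns 1 when a
# mapping exists in only one direction.
audit_netmap() {
    awk '
    function host(a) { sub(/\/32$/, "", a); return a }
    {
        chain = ""; src = ""; dst = ""; to = ""; netmap = 0
        for (i = 1; i < NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            if ($i == "-s") src = host($(i + 1))
            if ($i == "-d") dst = host($(i + 1))
            if ($i == "--to") to = host($(i + 1))
            if ($i == "-j" && $(i + 1) == "NETMAP") netmap = 1
        }
        if (!netmap || to == "") next
        # Key both directions as "WAN LAN" so the pair can be compared.
        if (chain == "PREROUTING" && dst != "") dnat[dst " " to] = 1
        if (chain == "POSTROUTING" && src != "") snat[to " " src] = 1
    }
    END {
        bad = 0
        for (k in dnat) {
            split(k, p, " ")
            if (k in snat) print "OK      " p[1] " <-> " p[2]
            else { print "NO-SNAT " p[1] " -> " p[2]; bad = 1 }
        }
        for (k in snat) if (!(k in dnat)) {
            split(k, p, " ")
            print "NO-DNAT " p[2] " -> " p[1]; bad = 1
        }
        exit bad
    }'
}

# Constructed sample: the PLC pair is complete, the HMI has only the inbound rule.
sample_rules() {
    cat <<'EOF'
-A PREROUTING -d 10.1.100.3/32 -j NETMAP --to 192.168.1.3/32
-A PREROUTING -d 10.1.100.2/32 -j NETMAP --to 192.168.1.2/32
-A POSTROUTING -s 192.168.1.2/32 -j NETMAP --to 10.1.100.2/32
-A POSTROUTING -o eth0.2 -j MASQUERADE
EOF
}

# On the router: iptables -t nat -S | audit_netmap
sample_rules | audit_netmap || echo "one-directional mapping found"
```

Every line marked OK is a LAN address reachable on all ports from the WAN side, so the list doubles as an inventory of what this configuration exposes.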

Important Notes

  • This setup bypasses WAN firewall rules.
  • Ensure that PLC and HMI devices are protected with credentials.
  • Note: Ping might not work; instead, test the web interface, SSH, or the required ports.
  • If mapping multiple LAN devices, you need additional WAN IPs or port forwarding instead of 1:1 NETMAP.

Let us know if you're ready to proceed to the next step (e.g., mapping to HMI or using port-based forwarding instead of NETMAP).

