Use this article to configure NAT IP policies to apply multiple filtering policies behind a single public IP address.
NAT IPs allow policy segmentation based on the DNSFilter resolver IP address configured on devices. This method supports environments that need different filtering policies for separate internal network segments without requiring multiple public egress IPs.
Important notes
This feature does not apply to networks using Active Directory–based DNS forwarding. Windows DNS Server cannot forward DNS traffic based on internal IP address.
NAT IP policies cannot be used with a Global Policy. They must be standard policies within a single Organization.
NAT IPs are different from LAN Subnets. NAT IPs assign policy based on the DNSFilter resolver IP address configured on the device. LAN Subnets assign policy based on internal IP ranges defined in the dashboard.
What NAT IPs do
DNSFilter’s NAT IPs feature allows up to seven different policies to operate behind a single public egress IP address.
This supports separate filtering and threat protection policies for different segments of the network, such as:
- Guest Wi-Fi
- Server networks
- Staff devices
- Executive devices
Policy assignment is determined by which DNSFilter resolver IP address the device uses when sending DNS queries.
Seven resolver IP address pairs are available. Each pair corresponds to a specific NAT IP policy.
Devices must be configured to use the resolver IP addresses associated with the intended policy.
Create NAT IP policies
- Create a filtering policy
- Navigate to the Settings tab within the policy
- Select one of the available NAT IP address options
Up to seven NAT IP policies can be active.
Do not assign NAT IP policies directly to a Site. Assign the primary Site policy to the network. NAT IP policies are selected by configuring devices to use the associated resolver IP addresses.
Configure NAT IPs on a network
After creating NAT IP policies, configure devices to use the corresponding DNSFilter resolver IP addresses.
DHCP configuration
Configure the DHCP server to assign different DNS resolver IP addresses based on internal network segments.
Example:
- Guest network: 192.168.10.0/24
- Staff network: 192.168.20.0/24
- Executive network: 192.168.30.0/24
Assign the default Site policy to the network. Create separate NAT IP policies for Staff and Executive users. Configure DHCP options for those internal networks to distribute the DNSFilter resolver IPs associated with each NAT IP policy.
Direct assignment
For smaller groups of devices, configure DNS settings directly on the endpoint to use the appropriate NAT IP resolver addresses.
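The following is an added example, not DNSFilter code: it audits the DNS servers observed on devices (from DHCP leases or an endpoint inventory) against the segment plan in the DHCP example above. The resolver addresses are constructed placeholders from documentation ranges, the guest segment is assumed to use the default Site policy's resolvers, and `SEGMENTS`, `audit_device` and `audit` are hypothetical names.

```python
import ipaddress

# Constructed placeholder resolver pairs; substitute the pairs shown in the
# DNSFilter dashboard for the default Site policy and each NAT IP policy.
SEGMENTS = {
    "guest":     ("192.168.10.0/24", {"203.0.113.1", "203.0.113.2"}),    # default Site policy
    "staff":     ("192.168.20.0/24", {"203.0.113.11", "203.0.113.12"}),  # NAT IP policy
    "executive": ("192.168.30.0/24", {"203.0.113.21", "203.0.113.22"}),  # NAT IP policy
}
KNOWN = set().union(*(pair for _, pair in SEGMENTS.values()))

def audit_device(client_ip, dns_servers):
    """Return (segment, status) for one device's observed DNS settings."""
    addr = ipaddress.ip_address(client_ip)
    configured = set(dns_servers)
    for name, (cidr, expected) in SEGMENTS.items():
        if addr not in ipaddress.ip_network(cidr):
            continue
        if not configured:
            return name, "no-dns-configured"
        if configured <= expected:
            return name, "ok"
        stray = configured - expected
        if not stray <= KNOWN:
            # A resolver outside the plan means some queries skip filtering.
            return name, "unfiltered-resolver"
        if configured & expected:
            # Resolvers from two pairs: the applied policy varies per query.
            return name, "mixed-pairs"
        return name, "wrong-policy"
    return None, "unknown-segment"

# Constructed sample observations: (device IP, DNS servers configured on it).
OBSERVED = [
    ("192.168.10.15", ["203.0.113.1", "203.0.113.2"]),
    ("192.168.20.40", ["203.0.113.11", "203.0.113.1"]),
    ("192.168.30.7",  ["203.0.113.11", "203.0.113.12"]),
    ("192.168.20.99", ["203.0.113.11", "192.0.2.53"]),
    ("10.0.0.5",      ["203.0.113.1"]),
]

def audit(observed):
    """Audit every observation; returns (ip, segment, status) tuples."""
    return [(ip, *audit_device(ip, dns)) for ip, dns in observed]

if __name__ == "__main__":
    for ip, segment, status in audit(OBSERVED):
        print(f"{ip:15} {segment or '-':10} {status}")
```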
Test NAT IP configuration
Validate configuration by adding a unique test domain to the Block List of each NAT IP policy.
Confirm that devices assigned to each policy receive the expected block page for the corresponding test domain.