NAT Variants
When using a separate firewall or security gateway behind a Centro Business, various operating modes are available. Choosing the right mode is crucial for network stability, VPN compatibility, and the use of additional Swisscom services such as blue TV or internet backup.
This guide compares the five available methods: IP Passthrough, PPP Passthrough, DMZ, 1:1 NAT, and Port Forwarding. It serves as a basis for IT specialists to ensure the optimal connection of their own infrastructure to the Swisscom network.
Overview
| Feature | IP Passthrough | PPP Passthrough | DMZ | 1:1 NAT | Port Forwarding |
|---|---|---|---|---|---|
| WAN IP Host | 172.31.255.6 | Public IP | Public IP | Priv. LAN IP | Priv. LAN IP |
| MTU Size | 1500 | 1492 | 1500 | 1500 | 1500 |
| Login (PPPoE) | Centro Business | Own Firewall | Centro Business | Centro Business | Centro Business |
| Centro Business Firewall | Inactive | Inactive | DMZ Firewall | LAN Firewall | LAN Firewall |
| Port Assignment | Port 1*/5** | Port 1*/5** | Port 1*/5** | Any | Any |
| Fixed IPs required | None | Min. 1 Fixed IP | Min. 4 Fixed IPs | Min. 4 Fixed IPs | Min. 4 Fixed IPs |
| Internet Backup | Yes | No | Yes | Yes | Yes |
| Blue TV | Yes | Yes with restrictions*** | Yes | Yes | Yes |
* Centro Business 2.0 / ** Centro Business 3.0
*** Radio and all apps such as Netflix, YouTube, etc. do not work.
IP Passthrough (Swisscom Special Case)
In this mode, the Centro Business terminates the internet connection but passes the traffic through a dedicated transfer network to the downstream firewall.
- Technical Implementation: Swisscom uses a transfer subnet (172.31.255.4/30) for this purpose. The downstream firewall is configured with the static IP 172.31.255.6, while the Centro Business performs an automatic 1:1 NAT of the public IP to this address.
- Advantages: Full support for the standard MTU of 1500. Additionally, all router-based services such as VoIP and blue TV remain fully functional without additional configuration.
- Special Feature: In contrast to standard implementations, the firewall does not see the public IP on the WAN interface, but the IP of the transfer network. This must be considered during VPN configuration (NAT Traversal).
Click here for the IP Passthrough page.
PPP Passthrough (PPPoE)
Announcement
The use of PPP Passthrough will be phased out over the next two to three years, as the PPPoE method is considered obsolete and is increasingly unsupported by modern network infrastructure.
Our Recommendation:
Plan to replace this requirement in the medium term with the DMZ function or IP Passthrough.
In this mode, the Centro Business acts as a transparent mediator for the PPPoE protocol (Point-to-Point Protocol over Ethernet).
- Configuration: The downstream firewall handles the active dial-in to the Swisscom network using the ISP credentials (username/password).
- Advantage: The firewall receives the public IP address directly on its WAN interface, simplifying the management of VPN endpoints and port releases.
- Disadvantage: The usable packet size is reduced to an MTU of 1492 due to protocol overhead. Without correct adjustment (MSS clamping), this can lead to significant performance loss or connection drops.
- Status: This method is considered obsolete and will not be supported in the medium term as part of a phase-out.
Click here for the PPP Passthrough page.
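The NAT Traversal note under IP Passthrough and the MSS clamping note under PPP Passthrough both come down to what the downstream firewall sees on its WAN side. The following is an added example, not Swisscom code: the names `wan_plan` and `mss_clamp` are hypothetical, 203.0.113.10 is a documentation address standing in for a public IP, and the router-side address in the transfer subnet is derived by subnet arithmetic rather than stated on this page.

```python
import ipaddress

# From the page: transfer subnet used by IP Passthrough.
TRANSFER_NET = ipaddress.ip_network("172.31.255.4/30")
# RFC 1918 ranges ("Priv. LAN IP" in the overview table).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP_HDR = 20
IP_HDR = {4: 20, 6: 40}  # minimum header sizes, no options or extension headers


def mss_clamp(mtu: int, ip_version: int = 4) -> int:
    """Largest TCP MSS that still fits into one packet of the given MTU."""
    return mtu - IP_HDR[ip_version] - TCP_HDR


def wan_plan(wan_ip: str, mtu: int = 1500) -> dict:
    """Derive VPN and MSS settings for the firewall from its WAN address and MTU."""
    addr = ipaddress.ip_address(wan_ip)
    # A private WAN address means the Centro Business translates it, so a
    # VPN peer sees a different source IP and NAT traversal must be enabled.
    behind_nat = any(addr in net for net in RFC1918)
    plan = {
        "nat_traversal": behind_nat,
        "mss_v4": mss_clamp(mtu, 4),
        "mss_v6": mss_clamp(mtu, 6),
        "clamp_needed": mtu < 1500,  # only PPP Passthrough (1492) in the table
    }
    if addr in TRANSFER_NET:
        # A /30 has two usable hosts; the one that is not the firewall is
        # assumed to be the Centro Business side (derived, not from the page).
        plan["gateway"] = str(next(h for h in TRANSFER_NET.hosts() if h != addr))
    return plan


if __name__ == "__main__":
    print("IP Passthrough :", wan_plan("172.31.255.6"))
    print("PPP Passthrough:", wan_plan("203.0.113.10", mtu=1492))
```

With PPP Passthrough the clamp values come out 8 bytes below the standard ones, which is the 1500 to 1492 reduction the table lists.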
DMZ / Public Addresses
This mode allows the direct assignment of public IP addresses to internal endpoints without any NAT interference.
- Requirement: Requires the paid "Fixed IP Addresses" option with a subnet of at least 4 static IP addresses (e.g., a /30 network).
- Functionality: A specific device (e.g., server or firewall) is assigned a public IP from the leased subnet. The Centro Business acts as a transparent Layer 3 router for this subnet.
- Security: To protect the internal network, access from the DMZ to the local LAN (default subnet of the router) is blocked by default.
- Advantages: No NAT-related packet conflicts, full MTU of 1500 bytes, and full support for Swisscom Internet Backup (LTE Failover).
Click here for the DMZ (Public Addresses) page.
1:1 NAT (Standard)
1:1 NAT maps an internal, private IP address permanently to an external, public IP address. Unlike conventional port forwarding (PAT), all ports and protocols are passed through transparently.
- Bidirectional Communication: The mapping between the private and public address remains permanent:
  - Inbound: Incoming traffic to the public IP is fully forwarded to the specific internal IP.
  - Outbound: Outgoing traffic from the internal host appears on the internet consistently under the assigned public IP.
Click here for the 1:1 NAT page.
Port Forwarding
Port forwarding is the most common method to make specific services of an internal host (e.g., web server on port 80/443) accessible via the public IP of the Centro Business.
- Functionality: Incoming connection requests to the public IP address of the router are forwarded to a specific internal, private IP address based on a defined port number.
- Security: In contrast to DMZ or Passthrough modes, the Centro Business firewall remains active. Only the explicitly released port is opened; all other traffic to the internal host remains blocked.
- Limitation: Since the public IP address is shared (Port Address Translation - PAT), a specific port (e.g., TCP 443) can only be forwarded to exactly one internal device.
Click here for the Port Forwarding page.
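A planned rule set can be checked against the PAT limitation and the "only explicitly released ports" principle before it is entered on the router. This is an added example, not part of the Centro Business or its configuration format: the `Rule` shape, the function names and the sample rules are constructed, and it goes beyond the page by also handling port ranges.

```python
from collections import namedtuple

# Hypothetical rule shape for this example (not a Centro Business export format).
Rule = namedtuple("Rule", "proto ext_start ext_end target_ip target_port")

# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("tcp", 443, 443, "192.168.1.10", 443),
    Rule("tcp", 443, 443, "192.168.1.20", 443),    # same port, second device
    Rule("tcp", 8000, 8010, "192.168.1.30", 8000),
    Rule("tcp", 8005, 8005, "192.168.1.31", 80),   # falls inside the range above
    Rule("udp", 443, 443, "192.168.1.20", 443),    # other protocol: no clash
]


def find_pat_conflicts(rules):
    """Return rule pairs that claim the same external proto/port for different targets."""
    conflicts = []
    ordered = sorted(rules, key=lambda r: (r.proto, r.ext_start, r.ext_end))
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.proto != a.proto or b.ext_start > a.ext_end:
                break  # sorted input: no later rule can overlap a
            if (a.target_ip, a.target_port) != (b.target_ip, b.target_port):
                conflicts.append((a, b))
    return conflicts


def unapproved_exposure(rules, approved):
    """Return rules that open an external (proto, port) missing from the approved set."""
    return [r for r in rules
            if any((r.proto, p) not in approved
                   for p in range(r.ext_start, r.ext_end + 1))]


if __name__ == "__main__":
    for a, b in find_pat_conflicts(SAMPLE_RULES):
        print(f"conflict on {b.proto}/{b.ext_start}: {a.target_ip} vs {b.target_ip}")
    for r in unapproved_exposure(SAMPLE_RULES, {("tcp", 443), ("udp", 443)}):
        print(f"not approved: {r.proto}/{r.ext_start}-{r.ext_end} -> {r.target_ip}")
```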