
NAT variants

When using your own firewall or a security gateway behind a Swisscom Centro Business, various operating modes are available. Choosing the right mode is crucial for network stability, VPN compatibility, and the use of additional Swisscom services such as blue TV or internet backup.

This guide compares the five available methods: IP-Passthrough, PPP-Passthrough, DMZ, 1:1 NAT, and Port Forwarding. It serves as a decision-making basis for IT specialists to ensure the optimal connection of their own infrastructure to the Swisscom network.


Overview

| Feature | IP-Passthrough | PPP-Passthrough | DMZ | 1:1 NAT | Port Forwarding |
|---|---|---|---|---|---|
| WAN-IP Host | 172.31.255.6 | Public IP | Public IP | priv. LAN IP | priv. LAN IP |
| MTU Size | 1500 | 1492 | 1500 | 1500 | 1500 |
| Login (PPPoE) | Centro Business | Own Firewall | Centro Business | Centro Business | Centro Business |
| Centro Business Firewall | Inactive | Inactive | DMZ Firewall | LAN Firewall | LAN Firewall |
| Port assignment | Port 1*/5** | Port 1*/5** | Port 1*/5** | Any | Any |
| Number of fixed IPs required | none | min. 1 Fixed IP | min. 4 Fixed IP | min. 4 Fixed IP | min. 4 Fixed IP |
| Internet Backup | Yes | No | Yes | Yes | Yes |
| Blue TV | Yes | Yes with restrictions*** | Yes | Yes | Yes |

* Centro Business 2.0 / ** Centro Business 3.0

*** Radio as well as all apps such as Netflix, YouTube, etc. do not work.


DMZ / Public Addresses

This mode allows the direct assignment of public IP addresses to internal devices without any NAT interference.

  • Prerequisite: Requires the paid "Fixed IP Addresses" option with a subnet of at least 4 static IP addresses (e.g., a /30 network).

  • Functionality: A specific device (e.g., server or firewall) is assigned a public IP from the rented subnet. The Centro Business acts as a transparent Layer 3 router for this subnet.

  • Security: To protect the internal network, access from the DMZ to the local LAN (default subnet of the router) is blocked by default.

  • Advantages: No NAT-related packet conflicts, full MTU of 1500 bytes, and full support for Swisscom Internet Backup (LTE failover).


Click here for the DMZ (Public Addresses) page.


IP-Passthrough (Swisscom special case)

In this process, the Centro Business terminates the internet connection but passes the traffic through a dedicated transfer network to the downstream firewall.

  • Technical implementation: Swisscom uses a transfer subnet (172.31.255.4/30) for this. The downstream firewall is configured with the static IP 172.31.255.6, while the Centro Business performs an automatic 1:1 NAT of the public IP to this address.

  • Advantages: Full support for the standard MTU of 1500. Additionally, all router-based services such as VoIP and blue TV remain fully functional without additional configuration.

  • Special feature: Unlike standard implementations, the firewall does not see the public IP on the WAN interface, but the IP of the transfer network. This must be considered during VPN configuration (NAT traversal).
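Why the transfer network matters for VPNs, as an added example (not Swisscom code): it checks the firewall's static WAN settings against the values above and reproduces the IKEv2 NAT detection hash from RFC 7296, section 2.23. The public address 203.0.113.10 and the SPIs are constructed placeholders, and the gateway address is inferred from the /30, not stated on this page.

```python
import hashlib
import ipaddress
import struct

TRANSFER_NET = ipaddress.ip_network("172.31.255.4/30")  # from the page
FIREWALL_WAN = ipaddress.ip_address("172.31.255.6")     # from the page
PUBLIC_IP = "203.0.113.10"  # constructed placeholder (documentation range)


def check_wan_config(address, prefix_len):
    """Return a list of problems with the firewall's static WAN settings."""
    problems = []
    iface = ipaddress.ip_interface(f"{address}/{prefix_len}")
    if iface.network != TRANSFER_NET:
        problems.append(f"network {iface.network} is not {TRANSFER_NET}")
    if iface.ip != FIREWALL_WAN:
        problems.append(f"address {iface.ip} is not {FIREWALL_WAN}")
    return problems


def gateway_candidate():
    """The only other usable host in the /30 (inferred, not stated on the page)."""
    (other,) = [h for h in TRANSFER_NET.hosts() if h != FIREWALL_WAN]
    return other


def nat_detection_hash(spi_i, spi_r, ip, port):
    """NAT_DETECTION_*_IP payload data: SHA-1(SPIi | SPIr | IP | port)."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(spi_i + spi_r + packed).digest()


def peer_detects_nat(local_ip, observed_ip, port=500):
    """True if the hash the firewall sent differs from what the peer computes."""
    spi_i, spi_r = bytes(range(8)), bytes(8)  # constructed; SPIr is zero in message 1
    sent = nat_detection_hash(spi_i, spi_r, local_ip, port)       # firewall's view
    seen = nat_detection_hash(spi_i, spi_r, observed_ip, port)    # peer's view
    return sent != seen


if __name__ == "__main__":
    print(check_wan_config("172.31.255.6", 30), gateway_candidate())
    print("NAT detected:", peer_detects_nat(str(FIREWALL_WAN), PUBLIC_IP))
```

A peer that sees the mismatch moves IKE to UDP 4500 and encapsulates ESP in UDP, so NAT traversal has to be enabled on both ends and the firewall should present an explicit IKE identity instead of its WAN address.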


Click here for the IP-Passthrough page.


PPP-Passthrough (PPPoE)

Announcement

The use of PPP-Passthrough will be phased out over the next two to three years, as the PPPoE process is considered obsolete and is increasingly unsupported by modern network infrastructure.

Our recommendation:
In the medium term, replace PPP-Passthrough with the DMZ function or IP-Passthrough.

In this mode, the Centro Business acts as a transparent intermediary for the PPPoE protocol (Point-to-Point Protocol over Ethernet).

  • Configuration: The downstream firewall handles the active dial-in to the Swisscom network using the ISP access data (username/password).

  • Advantage: The firewall receives the public IP address directly on its WAN interface, which simplifies the handling of VPN endpoints and port forwarding.

  • Disadvantage: The usable packet size is reduced to an MTU of 1492 due to protocol overhead. Without correct adjustment (MSS clamping), this can lead to significant performance losses or connection drops.

  • Status: This process is considered obsolete and will no longer be supported in the medium term as part of a phase-out.
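What MSS clamping does to a TCP SYN on the 1492-byte PPPoE link, as an added example (not Swisscom or firewall vendor code): it derives the clamp value from the MTU and rewrites the MSS option inside a constructed TCP options field. It works on the options bytes only; a real packet rewrite also has to update the TCP checksum.

```python
import struct

PPPOE_OVERHEAD = 8  # 6-byte PPPoE header + 2-byte PPP protocol ID
IPV4_HEADER, IPV6_HEADER, TCP_HEADER = 20, 40, 20

# Constructed SYN options: MSS 1460, SACK permitted, timestamps, NOP, window scale 7
SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")


def pppoe_mtu(ethernet_mtu=1500):
    """Payload MTU left after PPPoE encapsulation (1500 -> 1492)."""
    return ethernet_mtu - PPPOE_OVERHEAD


def clamp_value(link_mtu, ipv6=False):
    """Largest TCP MSS whose segment fits into one packet of link_mtu bytes."""
    return link_mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - TCP_HEADER


def clamp_mss(options, max_mss):
    """Lower the MSS option (kind 2) in a TCP options field to at most max_mss."""
    out, i = bytearray(options), 0
    while i < len(out):
        kind = out[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP is a single byte without a length field
            i += 1
            continue
        if i + 1 >= len(out) or out[i + 1] < 2 or i + out[i + 1] > len(out):
            raise ValueError("malformed TCP option")
        length = out[i + 1]
        if kind == 2 and length == 4:
            (mss,) = struct.unpack_from("!H", out, i + 2)
            struct.pack_into("!H", out, i + 2, min(mss, max_mss))  # never raise it
        i += length
    return bytes(out)


if __name__ == "__main__":
    limit = clamp_value(pppoe_mtu())
    print(limit, clamp_mss(SYN_OPTIONS, limit).hex())
```

Without the clamp, the endpoints negotiate 1460-byte segments that only fit a 1500-byte MTU, and the connection then depends on path MTU discovery working across the link.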


Click here for the PPP-Passthrough page.


1:1 NAT (Standard)

1:1 NAT permanently maps an internal, private IP address to an external, public IP address. In contrast to conventional port forwarding (PAT), all ports and protocols are passed through transparently.

  • Bidirectional communication: The assignment between the private and the public address remains permanent:

    • Inbound: Incoming traffic to the public IP is completely forwarded to the specific internal IP.

    • Outbound: Outgoing traffic from the internal host appears on the internet consistently under the assigned public IP.


Click here for the 1:1 NAT page.


Port Forwarding

Port forwarding is the most common method to make specific services of an internal host (e.g., web server on port 80/443) accessible via the public IP of the Centro Business.

  • Functionality: Incoming connection requests to the router's public IP address are forwarded to a specific internal, private IP address based on a defined port number.

  • Security: Unlike DMZ or Passthrough modes, the Centro Business firewall remains active. Only the explicitly forwarded port is opened; other traffic to the internal host remains blocked.

  • Limitation: Since the public IP address is shared (Port Address Translation - PAT), a specific port (e.g., TCP 443) can only ever be forwarded to exactly one internal device.


Click here for the Port Forwarding page.