I feel dumb for not being able to figure this out. I swear all of these settings are correct and it's simply not working.

X1 (WAN): External address
X0 (LAN): 192.168.168.168/24, device that's plugged into it is configured as 192.168.168.50/24 with .168 as the gateway
X3 (LAN): Port shielded to X0, device that's plugged into it is configured as 192.168.168.167/24 with .168 as the gateway

With the above, I can browse from the X0 device (a laptop) to the web interface of the X3 device (a media decoder) by going to http://192.168.168.167. The end goal is to make that web interface, and also a couple TCP and UDP ports, accessible over the internet, but only from a certain outside IP. So to start small and test just HTTP I have a NAT rule:

Original Source: External address at another location (also tried Any)
Translated Source: Original
Original Destination: WAN Primary IP (X1)
Translated Destination: 192.168.168.167
Original Service: HTTP (will eventually be more but I can't even get HTTP to work)
Translated Service: Original
Inbound Interface: X1 (also tried Any)
Outbound Interface: Any (can't select anything else for a DNAT)

Then I have a firewall rule:

From Zone: WAN
To Zone: LAN
Service: HTTP (as above, will eventually be more)
Source: External address at another location (also tried Any)
Destination: WAN Primary IP (X1)
Users Allowed: All
Schedule: Always on
Enable Logging: checked
Allow Fragmented Packets: checked

With these rules in place, I cannot hit the web interface of the device from the "external address at another location". I can hover over the statistics icon for both rules and both are being triggered but only TX packets are shown, no RX packets. So it's as if the traffic is making it in but not back out. I started up a packet capture and nothing is being blocked or dropped. I altered both rules to make them wide open and no change.

If I take the TZ105 out of the mix and program the X3 device (media decoder) with the external IP address and allow it to go straight out, it works. So I must be missing some setting or have something misconfigured above. Any help would be appreciated. I've made NAT rules for so many floppin' things on Ciscos and SonicWalls and Sophos and never had an issue, so I'm leaning towards the decoder being at fault, but I can't see how that would be the case when it works with the TZ105 removed from the chain.