I am trying to setup almost the exact same thing.   My new ISP has given me a static block that is on a different subnet/range than the wan IP they have given me.   For example (these are not the actual IP's) WAN IP - 66.146.110.242 WAN Subnet - 255.255.255.252 WAN Gateway - 66.146.110.241   The static block is 66.146.105.96/27   I have added the Local VLan (named DMZ) on my mx400 with the interface IP of 66.146.105.97 with vlan ID 500   I have a laptop plugged into a switch on port 23 which is an access port on vlan 500. I set the static IP of the laptop to 66.146.105.110 with a gateway of 66.146.105.97 (the interface IP on the mx 400). the laptop can reach the outside world perfectly but nothing can come into it. my question on the 1:1 NAT is: should the WAN IP and the LAN IP of the NAT rule be the same (66.146.105.110)?   also, any 1:1 NAT rules work fine for the devices that are on my internal 10.1.0.0/16 network (even without the DMZ vlan on the mx400)   Thanks! ... View more