
DNAT, SNAT, and Masquerading in UniFi

UniFi Gateways implement Network Address Translation (NAT) to separate your local network from the internet while still allowing bidirectional traffic between the internet and your clients. UniFi Gateways also support advanced NAT configuration techniques: SNAT, DNAT, and Masquerade.

For standard Port Forwarding configuration, see here.

For a full overview of UniFi’s Traffic and Policy Management capabilities, see here.

For a full overview of UniFi's Network and Cyber Security capabilities, see here.

Source NAT (SNAT)

SNAT is used to change the source IP of outgoing packets. This allows outbound traffic to take on a particular WAN IP in your IP block.

  • SNAT ensures that all traffic from a specific internal client appears to originate from a designated IP within a WAN IP block.
  • It is useful in multi-IP WAN configurations where different outbound connections need specific public IPs.
  • This provides flexibility for routing and outbound identity management.

To add an SNAT rule in UniFi:

  1. Navigate to NAT Rules: Follow the path depending on your UniFi Network version:
    1. Network 9.4: Settings > Policy Table > Create New Policy > NAT
    2. Network 9.3: Settings > Policy Engine > NAT > Create New
  2. Select Src. NAT.
  3. Select Interface: Traffic exiting your network will be translated as it exits this interface.
  4. Specify Translation Information IP Address and Port: 
    1. Translated IP Address: Traffic will appear to originate from this specified IP address.
    2. (Optional) Translated Port: Traffic will appear to originate from this specified port.
  5. Specify Protocol: Only traffic of the specified protocol will be translated.
  6. Specify Source & Destination: Traffic matching all criteria will be translated according to your configuration in (4). Tunable parameters include:
    1. Any
    2. Network(s)
    3. IP(s) and Port(s)
    4. Object(s)
  7. Click Add.

Destination NAT (DNAT)

DNAT is used to modify the destination IP of incoming traffic. This allows inbound traffic to an IP in your WAN IP block to be forwarded to a specific client in your network.

  • DNAT is commonly used to expose internal services, such as mapping a public IP within a WAN block to a local server.
  • This technique is useful for hosting web servers, remote access applications, or other services that require public availability.
  • By changing the destination IP, traffic is seamlessly directed to the appropriate internal host without requiring direct public exposure of internal addresses.

To add a DNAT rule in UniFi:

  1. Navigate to NAT Rules: Follow the path depending on your UniFi Network version:
    1. Network 9.4: Settings > Policy Table > Create New Policy > NAT
    2. Network 9.3: Settings > Policy Engine > NAT > Create New
  2. Select Dest. NAT.
  3. Select Interface: Translation will happen to traffic entering through this specified interface.
  4. Specify Translation Information IP Address and Port: 
    1. Translated IP Address: Matching traffic will be translated and directed towards this specified IP address.
    2. (Optional) Translated Port: Matching traffic will be translated to use this specified port.
  5. Specify Protocol: Only traffic of the specified protocol will be translated.
  6. Specify Source & Destination: Traffic matching all criteria will be translated according to your configuration in (4). Tunable parameters include:
    1. Any
    2. Network(s)
    3. IP(s) and Port(s)
    4. Object(s)
  7. Click Add.

Masquerade NAT

Masquerade NAT (also referred to as Many-to-One NAT, PAT or NAT Overload) is the default behavior of UniFi NAT. It is a form of Source NAT (SNAT) that dynamically adapts to the outbound interface's current IP address, making it ideal for connections where the public IP may change frequently.

To add a Masquerade NAT rule in UniFi:

  1. Navigate to NAT Rules: Follow the path depending on your UniFi Network version:
    1. Network 9.4: Settings > Policy Table > Create New Policy > NAT
    2. Network 9.3: Settings > Policy Engine > NAT > Create New
  2. Select Masquerade.
  3. Select Interface: Traffic exiting your network will be translated as it exits this interface.
  4. (Optional) Specify Translated Port: Traffic will appear to originate from this specified port.
  5. Specify Protocol: Only traffic of the specified protocol will be translated.
  6. Specify Source & Destination: Traffic matching all criteria will be translated according to your configuration in (4). Tunable parameters include:
    1. Any
    2. Network(s)
    3. IP(s) and Port(s)
    4. Object(s)
  7. Click Add.
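The three rule types above differ only in which packet field they rewrite and where the replacement address comes from. The following Python model is an added example, not UniFi code: it mirrors the fields of the UniFi NAT form (interface, protocol, source, destination, translated IP and port) and applies SNAT, DNAT and Masquerade rules to constructed packets. The first matching rule wins and the addresses (a 203.0.113.0/28 WAN block, a 192.168.10.0/24 LAN) are assumed documentation values; how the real gateway orders and evaluates rules is not described on this page.

```python
"""Toy NAT rule evaluator illustrating SNAT, DNAT and Masquerade.

Added example, not UniFi's implementation. Assumptions: first matching
rule wins; DNAT matches on the interface a packet enters, SNAT and
Masquerade on the interface it exits; addresses are constructed samples.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str            # interface the packet entered on
    out_iface: str           # interface the packet will leave on
    proto: str               # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: Optional[int]  # None for protocols without ports (icmp)
    dst_ip: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class NatRule:
    kind: str                            # "snat", "dnat" or "masquerade"
    iface: str                           # the "Select Interface" field
    proto: str = "any"                   # the "Specify Protocol" field
    source: str = "0.0.0.0/0"            # CIDR the source must fall in
    destination: str = "0.0.0.0/0"       # CIDR the destination must fall in
    translated_ip: Optional[str] = None  # fixed IP for snat/dnat; unused by masquerade
    translated_port: Optional[int] = None


def matches(rule: NatRule, pkt: Packet) -> bool:
    """All criteria must match: interface (by direction), protocol, source, destination."""
    iface = pkt.in_iface if rule.kind == "dnat" else pkt.out_iface
    return (
        rule.iface == iface
        and rule.proto in ("any", pkt.proto)
        and ip_address(pkt.src_ip) in ip_network(rule.source)
        and ip_address(pkt.dst_ip) in ip_network(rule.destination)
    )


def apply_nat(rules: List[NatRule], pkt: Packet, iface_ips: Dict[str, str]) -> Packet:
    """Return the packet after the first matching rule is applied.

    iface_ips maps interface name -> its current address. Only Masquerade
    consults it at evaluation time, which is why it survives a WAN IP change.
    """
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.kind == "snat":          # rewrite source to a fixed WAN-block IP
            return replace(pkt, src_ip=rule.translated_ip,
                           src_port=rule.translated_port or pkt.src_port)
        if rule.kind == "masquerade":    # rewrite source to the interface's current IP
            return replace(pkt, src_ip=iface_ips[rule.iface],
                           src_port=rule.translated_port or pkt.src_port)
        if rule.kind == "dnat":          # rewrite destination to an internal host
            return replace(pkt, dst_ip=rule.translated_ip,
                           dst_port=rule.translated_port or pkt.dst_port)
    return pkt  # no rule matched: packet is routed untranslated


# Constructed rule set: one public IP dedicated to an internal server,
# everything else masqueraded behind the WAN interface's own address.
RULES = [
    NatRule("dnat", "wan", "tcp", destination="203.0.113.5/32",
            translated_ip="192.168.10.50", translated_port=8443),
    NatRule("snat", "wan", source="192.168.10.50/32", translated_ip="203.0.113.5"),
    NatRule("masquerade", "wan", source="192.168.10.0/24"),
]


def demo() -> Dict[str, Packet]:
    """Run constructed sample packets through RULES and return the results."""
    iface_ips = {"wan": "203.0.113.2"}  # WAN address assigned right now
    inbound = Packet("wan", "lan", "tcp", "198.51.100.7", 51000, "203.0.113.5", 443)
    server_out = Packet("lan", "wan", "tcp", "192.168.10.50", 8443, "198.51.100.7", 51000)
    client_out = Packet("lan", "wan", "udp", "192.168.10.77", 40000, "198.51.100.53", 53)
    local = Packet("lan", "lan", "icmp", "192.168.10.77", None, "192.168.10.50", None)
    return {
        "dnat": apply_nat(RULES, inbound, iface_ips),
        "snat": apply_nat(RULES, server_out, iface_ips),
        "masq": apply_nat(RULES, client_out, iface_ips),
        # same client packet after the ISP hands the WAN a new address
        "masq_after_ip_change": apply_nat(RULES, client_out, {"wan": "203.0.113.9"}),
        "untranslated": apply_nat(RULES, local, iface_ips),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:22s} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

Note the rule order: the server's SNAT rule sits before the broader Masquerade rule, otherwise the server's outbound traffic would be masqueraded behind 203.0.113.2 rather than its dedicated 203.0.113.5, and replies to the DNAT-exposed service would come from a different address than the one clients connected to.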

Disabling NAT

Disabling NAT is typically only used for advanced networks where address translation is unnecessary. Common use cases include deploying the UniFi Gateway as an internal router within a larger enterprise or campus network that relies on upstream NAT, or hosting services like VoIP or VPN servers that benefit from direct IP routing. In both scenarios, devices are typically assigned a public IP address or a statically routed private IP directly on their network interface, with NAT either handled upstream or not needed at all.

To disable NAT:

  1. Go to UniFi Devices.
  2. Select your Gateway.
  3. Navigate to Settings > Global NAT Settings.
  4. Select the desired configuration:
    1. Auto – NAT is applied to all networks (default).
    2. Custom – Manually select specific networks to exclude from NAT.
    3. Off – Disables NAT entirely.

Note: Compared to using DNAT (port forwarding) to expose a service via a public IP, assigning a public IP directly to a device and disabling NAT requires your upstream router to know how to reach that IP, often via static routing or, in larger or multi-site deployments, through BGP.
