DNAT, SNAT, and Masquerading in UniFi
UniFi Gateways implement Network Address Translation (NAT) to keep your local network separate from the internet while still allowing bidirectional traffic between the internet and your clients.
UniFi Gateways also support advanced NAT configuration techniques: SNAT, DNAT, and Masquerade.
Source NAT (SNAT)
SNAT is used to change the source IP of outgoing packets. This allows outbound traffic to take on a particular WAN IP in your IP block.
- SNAT ensures that all traffic from a specific internal client appears to originate from a designated IP within a WAN IP block.
- It is useful in multi-IP WAN configurations where different outbound connections need specific public IPs.
- This provides flexibility for routing and outbound identity management.
To add an SNAT rule in UniFi:
- Navigate to Settings > NAT > Source and select Create Entry.
- Customize your SNAT settings:
  - Interface – The interface through which traffic will be translated as it exits.
  - Translated IP Address – The public IP address to which matching traffic will be translated.
  - Translated Port – The specific port or port range to which traffic will be translated (optional).
  - Source – The source of the traffic, such as a subnet or specific port (typically a local network).
  - Destination – The optional destination of the traffic, such as a public IP address on the internet.
- Click Add.
Destination NAT (DNAT)
DNAT is used to modify the destination IP of incoming traffic. This allows inbound traffic to an IP in your WAN IP block to be forwarded to a specific client in your network.
- DNAT is commonly used to expose internal services, such as mapping a public IP within a WAN block to a local server.
- This technique is useful for hosting web servers, remote access applications, or other services that require public availability.
- By changing the destination IP, traffic is seamlessly directed to the appropriate internal host without requiring direct public exposure of internal addresses.
To add a DNAT rule in UniFi:
- Navigate to Settings > NAT > Destination and select Create Entry.
- Customize your DNAT settings:
  - Interface – The interface handling traffic translation as it enters.
  - Translated Port – The specific port or port range to which incoming traffic will be forwarded.
  - Source – The source of the traffic, such as a subnet or port (optional).
  - Destination – The public IP address and/or port receiving the incoming traffic before translation.
- Click Add.
Masquerade NAT
Masquerade NAT is the default behavior of UniFi NAT and in most cases does not need to be customized. It translates outbound traffic to whatever IP address the WAN interface currently holds, so it continues to apply when that address changes. An example use case is a small business that cannot acquire a static public IP address: because its public IP address is dynamic, the masquerade NAT rule still applies.
To add a Masquerade NAT rule in UniFi:
- Navigate to Settings > NAT > Masquerade and select Create Entry.
- Customize your Masquerade NAT settings:
  - Interface – The interface handling traffic translation as it enters.
  - Destination – The IP address that clients are sending traffic to (typically the WAN interface IP).
  - Destination Port – The optional port to which traffic is sent.
  - Source – The source of the traffic, such as a subnet or specific port.
  - Translated IP Address – The IP address to which matching traffic will be translated.
  - Translated Port – The specific port or port range to which traffic will be translated (optional).
- Click Add.
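The following Python model is an added illustration of the three rule types described above; it is not UniFi's code and does not describe how UniFi gateways implement NAT internally. It applies SNAT, DNAT and masquerade rules to constructed packets, keeps a small connection-tracking table so that return traffic is translated back, and shows why a masquerade rule keeps working after the WAN address changes while SNAT and DNAT pin fixed addresses. All addresses (RFC 5737 / RFC 1918 documentation ranges), the interface name "wan" and the field names are assumptions chosen for the example.

```python
"""Toy NAT model for SNAT, DNAT and masquerade (hypothetical, not UniFi's code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    kind: str                          # "snat", "dnat" or "masquerade"
    interface: str                     # interface the rule is bound to
    source: Optional[str] = None       # subnet the traffic must come from
    destination: Optional[str] = None  # IP the traffic must be addressed to
    dport: Optional[int] = None        # destination port match (optional)
    translated_ip: Optional[str] = None
    translated_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.source and ip_address(pkt.src) not in ip_network(self.source):
            return False
        if self.destination and pkt.dst != self.destination:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class Gateway:
    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip   # current WAN interface address; may change (dynamic IP)
        self.rules: list[Rule] = []
        # translated 5-tuple of an outbound flow -> original packet, used to reverse NAT
        self.conntrack: dict[tuple, Packet] = {}

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def egress(self, pkt: Packet, interface: str) -> Packet:
        """Outbound traffic: apply the first matching SNAT or masquerade rule."""
        for r in self.rules:
            if r.interface != interface or r.kind not in ("snat", "masquerade"):
                continue
            if not r.matches(pkt):
                continue
            # Masquerade uses whatever the interface holds right now; SNAT uses a fixed IP.
            new_src = self.wan_ip if r.kind == "masquerade" else r.translated_ip
            out = replace(pkt, src=new_src, sport=r.translated_port or pkt.sport)
            # Record the mapping so the reply (remote -> translated address) finds its way back.
            self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        return pkt  # no rule matched: forwarded untranslated

    def ingress(self, pkt: Packet, interface: str) -> Optional[Packet]:
        """Inbound traffic: reverse a tracked outbound flow, else apply the first DNAT rule."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is not None:
            return replace(pkt, dst=orig.src, dport=orig.sport)
        for r in self.rules:
            if r.interface != interface or r.kind != "dnat" or not r.matches(pkt):
                continue
            return replace(pkt, dst=r.translated_ip, dport=r.translated_port or pkt.dport)
        return None  # unsolicited inbound traffic with no DNAT rule is not forwarded


def build_demo_gateway() -> Gateway:
    """Constructed configuration: one rule of each type on a gateway with a /24 WAN block."""
    gw = Gateway(wan_ip="203.0.113.5")
    # SNAT: one internal subnet always leaves through a dedicated public IP in the block.
    gw.add_rule(Rule("snat", "wan", source="10.0.20.0/24", translated_ip="203.0.113.20"))
    # DNAT: a public IP in the block is mapped to an internal HTTPS server.
    gw.add_rule(Rule("dnat", "wan", destination="203.0.113.30", dport=443, translated_ip="10.0.10.30"))
    # Masquerade: everything else uses whatever address the WAN interface currently holds.
    gw.add_rule(Rule("masquerade", "wan", source="10.0.0.0/8"))
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print("SNAT  :", gw.egress(Packet("10.0.20.7", 50000, "198.51.100.9", 443), "wan"))
    print("MASQ  :", gw.egress(Packet("10.0.10.8", 50001, "198.51.100.9", 80), "wan"))
    gw.wan_ip = "203.0.113.6"  # simulate the ISP handing out a new dynamic address
    print("MASQ' :", gw.egress(Packet("10.0.10.9", 50002, "198.51.100.9", 80), "wan"))
    print("REPLY :", gw.ingress(Packet("198.51.100.9", 443, "203.0.113.20", 50000), "wan"))
    print("DNAT  :", gw.ingress(Packet("198.51.100.77", 40000, "203.0.113.30", 443), "wan"))
    print("DROP  :", gw.ingress(Packet("198.51.100.77", 40000, "203.0.113.5", 22), "wan"))
```

Rule order matters in the model just as it does on a gateway: the SNAT rule for 10.0.20.0/24 must precede the broad masquerade rule, or the masquerade rule would claim that subnet first. The `ingress` path also makes the security point of the article concrete: only replies to tracked outbound flows and traffic matching an explicit DNAT entry reach an internal host; anything else addressed to the public block is not forwarded.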