UniFi Gateway - Network Address Translation
NAT on UniFi Gateways provides control over translating traffic to and from the WAN and other interfaces.
Requirements
- An independent UniFi Gateway or UniFi Cloud Gateway
NAT Types
The following NAT types are available:
Destination NAT (DNAT)
Specific translation between one or more IP addresses for all or specific ports, matching on traffic that enters an interface. When used on the WAN, DNAT redirects incoming traffic from a public IP to specific private IP addresses based on criteria such as ports, protocols, or source IPs, making services hosted on private servers accessible from the internet.
DNAT is often used for 1:1 NAT, which provides a fixed mapping of one public IP address to one private IP address.
Source NAT (SNAT)
Specific translation between one or more IP addresses for all or specific ports, matching on traffic that exits an interface. When used on the WAN, SNAT allows you to specify how private IP addresses are translated to specific public IPs, providing control over which public IP addresses your devices use. This is particularly useful when multiple public IP addresses are assigned to the same WAN interfaces, enabling different devices to appear with different public IPs.
SNAT is often used for 1:1 NAT, which provides a fixed mapping of one private IP address to one public IP address.
Masquerade NAT
Translates a group of IP addresses to the main (primary) IP address associated with an interface. This NAT type is commonly used to provide internet access to devices using private IP addresses. When used on the WAN, multiple devices on a local network can share a single public IP address by assigning each session a unique port number.
Masquerade can also be referred to as NAT Overload or PAT.
Note: NAT relies on traffic being routed out of an interface in the case of Source and Masquerade NAT, and to an interface in the case of Destination NAT. NAT does not force traffic out of or to an interface. Routing traffic to an interface is done by a static, default, Policy-Based or dynamic route.
Source NAT
The Source NAT type translates traffic between one or multiple IP addresses and allows customizing the IP address and port that traffic is translated to. Source NAT applies when matching traffic exits an interface.
- Interface - The interface that is used to translate matching traffic as it exits.
- Translated IP Address - The address that matching traffic is translated to.
- Translated Port - Translate traffic to a specific port or port range.
- Source - The source of the traffic, for example a subnet and/or port. Typically, this will be a local network.
- Destination - The optional destination of the traffic sent by clients, for example a public IP address on the internet.
Masquerade NAT
The Masquerade NAT type is similar to Source NAT but does not allow customizing the IP address. This type is used by default when translating traffic from virtual networks to the internet.
- Interface - The interface that is used to translate matching traffic as it exits.
- Translated Port - Translate traffic to a specific port or port range.
- Source - The source of the traffic, for example a subnet and/or port. Typically, this will be a local network.
- Destination - The optional destination of the traffic sent by clients, for example a public IP address on the internet and/or port.
Note: Masquerade may also be referred to as Many-to-One NAT, PAT or NAT Overload.
Destination NAT
The Destination NAT type translates traffic between one or multiple IP addresses and allows customizing the IP address and port that traffic is translated to.
- Interface - The interface that is used to translate matching traffic as it enters.
- Destination - The address that clients sent the traffic to, for example the IP address of the WAN interface.
- Destination Port - The optional port that traffic is sent to.
- Source - The source of the traffic, for example a subnet and/or port.
- Translated IP Address - The address that matching traffic is translated to.
- Translated Port - Translate traffic to a specific port or port range.
Examples
Setting up Destination and Source NAT for an Internal Server
In this example, there is an internal server that needs to be associated with the secondary public IP address assigned to the UniFi Gateway's WAN interface. To do so, create two NAT rules, one Destination and one Source rule.
The DNAT rule ensures that traffic destined for the secondary public IP address entering the WAN is always mapped to the private IP address. The SNAT rule ensures that traffic from the server is always mapped to the secondary public IP address. If the SNAT rule is not created, outgoing traffic from the server is mapped to the main instead of the secondary IP address.
UniFi Gateway's Public WAN IP Addresses
- 198.51.100.1 (main)
- 198.51.100.2 (secondary)
Destination NAT Rule
- Name - Internet Traffic to Internal Server
- Protocol - All
- Interface - WAN1
- Destination - 198.51.100.2 (secondary public IP address)
- Destination Port - Not selected
- Source - Not selected
- Translated IP Address - 192.168.50.2 (server private IP address)
- Translated Port - Not selected
Source NAT Rule
- Name - Internal Server Traffic to Internet
- Protocol - All
- Interface - WAN1
- Translated IP Address - 198.51.100.2 (secondary public IP address)
- Translated Port - Not selected
- Destination - Not selected
- Destination Port - Not selected
- Source - 192.168.50.2 (server private IP address)
- Source Port - Not selected
Setting up Source NAT for a Client to use a Specific Public IP
In this example, there is a client whose outgoing internet traffic needs to be associated with the secondary public IP address assigned to the UniFi Gateway's WAN interface. To do so, create a Source NAT rule. The SNAT rule ensures that traffic from the client is always mapped to the secondary public IP address.
UniFi Gateway's Public WAN IP Addresses
- 198.51.100.1 (main)
- 198.51.100.2 (secondary)
Source NAT Rule
- Name - Client Traffic to Internet
- Protocol - All
- Interface - WAN1
- Translated IP Address - 198.51.100.2 (secondary public IP address)
- Translated Port - Not selected
- Destination - Not selected
- Destination Port - Not selected
- Source - 192.168.234.2 (client private IP address)
- Source Port - Not selected
Frequently Asked Questions
For example, if a Source NAT rule is applied to the WAN2 interface in a failover-only setup, traffic only matches this rule during a failover or if a Policy-Based Route for WAN2 is configured.
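The following Python model is an added illustration, not Ubiquiti's code or the gateway's actual implementation. It reproduces the behaviour described in the two examples above and in the failover note: DNAT is evaluated on the interface traffic enters, SNAT and Masquerade on the interface the route sends traffic out of, SNAT takes precedence over the default Masquerade, Masquerade falls back to the interface's main IP with a unique port per session, and a SNAT rule bound to WAN2 only matches once routing (failover or a Policy-Based Route) actually selects WAN2. The interface names WAN1/WAN2, the public addresses 198.51.100.1/198.51.100.2 and the private addresses 192.168.50.2 and 192.168.234.2 come from the page; the WAN2 addresses 203.0.113.1/203.0.113.2, the remote host 192.0.2.10, the second client 192.168.234.3 and the port allocator are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Primary (main) IP per WAN interface; Masquerade translates to this address.
# WAN1 comes from the page, the WAN2 address is a constructed placeholder.
MAIN_IP = {"WAN1": "198.51.100.1", "WAN2": "203.0.113.1"}
INTERNET_HOST = "192.0.2.10"   # constructed remote address

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Rule:
    kind: str                        # "dnat", "snat" or "masquerade"
    interface: str                   # DNAT: ingress interface; SNAT/Masquerade: egress
    src: Optional[str] = None        # match on source IP, None = "Not selected"
    dst: Optional[str] = None        # match on destination IP
    dport: Optional[int] = None      # match on destination port
    translated_ip: Optional[str] = None
    translated_port: Optional[int] = None

    def matches(self, pkt, interface):
        return (self.interface == interface
                and self.src in (None, pkt.src)
                and self.dst in (None, pkt.dst)
                and self.dport in (None, pkt.dport))

class Gateway:
    def __init__(self, rules, routes):
        self.rules = rules
        self.routes = routes      # ordered (predicate, interface) pairs; first hit wins
        self.sessions = {}        # (src, sport) -> public port allocated by Masquerade
        self._next_port = 40000

    def egress_interface(self, pkt):
        # NAT never forces traffic out of an interface: routing decides first.
        for pred, iface in self.routes:
            if pred(pkt):
                return iface
        raise LookupError("no route for " + pkt.dst)

    def inbound(self, pkt, interface):
        """DNAT: rewrite the destination of traffic entering `interface`."""
        for r in self.rules:
            if r.kind == "dnat" and r.matches(pkt, interface):
                return Packet(pkt.src, r.translated_ip, pkt.sport, r.translated_port or pkt.dport)
        return pkt

    def outbound(self, pkt):
        """SNAT takes precedence; otherwise Masquerade uses the main IP plus a unique port."""
        iface = self.egress_interface(pkt)
        for r in self.rules:
            if r.kind == "snat" and r.matches(pkt, iface):
                return iface, Packet(r.translated_ip, pkt.dst, r.translated_port or pkt.sport, pkt.dport)
        for r in self.rules:
            if r.kind == "masquerade" and r.matches(pkt, iface):
                key = (pkt.src, pkt.sport)
                if key not in self.sessions:          # new session: allocate a fresh public port
                    self.sessions[key] = self._next_port
                    self._next_port += 1
                return iface, Packet(MAIN_IP[iface], pkt.dst, self.sessions[key], pkt.dport)
        return iface, pkt

def build_gateway(server_snat=True, wan1_up=True, pbr_client=None):
    """The page's rules: DNAT (+ optional SNAT) for the server, default Masquerade on both WANs."""
    rules = [Rule("dnat", "WAN1", dst="198.51.100.2", translated_ip="192.168.50.2")]
    if server_snat:
        rules.append(Rule("snat", "WAN1", src="192.168.50.2", translated_ip="198.51.100.2"))
    rules += [Rule("masquerade", "WAN1"), Rule("masquerade", "WAN2")]
    routes = [
        (lambda p: p.src == pbr_client, "WAN2"),   # Policy-Based Route for one client, if set
        (lambda p: wan1_up, "WAN1"),               # default route while WAN1 is up
        (lambda p: True, "WAN2"),                  # failover-only WAN2
    ]
    return Gateway(rules, routes)

def server_reachable_ip():
    """Traffic to the secondary public IP entering WAN1 is DNATed to the server."""
    return build_gateway().inbound(Packet(INTERNET_HOST, "198.51.100.2", 51000, 443), "WAN1").dst

def server_public_ip(with_snat):
    """Source IP the server shows on the internet; without SNAT it falls back to the main IP."""
    _, out = build_gateway(server_snat=with_snat).outbound(Packet("192.168.50.2", INTERNET_HOST, 44000, 443))
    return out.src

def masquerade_ports():
    """Two clients share the main IP; Masquerade gives each session its own public port."""
    gw = build_gateway()
    _, a = gw.outbound(Packet("192.168.234.2", INTERNET_HOST, 50000, 80))
    _, b = gw.outbound(Packet("192.168.234.3", INTERNET_HOST, 50000, 80))   # second client: constructed
    return a.src, b.src, a.sport != b.sport

def wan2_snat_result(wan1_up, pbr):
    """A SNAT rule on WAN2 only matches once routing (failover or PBR) sends traffic via WAN2."""
    client = "192.168.234.2"
    gw = build_gateway(wan1_up=wan1_up, pbr_client=client if pbr else None)
    gw.rules.insert(0, Rule("snat", "WAN2", src=client, translated_ip="203.0.113.2"))  # constructed IP
    iface, out = gw.outbound(Packet(client, INTERNET_HOST, 50000, 443))
    return iface + ":" + out.src
```

Running `server_public_ip(False)` shows why the page insists on the second rule: without the SNAT entry the server's replies leave with the main address 198.51.100.1, so a remote peer that only allows the secondary address would reject them. `wan2_snat_result` shows that the WAN2 rule does nothing while WAN1 carries the default route, and matches as soon as failover or a Policy-Based Route moves the client to WAN2.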