
UniFi Gateway - Network Address Translation

NAT on UniFi Gateways provides control over translating traffic to and from the WAN and other interfaces.

Requirements

NAT Types

The following NAT types are available:

Destination NAT (DNAT)

Specific translation between one or more IP addresses for all or specific ports, matching on traffic that enters an interface. When used on the WAN, DNAT redirects incoming traffic from a public IP to specific private IP addresses based on criteria such as ports, protocols, or source IPs, making services hosted on private servers accessible from the internet.

DNAT is often used for 1:1 NAT, which provides a fixed mapping of one public IP address to one private IP address.

Source NAT (SNAT)

Specific translation between one or more IP addresses for all or specific ports, matching on traffic that exits an interface. When used on the WAN, SNAT allows you to specify how private IP addresses are translated to specific public IPs, providing control over which public IP addresses your devices use. This is particularly useful when multiple public IP addresses are assigned to the same WAN interfaces, enabling different devices to appear with different public IPs.

SNAT is often used for 1:1 NAT, which provides a fixed mapping of one private IP address to one public IP address.

Masquerade NAT

Translates a group of IP addresses to the main (primary) IP address associated with an interface. This NAT type is commonly used to provide internet access to devices using private IP addresses. When used on the WAN, multiple devices on a local network can share a single public IP address by assigning each session a unique port number.

Masquerade can also be referred to as NAT Overload or PAT.

Note: NAT relies on traffic being routed out of an interface in case of Source and Masquerade NAT, and to an interface in the case of Destination NAT. NAT does not force traffic out of or to an interface. Routing traffic to an interface is done by a static, default, Policy-Based or dynamic route.

Source NAT

The Source NAT type translates traffic between one or multiple IP addresses and allows customizing the IP address and port that traffic is translated to. Source NAT applies when matching traffic exits an interface.

  • Interface - The interface that is used to translate matching traffic as it exits.
  • Translated IP Address - The address that matching traffic is translated to.
  • Translated Port - Translate traffic to a specific port or port range. 
  • Source - The source of the traffic, for example a subnet and/or port. Typically, this will be a local network.
  • Destination - The optional destination of the traffic sent by clients, for example a public IP address on the internet.

Masquerade NAT

The Masquerade NAT type is similar to Source NAT but does not allow customizing the IP address. This type is used by default when translating traffic from virtual networks to the internet. 

  • Interface - The interface that is used to translate matching traffic as it exits.
  • Translated Port - Translate traffic to a specific port or port range. 
  • Source - The source of the traffic, for example a subnet and/or port. Typically, this will be a local network.
  • Destination - The optional destination of the traffic sent by clients, for example a public IP address on the internet and/or port.

Note: Masquerade may also be referred to as Many-to-One NAT, PAT or NAT Overload.

Destination NAT

The Destination NAT type translates traffic between one or multiple IP addresses and allows customizing the IP address and port that traffic is translated to. 

  • Interface - The interface that is used to translate matching traffic as it enters.
  • Destination - The address that clients sent the traffic to, for example the IP address of the WAN interface.
  • Destination Port - The optional port that traffic is sent to.
  • Source - The source of the traffic, for example a subnet and/or port. 
  • Translated IP Address - The address that matching traffic is translated to.
  • Translated Port - Translate traffic to a specific port or port range. 

Examples

Setting up Destination and Source NAT for an Internal Server

In this example, there is an internal server that needs to be associated with the secondary public IP address assigned to the UniFi Gateway's WAN interface. To do so, create two NAT rules, one Destination and one Source rule.

The DNAT rule ensures that traffic destined for the secondary public IP address entering the WAN is always mapped to the private IP address. The SNAT rule ensures that traffic from the server is always mapped to the secondary public IP address. If the SNAT rule is not created, outgoing traffic from the server is mapped to the main instead of the secondary IP address.

UniFi Gateway's Public WAN IP Addresses

  1. 198.51.100.1 (main)
  2. 198.51.100.2 (secondary)

Destination NAT Rule

  • Name - Internet Traffic to Internal Server 
  • Protocol - All
  • Interface - WAN1
  • Destination - 198.51.100.2 (secondary public IP address)
  • Destination Port - Not selected
  • Source - Not selected
  • Translated IP Address - 192.168.50.2 (server private IP address)
  • Translated Port - Not selected

Source NAT Rule

  • Name - Internal Server Traffic to Internet
  • Protocol - All
  • Interface - WAN1
  • Translated IP Address - 198.51.100.2 (secondary public IP address)
  • Translated Port - Not selected
  • Destination - Not selected
  • Destination Port - Not selected
  • Source - 192.168.50.2 (server private IP address)
  • Source Port - Not selected
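To make the matching and ordering semantics concrete, here is an added Python model of how the two rules above interact with the built-in Masquerade rule (this is illustrative code written for this page, not the gateway's rule engine). It assumes first-match rule order, that the egress/ingress interface has already been chosen by routing before NAT is evaluated (as the note above states), and a constructed main IP of 203.0.113.1 for WAN2.

```python
from dataclasses import dataclass, replace
from typing import Optional
# Constructed values matching the article's example (a model of the rule semantics only).
WAN_MAIN_IP, WAN_SECONDARY_IP, SERVER_IP = "198.51.100.1", "198.51.100.2", "192.168.50.2"

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    iface: str  # interface the packet enters (DNAT) or exits (SNAT/masquerade)

@dataclass
class Rule:
    kind: str                            # "dnat", "snat" or "masquerade"
    iface: str                           # interface the rule is bound to
    src: Optional[str] = None            # match on source IP (None = any)
    dst: Optional[str] = None            # match on destination IP (None = any)
    dport: Optional[int] = None          # match on destination port (None = all ports)
    translated_ip: Optional[str] = None  # unused for masquerade

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface and rule.src in (None, pkt.src)
            and rule.dst in (None, pkt.dst) and rule.dport in (None, pkt.dport))

def apply_dnat(rules: list, pkt: Packet) -> Packet:
    """Ingress: the first matching DNAT rule on the entering interface rewrites dst."""
    for r in rules:
        if r.kind == "dnat" and matches(r, pkt):
            return replace(pkt, dst=r.translated_ip)
    return pkt

def apply_snat(rules: list, pkt: Packet, main_ips: dict) -> Packet:
    """Egress: first matching SNAT/masquerade rule on the exiting interface rewrites src.
    Masquerade always uses the interface's main IP, so the server's SNAT rule must win."""
    for r in rules:
        if r.kind == "snat" and matches(r, pkt):
            return replace(pkt, src=r.translated_ip)
        if r.kind == "masquerade" and matches(r, pkt):
            return replace(pkt, src=main_ips[r.iface])
    return pkt

# The article's two rules plus the built-in per-WAN masquerade rules (WAN2 IP is a placeholder).
RULES = [
    Rule("dnat", "WAN1", dst=WAN_SECONDARY_IP, translated_ip=SERVER_IP),
    Rule("snat", "WAN1", src=SERVER_IP, translated_ip=WAN_SECONDARY_IP),
    Rule("masquerade", "WAN1"),
    Rule("masquerade", "WAN2"),
]
MAIN_IPS = {"WAN1": WAN_MAIN_IP, "WAN2": "203.0.113.1"}
```

Dropping the SNAT rule makes the server's outbound traffic fall through to the masquerade rule and leave with the main IP, and a packet routed out WAN2 (failover or Policy-Based Route) never touches the WAN1 rules at all. Note also that the DNAT rule has no Destination Port, so every port on 198.51.100.2 reaches the server; restrict it to the ports the service actually needs.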

Setting up Source NAT for a Client to use a Specific Public IP 

In this example, there is a client whose outgoing internet traffic needs to be associated with the secondary public IP address assigned to the UniFi Gateway's WAN interface. To do so, create a Source NAT rule. The SNAT rule ensures that traffic from the client is always mapped to the secondary public IP address.

UniFi Gateway's Public WAN IP Addresses

  1. 198.51.100.1 (main)
  2. 198.51.100.2 (secondary)

Source NAT Rule

  • Name - Client Traffic to Internet
  • Protocol - All
  • Interface - WAN1
  • Translated IP Address - 198.51.100.2 (secondary public IP address)
  • Translated Port - Not selected
  • Destination - Not selected
  • Destination Port - Not selected
  • Source - 192.168.234.2 (client private IP address)
  • Source Port - Not selected

Frequently Asked Questions

1. What is the difference between Source NAT and Masquerade?
Source NAT can be used to translate to specific IP addresses.
2. What is the difference between Destination NAT and Port Forwarding?
Destination NAT can be used to translate to specific IP addresses and offers more customization options. Port Forwarding only applies to TCP and UDP traffic. 
3. Is it possible to disable NAT?
Yes, NAT can be disabled on all or specific networks using the Global NAT Settings. Note that this is for advanced setups where the UniFi Gateway forwards traffic but doesn't translate it. The upstream gateway needs to be configured with appropriate routing if NAT is disabled. For example, if the UniFi Gateway uses the 198.51.100.1 IP address on the WAN and 192.168.1.0/24 on the LAN, the upstream gateway needs a route for 192.168.1.0/24 via 198.51.100.1.
4. What do the built-in Source and Masquerade rules do?
The Masquerade NAT rules are created automatically for each virtual network and for each individual WAN. These rules ensure that clients on the LAN using private IP addresses can connect to the internet. The Source NAT rules are automatically created depending on the Internet Source IP / NAT configuration on virtual networks when using multiple IP addresses on the WAN.
5. My NAT rule is not translating the traffic, what should I do?
Verify that traffic is sent to the interface specified in the NAT rule in the case of Source and Masquerade NAT, and received on the interface in the case of Destination NAT. If the traffic is not seen on the interface, NAT cannot translate it.

For example, if a Source NAT rule is applied to the WAN2 interface in a failover-only setup, traffic only matches this rule during a failover or if a Policy-Based Route for WAN2 is configured.