UniFi Hairpin NAT
Hairpin NAT (also called NAT loopback) lets an internal client reach an internal server by using the WAN IP of the UniFi Gateway. This matters when clients resolve the server's name through a public DNS server, which returns the server's external IP address rather than its LAN address.
Port forwarding
A) Client and Server are on different VLANs
NAT works exactly as it does for external clients, because the packet has to be routed by the gateway between the two VLAN bridge interfaces. The destination IP is translated to the server's internal IP on the way in, and since the server's reply is addressed to a client on another subnet it also passes back through the gateway, where conntrack reverses the translation. The client therefore sees the reply coming from the WAN IP it connected to.
This works because the DNAT rule created when port forwarding is configured matches on the set of WAN addresses (the UBIOS_KEY_ADDRv4_ppp0 ipset), not on the WAN interface, so it applies to packets arriving on any interface (note the "in any" column in the iptables -t nat -v listing below).
Chain UBIOS_PREROUTING_USER_HOOK (1 references)
pkts bytes target prot opt in out source destination
1 40 DNAT tcp -- any any anywhere anywhere match-set UBIOS_KEY_ADDRv4_ppp0 dst tcp dpt:http /* 00000000004294967298 */ to:10.6.0.200:80
B) Client and Server are on the same VLAN
Here the client and server share a subnet, so no routing takes place on the return path: if only the destination were translated, the server would see the client's real address and reply to it directly, bypassing the gateway. The client would then receive a reply from 10.6.0.200 instead of the WAN IP it connected to and would discard it. To avoid this, both the source and the destination IPs are translated.
A MASQUERADE SNAT rule is automatically created that rewrites the source address to the IP of the interface the packet leaves on (the gateway's own address on the server VLAN), which forces the server's reply back through the gateway. The rule only matches traffic whose source is in the server VLAN's subnet (UBIOS_ALL_NETv4_br0) and whose destination is the forwarded server; the first MASQUERADE rule in the listing is the ordinary outbound WAN masquerade and is unrelated to hairpinning. One side effect worth knowing: the server's logs will show the gateway's VLAN address as the client address for these connections.
Chain UBIOS_POSTROUTING_USER_HOOK (1 references)
pkts bytes target prot opt in out source destination
150K 87M MASQUERADE all -- any ppp0 anywhere anywhere ! match-set UBIOS_ALL_ADDRv4_ppp0 src /* 00000001095216660481 */
0 0 MASQUERADE tcp -- any any anywhere 10.6.0.200 match-set UBIOS_ALL_NETv4_br0 src tcp dpt:http /* 00000000004294967299 */
One-to-One NAT
Neither the DNAT nor the SNAT rule is applied to traffic from internal clients, so no translation happens and the packet never reaches the server.
For hairpinning to work with One-to-One NAT, an internal DNAT rule that rewrites the WAN IP to the server's internal IP needs to be created manually.
If the client and server are on the same VLAN, a hairpin SNAT rule is also needed, for the same reason as in case B above.
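The following script is an added example, not UniFi's own configuration, showing the two manual rules described in case B and in the One-to-One NAT section as plain iptables commands for a Linux gateway. The interface names, the public address 203.0.113.10, the subnet 10.6.0.0/24 and the HP_* variable names are assumptions; the server 10.6.0.200 and port 80 are taken from the listings above. The default mode only prints the rules; "apply" adds them idempotently and needs root.

```shell
#!/bin/sh
# Added example: manual hairpin NAT rules (DNAT + hairpin MASQUERADE) for a
# Linux gateway using iptables. Not UniFi's own code. Interface names, the
# WAN address and the subnet below are assumptions; override them with HP_*
# environment variables.
set -eu

HP_WAN_IF="${HP_WAN_IF:-ppp0}"            # assumed WAN interface
HP_WAN_IP="${HP_WAN_IP:-203.0.113.10}"    # assumed public IP (documentation range)
HP_LAN_NET="${HP_LAN_NET:-10.6.0.0/24}"   # assumed server VLAN subnet (br0)
HP_SERVER="${HP_SERVER:-10.6.0.200}"      # server from the page's listing
HP_PORT="${HP_PORT:-80}"                  # forwarded port from the page's listing

# Rule 1: internal DNAT. Matches packets that did NOT arrive on the WAN
# interface but are addressed to the WAN IP, and rewrites the destination to
# the server. Case A (client on another VLAN) needs only this rule, because the
# reply is routed back through the gateway and conntrack reverses the DNAT.
dnat_rule() {
    printf '%s\n' "-t nat -A PREROUTING ! -i $HP_WAN_IF -d $HP_WAN_IP -p tcp --dport $HP_PORT -j DNAT --to-destination $HP_SERVER:$HP_PORT"
}

# Rule 2: hairpin SNAT. Only for clients on the server's own subnet: without it
# the server answers the client directly with its real address as source and
# the client, which sent to the WAN IP, discards the reply. MASQUERADE uses the
# address of the interface the packet leaves on, i.e. the gateway's VLAN IP.
snat_rule() {
    printf '%s\n' "-t nat -A POSTROUTING -s $HP_LAN_NET -d $HP_SERVER -p tcp --dport $HP_PORT -j MASQUERADE"
}

# Add a rule only if it is not already present: "iptables -C" returns non-zero
# when the rule does not exist, so re-running the script does not duplicate it.
ensure_rule() {
    check=$(printf '%s' "$1" | sed 's/ -A / -C /')
    # shellcheck disable=SC2086
    if iptables $check 2>/dev/null; then
        echo "present: iptables $1"
    else
        # shellcheck disable=SC2086
        iptables $1
        echo "added:   iptables $1"
    fi
}

case "${1:-print}" in
    print) dnat_rule; snat_rule ;;                          # default: show rules
    apply) ensure_rule "$(dnat_rule)"; ensure_rule "$(snat_rule)" ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

After applying, iptables -t nat -L PREROUTING -v -n should show the DNAT counter increasing when an internal client connects to the WAN IP, and the MASQUERADE counter should only move for clients on the server's own subnet. If the counters stay at zero, check that the client really is sending to the WAN IP (a split-horizon DNS entry would bypass the gateway entirely).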