According to jbahillo's explanation of SNAT (which is the second posting in this entire thread), there are two types of Network Address Translation (NAT) in Zentyal:
1) Destination Network Address Translation (DNAT), which is called "Port-Forwarding" under Zentyal's Firewall menu. This is intended to be used on INBOUND (or in other words INCOMING) traffic. Or in other words still, it is used for traffic whose source is EXTERNAL from Zentyal's perspective and whose DESTINATION IP/port must be translated before it can be routed internally. A practical example to consider is mine, where I have a Windows webserver inside my Zentyal network which is assigned a private IP address. This web server has no knowledge of any public IP addresses. Therefore, without Zentyal's help, no request from the internet can possibly be routed to this webserver, because it will not answer for any public IP address on the internet, and furthermore (without Zentyal's help through port-forwarding) no public traffic would ever be routed to this internal Windows web server. In order for this web server to receive a request from the internet on port 80, the traffic would first be routed to a public IP address utilized by the Zentyal gateway which is on its external interface (a public IP address must be assigned to Zentyal's external interface directly, or virtually assigned to Zentyal's external interface by adding additional virtual public IPs to Zentyal's public interface). DNAT port-forwarding is used so that a request from the internet, made to a public IP on Zentyal's external interface, is then passed to the private internal IP of the Windows webserver connected to Zentyal's private internal interface.
This port-forwarding rule has now facilitated INBOUND traffic to the web server using a Zentyal gateway. But now, what about OUTBOUND traffic, for when the Windows webserver replies to the request from its own internal private IP address? Again, without Zentyal's help, the source IP of that reply would be an internal IP address. So therefore, on the way out of the Zentyal gateway, another network address translation is needed, so that when the user on the Internet receives the webpage, it is sourced from a public IP. Well, if your Zentyal server only has one public IP address, Zentyal is smart enough to do that outbound source network translation automatically. However, if you have multiple public IP addresses assigned to Zentyal's external interface, is Zentyal smart enough to outbound-sourceIP-translate replies from the webserver's private IP address to the same public IP address that the request initially was port-forwarded from? I don't think it is, and that's why you need SNAT.
2) Source Network Address Translation (SNAT), located at Zentyal > Firewall > SNAT. While DNAT port-forwarding is used for translating destination IP/ports for incoming traffic, SNAT is used to translate SOURCE IP/ports for outgoing traffic. This is particularly necessary in circumstances where Zentyal has multiple public IP addresses assigned to its external interface, and it ensures that packets with a particular private-sourceIP-address are converted to a particular public-sourceIP-address before being routed through the Zentyal gateway.
To me, it seems the essence of comparing SNAT to port-forwarding is that one is used to translate sources and the other is used to translate destinations. If you want to make sure that outbound traffic is sourced from a particular public IP address and port, use SNAT. If you want to make sure that INBOUND traffic gets routed to a particular private IP address and port, use port-forwarding (DNAT).
@half_life – When you add a port-forwarding entry, there is a check box that says "Replace source address" (Replaces the original source address of the connection with the Zentyal's own address. This could be necessary when the destination does not have a return route or has restrictive firewall rules).
I have not tested this feature. To me, the description given (for this checkbox) is unclear. I'm not sure it would be sophisticated enough to replace the source IP address with the correct public IP when multiple public IPs are assigned to Zentyal's external interface.
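
Added example, not part of the original post and not Zentyal's own code: the port-forwarding (DNAT) and SNAT entries described above, written as the kind of iptables NAT rules they correspond to, one pair per public IP. The script only prints the commands after validating its input; the addresses are constructed documentation-range values, and `eth0` as the external interface and the function names are assumptions.

```shell
#!/bin/sh
# Prints (never applies) one DNAT + SNAT rule pair per "PUBLIC PRIVATE PORT" line.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# nat_pair PUBLIC_IP PRIVATE_IP PORT [EXT_IF]
# DNAT: inbound tcp arriving for PUBLIC_IP:PORT is rewritten to PRIVATE_IP:PORT.
# SNAT: traffic leaving EXT_IF with source PRIVATE_IP is rewritten to PUBLIC_IP,
#       so the host is pinned to one public address when several are assigned.
nat_pair() {
    pub=$1 priv=$2 port=$3 ext_if=${4:-eth0}
    is_ipv4 "$pub" && is_ipv4 "$priv" || { echo "bad address" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    echo "iptables -t nat -A PREROUTING -i $ext_if -d $pub -p tcp --dport $port -j DNAT --to-destination $priv:$port"
    echo "iptables -t nat -A POSTROUTING -o $ext_if -s $priv -j SNAT --to-source $pub"
}

# nat_ruleset: read "PUBLIC PRIVATE PORT" lines on stdin; stop at the first bad line.
nat_ruleset() {
    while read -r m_pub m_priv m_port; do
        [ -n "$m_pub" ] || continue          # skip blank lines
        nat_pair "$m_pub" "$m_priv" "$m_port" || return 1
    done
}

# Constructed sample: two public IPs on the external interface, one web server each.
nat_ruleset <<'EOF'
203.0.113.10 192.168.1.20 80
203.0.113.11 192.168.1.21 80
EOF
```
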