19

NAT options on domestic routers often come configured as strict. What does this mean? What do moderate or open do? Port-forwarding/DMZ access works properly on strict so why bother with the other two?

A look through the router suggests this affects the firewall. When spending a large amount of your time securing networks using Cisco/iptables such a limp non-descriptive answer is nothing but infuriating and leaves no clues as to what effect upon a firewall this has.

Please can someone shed some light.

Metalshark
  • 517
  • 1
  • 5
  • 16
  • Some makes\models would be helpful, question seems more aimed at the superuser market. Are you planning on using these for some business purpose, seems more likely to be a superuser type question? – Helvick Dec 02 '10 at 20:44
  • 1
    I am sorry, but I believe these terms are most commonly used by a consumer gaming system, and are not commonly used by system administrators. Perhaps you should be asking Microsoft what precisely the meant in their dumbed down terms. http://support.microsoft.com/kb/908880 – Zoredache Dec 02 '10 at 20:49
  • A NetGEAR WNDR3700 in this current case, but the Drayteks (used by quite a few SoHo's and showroom offices) also have the same option. I'd just like to know what every option, that many need investigated when trouble strikes, does. This one in particular seems increasingly common across models. Although if its better asked at SuperUser, I'll try there instead. – Metalshark Dec 02 '10 at 21:16

3 Answers3

39

It's important first to know how Network Address Translation (NAT) works. You establish a connection to a server on the internet. In reality you send packets to your router, going out from your computer on some randomly chosen port:

Your computer        Router
╔════════════╗     ╔═══════════╗
║            ║     ║           ║
║ port 31746 ╫====>╫           ║
║            ║     ║           ║
╚════════════╝     ╚═══════════╝

Your router, in turn, establishes a connection to the server you want to talk to. It talks out it's own randomly chosen port:

                     Router            www.google.com
                   ╔═══════════╗     ╔════════════════╗
                   ║           ║     ║                ║
                   ║ port 21283╫====>╫ port 80        ║
                   ║           ║     ║                ║
                   ╚═══════════╝     ╚════════════════╝

When Google's webserver sends you back information, it is actually sending it back to your router (since your router is the guy actually on the Internet):

                     Router            www.google.com
                   ╔═══════════╗     ╔════════════════╗
                   ║           ║     ║                ║
                   ║ port 21283╫˂====╫ port 80        ║
                   ║           ║     ║                ║
                   ╚═══════════╝     ╚════════════════╝

A packet arrives at your router, on port 21283 from www.google.com. What should the router do with it?

In this case the router has kept a record of you, and it knows that any traffic arriving on port 21283 from the Internet should go to your PC. So the router will relay the packet to your computer:

Your computer        Router
╔════════════╗     ╔═══════════╗
║            ║     ║           ║
║ port 31746 ╫<════╫           ║
║            ║     ║           ║
╚════════════╝     ╚═══════════╝

Open NAT (aka Full cone NAT, aka the good, right, and correct one)

In open NAT, any machine on the internet can send traffic to your router's port 21283, and the packet will be sent back to you:

Your computer        Router            
╔════════════╗     ╔═══════════╗     ╭www.google.com:80
║            ║     ║           ║     ├www.google.com:443
║ port 31746 ╫<════╫ port 21283╫<════╡serverfault.com:80
║            ║     ║           ║     ├fbi.gov:32188
╚════════════╝     ╚═══════════╝     ╰botnet.cn:11288

Moderate NAT (aka Restricted Cone NAT)

Moderate NAT is where your router will only accept traffic from the same host, but will allow it to come from any port:

Your computer        Router            
╔════════════╗     ╔═══════════╗     
║            ║     ║           ║     ╭www.google.com:80
║ port 31746 ╫<════╣ port 21283╫<════╡www.google.com:443
║            ║     ║           ║       (rejected) serverfault.com:80
╚════════════╝     ╚═══════════╝       (rejected) fbi.gov:32188
                                       (rejected) botnet.cn:11288

Closed NAT (aka Port-restricted cone NAT)

Closed NAT is more restrictive. It won't allow anything in unless it came from the original host and port that you originally communicated with, i.e. www.google port 80:

Your computer        Router            
╔════════════╗     ╔═══════════╗     ╭www.google.com:80
║            ║     ║           ║     ┆ (rejected) www.google.com:443
║ port 31746 ╫<════╫ port 21283╫<════╛ (rejected) serverfault.com:80
║            ║     ║           ║       (rejected) fbi.gov:32188
╚════════════╝     ╚═══════════╝       (rejected) botnet.cn:11288

Teredo, X-Box Live, NAT

Microsoft's book Writing Secure Code has some other definitions of the different types of NAT. It is written in the context of NAT for use by Teredo; the IPv6 transition technology:

  • Full cone: A full-cone NAT establishes an external UDP port when sending an outbound packet and will forward traffic sent to that port from any IP address and any port back to the originating port on the internal system.
  • Restricted cone: This type of NAT maintains some level of state and requires that replies come from the same IP address as the initial request was sent to.
  • Port-restricted cone: Replies must come from the same IP address and port as the request.
  • Symmetric: In addition to the requirements for a port-restricted code NAT, the symmetric NAT will create a new mapping of internal IP address and port to external IP address and port for traffic sent to every individual external host.

Some newer NAT devices can also appear to be port restricted under some conditions and symmetric under others:

In particular, we found that many NAT have a 5th strategy, "port conservation." Basically, they will try to keep the same port number inside and outside, unless it is already used for another connection, in which case they pick a different one either sequentially (from a global variable) or randombly. These NATs appear typically "port restricted" during the tests, but behave as "symmetric" under load. (Huitema, personal communication)

If you're interested in the details, consult RFC 3489 (Rosenberg et al. 2003).

Remember: if anyone tries to tell you that Full-code NAT/Open NAT is a security issue, tell them they don't know what they're talking about. NAT is not a security boundary - that is what a firewall is. Anyone using NAT as a security boundary is simply wrong.

See also

Ian Boyd
  • 5,131
  • 14
  • 57
  • 79
  • 1
    Good explanation. That is just one type of NAT and is called PAT (Port Address Translation) – J.Money Jun 20 '16 at 21:16
  • "only from the same host" - only from the same host *as what*? – B T Jun 03 '19 at 00:37
  • @BT "only from the same host *as what*" - as the host we're talking to. (e.g. google.com) – Ian Boyd Jun 03 '19 at 14:08
  • @J.Money, PAT is a vendor-specific (Cisco) term. _[RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations](https://datatracker.ietf.org/doc/html/rfc2663)_ defines the terminology, and it is actually NAPT (Network Address Port Translation), which is a variant of NAT. Basic NAT does not translate port numbers, only the network (IPv4) addresses, but NAPT also translates the port numbers. – Ron Maupin Feb 09 '22 at 22:54
4

All of these NAT terms are used only in the gaming industry. If you ask a network engineer or security engineer about strict nat, they are not going to know what you are talking about.

In the real, pure technical, world of networking there is NAT and PAT and these can be inbound or outbound.

Consumer routers often have a "DMZ" IP setting that sends everything destined to your router public IP straight to your PCs private IP. I can not even begin to tell you how dangerous this is. Gaming companies should at the very least publish a list of Server IPs so you can forward traffic direct to your PC only if it is from a server on the list. I think that the "Moderate NAT" is what the network industry calls PAT (Port address translation).

If you connect on port 80 to the server there is also a source port 4040 for example. Your router is listening on port 4040 after you initiate the connection. If they try to talk to your router on a different port, the router NAT table has no mapping for the new port and drops it. If you allow port 4444 to be forwarded to a specific IP in the NAT/PAT config, outsiders can now initiate connections on that port only. This is less dangerous than a 1 to 1 mapping and allowing everything through.

Gaming companies need to give better guidance. I even saw suggestions to disable the Microsoft firewall entirely rather than give a list of ports. If you want to become part of a botnet or dont mind Ransomware, go ahead and follow their poor guidance.

bjoster
  • 4,423
  • 5
  • 22
  • 32
Steve
  • 41
  • 1
1

So I have had the opportunity to thoroughly test this "NAT type" terminology in (broadly) two networking environments.

MikroTik's RouterOS v6 was used to conduct this test and hence I will use MikroTik networking terminologies.

Before we begin I will assume you know the basics of:

  1. NAT (including PAT which essentially is just "NAT" in 2021 networking)
  2. UPnP
  3. CGNAT + basic idea of the port control protocol
  4. Publicly routable IP for added measure
  5. VPN concept (regardless of protocols used like OpenVPN, WireGuard etc)
  • "Port Forwarding/Static Port Forwarding" technically means creating a destination NAT with the source port and destination port (to-port) being equal and to-address (destination address) being the internal RFC1918 IP address of the console/OS box in question. The terminology varies between networking vendors. The concept remains the same.

We are assuming a single uplink/WAN interface with a single source NAT or single masquerade NAT in both environments. We are also assuming that the OS/Console in used is not blocking ports/UPnP at their OS/Console level.

  1. Network Environment where the router has publicly routable IP
In this network environment, the three NAT types work in the following ways:

 1. Open NAT only occurs when we have static port forwarding (where all the inbound ports are manually configured based on the game/console) or when we have UPnP enabled and it opens up all the required ports
 2. Moderate NAT only occurs when we have static port forwarding or UPnP partially working (meaning, only some of the ports required are open inbound)
 3. Strict NAT only occurs when static port forwarding is not done correctly or UPnP is not or working, in either case, it means port forwarding does not work whatsoever.
  1. Network Environment where the router has a CGNATted WAN IP
In this network environment, the three NAT types work in the following ways:

 1. Open NAT cannot occur in this environment. The only workaround to achieve open NAT is to use a VPN (host it somewhere with a public IP) and open ports through the VPN tunnel (UPnP can work through the VPN tunnel assuming the OS sends all incoming packets from itself through the tunnel).
 2. Moderate NAT only occurs when we have static port forwarding or UPnP enabled and all the necessary ports are configured to be open at the router level. This is basically the same as "open NAT" configuration done in the first network environment.
 3. Strict NAT occurs when neither the above cases are achieved.

Now the strange part is the "moderate" NAT situation in CGNATted environments. We know port forwarding cannot work behind a CGNAT (unless your ISP is smart enough to deploy Port Control Protocol).

As already mentioned here, don't be stupid and use so-called "DMZ" or disable the OS/Console's internal Firewall completely. If it is the OS/Console causing issues, reset the firewall to defaults. Default Firewalls on Windows, Linux Distros etc will not block UPnP/Ports opened manually at the router.