
What are the NAT Types?

Published on February 6, 2024

Quick definition: NAT is an essential networking solution that lets LANs communicate with the internet, and there are three types of NAT you should be aware of, each suited to different circumstances.

Network Address Translation (or NAT) is an essential cog in the complex machine that is networking. It is important to understand what it is, how it functions, and how it optimizes network performance, both for your networks at the office and for your online gaming at home. Today we'll dig into the different NAT types and the differences and strengths of each one.

What is NAT?

NAT is a technology that allows multiple devices within a local network to share a single public IP address when connecting to the internet. For a deeper understanding of how NAT works, we'll need a refresher on public and private IP addresses.

Public IPs are, as the name suggests, publicly accessible across the internet. Your router (either at home or at the office) probably has a unique public IP assigned to it. That IP is used to route traffic between the internet and your router.

On your LAN, devices are usually assigned a private IP within one of three reserved ranges. One of these should look familiar: 192.168.0.0-192.168.255.255. Most home routers are set up out of the box to use this network.

NAT is the magic glue that holds private networks with lots of devices using lots of private IP addresses together with the single public IP address assigned to your router. When your laptop accesses a website, the request goes first to your router, which notes four things: 

  1. The source IP (your laptop's private IP)

  2. The source port (your OS sends an outbound connection using a random port)

  3. The destination IP (the website's host)

  4. The destination port (usually 443 for HTTPS)

Your router uses NAT to rewrite the private source IP and port of your request to its own public IP and a port it keeps track of, then sends the request on to the website's IP and port. The real trick is that when the website replies, your router recognizes that connection and translates it back to your laptop's private IP. Multiply this by tens or hundreds of devices on a LAN, all accessing the internet at once from a single public IP, and things start to get complicated. NAT keeps all those connections going to the right place.

Without NAT, every device on your network would need its own unique public IP address, an impossibility since the number of devices on the internet exceeded the number of assignable IPv4 addresses long ago.

What are NAT types?

Now that we're straight on NAT, let's check out the three different NAT types. Each type defines the level of openness between the private and public networks in a different way.  

How you determine your NAT type depends on how your router is configured. Also, different devices on your network can use different NAT types to meet their individual needs. The three main types of NAT are Open NAT, Moderate NAT, and Strict NAT. Let's explore how they differ.

What is Open NAT?

The first NAT type is known as Open NAT. This implementation of NAT is the best performing and least restrictive; the device virtually has a direct connection to the internet, bypassing most of the router's functionality.

Sometimes Open NAT is achieved by creating a DMZ on the router and assigning the device to this network. On the DMZ, the device has no protection from the router: no firewall, no security filtering, and no NAT. In some DMZ configurations, the device is actually assigned a public IP address instead of a private one.

A more common (and much safer) way to use Open NAT is with static port forwarding. Port forwarding defines a private IP and a range of ports on the router. That range of ports is always directed from the outside back to that private IP. NAT isn't doing any dynamic translation on the fly, so the process is much smoother and performance is improved.

Port forwarding is a common practice for online gaming, both on PC and consoles. Different games and consoles will have a defined set of ports they will use for online play. If left to handle this traffic without any specific configuration, NAT can actually slow down or sometimes block traffic that the game is expecting to receive from the servers in real time. 

This happens when the servers initiate specific connections back to the console; without an existing connection established via NAT, your router drops the traffic. Port forwarding allows this small, defined slice of traffic to always make it back to the console or computer.

What is Moderate NAT?

The second type of NAT is Moderate NAT. This is a very typical setup for normal internet traffic where your device initiates a connection to the internet, NAT translates that connection to your public IP and the expected ports, and the reply comes back to your router and is translated back to a private IP. Most routers use this out of the box and it can handle a majority of your traffic.

Moderate NAT is more secure than Open NAT. There is no automatic forwarding of ports back to a private IP, so no one on the internet can initiate a connection to any device on your network; every router has a basic firewall that will drop this traffic as not allowed.

Moderate NAT is the most reliable and simplest way to configure NAT for the majority of networks. It is what you should use anywhere, at home or office, in the absence of any particular need requiring Open NAT.

What is Strict NAT?

The final NAT type is Strict NAT. This type only allows connections from remote hosts on specific defined ports.

Strict NAT is used to deny or allow only certain ports. For example, you could allow only 443 for web access, blocking any connections using other ports, such as SSH or malware calling out to a remote control server. Moderate NAT dynamically translates connections using any port; Strict NAT is used for more sensitive or high-security networks where ports must be restricted.
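
The translation table described in the sections above, as an added example that is not part of the original article: a toy Python model of a port-translating NAT showing dynamic mappings, a static port forward, and the port allowlist this article calls Strict NAT. All addresses and ports are constructed, and the filtering rule (a reply is accepted only from the exact remote host and port that was contacted) is an assumption; real routers vary.

```python
from itertools import count

class Nat:
    """Toy port-translating NAT; every address and port below is constructed."""
    def __init__(self, public_ip, allowed_dst_ports=None):
        self.public_ip = public_ip
        self.allowed = allowed_dst_ports   # None: any port; a set: restrict ports
        self.out = {}        # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.back = {}       # (public port, remote_ip, remote_port) -> (src_ip, src_port)
        self.forwards = {}   # public port -> (private_ip, private_port), static
        self._next = count(40000)          # dynamic public ports start here

    def forward(self, public_port, private_ip, private_port):
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (public_ip, public_port) the packet leaves with, or None."""
        if self.allowed is not None and dst_port not in self.allowed:
            return None                    # port not on the allowlist: dropped
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:            # first packet creates the mapping
            port = self.out[key] = next(self._next)
            self.back[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key])

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the private (ip, port) to deliver to, or None if dropped."""
        tracked = self.back.get((public_port, remote_ip, remote_port))
        return tracked or self.forwards.get(public_port)

def demo():
    nat = Nat("203.0.113.7")
    web = ("198.51.100.20", 443)
    a = nat.outbound("192.168.1.10", 51000, *web)   # laptop
    b = nat.outbound("192.168.1.11", 51000, *web)   # second device, same source port
    results = {
        "a": a, "b": b,
        "reply_to_a": nat.inbound(*web, a[1]),
        "stranger_on_a": nat.inbound("192.0.2.99", 443, a[1]),
    }
    nat.forward(3074, "192.168.1.50", 3074)         # static forward for a console
    results["stranger_on_forward"] = nat.inbound("192.0.2.99", 5555, 3074)
    strict = Nat("203.0.113.7", allowed_dst_ports={443})
    results["strict_443"] = strict.outbound("192.168.1.10", 51001, *web)
    results["strict_22"] = strict.outbound("192.168.1.10", 51002, "198.51.100.20", 22)
    return results

if __name__ == "__main__":
    print(demo())
```

In this model the dynamic mapping admits only the host that was contacted, while the forwarded port delivers traffic from any remote address, which is why a forward should cover only the ports a device actually needs.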

Which NAT Type to Use

The NAT type to use depends on your needs. For almost every situation, Moderate NAT is fine. When there is no need for a device to bypass NAT or the firewall, and no security need to lock down access to ports, Moderate NAT is a great combination of hands-off configuration and a baseline of security.

Strict NAT is helpful when security is a high concern and access to certain ports and services must be restricted.

Open NAT is used when NAT is detrimental to performance or access, commonly with online gaming. Microsoft and Nintendo both have informative support articles about using the different NAT types with their respective consoles.

Conclusion 

While Moderate NAT fits the bill most of the time, it is very helpful to know how all three work and when a different type might be necessary. NAT is also an essential topic in general to understand networking within the IPv4 address space. 

Hopefully, we've shed some light today on how NAT works in general and how to apply the specific NAT types to your networking needs. Want to keep learning? The CBT Nuggets Network Firewall Fundamentals course explores how to use access control lists and network firewalls.
