[dijit]

> "you're not allowed to like the NAT"

Well, the bigger question might be why do they like NAT?

If it's about having a single /128 address so they can do ACLs then that's easily fixed by just lowering the CIDR number. (unless you have an ancient version of fortigate on prem, which likely doesn't work with ipv6 anyway).

If it's about not having things poking at your servers through the NAT then the "NAT" really isn't helping anything, it's the stateful firewall doing _all_ the work there and those things are entirely independent systems. -- They're just sold to consumers as a single package.

[otabdeveloper4]

Again: "you're doing it wrong" and "you're not allowed to like the NAT" are not valid criticisms.

People like NAT because it's an easy batteries-included way to manage, secure and understand your LAN.

Taking it away and forcing them to migrate to an incompatible zoo of firewall technologies for no benefit is asinine.

> They're just sold to consumers as a single package.

Exactly. How in the world is this a bad thing now? Do we really want to make network security for the average do-it-yourself home LAN harder?

[w7]

It's less of a "you're doing it wrong" or "you're not allowed to like the NAT" and a more complex "you've incorrectly attributed your protection to NAT"

[otabdeveloper4]

Trying to separate "NAT" from "stateful firewall" is pointless and only causes pain to the end user.

[w7]

If this helps you understand, NAT and stateful firewalling are often the same code base. NAT is basically just a sub-feature, purely for translation, that is it.

The NAT feature solves the problem of:

  - public ipv4 exhaustion

You get in return:

  - higher latency

  - higher user & administrator mental overhead

  - limited public ports

  - protocol breakage (TCP & IPSec)

If you _remove_ NAT:

  - users no longer have to figure out why they can’t connect to their local web/minecraft server using the public address/domain even after a port forward (the very common NAT hairpin problem)

  - do not need to google “what’s my IP” as the machine knows its address in any context

  - do not have to tunnel to a VPS, or use a VPN in cases of CGNAT (ISP provided double-NAT) to expose a server
 
  - no longer have to maintain a split DNS zone for public/private addresses of a *public* server

  - no longer have to google “how do in enable NAT traversal for this VPN”

  - no longer have to learn what addresses are OK and not OK to use locally (rfc1918)

  - no longer get confused into thinking NAT is a hard-requirement for any and all routing (ex: green admins whos only experiance is a basic pfsense install adding 3 layers deep of NAT in labs) 

These are all problems I’ve either been paid to help figure out, or done for free on forums/discord, regularly.

Removal of NAT requires no user interface change, the same “port forward” terminology AND user interfaces can remain. There can still be a port forward tab where you enter an address and port. SOHO firewalls/routers that use stuff like iptables ALREADY add both NAT and normal firewall rules, and hide that fact. The security of user devices with a proper firewall/router does not change, the exposed interfaces do not need to change, everything gets simpler. I repeat, the basic abstraction presented to users does not need to change. The only reason to insist on NAT is ignorance; removal of NAT is removal of complexity.

[dijit]

Nothing changes; the firewall instead says "do you want this port open to this device" [y/N]:

Personally I think this is much easier to reason about.

And all I'm saying is that the NAT part of it absolutely does nothing to defend you, it's trivially defeated, people just conflate the two.

[otabdeveloper4]

> the firewall instead says "do you want this port open to this device" [y/N]

That's exactly what I don't want to do. I have over 20 devices in the home LAN at any given point in time; why do you want to make my life difficult for no good reason?

[dijit]

then don't click the "I want to open this device to incoming traffic" button?

Honestly I think you don't understand what NAT is.

Stateful firewalls basically work by watching your connections and then allowing the return traffic through. All firewalls are stateful, there are "stateless ACLS" in networking which are stupid and don't watch things; we're not talking about those ... in fact 99% of internet users will never interact with a stateless ACL.

What happens when you make a connection is that your router adds your state to it's "state table" _and_ pops open a port on your gateway to allow return traffic through, if you did not have a stateful firewall in place then the whole internet would be able to poke that port.

If you remove the NAT the only thing that happens is that your router doesn't have to pop open a port and route traffic from that port to your device, the stateful firewall stays in place, meaning that random devices on the internet CANNOT TALK to your internal network at all, unless you manually allow that, which is the same as what happens with port forwarding today.

The only thing you "lose" is that your whole house looks like one device.

You gain a significant reduction in latency, online games will work better and p2p networking (such as voip) will have significantly fewer problems, because the whole internet was designed without NAT in mind, because NAT is genuinely a terrible hack.

[otabdeveloper4]

> Honestly I think you don't understand what NAT is.

Yes, I do. It's the "masquerade" rule in my router's firewall rules table.

> The only thing you "lose" is that your whole house looks like one device.

That's a feature, not a bug.

> You gain a significant reduction in latency, online games will work better and p2p networking (such as voip) will have significantly fewer problems

99.99999% of those problems are caused by shoddy Wi-Fi. IPv6 does nothing to fix it. (Directional antennas and a standard way to bridge L2 over Wi-Fi is the real solution; expanding the IPv4 address space does nothing.)

Again: what's the benefit of IPv6 to me? So far I only see downsides.

[dijit]

My dude. Please, I beg you, look at what NAT actually is.

You are so mistaken here I can’t help think you’re intentionally trolling us.