[w7]

What I find common is people conflate NAT with stateful firewalling, and believe that if you lose NAT you lose all forms of edge/perimeter network security. They don't understand that you can still filter and prevent unwanted packets from reaching hosts without NAT.

[otabdeveloper4]

Of course you can. But why would you? You're replacing something that is simple, easy to understand and works perfectly well with a nebulous something that invites user error and security nightmares.

For example, my (modest) home LAN is five routers, a NAS/media server, a media player, two "smart TVs" and dozens of notebooks and phones connected via Wi-Fi.

What do you propose? Manage a firewall on each of those devices?

I suppose you mean setting up a firewall on the WAN link to block all incoming traffic? How is that different from a NAT? Merely a lack of 'masquerade' setting on the firewall rule? What's the benefit to me and why should I care?

Or do you propose some sort of hybrid scheme to intelligently block traffic while making all my countless devices pingable from the Internet? Not in this timeline, sorry.

[femiagbabiaka]

Your home network and a cloud datacenter aren’t comparable. Many clouds have host level firewall policies as a core feature, and anyone competent is managing them profile-style using Terraform or an equivalent. It’s really quite easy from that perspective.

[otabdeveloper4]

> Your home network and a cloud datacenter aren’t comparable.

Of course they are. I didn't need to think about firewall automation before, and now I do. For what gain?

> anyone competent

Not an option for most people. Let's make networking and security things more foolproof, not less, okay?

[jiggawatts]

You really are refusing to listen to what people are telling you.

I have an Internet router, which uses NAT for IPv4, same as everyone else. If I want to punch a hole through for something like RDP or SSH, I have to use unique port numbers because I only have one Internet-facing IP address. Because there are only 3 billion IPv4 addresses for the whole World, all of them are regularly scanned by Bad People for open ports, making this RISKY.

I also have IPv6 enabled on it. No NAT. If I want to punch a hole through for RDP or SSH, I can use the standard ports because each device has a unique Internet-facing IP address. My router alone has 2^64 (millions of trillions) of unique addresses, of which a random 5 or 6 have been allocated. There is no way anyone ever is going to be able to scan these. I can SAFELY open standard port numbers and not have to worry about drive-by attacks.

THERE IS NO OTHER DIFFERENCE.

The router works the same, the firewall works the same, the Internet works the same, the GUI is the same. IT IS ALL THE SAME!

NAT is not magic. It is not a firewall. It is not necessary. It is not beneficial.

[otabdeveloper4]

Security by obscurity?

This problem is (correctly) solved by VPN.

[femiagbabiaka]

Nobody is stopping you from running a NAT gateway until 2120 at home. IPv6 solves specific problems in a datacenter context, namely address exhaustion. You'll never run into that problem at home.

[w7]

Nothing new needs to be proposed. Nothing is being replaced. The current state of things is that whatever your edge device is provides actual security with stateful firewalling and translation with NAT, already. It's simple to understand because most home router products and projects like pfsense make them look like inseparable things that perform the same function. Removal of NAT won't even require a UI change for consumers because all these port forwarding UIs add both a DNAT/PNAT rule and a firewall rule already. You can keep the exact same user interfaces and "port forward" terminology when removing NAT.