by adrian_b 1754 days ago
It is true that for incoming connections you normally have to include in the NAT configuration the local IPv4 address to which the connection requests should be sent.

Otherwise the NAT would have to guess if they should be sent to one of the local addresses already seen to be in use.

In any case there is no difference between what happens when you use NAT and what happens when you have only public addresses in your internal network, whether IPv6 or IPv4; it does not matter.

If you have internal public addresses, the incoming connections cannot reach them anyway, until you add a firewall rule allowing a connection with a certain protocol for a certain port and internal host, which is done exactly like when adding the same rule in the NAT case.

If the NAT does not allow incoming connections without express configuration, then it has correct default firewall filtering rules.

The fact that there may be multiple internal computers is not something that would block the connection, because the NAT can choose the first of the internal addresses that it has seen, maybe rotating the addresses for the next connection requests.

So what blocks the incoming connections is the lack of permission to do that, not the fact that the NAT could not do that if allowed.

It would not surprise me if there are some NAT implementations that attempt to be too helpful, so they might send the incoming connections to your local computer even without any configuration for this.
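The comment's point, that the filter rule and not the address translation is what admits or blocks an inbound connection, is easiest to see in a ruleset where both cases sit side by side. The nftables ruleset below is an added illustration, not something from the comment or from any particular router's firmware; the interface names (`eth0`, `eth1`), the private IPv4 host `192.168.1.10`, and the IPv6 documentation-range host `2001:db8:1::10` are constructed values. It is loadable with `nft -f` on a Linux router.

```nft
# Constructed example: interface names and host addresses are assumptions.
define wan = eth0
define lan = eth1
define web_v4 = 192.168.1.10
define web_v6 = 2001:db8:1::10

table inet filter {
    chain forward {
        # Default deny: an inbound SYN that matches nothing below is dropped,
        # whether or not a NAT translation was applied to it earlier.
        type filter hook forward priority filter; policy drop;

        # Reply traffic for connections already admitted in either direction.
        ct state established,related accept

        # Outbound connections from the LAN.
        iifname $lan oifname $wan accept

        # Case A (IPv4 behind NAT): the DNAT in the nat table below has already
        # rewritten the destination by the time the packet reaches this hook.
        # Without this accept rule the translated packet is still dropped, so
        # the translation alone admits nothing.
        iifname $wan oifname $lan ip daddr $web_v4 tcp dport 443 ct status dnat accept

        # Case B (public internal address, here IPv6): same shape of rule,
        # no translation involved at all.
        iifname $wan oifname $lan ip6 daddr $web_v6 tcp dport 443 accept
    }
}

table ip nat {
    chain prerouting {
        # Steer inbound TCP/443 to the internal web host. This only chooses the
        # destination; the forward chain above decides whether it is allowed.
        type nat hook prerouting priority dstnat;
        iifname $wan tcp dport 443 dnat to $web_v4
    }
    chain postrouting {
        # Source translation for the LAN's outbound traffic.
        type nat hook postrouting priority srcnat;
        oifname $wan masquerade
    }
}
```

Removing the `dnat` rule makes the inbound IPv4 request unroutable; removing the `ct status dnat accept` rule instead makes it routable but dropped. The second failure mode is the one the comment calls "correct default firewall filtering rules": the NAT could deliver the packet, and the policy is what stops it. Consumer routers that expose a "DMZ host" option implement the opposite of this, a blanket forward of unsolicited traffic to one internal address, which is the kind of over-helpful behaviour the comment warns about and is worth checking for when auditing a home or branch router.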