What is strict, moderate and open NAT?

Solution 1:

It's important first to know how Network Address Translation (NAT) works. You establish a connection to a server on the internet. In reality you send packets to your router, going out from your computer on some randomly chosen port:

Your computer        Router
+------------+     +-----------+
|            |     |           |
| port 31746 o====>o           |
|            |     |           |
+------------+     +-----------+

Your router, in turn, establishes a connection to the server you want to talk to. It talks out of its own randomly chosen port:

                     Router            www.google.com
                   +-----------+     +----------------+
                   |           |     |                |
                   | port 21283o====>o port 80        |
                   |           |     |                |
                   +-----------+     +----------------+

When Google's web server sends you back information, it is actually sending it back to your router (since your router is the guy actually on the internet):

                     Router            www.google.com
                   +-----------+     +----------------+
                   |           |     |                |
                   | port 21283o<====o port 80        |
                   |           |     |                |
                   +-----------+     +----------------+

A packet arrives at your router, on port 21283 from www.google.com. What should the router do with it?

In this case the router has kept a record of you, and the traffic it sent to www.google.com:80 from port 21283 on your behalf. So the router will relay the packet to your computer:

Your computer        Router
+------------+     +-----------+
|            |     |           |
| port 31746 o<====o           |
|            |     |           |
+------------+     +-----------+

Open NAT

In open NAT, any machine on the internet can send traffic to your router's port 21283, and the packet will be sent back to you:

Your computer        Router            
+------------+     +-----------+     {www.google.com:80
|            |     |           |     {www.google.com:443
| port 31746 o<====o port 21283o<===={serverfault.com:80
|            |     |           |     {fbi.gov:32188
+------------+     +-----------+     {botnet.cn:11288

Closed NAT

Closed NAT is more restrictive. It won't allow anything in unless it came from the original address and port that you wanted to talk to, i.e. www.google.com port 80:

Your computer        Router            
+------------+     +-----------+     {www.google.com:80
|            |     |           |     | (rejected) www.google.com:443
| port 31746 o<====o port 21283o<====+ (rejected) serverfault.com:80
|            |     |           |       (rejected) fbi.gov:32188
+------------+     +-----------+       (rejected) botnet.cn:11288

Moderate NAT

Moderate NAT is a mixture, where your router will accept any traffic from any port, but only from the same host:

Your computer        Router            
+------------+     +-----------+     
|            |     |           |     {www.google.com:80
| port 31746 o<====o port 21283o<===={www.google.com:443
|            |     |           |       (rejected) serverfault.com:80
+------------+     +-----------+       (rejected) fbi.gov:32188
                                       (rejected) botnet.cn:11288

That's one set of definitions. The other is:

  • Open: allows computers on the LAN to use UPNP to open ports
  • Moderate: some port forwards have been created and are working
  • Closed: no static port forwarding exists

But the terminology really is nebulous.

See also

  • Wikipedia: Network address translation
  • Strict, Moderate, and Open NAT
  • Error: Your NAT type is set to strict (or moderate)
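As an added illustration (not part of either answer), here is a small Python model of the router's translation table that replays the three diagrams above, using constructed TEST-NET addresses in place of the hostnames; the mode names map onto the filtering behaviours defined in RFC 4787:

```python
from dataclasses import dataclass, field
from enum import Enum
class NatType(Enum):
    OPEN = "open"          # endpoint-independent filtering (RFC 4787): any host:port may send in
    MODERATE = "moderate"  # address-dependent filtering: same host, any port
    STRICT = "strict"      # address-and-port-dependent filtering: only the exact host:port

@dataclass
class Mapping:
    internal: tuple                          # (lan_ip, lan_port) that opened the mapping
    external_port: int                       # router port chosen on the LAN host's behalf
    peers: set = field(default_factory=set)  # (remote_ip, remote_port) already sent to

class Nat:
    def __init__(self, nat_type, first_port=21283):
        self.nat_type = nat_type
        self.next_port = first_port
        self.by_external = {}  # external_port -> Mapping
        self.by_internal = {}  # (lan_ip, lan_port) -> Mapping

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host sends out: reuse or allocate a router port and record the peer."""
        key = (lan_ip, lan_port)
        m = self.by_internal.get(key)
        if m is None:
            m = Mapping(key, self.next_port)
            self.next_port += 1
            self.by_external[m.external_port] = m
            self.by_internal[key] = m
        m.peers.add((remote_ip, remote_port))
        return m.external_port

    def inbound(self, external_port, remote_ip, remote_port):
        """Packet arrives from the internet: LAN destination, or None if dropped."""
        m = self.by_external.get(external_port)
        if m is None:
            return None  # nothing was ever sent from this port, so nothing to relay
        if self.nat_type is NatType.OPEN:
            allowed = True
        elif self.nat_type is NatType.MODERATE:
            allowed = any(ip == remote_ip for ip, _ in m.peers)
        else:
            allowed = (remote_ip, remote_port) in m.peers
        return m.internal if allowed else None
def demo(nat_type):
    """Replay the diagrams with constructed TEST-NET addresses standing in for the hosts."""
    nat = Nat(nat_type)
    ext = nat.outbound("192.168.1.10", 31746, "203.0.113.5", 80)   # "www.google.com:80"
    senders = [("203.0.113.5", 80), ("203.0.113.5", 443), ("198.51.100.7", 80)]
    return {s: nat.inbound(ext, *s) is not None for s in senders}
```

`demo` returns, per sender, whether the router relays its packet: every sender under open NAT, only the same host under moderate, and only the exact host:port under strict.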

Solution 2:

All of these NAT terms are used only in the gaming industry. If you ask a network engineer or security engineer about strict nat, they are not going to know what you are talking about.

In the real, purely technical world of networking there is NAT and PAT, and these can be inbound or outbound.

Consumer routers often have a "DMZ" IP setting that sends everything destined to your router's public IP straight to your PC's private IP. I cannot even begin to tell you how dangerous this is. Gaming companies should at the very least publish a list of server IPs so you can forward traffic direct to your PC only if it is from a server on the list. I think that the "Moderate NAT" is what the network industry calls PAT (Port Address Translation).

If you connect on port 80 to the server there is also a source port 4040 for example. Your router is listening on port 4040 after you initiate the connection. If they try to talk to your router on a different port, the router NAT table has no mapping for the new port and drops it. If you allow port 4444 to be forwarded to a specific IP in the NAT/PAT config, outsiders can now initiate connections on that port only. This is less dangerous than a 1 to 1 mapping and allowing everything through.

Gaming companies need to give better guidance. I even saw suggestions to disable the Microsoft firewall entirely rather than give a list of ports. If you want to become part of a botnet or don't mind ransomware, go ahead and follow their poor guidance.

Tags: Router, NAT, Open