NAT is a method of modifying an IP address by changing the information in the IP header. This enables several devices on a private network to use the same gateway to the internet.
Although the devices will share a similar public IP address, they will have unique private IP addresses. Most VPNs and WiFi routers offer these gateways.
An IP address translation firewall is a great way to stay safe online, as computers and servers cannot see your devices’ private IP addresses. This process is also popularly known as IP masquerading.
How IP address translation works
When connecting several computers in a network directly to the internet, each will need a unique IP address. However, the ideal configuration is to route all the computer’s internet communication on a network through a single gateway. As a result, the computers will require IP addresses that are unique on the particular network.
Other private networks could use similar addresses. However, it doesn’t matter as the addresses will be different within their respective networks. Therefore, it is only the gateway IP address that should be unique all over the internet.
The gateway has to recognize the computers on the private network that routes requests over the internet. If the gateway receives a response, it must check its network address translation table to identify which computer sent out the request.
Furthermore, the gateway will replace the private network address with a unique address if a computer on the network sends a request to the internet. When the session is over, the private address will return to the pool to be allocated to another computer. Therefore, the private network’s internet addresses will be masked, making it difficult to know the exact computer that sends the request. The gateway identifies the computer because it checks the records on its network address translation table.
Types of Network Address Translation (NAT)
There are three main types of NAT that include:
1. Static NAT
This is the most basic NAT that involves one-to-one IP addresses translation. For example, an internal private IP address (192.162.20.1) is mapped to a public address (12.15.65.05). The configuration is mainly used in web hosting.
2. Dynamic NAT
With dynamic NAT, the router pools together multiple public IP addresses. It also involves private IP address to public IP address direct mapping. This is where the device that wants to connect to the internet is given the available IP address. In other words, the connection is based on a first-come basis.
3. Port address translation (PAT)
Port Address Translation (PAT) is a technology that maps numerous private IP addresses to a single public IP address. Thus, the traffic is distinguished by the port numbers. This configuration is popular because it is cost-effective as it connects many users to the internet with a single IP address. We have talked more about this above.
How to check whether the NAT firewall is working correctly
Do you want to know if the NAT firewall on your router is active? The process is straightforward. Just connect two different devices to the same WiFi network, like a smartphone and a laptop.
Then, run a Google search for ‘what’s my IP‘ on each of them. The IP address translation firewall is probably enabled if a similar IP address appears on both devices. Usually, your devices will share the same public IP address, although they have different private IP addresses.
It’s more challenging to check if a Network Address Translation firewall is working on a VPN, but you can look at the provider’s documentation. Also, some VPNs come with the option to activate and deactivate the Network Address Translation firewall in the settings.
NAT firewalls and VPNs
A virtual private network (VPN) is an ingenious technology that encrypts your traffic and redirects it through any intermediary server. Since the internet traffic routes through a VPN before reaching its destination, your router’s Network Address Translation firewall cannot differentiate between unsolicited and requested traffic. Everything from the VPN server looks the same because of the encryption, making your router’s NAT firewall useless.
As a result, many VPNs are integrated with Network Address Translation firewalls. So, the VPN will filter out unwanted traffic instead of your WiFi router. Usually, they offer a NAT firewall as an extra option, but sometimes, they build it into the VPN’s software by default. However, some people do not agree that a NAT firewall and VPN combination is good.
Usually, VPN providers either offer Network Address Translation firewalls or PAT firewalls. We will expound further on PAT firewalls later in the article.
A VPN with an inbuilt firewall will allocate a unique private IP address to each user. Thus, it comes with all the advantages of a router’s NAT firewall, as we have discussed above.
On the downside, although you’ll be secured from unsolicited communications, the VPN provider or other third parties can track your device. The alternative solution is to eliminate private IP addresses and assign a similar public IP address to all VPN users on the same server. This adds a vital anonymity layer, as nobody can trace online activities to an individual or device through an IP address.
NordVPN is one top-rated VPN that doesn’t support NAT firewalls. Instead, the company indicates that it uses the port-blocking technique that achieves the same objective as a NAT firewall.
Port address translation (PAT) firewall
PAT firewalls are mostly confused with IP address translation firewalls. However, PAT is an acronym for Port Address Translation that allows a network gateway with a single IP address to represent many computers. The advantage is that each device is allocated a port number rather than a private IP address.
If the network gateway gets an outgoing address from a computer, it substitutes the return address with an internet-compliant address and adds a port number. Then, the gateway enters the connection in its translation table to recognize that the port number denotes a specific computer on the network.
The primary benefit of this system is that it reduces the number of IP addresses that a company requires. It can also be advantageous to VPN providers because all the traffic leaving the VPN gateway has a similar return address. Since hundreds of customers simultaneously connect to the exact location, it is difficult for a VPN service to identify the origin of requests.
NAT firewalls and torrenting
NAT firewalls can be problematic when torrenting since they block unsolicited traffic from reaching the end-user device. As a result, it can be challenging to upload (seed) files for download from other torrent users. Furthermore, connecting to many peers on the network to download (leech) files can also be an issue. Therefore, as a NAT firewall blocks you from a significant number of users in a torrent swarm, so does the PAT firewall.
However, this doesn’t imply that torrenting is impossible with an IP Address Translation firewall. In fact, most NAT firewalls nowadays are not strict, so they won’t impact download or upload performance. More strict firewalls are in public places like schools and hotels, but VPN services and routers won’t affect torrenting as much.
A VPN is a great solution if your local network has a NAT firewall preventing you from torrenting. However, remember that the VPN encrypts all inbound traffic, so your local IP Address Translation firewall won’t differentiate solicited and unsolicited traffic. Therefore, the VPN’s NAT firewall feature will not be as strict as the one on your private network.
Only a few VPNs permit you to use port forwarding to evade NAT firewall restrictions when torrenting. However, it is vital to mention that doing so may compromise your security. Setting up ports makes you more susceptible to cyber-attacks. Also, your traffic is different from that of other VPN users since you are using a particular port, making it easier to track your online activities.
Best VPN with a NAT firewall
1. IPVanish
Key features:
- Apps available for Windows, Android, Linux, iOS, and macOS
- Money-back guarantee: 30 Days
- Simultaneous connections: 10 devices
IPVanish has a relatively modest network of about 1,900 servers in 75 countries. All servers come with a NAT firewall to enable you to share the public IP address. In addition, its apps even allow you to switch IP addresses at intervals.
Unfortunately, the presence of a IP Address Translation firewall prevents you from porting forward to your device while the connection is active. This can be a safety precaution for some people, while it can also be an obstacle to others.
Besides NAT firewall, it is a high-quality VPN service that offers robust security and privacy features as well as a strict no-logs policy. Moreover, it supports up to 10 simultaneous connections. This is double what other premium providers like ExpressVPN and NordVPN offer. Finally, IPVanish has apps for all major devices such as Windows, iOS, macOS, Amazon Fire TV, and Android.
Check out our full IPVanish review.
2. VyprVPN
Key features:
- Apps for: Android, Windows, macOS, iOS, Linux
- Simultaneous connections: 5 simultaneous connections
- Money-back guarantee: 30 days
VyprVPN has a NAT firewall feature to safeguard you from hackers who could take advantage of open ports to reach your system. Nonetheless, it allows you to set the ports that the OpenVPN protocol will use manually. So, this is the best option if you are looking for a VPN that lets you customize your connections.
The provider also offers strong encryption and other security features such as kill switch, DNS leak protection, Chameleon technology, etc. Also, it has a strict zero-logs policy, which means it does retain any of your identifiable information.
VyprVPN offers apps for macOS, Android, iOS, Windows, and Linux. The standard plan allows you to connect three devices, while the premium package allows you to connect five devices.
Check out our full VyprVPN review.
Best VPNs without a Network Address Translation firewall
1. NordVPN
Key features:
- Apps for: Linux, Windows, iOS, macOS, and Android
- Money-back guarantee: 30 days
- Simultaneous connections: 6 devices
NordVPN is a trustworthy VPN service with a network of more than 5,127 servers in over 60 countries. It uses the shared IP address system but also offers a few dedicated IP addresses. All the apps are highly secure, and the provider adheres to a no-logs policy.
The VPN is also excellent at bypassing geo-restrictions of popular streaming services such as Netflix, BBC iPlayer, Amazon Prime Video, etc. In addition, most of the servers provide sufficient speed to stream high-quality videos.
It also offers a few alternative connection types on some of the servers. For example, it has P2P-optimized servers that are designed to improve speed and stability when torrenting. There is also a double VPN and Tor over VPN.
NordVPN provides apps for macOS, iOS, Android, Linux, and Windows. Luckily, it supports up to six simultaneous devices and has an option to install it on your router to add more connections.
Check out our full NordVPN review.
2. ExpressVPN
Key features:
- Apps for: macOS, iOS, Windows, Android, and Linux
- Money-back guarantee: 30 days
- Simultaneous connections: 5 devices
ExpressVPN is another reliable VPN service. It offers shared IP addresses and reinforces your security with AES 256-bit encryption and 4096-bit RSA key exchange protection. This combination ensures that no one can intercept your traffic to snoop or steal your data.
It allows P2P sharing on all the servers to enable you to download torrent files. In addition, the provider does not keep any logs, so your torrenting activities will remain completely private.
ExpressVPN will help you unblock geographically restricted content on streaming sites like Peacock TV, Hotstar, CTV, etc. What’s more, it has an expansive network of over 3,000 servers in more than 94 countries.
The VPN has apps for Windows, Linux, Android, iOS, and macOS. It lets you connect five simultaneous devices and even install the router app to add as many connections as you want.
Check out our full ExpressVPN review.
Limitations of NAT firewalls
Having a NAT firewall does not make your computer immune to viruses. These days, hackers can trick you into installing a Trojan program that will route your requests to their computers. The gateway will allow the hacker’s incoming message to pass as it is sent to respond to a request originating from the network.
Another disadvantage is that a NAT firewall will not safeguard you from phishing scams. This is where you receive an email advising you to click a link to connect to a particular service. However, the email does not originate from the service provider but from the hacker. The trick is to prompt you to provide your credentials to the hacker’s fake page.
Moreover, a IP Address Translation firewall will not secure you from a man-in-the-middle attack. In this case, a hacker runs a fake WiFi hotspot and tricks you into connecting to their servers to steal your data.
Many security vulnerabilities exist in a connection that NAT firewalls cannot secure you from. The advantage of including a VPN is that it uses multiple security procedures like encryption and authentication certificates to keep you completely safe.
Using firewall software with Network Address Translation firewalls
NAT firewall isn’t wholly perfect so do other firewall applications you can install on your computer. However, combining both is a great way to prevent every possible unwanted connection. In addition, hackers are devising new ways to exploit vulnerabilities in the operating systems or HTTP processes every day. So, having several overlapping protection layers will maintain your online security.
Other benefits of NAT
Interestingly, NAT wasn’t developed to become a firewall. It was intended to make networks more portable to eliminate the process of re-addressing every device if the network is moved. Only a NAT device, like a router, would need a new public-facing IP address. However, other devices connected to it could retain the same private IP address.
Nowadays, NAT has become vital in conserving global IP addresses. Unfortunately, the IPv4 protocol, which facilitates how devices communicate through the Internet, has inadequate IP addresses available.
So, if every internet-enabled device requires a unique IP address, the remaining addresses will run out soon. However, connecting multiple devices on a private network via a single NAT gateway requires only one IPv4 address.
Engineers developed IPv6 with a much larger address capacity to replace IPv4 eventually. Unfortunately, adoption has been very slow because significant resources are needed to upgrade routers, servers, and switches using IPv4. Thankfully, NAT has been an essential tool for keeping the internet alive.