Did you think that getting results from a search engine is as simple as connecting from A to B, from your device to a web server? No, multiple hidden tools check your traffic and ensure your network’s security. One such tool is the Network Address Translation or NAT firewall, which you most likely have on your router. Read on to find out more about NAT and whether it affects your VPN connection.
Emily Green
Dec 17, 2019 · 4 min read
To understand what a Network Address Translation (NAT) firewall is, we first need to understand what a firewall is and what it does. The simplest analogy to explain it is this: if your computer is a busy CEO, then a firewall is the CEO’s secretary. He or she sorts the mail and makes sure that the only mail that gets through is the mail that the CEO actually wants to get through.
When you browse online, send emails, or watch movies online, you send requests for information to specific website servers. The firewall stands in between your local network and the wider net. The firewall compares the information that’s returning with the information you requested – everything that’s a match gets through, and everything that it can’t recognize is discarded. This way, the firewall protects you from uninvited malicious internet traffic that might otherwise try to compromise your system.
There are different types of firewalls, which can be split into three categories – software, hardware, and cloud-based solutions. Different firewalls also apply different filtering methods, which make some more reliable than others. To find out more about firewalls and filtering methods, read our “What is a firewall?” post.
NAT stands for Network Address Translation. It was invented to solve a problem presented by the IPv4 protocol – a shortage of IP addresses. Back in the day, IPv4’s founders thought that 4.3 billion IP addresses would be sufficient for all internet-connected devices. However, considering that there are over 7 billion people in the world and many of us have more than one device, it’s evident that we don’t have enough.
A Network Address Translation (NAT) firewall operates on a router to protect private networks. It works by only allowing internet traffic to pass through if a device on the private network requested it. A NAT firewall protects the identity of a network and doesn’t show internal IP addresses to the internet.
This is because, when connected to the internet, your router is assigned a single public IP address. It’s visible to the wider net and is needed to communicate with web servers. Any devices connected to the router locally have private IP addresses, which do not allow them to directly ‘communicate’ with the required web servers. This is where NAT comes into play – it directs traffic back and forth.
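The translate-and-filter behaviour described above can be simulated in a few lines. This is an added example, not code from the original post or from any router: the class and field names, the documentation-range addresses, and the strict rule that a reply must come from the exact server and port that was contacted are assumptions, and real routers also expire old mappings.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatFirewall:
    """Toy port-translating NAT with address-and-port-restricted filtering (assumed policy)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._by_flow = {}   # (private ip, private port, remote ip, remote port) -> public port
        self._by_port = {}   # public port -> that same flow tuple

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN device sends a request: record the flow, hide the private address."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self._by_flow:
            self._by_flow[flow] = self._next_port
            self._by_port[self._next_port] = flow
            self._next_port += 1
        return Packet(self.public_ip, self._by_flow[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Traffic from the internet: forward only replies to a recorded request."""
        flow = self._by_port.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or flow is None:
            return None                      # nobody on the LAN asked for this
        priv_ip, priv_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                      # right port, wrong sender: still unsolicited
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

def demo():
    nat = NatFirewall("203.0.113.7")         # constructed sample addresses throughout
    sent = nat.outbound(Packet("192.168.1.20", 51515, "198.51.100.10", 443))
    reply = nat.inbound(Packet("198.51.100.10", 443, sent.src_ip, sent.src_port))
    probe = nat.inbound(Packet("192.0.2.99", 443, sent.src_ip, sent.src_port))
    scan = nat.inbound(Packet("192.0.2.99", 4444, "203.0.113.7", 22))
    return sent, reply, probe, scan

if __name__ == "__main__":
    for label, result in zip(("sent", "reply", "probe", "scan"), demo()):
        print(label, result)
```

The web server only ever sees the router's public address, the reply is rewritten back to the private device, and both packets that no LAN device asked for are dropped.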
The NAT works as a hardware firewall solution, even though it’s not a security tool by design. So how does it protect you?
More sophisticated attacks can make it through, especially ones that employ phishing or social engineering methods. However, that doesn’t mean you shouldn’t use one. Without an NAT, it would be simple for any amateur hacker to access your computer simply by learning your IP address.
Some argue that a VPN shouldn’t be used with an NAT. Why? A VPN encrypts your traffic before it reaches the internet, making it indecipherable. The NAT needs to know some information about that traffic to do its job. Outdated VPN protocols (PPTP and IPSec) don’t give enough information to the NAT and can be blocked as a result. To solve this problem, your router needs a VPN passthrough.
The good news is that most routers have built-in VPN passthroughs. Even if they don’t, most popular VPN providers offer more advanced protocols that do not require passthroughs. NordVPN, for example, no longer uses these outdated protocols and even uses built-in NAT firewalls on its servers.