Comment by Spivak
8 hours ago
With NAT your device does not have a publicly routable address. Attackers have no way of contacting you at all. Without NAT you have a publicly routable address and attackers can try reaching out to your device. You rely entirely on your device's and your router's firewall.
So it's not really about NAT although it ends up being a consequence—it's about having a truly private network "air gapped" from the public internet.
No, NAT only affects which IP your connections appear to be coming from. It doesn't change which IPs your devices actually have.
The person I replied to said that they only get a single v6 address. If that's true, it doesn't matter whether they have NAT or not; their network isn't going to have publicly-routable addresses either way.
If your network is air-gapped then no connections will be happening at all, in or out... and if you connect a router to both the Internet and to your network, and enable routing on it, then it's not air-gapped any more.
> No, NAT only affects which IP your connections appear to be coming from. It doesn't change which IPs your devices actually have.
Well no shit. The NAT is a requirement for devices without a publicly routable IP because if my router just sends packets out with a source address being my 192.168.1.101 local IP, my ISP is most likely just going to drop the packets.
You know this, I'm sure, so I'm really unsure what point you're trying to make.
> The person I replied to said that they only get a single v6 address. If that's true, it doesn't matter whether they have NAT or not; their network isn't going to have publicly-routable addresses either way.
Correction: It will have ONE publicly-routable IP, and if I assign it to my router, but don't use NAT, then none of my devices on the network will be able to talk to the Internet, either in or out.
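An added example, not part of any comment in this thread: a toy Python model of the source NAT (NAPT) behaviour the comments describe, showing the rewritten source address, the mapping that return traffic depends on, and what leaves the router when NAT is off. The class and function names, the addresses 203.0.113.7 and 198.51.100.20, the port numbers and the ISP drop policy are constructed assumptions; 192.168.1.101 is the address quoted above.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def isp_accepts(packet):
    """Assumed ISP policy (from the thread): drop RFC 1918 source addresses."""
    return not is_private(packet[0])

class Router:
    """Toy home router with one public address and optional source NAT."""
    def __init__(self, public_ip, nat=True):
        self.public_ip = public_ip
        self.nat = nat
        self.table = {}          # public port -> (LAN ip, LAN port)
        self.next_port = 40000   # constructed starting port

    def outbound(self, src, sport, dst, dport):
        """Return (src, sport, dst, dport) as the packet leaves the WAN side."""
        if not self.nat:
            return (src, sport, dst, dport)   # LAN address goes out unchanged
        port = self.next_port
        self.next_port += 1
        self.table[port] = (src, sport)       # remember who owns this port
        return (self.public_ip, port, dst, dport)

    def translate_inbound(self, src, sport, dst, dport):
        """Return the LAN (ip, port) a WAN packet maps to, or None.
        Only translation is modelled; firewall policy is a separate decision."""
        if dst != self.public_ip:
            return None
        return self.table.get(dport)

if __name__ == "__main__":
    lan, remote = "192.168.1.101", "198.51.100.20"
    r = Router("203.0.113.7", nat=True)
    pkt = r.outbound(lan, 51000, remote, 443)
    print("with NAT, on the wire:", pkt, "ISP accepts:", isp_accepts(pkt))
    print("reply maps to:", r.translate_inbound(remote, 443, *pkt[:2]))
    print("unsolicited maps to:",
          r.translate_inbound("198.51.100.99", 5555, "203.0.113.7", 22))
    raw = Router("203.0.113.7", nat=False).outbound(lan, 51000, remote, 443)
    print("without NAT, on the wire:", raw, "ISP accepts:", isp_accepts(raw))
```

The model covers address translation only; whether a packet with no mapping is dropped, answered by the router itself, or forwarded is decided by the router's firewall and routing configuration, which this sketch leaves out.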