Comment by Dagger2

1 month ago

How does the router rejecting a connection to the router protect the machines behind the router? That doesn't make any sense.

Because no one on the Internet can reach my 192.168.0.7 machine if the NAT router doesn't translate the packet. And the NAT router won't send a packet that arrives with its public IP as dstIP to any machine behind it, unless its ports correspond to an open connection, or to an explicitly forwarded port.

  • You could turn NAT off completely and still no-one on the Internet could reach your 192.168.0.7. There's no security perimeter coming from NAT here.

    > And the NAT router won't send a packet that arrives with its public IP as dstIP to any machine behind it

    Yes, of course. The problem is when a packet arrives with the IP of a LAN machine.
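The two cases argued over in this thread, as an added toy model that is not part of the discussion: a masquerading router with and without a stateful filter. The WAN address 203.0.113.5 and the remote host addresses are constructed; the only real thing here is the distinction between a packet addressed to the router's public IP (where translation decides) and one that already carries a LAN destination (where only a filter decides).

```python
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.5"   # constructed WAN address of the router
LAN_PREFIX = "192.168.0."   # LAN subnet from the thread

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    """Toy masquerading router. stateful_filter=False models 'NAT only'."""

    def __init__(self, stateful_filter: bool):
        self.stateful_filter = stateful_filter
        self.flows = {}   # (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.nat = {}     # public port -> (lan_ip, lan_port)
        self.next_port = 40000

    def outbound(self, p: Packet) -> Packet:
        """LAN -> WAN: allocate a public port on first sight, rewrite the source."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.nat[self.next_port] = (p.src, p.sport)
            self.next_port += 1
        return Packet(PUBLIC_IP, self.flows[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """WAN -> LAN: returns the packet delivered to the LAN, or None if dropped."""
        if p.dst == PUBLIC_IP:
            # Only a port with a translation entry can be mapped to a LAN host.
            lan = self.nat.get(p.dport)
            if lan is None or (lan[0], lan[1], p.src, p.sport) not in self.flows:
                return None
            return Packet(p.src, p.sport, lan[0], lan[1])
        if p.dst.startswith(LAN_PREFIX):
            # Packet already carries a LAN destination: NAT has nothing to translate,
            # so plain routing forwards it unless a stateful filter objects.
            known = (p.dst, p.dport, p.src, p.sport) in self.flows
            if self.stateful_filter and not known:
                return None
            return p
        return None  # not addressed to us or to our LAN
```

With `Router(False)` an unsolicited packet addressed straight to 192.168.0.7 is forwarded; with `Router(True)` it is dropped, while replies to an outbound flow pass in both.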