Comment by phaker

12 years ago

Then you are using NAT as a simple firewall. You could have the firewall part without the translation part (or with deterministic two-way translation), which would eliminate 99% of problems. Let me explain:

A NAT "hides the network" behind it because it does two things:

1. drops incoming connections (or more precisely, incoming traffic when there was no outgoing traffic from that ip:port on that protocol)

2. obscures internal network addresses

Dropping incoming connections is what makes it a simple firewall and you could set up a "real" firewall to do the same (there are probably products doing that out of the box). Most firewalls are more complex than that, but they don't _have to be_.

What makes NATs different is the address translation that obscures the structure of the network behind it. Traditionally this is needed because you have lots of internal addresses and few external addresses (often just one). But if you have more hosts than external IPs then you can't have a static mapping without collisions, because you have more internal ip:port pairs than external ip:port pairs. Which is why NAT generates internal-external mappings as it goes, why old mappings need to be discarded, and why it needs to drop incoming connections (it can't know where to forward them if there is no mapping). THIS is the part people hate, because it means you can't reliably connect two NATed hosts. If hole punching worked reliably it wouldn't be a problem. It feels like a hack, but the internet is a patchwork of much worse hacks.

A true firewall and a NAT-as-firewall are sort of duals of one another. A true firewall sits on a path that would normally let packets pass, and it stops them. A NAT-as-firewall sits on a path that would normally not let packets pass (because the private side is some unroutable, private, 10.* network), and it helps them through.

As an admin, NAT-as-firewall feels reassuring, because it seems less likely to fail in a dangerous direction. If I screw up my iptables configuration, I might drop my firewall, but I am very unlikely to create a new NATted path into my private network.
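The two behaviours the comment separates, dropping inbound traffic that matches no inside-initiated flow versus rewriting addresses through a dynamically built mapping table, can be modelled side by side. The following is an added example, not code from the commenter; it is a deliberately small simulation of a stateful firewall next to a port-overloading NAT (one external IP shared by many internal ip:port pairs), with a flow timeout so that old mappings are discarded. All addresses, ports, timings and the two-port external pool are constructed for the demonstration; real NAT implementations differ in how they pick external ports and how long they keep state.

```python
"""Toy model: stateful firewall vs. port-overloading NAT (added example).

Both devices drop an inbound packet unless an inside host already sent
traffic to that remote ip:port on that protocol.  Only the NAT rewrites
the source address, which is why it must allocate a mapping per flow,
refuse new flows when the external pool is exhausted, and forget
mappings after a timeout.  Constructed addresses from RFC 5737 ranges.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Endpoint = Tuple[str, int]                   # (ip, port)
FlowKey = Tuple[str, Endpoint, Endpoint]     # (proto, src, dst)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint
    payload: str = ""


class StatefulFirewall:
    """Lets outbound packets through unchanged; lets inbound packets through
    only when they answer a flow an inside host opened within `timeout`."""

    def __init__(self, timeout: float = 60.0) -> None:
        self.timeout = timeout
        self.flows: Dict[FlowKey, float] = {}   # flow -> last-seen time

    def _expire(self, now: float) -> None:
        self.flows = {k: t for k, t in self.flows.items() if now - t < self.timeout}

    def outbound(self, pkt: Packet, now: float) -> Packet:
        self._expire(now)
        self.flows[(pkt.proto, pkt.src, pkt.dst)] = now
        return pkt                              # real internal address stays visible

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        self._expire(now)
        key = (pkt.proto, pkt.dst, pkt.src)     # reverse of the outbound flow
        if key not in self.flows:
            return None                         # unsolicited: dropped
        self.flows[key] = now
        return pkt


class Nat:
    """Port-overloading NAT: every flow gets its own external port on one
    shared external IP. Simplification: a port is used by at most one flow
    at a time, regardless of destination."""

    def __init__(self, external_ip: str, timeout: float = 60.0,
                 ports: Iterable[int] = range(40000, 40003)) -> None:
        self.external_ip = external_ip
        self.timeout = timeout
        self.ports = list(ports)
        # (proto, internal_src, dst) -> [external_port, last_seen]
        self.table: Dict[FlowKey, List] = {}

    def _expire(self, now: float) -> None:
        self.table = {k: v for k, v in self.table.items() if now - v[1] < self.timeout}

    def _free_port(self) -> Optional[int]:
        used = {v[0] for v in self.table.values()}
        return next((p for p in self.ports if p not in used), None)

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.dst)
        entry = self.table.get(key)
        if entry is None:                       # new flow: allocate a mapping on the fly
            port = self._free_port()
            if port is None:
                return None                     # more flows than external ip:port pairs
            entry = self.table[key] = [port, now]
        entry[1] = now
        return Packet(pkt.proto, (self.external_ip, entry[0]), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        self._expire(now)
        if pkt.dst[0] != self.external_ip:
            return None
        for (proto, internal, dst), entry in self.table.items():
            if proto == pkt.proto and dst == pkt.src and entry[0] == pkt.dst[1]:
                entry[1] = now
                return Packet(pkt.proto, pkt.src, internal, pkt.payload)
        return None                             # no mapping: nowhere to forward it


def demo() -> Dict[str, object]:
    """Run both devices through the same constructed scenario."""
    fw, nat = StatefulFirewall(60.0), Nat("203.0.113.7", 60.0, range(40000, 40002))
    host_a, host_b = ("10.0.0.5", 51000), ("10.0.0.6", 51000)
    server, attacker = ("198.51.100.20", 443), ("198.51.100.99", 4444)
    r: Dict[str, object] = {}
    # Unsolicited inbound packets: both devices drop them.
    r["fw_unsolicited"] = fw.inbound(Packet("tcp", attacker, host_a), 0.0)
    r["nat_unsolicited"] = nat.inbound(Packet("tcp", attacker, ("203.0.113.7", 40000)), 0.0)
    # Host A opens a flow: firewall keeps the address, NAT rewrites it.
    r["fw_src"] = fw.outbound(Packet("tcp", host_a, server, "GET"), 1.0).src
    nat_out = nat.outbound(Packet("tcp", host_a, server, "GET"), 1.0)
    r["nat_src"] = nat_out.src
    # Replies follow the state back in (NAT un-translates the destination).
    r["fw_reply_dst"] = fw.inbound(Packet("tcp", server, host_a, "200"), 2.0).dst
    r["nat_reply_dst"] = nat.inbound(Packet("tcp", server, nat_out.src, "200"), 2.0).dst
    # Host B reuses internal port 51000, so the NAT must pick another external port.
    r["nat_src_b"] = nat.outbound(Packet("tcp", host_b, server), 3.0).src
    # A third concurrent flow finds the two-port pool exhausted.
    r["nat_exhausted"] = nat.outbound(Packet("udp", ("10.0.0.7", 5000), ("198.51.100.21", 53)), 4.0)
    # After the timeout the state is gone and late replies are dropped by both.
    r["fw_reply_after_expiry"] = fw.inbound(Packet("tcp", server, host_a), 63.0)
    r["nat_reply_after_expiry"] = nat.inbound(Packet("tcp", server, nat_out.src), 63.0)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `nat_exhausted` case is the collision problem from the comment in miniature: with two external ports and three internal flows there is no mapping left to hand out, and the only way the NAT ever frees one is by timing out old state, which is the same mechanism that later drops the legitimate late reply.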