
What is a NAT Firewall?

It is becoming increasingly common to see VPN providers offering NAT firewall services, usually as an optional extra. But what does this mean, and why should I want it? The more tech savvy out there may be even more confused as every home and office router includes basic NAT filtering, so why should you need an additional service?

What is a Firewall?

So let’s start with the basics. A firewall is a ‘thing’ that sits between a secure Local Area Network (LAN) such as a home WiFi setup, and a less secure area such as the internet. Its purpose is to control communications between the two, by analysing the data packets and determining what to do with them. Firewalls are therefore very useful for stopping hackers who use various techniques to insert malicious packets onto computers.

A firewall can be either a piece of software (often called a ‘personal firewall’) or a hardware network device. Most modern operating systems, such as Windows (Vista onwards) and OS X, have at least a basic personal firewall built in.

What is NAT?

Network Address Translation (NAT) is the process of modifying the IP information in IP packet headers so that the packets can be routed to the required destination. It is used in home routers (such as the typical WiFi router) to allow a number of devices (such as desktop computers, laptops, games consoles, mobile phones, and internet enabled televisions), each with their own network address, to connect to the internet using the one external IP you are assigned by your ISP.

Devices connected to LAN <-> NAT router <-> ISP <-> internet

Because IP packets that are not recognized are discarded, the NAT process acts as a simple but effective firewall, blocking incoming traffic unless it is in response to previously sent outgoing traffic, i.e. blocking unsolicited traffic.

VPNs and NAT Firewalls

What all this means is that normally, when you are connected to the internet through a router, you are protected by a hardware firewall which provides a good first line of defense against would-be hackers. The problem with using a personal VPN service, however, is that the encrypted VPN tunnel between your PC and the VPN server also tunnels through the NAT firewall (which cannot read the packet headers, as they are encrypted). This means that you lose the protection afforded by the NAT firewall, and malicious IP packets can enter your system from your public, visible IP address.

Device connected to LAN <=> Home router NAT firewall <-> ISP <=> VPN server <-> Internet

(All connections within the <=> are inside an encrypted VPN tunnel.)

VPN providers who offer a NAT firewall service place a NAT firewall between the VPN server and the internet so that all internet traffic is filtered through the NAT firewall.

Device connected to LAN <=> Home router NAT firewall <-> ISP <=> VPN server <-> NAT firewall <-> Internet
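The filtering described in the sections above, as an added example that is not part of the original article: a simplified port-restricted NAT model showing that the home router only ever sees the single tunnel flow, so unsolicited packets are stopped only when the provider runs its own NAT. All addresses, ports and the `Nat` and `demo` names are constructed, and the model assumes that a provider without a NAT forwards everything addressed to the VPN exit address into the tunnel.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Simplified port-restricted NAT; a constructed model, not any router's real code."""
    public_ip: str
    flows: dict = field(default_factory=dict)  # public port -> (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host sends a packet: remember the flow, return the public port used."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for port, known in self.flows.items():
            if known == flow:
                return port
        port = 40000 + len(self.flows)
        self.flows[port] = flow
        return port

    def inbound(self, remote_ip, remote_port, public_port):
        """Packet arrives from outside: pass it only if it answers a remembered flow."""
        flow = self.flows.get(public_port)
        if flow is None or flow[2:] != (remote_ip, remote_port):
            return None          # unsolicited: discarded
        return flow[:2]          # inside (ip, port) the packet is delivered to

# All addresses and ports below are constructed samples (documentation ranges).
LAPTOP, WEB, STRANGER = "192.168.1.20", "198.51.100.5", "192.0.2.66"
VPN_SERVER, TUNNEL_IP = "198.51.100.77", "10.8.0.2"

def demo(provider_has_nat):
    home, provider = Nat("203.0.113.10"), Nat(VPN_SERVER)
    # The home router sees one flow only: laptop -> VPN server (the encrypted tunnel).
    tunnel_port = home.outbound(LAPTOP, 52000, VPN_SERVER, 1194)
    # Inside the tunnel the laptop browses; the provider-side NAT records that flow.
    exit_port = provider.outbound(TUNNEL_IP, 51000, WEB, 443)

    def from_internet(remote_ip, remote_port):
        """Does a packet sent to the VPN exit address reach the laptop?"""
        if provider_has_nat and provider.inbound(remote_ip, remote_port, exit_port) is None:
            return False         # dropped before it enters the tunnel
        # Forwarded into the tunnel: the outer header is always VPN server -> home router,
        # so the home NAT matches its tunnel flow and cannot tell who the real sender was.
        return home.inbound(VPN_SERVER, 1194, tunnel_port) == (LAPTOP, 52000)

    return {"reply": from_internet(WEB, 443), "unsolicited": from_internet(STRANGER, 4444)}
```
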

Can’t I just use a personal firewall like the one that came with my OS?

It is always a good idea to use at least the firewall that came with your OS, as these provide a more sophisticated firewall solution than basic NAT filtering. Indeed, it is encouraged to use a third-party firewall solution for even more comprehensive cover. However, not only is a NAT hardware firewall an extra line of defense, but it filters out a lot of potential threats before a more processor-intensive firewall has to deal with them, and possibly throw up another annoying ‘Do you want to allow this connection?’ dialogue for you to deal with.

In addition to this, while desktop operating systems these days usually have built-in firewalls, other devices (most notably mobile phones) do not, and therefore receive no firewall protection when using a VPN.


Douglas Crawford: I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living.


5 responses to “What is a NAT Firewall?”

  1. I contacted ExpressVPN by their live chat and asked if ExpressVPN’s Mac app has a NAT firewall. The responder said “ExpressVPN does not have a NAT firewall as it does not support port forwarding.” What does port forwarding have to do with NAT firewalls?

    1. Hi Guy,

      Port forwarding can be used to direct communications through a firewall (by directing it to open ports), but this should not really be necessary with a NAT firewall as ExpressVPN could simply open the ports used by its client software. I suspect that the support person you spoke to simply doesn’t know what they are talking about (perhaps confusing a NAT firewall with a personal firewall).

  2. I thought that VPN is enough security against cyber snoopers who mean and are up to no good. What do you mean? Then do I still need a NAT? This is a bit off for me.

    1. Hi Fred,

      Unfortunately, asking what is ‘enough’ when it comes to internet security is like asking ‘how long is a piece of string?’ VPN is one of the most effective tools available for defending against cyber snoopers, but can never be considered a complete solution (nothing can). That said, NAT firewalls are not something you should worry about too much IMO. It is very possible that your VPN provider implements one by default, and when it comes to VPN this is a server-side issue anyway (i.e. it’s for your provider to worry about, not you). You should be running a personal firewall, but all modern desktop OSs have one built in already (if you prefer a more advanced solution, third-party offerings such as Comodo Personal Firewall are free).
