Douglas Crawford

March 15, 2013

It is becoming increasingly common to see VPN providers offering NAT firewall services, usually as an optional extra. But what does this mean, and why should I want it? The more tech-savvy out there may be even more confused, as every home and office router includes basic NAT filtering, so why should you need an additional service?

What is a Firewall?

So let’s start with the basics. A firewall is a ‘thing’ that sits between a secure Local Area Network (LAN) such as a home WiFi setup, and a less secure area such as the internet. Its purpose is to control communications between the two, by analysing the data packets and determining what to do with them. Firewalls are therefore very useful for stopping hackers who use various techniques to insert malicious packets onto computers.

A firewall can be either a piece of software (often called a ‘personal firewall’) or a hardware network device. Most modern Operating Systems, such as Windows (Vista onwards) and OSX, have at least a basic personal firewall built in.

What is NAT?

Network Address Translation (NAT) is the process of modifying the IP information in IP packet headers so that the packets can be routed to the required destination. It is used in home routers (such as the typical WiFi router) to allow a number of devices (such as desktop computers, laptops, games consoles, mobile phones, and internet enabled televisions), each with their own network address, to connect to the internet using the one external IP you are assigned by your ISP.

Devices connected to LAN <-> NAT router <-> ISP <-> internet

Because IP packets that are not recognized are discarded, the NAT process acts as a simple but effective firewall, blocking incoming traffic unless it is in response to previously sent outgoing traffic, i.e. blocking unsolicited traffic.

VPNs and NAT Firewalls

What all this means is that normally, when you are connected to the internet through a router, you are protected by a hardware firewall which provides a good first line of defense against would-be hackers. The problem with using a personal VPN service, however, is that the encrypted VPN tunnel between your PC and the VPN server also tunnels through the NAT firewall (which cannot read the headers of the packets inside the tunnel, as they are encrypted). This means that you lose the protection afforded by the NAT firewall, and malicious IP packets can enter your system from your public, visible IP address.

Device connected to LAN <=> Home router NAT firewall <-> ISP <=> VPN server <-> Internet

(All connections within the <=> are inside an encrypted VPN tunnel.)

VPN providers who offer a NAT firewall service place a NAT firewall between the VPN server and the internet so that all internet traffic is filtered through the NAT firewall.

Device connected to LAN <=> Home router NAT firewall <-> ISP <=> VPN server <-> NAT firewall <-> Internet
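
The three diagrams above can be replayed with a toy connection-tracking NAT. This is an added example, not code from the article; the addresses, ports, and the names Nat, via_tunnel and demo are constructed for illustration, and the filtering it models (a reply is accepted only from the exact remote address and port that was contacted) is one common NAT behaviour.

```python
# Added illustration, not from the article: a toy port-translating NAT.
# All addresses, ports and names below are constructed for the example.
from dataclasses import dataclass, field

VPN_SERVER = ("198.51.100.77", 1194)   # constructed VPN endpoint

@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    table: dict = field(default_factory=dict)

    def outbound(self, in_ip, in_port, dst_ip, dst_port):
        """Record the flow and return the public port the packet leaves from."""
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pub_port, dst_ip, dst_port)] = (in_ip, in_port)
        return pub_port

    def inbound(self, src_ip, src_port, pub_port):
        """Inside endpoint for a reply, or None (dropped) if unsolicited."""
        return self.table.get((pub_port, src_ip, src_port))

def via_tunnel(home, tunnel_port, src_ip, src_port, dst_port, vpn_nat=None):
    """Deliver a packet from the internet to a VPN client through the tunnel."""
    if vpn_nat is not None and vpn_nat.inbound(src_ip, src_port, dst_port) is None:
        return None                      # provider-side NAT drops it first
    # The VPN server wraps the packet; the home router sees only the outer
    # header, which is a reply on the tunnel flow the client opened itself.
    return home.inbound(*VPN_SERVER, tunnel_port)

def demo():
    home = Nat("203.0.113.10")
    laptop, probe = ("192.168.1.20", 51000), ("192.0.2.66", 4444)
    web = home.outbound(*laptop, "198.51.100.5", 443)
    tun = home.outbound("192.168.1.20", 52000, *VPN_SERVER)
    provider = Nat("198.51.100.77")
    # A lookup the client itself sent out through the tunnel.
    flow = provider.outbound("10.8.0.2", 53000, "198.51.100.53", 53)
    return {
        "reply_no_vpn": home.inbound("198.51.100.5", 443, web),
        "probe_no_vpn": home.inbound(*probe, web),
        "probe_vpn_plain": via_tunnel(home, tun, *probe, 4444),
        "probe_vpn_nat": via_tunnel(home, tun, *probe, flow, vpn_nat=provider),
        "reply_vpn_nat": via_tunnel(home, tun, "198.51.100.53", 53, flow, vpn_nat=provider),
    }
```

In the result, the unsolicited probe is dropped by the home router without a VPN, reaches the laptop when it rides inside the tunnel, and is dropped again once the provider-side NAT sits in front of the VPN server.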

Can’t I just use a personal firewall like the one that came with my OS?

It is always a good idea to use at least the firewall that came with your OS, as these provide a more sophisticated firewall solution than basic NAT filtering. Indeed, it is encouraged to use a third party firewall solution for even more comprehensive cover. However, not only is a NAT hardware firewall an extra line of defense, but it filters out a lot of potential threats before a more processor intensive firewall has to deal with them, and possibly throw up another annoying ‘Do you want to allow this connection?’ dialogue for you to deal with.

In addition to this, while desktop Operating Systems these days usually have built-in firewalls, other devices (most notably mobile phones) do not, and therefore receive no firewall protection when using a VPN.

Douglas Crawford
August 28th, 2015

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

8 responses to “What is a NAT Firewall?”

  1. Hi, I personally subscribe to VYPRVPN (Goldenfrog) using THEIR NAT Firewall & chameleon AES 256bit encryption, which I was led to believe would be suitable for all items connected to my secure (mix of alpha, numerous & spec character password protected) Wi-Fi router.
    Does anyone recommend any further ‘belt & braces’ security measures that I may require?
    As a footnote I’ve also controlled my router to only accept connections from
    “Pre~approved” MAC Id’s set by myself. I like to think I’ve got most of the ‘bases’ Covered, on PC, GOOGLE’S Android Phones & hopefully Amazon Fire Tablets {dunno if you’ve ever noticed, but regardless of the font\capitalisation, that you want to use ~ IT. ALWAYS DISPLAYS
    AS AMAZON!!!!!!!!!!!!!!!!!!!!!!!!, can anyone find a way to STOP IT!!!!!!!!!!!!
    – although I’d love to hear from someone, obviously more intellectually inelegant than me to point out & please help, plug any gaps in my security regime that;
    a) I’m too Stoopid to see
    b) I don’t have the knowledge to fix,

    I assume that both A & B will be correct to certain degrees, I’m just hoping that a
    “White Hat” may be kind. & honest enough to come to my aid & help, although being disabled i cannot work & as such cannot offer them a financial reward, however I’ve run my own ‘Martial Arts Academy’ since I was 13 – youngest nightclub bouncer in the UK!!!!!!!! (Ok it was an under 16’s disco, so they needed an under 16yr old bouncer, as an 18+yr old, throwing a 12\13yr old PHYSICALLY {Honestly, some had to be picked up ~ when they were KICKING OFF!!
    & They MUST be physically EJECTED FROM THE CLUB, NEVER TO RETURN AGAIN – at least on MY WATCH!!!!!!!!!!!!

    1. Hi Guy,

      Port forwarding can be used to direct communications through a firewall (by directing it to open ports), but this should not really be necessary with a NAT firewall as ExpressVPN could simply open the ports used by its client software. I suspect that the support person you spoke to simply doesn’t know what they are talking about (perhaps confusing a NAT firewall with a personal firewall.)

    1. Hi Fred,

      Unfortunately, asking what is ‘enough’ when it comes to internet security is like asking ‘how long is a piece of string?’ VPN is one of the most effective tools available for defending against cyber snoopers, but can never be considered a complete solution (nothing can.) That said, NAT firewalls are not something you should worry about too much IMO. It is very possible that your VPN provider implements one by default, and when it comes to VPN this is a server-side issue anyway (i.e. it’s for your provider to worry about, not you.) You should be running a personal firewall, but all modern desktop OS’s have one built-in already (if you prefer a more advanced solution, third party offerings such as Comodo Personal Firewall are free).
