If I have a fresh install of OpenWrt 22.03.3 and use my router as a typical internet gateway router for a home network, what kind of NAT does OpenWrt use by default? On the WAN side is a broadband modem for connecting to the internet, and on the LAN side are laptops and smartphones. Is it full-cone NAT, restricted-cone NAT, or symmetric NAT? Is there a way to configure which type of NAT my router uses?
Pretty much symmetric NAT for IPv4 and for IPv6 typically no NAT at all (but still rule-based access).
I found the following quite elucidating:
https://learningnetwork.cisco.com/s/question/0D56e0000CWxJ9sCQF/lets-explain-in-details-full-cone-nat-restricted-cone-nat-and-symmetric-nat-terminologies-vs-cisco-nat-terminologies
also this:
For full-cone NAT you need one external IP address for each internal host that is to be visible on the internet, so this is not the situation most end-users find themselves in... (however, a symmetric NAT with only a single host attached (e.g. the router itself) should behave similar to full-cone NAT; IIRC Linux tries not to change port numbers unless that port is already in use).
But I note that OpenWrt allows you to manually (or automatically if you trust UPnP) create port forwarding rules that allow external hosts to reach internal hosts...
Now, the nomenclature from RFC 3489 (that you use above) turned out to be less helpful than thought, and RFC 5389, the successor to 3489, stopped using that nomenclature at all.
But iptables and nftables are doing masquerade which is pretty random AFAIK?
By default, nftables doesn't do random mapping, even though it is supported with the flags "random" and "fully-random". But these flags are not set on OpenWrt.
The actual behaviour is what RFC 3489 calls "Port Restricted Cone". One way to test this is using stun-nat-behaviour (you'll need to find a STUN server that supports this test, as the default one doesn't work). Here is the result, using the classification from RFC 4787:
NAT mapping behavior: endpoint independent
NAT filtering behavior: address and port dependent
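To make the two RFC 4787 properties reported above concrete, here is an added example (not code from this thread, from OpenWrt or from stun-nat-behaviour): a toy NAT model together with the RFC 5780 mapping and filtering determinations that a STUN client runs. The model approximates Linux masquerade without the nftables "random" flag (external port equals the internal source port unless already taken, and one mapping is reused for every destination) and conntrack-style filtering (a remote endpoint may send in only if the internal host already sent to it). The addresses, the internal socket ports, the "next free port" allocation rule and the `Nat`/`StunServer` names are all constructed for the illustration.

```python
"""Toy NAT model plus the RFC 5780 mapping/filtering tests (added example, not from the thread)."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed WAN address of the router

ENDPOINT_INDEPENDENT = "endpoint independent"
ADDRESS_DEPENDENT = "address dependent"
ADDRESS_AND_PORT_DEPENDENT = "address and port dependent"


@dataclass
class Nat:
    # Defaults are the behaviour reported for OpenWrt in the thread above.
    mapping: str = ENDPOINT_INDEPENDENT
    filtering: str = ADDRESS_AND_PORT_DEPENDENT
    ext_port_of: dict = field(default_factory=dict)  # mapping key -> external port
    owner: dict = field(default_factory=dict)        # external port -> internal (ip, port)
    peers: dict = field(default_factory=dict)        # external port -> set of remote (ip, port)

    def _key(self, src, dst):
        """What a new mapping is keyed on; this is what RFC 4787 'mapping behaviour' means."""
        if self.mapping == ENDPOINT_INDEPENDENT:
            return (src,)
        if self.mapping == ADDRESS_DEPENDENT:
            return (src, dst[0])
        return (src, dst)  # symmetric: every destination gets its own mapping

    def outbound(self, src, dst):
        """Internal src sends to dst; returns the external (ip, port) the peer sees."""
        key = self._key(src, dst)
        ext = self.ext_port_of.get(key)
        if ext is None:
            ext = src[1]              # port preservation: try the internal source port first
            while ext in self.owner:  # simplification: Linux searches a range, we just step up
                ext += 1
            self.ext_port_of[key] = ext
            self.owner[ext] = src
            self.peers[ext] = set()
        self.peers[ext].add(dst)
        return (PUBLIC_IP, ext)

    def inbound(self, ext_port, remote):
        """Packet from remote to ext_port; returns the internal target, or None if filtered."""
        if ext_port not in self.owner:
            return None
        seen = self.peers[ext_port]
        if self.filtering == ENDPOINT_INDEPENDENT:
            allowed = True
        elif self.filtering == ADDRESS_DEPENDENT:
            allowed = any(ip == remote[0] for ip, _ in seen)
        else:
            allowed = remote in seen  # conntrack-style: exact address and port must match
        return self.owner[ext_port] if allowed else None


@dataclass(frozen=True)
class StunServer:
    # A STUN server with an OTHER-ADDRESS, as RFC 5780 requires (constructed addresses).
    ip: str = "198.51.100.1"
    alt_ip: str = "198.51.100.2"
    port: int = 3478
    alt_port: int = 3479


def classify_mapping(nat, src, srv):
    """RFC 5780 section 4.3: same internal socket, three server endpoints, compare mapped ports."""
    m1 = nat.outbound(src, (srv.ip, srv.port))          # Test I: primary address and port
    m2 = nat.outbound(src, (srv.alt_ip, srv.port))      # Test II: other address, same port
    if m1 == m2:
        return ENDPOINT_INDEPENDENT
    m3 = nat.outbound(src, (srv.alt_ip, srv.alt_port))  # Test III: other address and port
    return ADDRESS_DEPENDENT if m2 == m3 else ADDRESS_AND_PORT_DEPENDENT


def classify_filtering(nat, src, srv):
    """RFC 5780 section 4.4: open a mapping, then ask the server to reply from other endpoints."""
    _, ext_port = nat.outbound(src, (srv.ip, srv.port))        # Test I opens the mapping
    if nat.inbound(ext_port, (srv.alt_ip, srv.alt_port)) == src:  # Test II: change IP and port
        return ENDPOINT_INDEPENDENT
    if nat.inbound(ext_port, (srv.ip, srv.alt_port)) == src:      # Test III: change port only
        return ADDRESS_DEPENDENT
    return ADDRESS_AND_PORT_DEPENDENT


def classify(nat, srv, host="192.168.1.100"):
    """Run both determinations from separate internal sockets so they do not interfere."""
    return (classify_mapping(nat, (host, 50000), srv),
            classify_filtering(nat, (host, 50001), srv))


def port_preservation_demo():
    """Two LAN hosts using the same source port: the second one cannot keep it."""
    nat = Nat()
    a = nat.outbound(("192.168.1.100", 40000), ("198.51.100.1", 3478))
    b = nat.outbound(("192.168.1.101", 40000), ("198.51.100.1", 3478))
    return a[1], b[1]


if __name__ == "__main__":
    print("OpenWrt-like defaults:", classify(Nat(), StunServer()))
    print("symmetric NAT:", classify(Nat(mapping=ADDRESS_AND_PORT_DEPENDENT), StunServer()))
    print("external ports for two hosts on port 40000:", port_preservation_demo())
```

Running it with the defaults reproduces the pair reported above (endpoint-independent mapping, address-and-port-dependent filtering); switching `mapping` to address-and-port dependent is what a symmetric NAT, or masquerade with a per-flow random port choice, looks like to the same probe. The filtering determination is run from a second internal socket on purpose: if it reused the socket of the mapping test, the NAT would already have seen the server's alternate address and an address-dependent filter would be misreported as endpoint-independent.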
Thanks for the clarification and detailed explanation, especially for linking.