Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?
For incoming traffic on IPv4 only, NAT technically is fine. But it won’t block any outgoing traffic, and IPv6 doesn’t use NAT at all.
Not entirely true! It uses a type of NAT to translate IPv4 addresses into comparable IPv6 addresses.
For context for other readers: this is referring to NAT64. NAT64 maps the entire IPv4 address space to an IPv6 subnet (typically 64:ff9b). The router (which has an IPv4 address) drops the IPv6 prefix and does a normal IPv4 NAT from there. After that, you forward back the response over v6.
This lets IPv6 hosts reach the IPv4 internet, and let you run v6 only internally (unlike dual stack which requires all hosts having v6 and v4).
IPv6 can use NAT; there are some unfortunate souls out there whom are only getting a /128 (one address, basically) by their ISP, instead of a /64 or /48