0 Kudos

Request for NAT Moderate aka Restricted Cone NAT

Submitted by
Status: New Idea

Following this explanation https://serverfault.com/questions/208522/what-is-strict-moderate-and-open-nat

what is required is this:


When a connection is open from internal IP address A1 and its port P1 to an external address A2 and its port P2, then the router (firewall) need to accept not only incomming connection from the external address A2 and its port P2, but also connection from any port Px from the external address A2. That will create NAT type Moderate and we need this option.


As this is a general rule (it is not for specific DNAT rules) for all incomming connections, it need to be implemented as an option how firewall will recognize "related" connections.


Normally all routers support only NAT Strict or NAT Open, when you port forward ports, but we need NAT Moderate support, so more than one clients behind a router can operate better than NAT Strict.


This is required for gaming and other applications, and it is requested by clients. EdgeRouter can be first to do it, it's huge plus for sales of course (specially for ER-X as replacement for dumb routers, as addition to welcome feature Smart QoS).


thank you and you are welcome Man Happy

on ‎04-03-2019 03:39 PM

Is port forwarding or UPnP not an option for you? 

MiniUPnPd already supports multiple clients behind the gateway for a fully open NAT.

on ‎04-04-2019 04:16 AM
clients has a routers and that routers are not sending UPnP on WAN side, so that is not an option
‎04-05-2019 09:04 PM - edited ‎04-05-2019 09:31 PM

That sounds like you’ve got double NAT going. Just eliminate the second NAT.


Also the current NAT implementation is Port Restricted Cone NAT which is already is Moderate. I know you are asking for Host Resticted Cone NAT but there is very little benifit for that...


What you actually want is a Full Cone NAT like some other TP-Link, Netcomm and Billion routers provide as an option.


Here is a link on how to implement the different types of NAT using iptables. You can do this manually using the Edgerouter web interface or command line.




But it would be nice to see a button in the basic configuration wizard.

on ‎04-11-2019 02:11 AM

Ok I got around to testing this today and what I linked above works by deafault as a 1:1 NAT (full cone) but only for a single device. This is more on the sisde of the so called DMZ feature of consumer routers. 


I just came across this kernel module and netfilter extention for iptables, which is what we would need to do a proper multi device Full Cone NAT implimentation. 




‎04-11-2019 04:18 AM - edited ‎04-11-2019 04:21 AM

Hi majibow,


unfortunatelly I can not "Just eliminate the second NAT". There is main router for the source of the internet and the client devices have own routers, as it can't be one big LAN. That is why I need this NAT Moderate implementation.


"Port Restricted Cone NAT which is already is Moderate", following sources I read Port Restricted Cone NAT is called NAT Strict, and NAT Moderate is the (Host) Restricted Cone NAT. Just to be sure we are on the same naming.


Yes, DMZ aka Full Cone NAT is not what I need as there are more than one client. Btw I belive ISPs are solving this with the gateways, as I see my non-public IP's hostnames are nat01.myprovider.com nat02.myprovider.com etc.


Still as you wrote if this can be achieved just with different configuration of the iptables, this can be added to EdgeRouters, so any chance Ubiquiti?



on ‎04-12-2019 01:54 AM

Both Host and Port Restricted Cone NATs are Moderate....Moderate means they are Hole Punchable to other users with the behind similar NAT types and Open types.

Symetric NATs are Strict because they are not Hole Punchable, and can only connect to Open types and Direct (no NAT, public IP Adress).  


Full Cone NATs are Open because once a hole is punched it behaves exactly like static port forwarding.... 


Hole Punchable is Hole Punchable whether host or port restricted doesnt make any practical difference.


I hope thats clear. 


You are going to need to trust me about this, you want a Full Cone NAT. As I said before there is very limited benifit of Host Restricted over Port Restricted Cone NAT.


Your only hope to get Full Cone NAT working on an edgerouter is if UBNT include the iptables netfilter extension: 



What you are going to have to do in the mean time is ONE of the following:

  1. try to compile the extension yourself and see if you can get it working in EdgeOS,
    (if you do please share with the comunity detailed instructions how to do it), OR
  2. purchace a block of ip adresses from your ISP and do 1:1 NAT for each of your client routers, OR 
  3. make seperate VLANs, either Tagged or Physical, and share the internet, that way all your clients do not end up on one big lan but they will need to deligate routing to you and not use their own routers, OR
  4. either purchace a different router that supports Full Cone with Stock firmware or put Open WRT on a router for your information the git hub page I linked is the official impilementaion of Full Cone NAT for Open WRT, OR
  5. move to IPv6

Happy Hunting!