What is strict, moderate and open NAT?

It's important first to know how Network Address Translation (NAT) works. You establish a connection to a server on the internet. In reality you send packets to your router, going out from your computer on some randomly chosen port:

Your computer        Router
╔════════════╗     ╔═══════════╗
║            ║     ║           ║
║ port 31746 ╫====>╫           ║
║            ║     ║           ║
╚════════════╝     ╚═══════════╝

Your router, in turn, establishes a connection to the server you want to talk to. It talks out it's own randomly chosen port:

                     Router            www.google.com
                   ╔═══════════╗     ╔════════════════╗
                   ║           ║     ║                ║
                   ║ port 21283╫====>╫ port 80        ║
                   ║           ║     ║                ║
                   ╚═══════════╝     ╚════════════════╝

When Google's webserver sends you back information, it is actually sending it back to your router (since your router is the guy actually on the Internet):

                     Router            www.google.com
                   ╔═══════════╗     ╔════════════════╗
                   ║           ║     ║                ║
                   ║ port 21283╫˂====╫ port 80        ║
                   ║           ║     ║                ║
                   ╚═══════════╝     ╚════════════════╝

A packet arrives at your router, on port 21283 from www.google.com. What should the router do with it?

In this case the router has kept a record of you, and it knows that any traffic arriving on port 21283 from the Internet should go to your PC. So the router will relay the packet to your computer:

Your computer        Router
╔════════════╗     ╔═══════════╗
║            ║     ║           ║
║ port 31746 ╫<════╫           ║
║            ║     ║           ║
╚════════════╝     ╚═══════════╝

Open NAT (aka Full cone NAT, aka the good, right, and correct one)

In open NAT, any machine on the internet can send traffic to your router's port 21283, and the packet will be sent back to you:

Your computer        Router            
╔════════════╗     ╔═══════════╗     ╭www.google.com:80
║            ║     ║           ║     ├www.google.com:443
║ port 31746 ╫<════╫ port 21283╫<════╡serverfault.com:80
║            ║     ║           ║     ├fbi.gov:32188
╚════════════╝     ╚═══════════╝     ╰botnet.cn:11288

Moderate NAT (aka Restricted Cone NAT)

Moderate NAT is where your router will only accept traffic from the same host, but will allow it to come from any port:

Your computer        Router            
╔════════════╗     ╔═══════════╗     
║            ║     ║           ║     ╭www.google.com:80
║ port 31746 ╫<════╣ port 21283╫<════╡www.google.com:443
║            ║     ║           ║       (rejected) serverfault.com:80
╚════════════╝     ╚═══════════╝       (rejected) fbi.gov:32188
                                       (rejected) botnet.cn:11288

Closed NAT (aka Port-restricted cone NAT)

Closed NAT is more restrictive. It won't allow anything in unless it came from the original host and port that you originally communicated with, i.e. www.google port 80:

Your computer        Router            
╔════════════╗     ╔═══════════╗     ╭www.google.com:80
║            ║     ║           ║     ┆ (rejected) www.google.com:443
║ port 31746 ╫<════╫ port 21283╫<════╛ (rejected) serverfault.com:80
║            ║     ║           ║       (rejected) fbi.gov:32188
╚════════════╝     ╚═══════════╝       (rejected) botnet.cn:11288

Teredo, X-Box Live, NAT

Microsoft's book Writing Secure Code has some other definitions of the different types of NAT. It is written in the context of NAT for use by Teredo; the IPv6 transition technology:

• Full cone: A full-cone NAT establishes an external UDP port when sending an outbound packet and will forward traffic sent to that port from any IP address and any port back to the originating port on the internal system.
• Restricted cone: This type of NAT maintains some level of state and requires that replies come from the same IP address as the initial request was sent to.
• Port-restricted cone: Replies must come from the same IP address and port as the request.
• Symmetric: In addition to the requirements for a port-restricted code NAT, the symmetric NAT will create a new mapping of internal IP address and port to external IP address and port for traffic sent to every individual external host.

Some newer NAT devices can also appear to be port restricted under some conditions and symmetric under others:

In particular, we found that many NAT have a 5th strategy, "port conservation." Basically, they will try to keep the same port number inside and outside, unless it is already used for another connection, in which case they pick a different one either sequentially (from a global variable) or randombly. These NATs appear typically "port restricted" during the tests, but behave as "symmetric" under load. (Huitema, personal communication)

If you're interested in the details, consult RFC 3489 (Rosenberg et al. 2003).

Remember: if anyone tries to tell you that Full-code NAT/Open NAT is a security issue, tell them they don't know what they're talking about. NAT is not a security boundary - that is what a firewall is. Anyone using NAT as a security boundary is simply wrong.

See also

• Wikipedia: Network address translation
• Strict, Moderate, and Open NAT
• Error: Your NAT type is set to strict (or moderate)
• RFC 3489 - STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)

All of these NAT terms are used only in the gaming industry. If you ask a network engineer or security engineer about strict nat, they are not going to know what you are talking about.

In the real, pure technical, world of networking there is NAT and PAT and these can be inbound or outbound.

Consumer routers often have a "DMZ" IP setting that sends everything destined to your router public IP straight to your PCs private IP. I can not even begin to tell you how dangerous this is. Gaming companies should at the very least publish a list of Server IPs so you can forward traffic direct to your PC only if it is from a server on the list. I think that the "Moderate NAT" is what the network industry calls PAT (Port address translation).

If you connect on port 80 to the server there is also a source port 4040 for example. Your router is listening on port 4040 after you initiate the connection. If they try to talk to your router on a different port, the router NAT table has no mapping for the new port and drops it. If you allow port 4444 to be forwarded to a specific IP in the NAT/PAT config, outsiders can now initiate connections on that port only. This is less dangerous than a 1 to 1 mapping and allowing everything through.

Gaming companies need to give better guidance. I even saw suggestions to disable the Microsoft firewall entirely rather than give a list of ports. If you want to become part of a botnet or dont mind Ransomware, go ahead and follow their poor guidance.

So I have had the opportunity to thoroughly test this "NAT type" terminology in (broadly) two networking environments.

MikroTik's RouterOS v6 was used to conduct this test and hence I will use MikroTik networking terminologies.

Before we begin I will assume you know the basics of:

1. NAT (including PAT which essentially is just "NAT" in 2021 networking)
2. UPnP
3. CGNAT + basic idea of the port control protocol
4. Publicly routable IP for added measure
5. VPN concept (regardless of protocols used like OpenVPN, WireGuard etc)

• "Port Forwarding/Static Port Forwarding" technically means creating a destination NAT with the source port and destination port (to-port) being equal and to-address (destination address) being the internal RFC1918 IP address of the console/OS box in question. The terminology varies between networking vendors. The concept remains the same.

We are assuming a single uplink/WAN interface with a single source NAT or single masquerade NAT in both environments. We are also assuming that the OS/Console in used is not blocking ports/UPnP at their OS/Console level.

1. Network Environment where the router has publicly routable IP

In this network environment, the three NAT types work in the following ways:

 1. Open NAT only occurs when we have static port forwarding (where all the inbound ports are manually configured based on the game/console) or when we have UPnP enabled and it opens up all the required ports
 2. Moderate NAT only occurs when we have static port forwarding or UPnP partially working (meaning, only some of the ports required are open inbound)
 3. Strict NAT only occurs when static port forwarding is not done correctly or UPnP is not or working, in either case, it means port forwarding does not work whatsoever. 

2. Network Environment where the router has a CGNATted WAN IP

In this network environment, the three NAT types work in the following ways:

 1. Open NAT cannot occur in this environment. The only workaround to achieve open NAT is to use a VPN (host it somewhere with a public IP) and open ports through the VPN tunnel (UPnP can work through the VPN tunnel assuming the OS sends all incoming packets from itself through the tunnel).
 2. Moderate NAT only occurs when we have static port forwarding or UPnP enabled and all the necessary ports are configured to be open at the router level. This is basically the same as "open NAT" configuration done in the first network environment.
 3. Strict NAT occurs when neither the above cases are achieved.

Now the strange part is the "moderate" NAT situation in CGNATted environments. We know port forwarding cannot work behind a CGNAT (unless your ISP is smart enough to deploy Port Control Protocol).

• My theory is, this situation occurs due to the CGNAT device having NAT traversal mechanisms like ALG properly configured and deployed and hence any inbound traffic from downstream is properly traversed through the CGNAT when the CGNAT device translates from internal IP to external IP.
• Cisco seems to have NAT traversal enabled by default for CGNAT mode: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-3/cg_nat/configuration/guide/cgnat_cg43crs/cgc43cgn.html#30577

As already mentioned here, don't be stupid and use so-called "DMZ" or disable the OS/Console's internal Firewall completely. If it is the OS/Console causing issues, reset the firewall to defaults. Default Firewalls on Windows, Linux Distros etc will not block UPnP/Ports opened manually at the router.