[ELI5] Is NAT Firewall same as Port Forwarding?

Hi. I am so confused even after reading a bunch of articles. I am interested in IVACY. They mention “NAT Firewall + Port Forwarding” on their website.
Can I get better torrent speed with this, the same as with Port Forwarding in Mullvad and AirVPN?

I honestly can’t understand what a NAT Firewall is compared to Port Forwarding, especially when IVACY wrote “Get NAT Firewall + Port Forwarding Now” on their website.

Thanks!

First let’s understand what NAT is and why we need it. It’s used as almost a little bit of a “trick”.

You change a packet’s source or destination IP so that you can essentially “trick” devices further up or down the transportation path into routing a packet a certain desirable way.

Now one thing to understand is that there are certain IP addresses designated for private use. As in, there are ranges of IP addresses that cannot route out on the internet. Probably the most common range in consumer networks is “192.168.1.1-254”; your devices on your home network most likely look like that or very close to it. Your home network also has some kind of internet router/firewall. That device does a few things, but one of them is that it functions as a “NAT Firewall”. Since your devices are using an IP like “192.168.1.x” and that IP is not routable out on the internet, one thing is for certain: when your device connects to the internet your router/firewall MUST change the source IP (aka source NAT) to that of the internet IP that your ISP has given to the router/firewall. That way, stuff out on the internet knows to route responses back to your router/firewall.

That sounds simple enough, but then if you have a few devices connecting to the internet, how does the router/firewall know how to route the responses back to the appropriate devices on your internal network? Was it your iPad, laptop or Nest thermostat that needs the response back from the internet? The way it does this is that for every connection it NATs going out to the internet it keeps a “session table”, sometimes called a “connection table”, which is basically a spreadsheet of the connections that have been made and what NATs it has applied, and it can easily match returning response traffic to entries in this session table.

Finally, the “Firewall” part of it is basically just maintaining a list of rules on the router/firewall that says IF (or not) a connection can be made. In consumer networks it’s usually as simple as “is the traffic coming from the internal network? Then cool, let the traffic pass”. If traffic is coming from the internet it generally is dropped, period, end of story. The exception being if the traffic from the internet matches an entry in the previously mentioned NAT table.

That is the basics of what defines a NAT firewall. The same concept can be applied to a VPN provider, just instead of those concepts being on your local network it’s happening in the VPN provider’s data center, and the source IP is getting NATd behind their internet IP instead of your home’s ISP IP (this is why governments can’t track what IP address you’re actually coming from). However, in this case the VPN provider may have some rules about what can connect to the internet, sometimes they block torrents for instance, but still the same concept as discussed above.

Now we get down to port forwarding. If you only have a single public internet IP address, how do you allow some things to be able to connect from the internet to devices inside your network? Do you want FTP traffic from the internet to your single internet IP to go to your iPad? Your Nest? Or maybe a server you’ve built in your basement? Well, you have to tell your router/firewall to point traffic destined for FTP to your server in your basement. Same with your VPN: please point traffic destined to some crazy port to my IP address.

So those are two different features/functions. I’ve no idea if the provider you’re interested in supports port forwarding, but hopefully that helps it not be so confusing. Or maybe I’ve made it more confusing :stuck_out_tongue:

Here’s my basic understanding of this. All VPN providers use NAT firewalling. This is what allows the traffic that flows through the VPN provider’s server to have only one IP address (see this explanation by Nord). As datbird was explaining below, the same concept applies to traffic going through your home router. All traffic outbound through your home router shows one IP…same thing with the VPN server. And this leads us to where port forwarding for torrenting comes in. As Nord puts it in the article:

By design, NAT is not a security tool, but it certainly helps improve your security anyway. First of all, it hides the IP addresses of any devices on your network from the outside world, giving them all a single address. Secondly, it requires every incoming packet of information to have been asked for by a device. If a malicious data packet isn’t on the list of expected communications, it is unceremoniously rejected. This secretary doesn’t like junkmail!

This is why you can’t seed well if you try to torrent behind a VPN without port forwarding…the incoming requests from peers looking for those file pieces you have are blocked by the NAT firewall of the VPN server…unless you, what…forward a port through the VPN server to your home router and on to your torrent client (which is always listening on that forwarded port). All outbound traffic you initiate flows through the VPN server with no problem, so you’re able to connect to seeds/peers and download torrents fine. You’re able to seed during downloading because you are initiating the connection to the peers in the swarm during this phase. The problem is with seeding once you’ve completed the download of the file(s). Peers can see you and send requests for you to upload to them, but your client never gets these requests because they are blocked by the NAT firewall of the VPN server.

Anyway, this is the way I understand it. All you other folks who know a lot more about this than me feel free to correct any mistakes or add clarification as necessary.

Hope this helps.

NAT maps a bunch of private IP addresses to one public IP address; port forwarding is where traffic to one IP and port is redirected to another IP and port.

Nice explanation. But wouldn’t NAT be necessary for every VPN? Let’s say 5 people are connecting to the same server. Wouldn’t NAT be needed to send the response to the correct user? What about VPN services without NAT? Or… is “Firewall” the thing that IVACY actually advertises, not NAT?

Wow, you should be teaching this or charging people

Thanks a lot for the explanation :slight_smile:

I think IVACY’s webpage confused me so much. I kind of understand because I have used a few NAT VPS. I got a shared IP address with a specific port range. So I believe it won’t help me like port forwarding does for torrents?

That is correct. It is literally why most people are using a VPN: to use NAT to hide their real IP.

So there are two technology concepts in play. NAT and Firewall.

Firewall is obvious: what is and isn’t allowed to connect.

NAT is the tricky one to understand. If traffic is getting routed through a VPN and destined for the internet, then it 100% requires NAT in order to function, no exception. So yes, all VPNs require SOURCE BASED NAT.

Not all VPNs need PORT FORWARDING based NAT. That is a feature to have traffic that is sourced FROM the internet and destined back towards your device THROUGH the VPN. A majority of internet usage does not use traffic SOURCED FROM THE INTERNET. Most internet usage is SOURCED (initiated) from the user/client, and in the majority of those cases all that is needed is SOURCE NAT.

Torrents work better with a forwarded port because remote torrent clients can SOURCE (initiate) connections back towards your torrent client to the forwarded port your Torrent client specifies.

Does that all make sense?

Edit: Also, when you say 5 people connecting to the same server. If 5 people are connecting to a single server through a SOURCE NAT connection, then after the packets are NAT’d, each one would be uniquely identified by some lesser known things that may start to add confusion, but here goes: When, as previously discussed, the router/firewall creates an entry in the session table for a NAT connection, it can easily distinguish one connection from another utilizing two things (for TCP connections anyway): the Source Port and the TCP sequence numbers. The source ports are all that is typically needed or even used by most devices. You don’t hear about source ports very often; when someone says something like “oh, HTTP is port 80” or “FTP is port 21” they’re actually talking about the destination port. Source ports are randomly chosen (sometimes called Ephemeral Ports), typically in the range of 1024-65535, when a packet is created by the source device. So when 5 devices connect to the same server over the same router/firewall NAT, those source ports can easily be used to distinguish response traffic as being part of one of the 5 sessions in its session table. Again, hopefully not adding to confusion :stuck_out_tongue:
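To make the session table, the source-port matching and the port-forward rule from the two explanations above concrete, here is a small toy model of a NAT firewall. It is an added example, not code from the thread or from any VPN provider, and every IP address and port in it is a constructed sample value (the model also always hands out a fresh public port, where a real NAT often keeps the original one when it is free).

```python
# Added example (not from the thread): a toy model of a NAT firewall's "session table"
# and its port-forwarding rules. All IPs and ports are constructed sample values.
import itertools
from dataclasses import dataclass, field

@dataclass
class NatFirewall:
    public_ip: str
    # public port -> (private ip, private port): the "port forwarding" rules
    forwards: dict = field(default_factory=dict)
    # (proto, public port, remote ip, remote port) -> (private ip, private port)
    sessions: dict = field(default_factory=dict)
    # translated source ports handed out by this toy NAT (a real NAT often keeps the
    # original source port when it is free; this model always allocates a fresh one)
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Source NAT: rewrite the source to the public IP plus a fresh public port and
        record the mapping in the session table. Returns the packet as the internet sees it."""
        pub_port = next(self._ports)
        self.sessions[(proto, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Return the private (ip, port) a packet arriving from the internet is delivered
        to, or None when the firewall drops it."""
        key = (proto, dst_port, src_ip, src_port)
        if key in self.sessions:        # a reply to something an inside device asked for
            return self.sessions[key]
        if dst_port in self.forwards:   # an explicit port-forward rule (e.g. a torrent client)
            return self.forwards[dst_port]
        return None                     # unsolicited inbound traffic: dropped

def five_clients_one_server():
    """Five LAN devices reach the same remote server; each reply is matched back to the
    right device by the translated source port alone."""
    fw = NatFirewall("203.0.113.7")
    delivered = {}
    for i in range(5):
        private = ("192.168.1.%d" % (10 + i), 50000 + i)
        _, pub_port, _, _ = fw.outbound("tcp", *private, "198.51.100.9", 443)
        delivered[private] = fw.inbound("tcp", "198.51.100.9", 443, pub_port)
    return delivered

def seeding_with_and_without_forward():
    """A peer's unsolicited connection to the torrent port is dropped until a forward exists."""
    fw = NatFirewall("203.0.113.7")
    peer = ("198.51.100.42", 61234)
    blocked = fw.inbound("tcp", *peer, 51413)
    fw.forwards[51413] = ("192.168.1.10", 51413)   # "point port 51413 at my torrent client"
    return blocked, fw.inbound("tcp", *peer, 51413)
```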

Thanks! I fully understand it now.