ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

What is a NAT Firewall?

It is becoming increasingly common to see VPN providers offering NAT firewall services, usually as an optional extra. But what does this mean, and why should I want it? The more tech-savvy out there may be even more confused as every home and office router includes basic NAT filtering, so why should you need an additional service?

What is a Firewall?

So let’s start with the basics. A firewall is a ‘thing’ that sits between a secure Local Area Network (LAN) such as a home WiFi setup, and a less secure area such as the internet. Its purpose is to control communications between the two, by analyzing the data packets and determining what to do with them. Firewalls are therefore very useful for stopping hackers who use various techniques to insert malicious packets onto computers.

A firewall can be either a piece of software (often called a ‘personal firewall’) or a hardware network device. Most modern Operating Systems, such as Windows (Vista onwards) and OSX have at least a basic personal firewall built-in.

What is NAT?

Network Address Translation (NAT) is the process of modifying the IP information in IP packet headers so that the packets can be routed to the required destination. It is used in home routers (such as the typical WiFi router) to allow a number of devices (such as desktop computers, laptops, games consoles, mobile phones, and internet-enabled televisions), each with their own network address, to connect to the internet using the one external IP you are assigned by your ISP.

Devices connected to LAN <-> NAT router <-> ISP <-> internet

Because IP packets that are not recognized are discarded, the NAT process acts as a simple but effective firewall, blocking incoming traffic unless it is in response to previously sent outgoing traffic i.e. blocking unsolicited traffic.

VPNs and NAT Firewalls

What all this means is that normally, when you are connected to the internet through a router, you are protected by a hardware firewall that provides a good first line of defense against would-be hackers. The problem with using a personal VPN service, however, is that the encrypted VPN tunnel between your PC and the VPN server also tunnels through the NAT firewall (which cannot read the packets headers, as they are encrypted). This means that you lose the protection afforded by the NAT firewall, and malicious IP packets can enter your system from your public, visible IP address.

Device connected to LAN <=>Home router NAT firewall <-> ISP <=> VPN server <-> Internet

(all connection within the  <=>  are inside an encrypted VPN tunnel).

VPN providers who offer a NAT firewall service place a NAT firewall between the VPN server and the internet so that all internet traffic is filtered through the NAT firewall.

Device connected to LAN <=>Home router NAT firewall <-> ISP <=> VPN server <-> NAT firewall <-> Internet

Can’t I just use a personal firewall like the one that came with my OS?

It is always a good idea to use at least the firewall that came with your OS, as these provide a more sophisticated firewall solution to basic NAT filtering. Indeed, it is encouraged to use a third party firewall solution for even more comprehensive cover. However, not only is a NAT hardware firewall an extra line of defense, but it filters out a lot of potential threats before a more processor-intensive firewall has to deal with them, and possibly throw up another annoying ‘Do you want to allow this connection?’ dialogue for you to deal with.

In addition to this, while desktop Operating Systems these days usually have built-in firewalls, other devices (most notable mobile phones) do not, and therefore receive no firewall protection when using VPN.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.


Dr. Alexander LIvingston {Esq}
on April 16, 2018
Hi, I personally subscribe to VYPRVPN (Goldenfrog) using THEIR NAT Firewall & chameleon AES 256bit encryption, which I was led to believe would be suitable for all items connected to my secure (mix of alpha, numerous & spec character password protected) Wi-Fi router. Does anyone recommend any further 'belt & braces' security measures that I may require? As a footnote I've also controlled my router to only accept connections from "Pre~appreved" MAC Id's set by myself. I like to think I've got most of the 'bases' Covered, on PC, GOOGLE'S Android Phones & hopefully Amazon Fire Tablets {dunno if you've ever noticed, but regardless of the font\capitalisation, that you want to use ~ IT. ALWAYS DISPLAYS AS AMAZON!!!!!!!!!!!!!!!!!!!!!!!!, can anyone find a way to STOP IT!!!!!!!!!!!! LET'S. CALL THIS ANTI~AMAZON DAY NO LOOKING, ADD TO BASCKET, NO PRIME CARD\SUBSCRIPTION ~ WITH OUR BRAINS, SKILLS & COURAGE, & all the tv - although I'd love to hear from someone, obviously more intellectually inelegant than me to point out & please help, plug any gaps in my security regime that; a) I'm too Stoopid to see or b) I don't have the knowledge to fix, I assume that both A & B will be correct to certain degrees, I'm just hoping that a "White Hat" may be kind. & honest enough to come to my aid & help, although being disabled i cannot work & as such cannot offer them a financial reward, however I've run my own 'Martial Arts Academy' since I was 13 - youngest nightclub bouncer in the UK!!!!!!!! (Ok it was an under 16's disco, so they needed an under 16yr old bouncer, as an 18+yr old, throwing a 12\13yr old PHYSICALLY {Honestly, some had to be picked up ~ when they were KICKING OFF!! & They MUST be physically EJECTED FROM THE CLUB, NEVER TO RETURN AGAIN - at least on MY WATCH!!!!!!!!!!!!
on February 27, 2018
gostaria de saber se uma firewall pode ser combinada com NAT e quais são as consequencias..obrigado
Douglas Crawford replied to Nitox
on February 27, 2018
Olá Nitox, Seu sistema operacional provavelmente possui um firewall executando o tempo todo de qualquer maneira. Isso não interferirá com o firewall NAT. A única coisa que o firewall NAT pode fazer é bloquear algumas conexões recebidas antes de chegarem ao seu computador.
on August 5, 2016
Thank you very much for this article. Everything i wanted to know in one concise piece.
on October 11, 2015
I contacted ExpressVPN by their live chat and asked if ExpressVPN's Mac app has a NAT firewall. The responder said "ExpressVPN does not have a NAT firewall as it does not support port forwarding" What does port forwarding have to do with NAT firewalls?
Douglas Crawford replied to Guy
on October 12, 2015
Hi Guy, Port forwarding can be used to direct communications through a firewall (by directing it to open ports), but this should not really be necessary with a NAT firewall as ExpressVPN could simply open the ports used by its client software. I suspect that the support person you spoke to simply doesn't now what they are talking about (perhaps confusing a NAT firewall with a personal firewall.)

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives: