Can only one VLAN have unrestricted NAT? What if main router NAT is restricted?

Started by Default4408, January 09, 2025, 05:57:08 AM

Hi, I'm trying to run a standalone Tor snowflake (proxy) and would like to make my firewall's NAT unrestricted only on the unprivileged VLAN. If this is possible, how can I achieve it? Also, if my network layout is modem > ISP router > OPNsense > personal router (in bridge mode), would it matter if I set OPNsense's NAT to unrestricted if the ISP router has a restricted NAT? Also, how much of a security risk is it to have an unrestricted NAT?

Edit: I read that my ISP uses carrier-grade NAT and opting out of it would require a business account (which is more expensive). I'm assuming there's no way around this?

What is restricted/unrestricted NAT?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I'm not an expert myself but I got this excerpt from online:

"Tor Snowflake relies on Network Address Translation (NAT) types to determine the best way to establish connections between clients and proxies. NAT types are categorized into different categories such as unrestricted, restricted, and symmetric. The NAT type determines how well a proxy can connect to clients, especially in regions with heavy internet censorship.

Unrestricted NAT: This type allows bidirectional communication without any restrictions, making it ideal for running a Tor Snowflake proxy. Proxies with unrestricted NAT can establish connections more reliably and efficiently.
Restricted NAT: These proxies can initiate connections but cannot accept incoming connections without additional configuration. This can limit their effectiveness in helping clients circumvent censorship.
Symmetric NAT: This type is less common and more restrictive, often requiring complex configurations to establish connections. It is not ideal for running a Tor Snowflake proxy.
To ensure your proxy operates effectively, it's important to configure your NAT settings to be unrestricted if possible. If you are running a proxy in a Docker container or on a VPS, you may need to open specific UDP ports and configure your firewall to allow bidirectional communication."

Here are further details on what my setup goal is: Tor Standalone Snowflake proxy.
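To make the three categories in that excerpt concrete, here is an added example (not from this thread or from the Snowflake project) that models a NAT's mapping and filtering behaviour in Python, using the RFC 4787 vocabulary, and runs the kind of probe a STUN client uses to tell them apart; the SimNat class, IP addresses and ports are all constructed for illustration.

```python
"""Toy NAT behaviours and the probe that sorts them into unrestricted,
restricted and symmetric. Constructed example; the NAT model and all
addresses are made up, not measurements from a real network."""


class SimNat:
    """Minimal NAT with one public IP.
    per_dest_mapping=True gives a fresh external port for every (socket, peer)
    pair (symmetric); filter_inbound=True drops inbound packets from peers the
    internal socket has not yet sent to (restricted)."""

    def __init__(self, public_ip, per_dest_mapping, filter_inbound):
        self.public_ip = public_ip
        self.per_dest_mapping = per_dest_mapping
        self.filter_inbound = filter_inbound
        self.bindings = {}   # mapping key -> external port
        self.owner = {}      # external port -> internal socket
        self.peers = {}      # internal socket -> set of peers it has sent to
        self.next_port = 40000

    def send(self, sock, peer):
        """Outbound packet from internal sock to peer; returns the external
        (ip, port) the peer sees as the source."""
        key = (sock, peer) if self.per_dest_mapping else sock
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.owner[self.next_port] = sock
            self.next_port += 1
        self.peers.setdefault(sock, set()).add(peer)
        return (self.public_ip, self.bindings[key])

    def receive(self, peer, ext_port):
        """Inbound packet from peer to our external port; True if delivered."""
        sock = self.owner.get(ext_port)
        if sock is None:
            return False          # no binding at all: nothing to deliver to
        if self.filter_inbound and peer not in self.peers[sock]:
            return False          # address/port-restricted filtering
        return True


def classify(nat, sock=("192.168.50.10", 5000)):
    """Probe like a STUN client: contact two peers, compare the external
    endpoints they report, then let a third, never-contacted peer send inbound."""
    peer_a, peer_b = ("203.0.113.1", 3478), ("203.0.113.2", 3478)
    stranger = ("198.51.100.9", 9999)
    ext_a, ext_b = nat.send(sock, peer_a), nat.send(sock, peer_b)
    if ext_a != ext_b:
        return "symmetric"        # mapping depends on the destination
    if nat.receive(stranger, ext_a[1]):
        return "unrestricted"     # anyone can reach the mapped port
    return "restricted"           # only peers already contacted get in
```

A Snowflake proxy needs the "unrestricted" outcome to be reachable by the most clients; a CGNAT in front of OPNsense decides that outcome before any OPNsense rule is consulted.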

Quote from: Default4408 on January 09, 2025, 05:57:08 AM
I read that my ISP uses carrier-grade NAT and opting out of it would require a business account (which is more expensive). I'm assuming there's no way around this?

Quote from: Default4408 on January 25, 2025, 03:06:51 PM
Restricted NAT: These proxies can initiate connections but cannot accept incoming connections without additional configuration. This can limit their effectiveness in helping clients circumvent censorship.

So your NAT might be considered as restricted.

A CG-NAT doesn't allow any incoming connections. You can only initiate outbound connections.

But yes, you can only route a single VLAN to the proxy, wherever it's running on.