On Thu, Jun 18, 2026 at 10:02 AM Gary Sparkes <gary@kisaracorporation.com> wrote:
I mean, it's precisely why technology like STUN/TURN/ICE exist. As to your ask, with two firewalls, inbound default deny, accept related/established only (So, standard SMB/residential CPE setup), and one having NAT and the other not having NAT, I can.....
Drop a box (raspberry pi, for example) inside the network and VPN into it without having to establish a reverse tunnel first.
I'm sorry, Gary, you're going to establish a VPN to the Pi behind the NAT _without_ the Pi initiating outbound packets and establsihing connection state in the 1:many NAT firewall first? I don't think so. You're going to at least send a set of packets from the Pi to establish state in the NAT firewall. That's how STUN works. TURN flat out defies your conditions: it fully establishes the connection for a reverse tunnel via the external TURN server. And that same set of packets establishes the same state in the non-NAT firewall. You haven't demonstrated your claim that the NAT version is -more- vulnerable to the attack. Meanwhile, I don't claim that the NAT firewall makes a network less vulnerable to this sort of physical infiltration. Merely that there are other common attacks to which it is less vulnerable, even when misconfigured. Regards, Bill Herrin -- For hire. https://bill.herrin.us/resume/