How to fix your self-hosted masternode. (Error. Could Not Connect to X.X.X.X:8168)

Hello everyone,

Support chat seems to get the same question a lot from people self-hosting masternodes or running a node from home. This post goes over why mapping your public IP to your local IP through NAT is necessary. NAT is for connectivity, not security, although a misconfigured NAT can certainly make your network insecure.

NAT (Network Address Translation) is a workaround for running out of IPv4 addresses. It is enabled by default on most home routers for outbound connections. NAT is what translates between your single public IP and the private local IPs of all of your devices, in both directions. When you connect to the internet your computer sends the packets to your router, and the router rewrites the source address to your public IP before sending them on. This is what allows many devices to share one public IP address.

Why is this important when running a masternode?

A lot of Firo users run on a VPS. The provider assigns a public IP directly to your virtual machine, so there is no NAT in the way and inbound connections reach it without any extra configuration. That is also why it is recommended to set up a firewall on the VM and secure your SSH connection (basic UFW rules should be enough): everything listening on that machine is exposed to the internet by default.

Some users opt to host from home, running firod on a virtual machine or buying a block of IP addresses from their ISP. Normally your router only translates outbound traffic: when your machine opens a connection, the router records the translation in its NAT table, so it knows which local machine the replies on that connection belong to. An unsolicited inbound connection has no such entry, so the router has no idea where to send it and drops it. This is when the NAT configuration becomes important. You have to tell the router explicitly, with a port forward (a DNAT rule on the router), "traffic arriving at {PUBLIC IP} on port 8168 goes to {LOCAL IP}". If you instead forward every port (the "DMZ host" setting on many routers), every service listening on that machine becomes reachable from the internet, limited only by the router's and the server's own firewalls.

In short, the command iptables -t nat -A OUTPUT -d {PUBLICIP} -s {LOCALSUBNET} -j DNAT --to-destination {LOCALIP} is run on the node machine itself, and the nat table's OUTPUT chain only sees packets that machine generates. The rule rewrites the destination of any connection the machine makes to its own PUBLIC IP so that it goes to LOCAL IP instead. This is needed because many home routers will not loop a connection from the LAN back in through the public address, so firod or a wallet on that machine cannot otherwise reach the node by its public address. The rule does not open anything to the internet; the router's port forward does that. NOTE: this command has no port match, meaning every connection that machine makes to PUBLIC IP, on ANY port, is redirected to LOCAL IP. Adding -p tcp --dport 8168 limits it to the masternode port, and the router's forward should likewise cover only port 8168 rather than all ports, with everything else blocked by your router and/or server firewall.
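The rule above narrowed to the masternode port, the matching UFW host firewall mentioned earlier for VPS setups, and a small audit for port-less DNAT rules, as an added example that is not part of the original post or the Firo project. The addresses are assumed placeholders from documentation ranges and the iptables-save excerpt is constructed, not captured from a real node:

```shell
#!/bin/sh
# Added example, not from the original post. Addresses below are assumed
# placeholders (RFC 5737 / RFC 1918 ranges); substitute your own.
PUBLICIP=203.0.113.10          # assumed public address of the home connection
LOCALSUBNET=192.168.1.0/24     # assumed LAN
LOCALIP=192.168.1.50           # assumed masternode host
MNPORT=8168                    # masternode port from the post

# The rule from the post, as written. Only locally generated packets traverse
# the nat OUTPUT chain, so this only affects connections the machine itself
# makes to PUBLICIP, but it redirects them on every port.
weak_hairpin_rule() {
    printf 'iptables -t nat -A OUTPUT -d %s -s %s -j DNAT --to-destination %s\n' \
        "$PUBLICIP" "$LOCALSUBNET" "$LOCALIP"
}

# Same loopback fix limited to TCP/8168, so unrelated connections to the
# public address (SSH, a router admin page, ...) are left alone.
hardened_hairpin_rule() {
    printf 'iptables -t nat -A OUTPUT -p tcp -d %s -s %s --dport %s -j DNAT --to-destination %s\n' \
        "$PUBLICIP" "$LOCALSUBNET" "$MNPORT" "$LOCALIP"
}

# Host firewall for the node (UFW): deny inbound by default, allow the
# masternode port, rate-limit SSH. Emitted as commands to run as root.
host_firewall_rules() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit 22/tcp
ufw allow ${MNPORT}/tcp
ufw --force enable
EOF
}

# Audit helpers: read iptables-save output on stdin and report DNAT rules
# that carry no --dport match, i.e. redirects that cover every port.
dnat_rules_without_port() {
    grep -- '-j DNAT' | grep -v -- '--dport' || true
}
count_dnat_without_port() {
    awk '/-j DNAT/ && !/--dport/ { n++ } END { print n + 0 }'
}

# Constructed iptables-save excerpt (not a real capture) containing the weak
# rule and the hardened one, as the kernel would list them.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -s 192.168.1.0/24 -d 203.0.113.10/32 -j DNAT --to-destination 192.168.1.50
-A OUTPUT -s 192.168.1.0/24 -d 203.0.113.10/32 -p tcp -m tcp --dport 8168 -j DNAT --to-destination 192.168.1.50
COMMIT'

# Demo: show both rule variants and audit the constructed sample.
# On a live node, audit the real table with:  iptables-save | count_dnat_without_port
echo "weak:     $(weak_hairpin_rule)"
echo "hardened: $(hardened_hairpin_rule)"
echo "port-less DNAT rules in sample:"
printf '%s\n' "$SAMPLE_RULES" | dnat_rules_without_port
echo "count: $(printf '%s\n' "$SAMPLE_RULES" | count_dnat_without_port)"
```

The audit only flags the first rule of the sample; the second carries --dport 8168 and passes. Running iptables-save through count_dnat_without_port on the node is a quick way to confirm no all-port redirect was left behind after following the post.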

Why not just use UPnP?

Setting up your masternode with UPnP does seem like the simpler option, just plug and play. But when you go for convenience you tend to give up security. UPnP lets any device connected to your network open a port on your router for inbound connections without authentication, so any compromised device on your LAN can punch holes in your router. This is not recommended. NOTE: some routers have UPnP enabled by default (e.g. Google routers).

Please note that it is not recommended to run a masternode on your home network. This post does not cover how a DMZ works or how to set one up, and many IoT devices are insecure by default. Convenience in networking usually comes at the cost of security.
