Re: People do not want it
If I want to get to your 10.x address from my public 22.214.171.124 address, how do I put that in the IPv4 packet?
You put the 10.x address in the dest field, like I said.
You put the dst-ip in the dst-ip header, but how does my ISP or any intermediary know to send my IPv4 packet to the public IP of your router and not to literally any one of millions of other public IPs of endpoint routers for onward routing?
They don't. Like I said! You'd need to be on the immediate upstream network to arrange for a packet with an RFC1918 address to arrive at your router's WAN interface.
NAT is exactly like that port forwarding but dynamic [...] and forwards to that machine.
Okay, so, here's the big question: what exactly happens when a packet arrives at the WAN interface and it doesn't match an active NAT state table entry?
I've tested this, multiple times. The answer is that the packet is routed based on whatever IP is already in the packet. If that IP is the router's IP, then the packet is delivered to the router itself. If the IP is from the LAN-side network, then the packet is routed to the LAN network.
To be clear, the packet is not dropped, not unless you also configure a firewall that rejects new inbound connections.
If you think I'm wrong about this, then please explain why I see it happen when I test.
NAT MUST be stateful: it keeps track of connections, removing closed, old, and dead ones.
Stateless forms of NAT do exist, but okay, the form of NAT that we're talking about here is indeed stateful. But...
If you NAT, then you have a stateful dynamic firewall.
As I've said multiple times, no, you don't. You don't automatically get a firewall along with NAT. It's usually very easy to get one, and they're commonly configured together, but they're still separate things.
You can test this yourself if you want. Just set a test network up in a few VMs and watch the behavior. You'll see it matches what I've been describing the whole time.
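As an added illustration of the distinction drawn above (not code from either poster): a Linux nftables configuration in which the nat table alone does the translation, and a separate filter table is the only thing that drops unsolicited inbound packets. The interface names wan0 and lan0, the 10.0.0.0/24 LAN, and net.ipv4.ip_forward=1 are assumptions.

```nft
# Added example, not from the thread. Assumes a Linux router with
# interfaces wan0 (public side) and lan0 (10.0.0.0/24) and ip_forward=1.

# Part 1: NAT only. Outbound packets leaving wan0 get their source
# rewritten and conntrack maps the replies back. A packet arriving on
# wan0 with dst 10.0.0.5 that matches no conntrack entry is not touched
# by this table at all: it just follows the routing table and is
# forwarded out lan0, which is the behaviour described in the reply.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

# Part 2: the firewall, a separate table. Only this forward chain drops
# new inbound connections; without it, Part 1 stands on its own.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # replies to connections the LAN opened (the NAT state entries)
        ct state established,related accept
        # the LAN may initiate anything outbound
        iifname "lan0" oifname "wan0" accept
        # anything else arriving on wan0, including a 10.x-addressed
        # packet with no state entry, hits the drop policy here
    }
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "lan0" accept
    }
}
```

Loading only the first table with `nft -f` reproduces the forwarding behaviour described in the reply; adding the second table is what makes the unsolicited packet disappear.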