Why disable NAT passthrough?
According to this article NAT passthrough is a router feature enabling outbound VPN connections from LAN computers. My Asus router has NAT passthrough for three VPN protocols: PPTP, L2TP and IPSec. Of these, only PPTP is enabled by default.
What reasons are there for disabling NAT passthrough? It seems like the feature is useful and harmless security-wise to me. In addition, is there any reason why PPTP is the only protocol enabled by default?
Solution 1:
NAT from external network to inside is disabled by default because of security. The VPN pass-through isn't directly same as NAT. VPN is used to join an external network so, that everything between you and the external network thinks that you are part of the other network (Where you have connected with VPN).
By default you don't need to allow users to join other networks (because of security). But I think that Asus has opened the PPTP protocol by default since it's quite commonly used (though it shouldn't since it's security is completely broken) and most users never access the web interface of the router, so they would get angry if their old PPTP-VPN wouldn't work after buying a new router.
Personally I have them all open, but I'm then using a more professional firewall system to filter traffic. If you are not going to use them, leave them all disabled and enable them once you need them.
EDIT: (Why users of my network joining other networks is a security issue?)
VPN is used to join another network remotely in a way that everything between your PC and the VPN server thinks you are part of the VPN server's network. This means that you will get a new internal IP address from the VPN server's pool and you will be "disconnected" from your local LAN, i.e. you can't print to your home's network printer and you're unable to access your NAS-storage (NOTE! <-- is by default, of course you can apply some advanced VPN and interface routing to enable these).
When you become a part of another network and the VPN firewall pass-through is enabled, the connection between your PC and the VPN server will bypass all your router's firewall rules. If the VPN client can contact the VPN server, the server can contact your PC (client) as well. Now this leads to an issue if someone in your network connects to an insecure or malicious VPN server: A hacker at the server can now access your home's LAN through the VPN.
A VPN-tunnel is a two-way tunnel (not always if you do some tricks). And by connecting to a VPN server, a user inside your network can by accident open the whole network to the outside, in case the VPN server is malicious or there is a misconfiguration somewhere. A possible virus on your PC could also open a VPN connection without letting you know about it, which leads to another story what all a hacker inside your LAN could do (from stealing passwords to destroying data).
If you don't necessarily need VPN, keep it closed. That's the basic rule for all firewalling and routing as well: Keep all ports, protocols and interfaces blocked by default, and in case you need them open them.
-AirPett