[ILUG] Somewhat OT: Dynamic vs. Static NAT?

[Giulivo Navigante]

> Nothing to do with security. Folk on the outside only see your Internet 
> IP, which can be static or dynamic. Neither dynamic IP nor  even MAC 
> based access list helps security, even on LAN/WiFi. You can sniff ARP 
> packets to see which IPs & MACs are in use and  spoof MAC later.

I think this is wrong,
you can't see arp traffic if you're not connected at the same layer 
where arp is propagated, so you can't get mac address of a computer not 
attached to the same switch (trunk) where you are ... so in the specific 
case you're assuming were you have an external public IP and an internal 
IP to be natted, you router which is also NATTING is actually 
introducing a certain kind of security

> If you have a fixed small number of PCs then Static.
> Any servers or print servers want to be static.
> Port forwarding sort of needs static (see below).

static or dynamic depends on one-to-one or one/group-to-group 
requirements, in fact ...

> You can use DHCP (which normally infers Dynamic) but with a MAC table. 
> Then the clients can be DHCP (no per client config) yet from point of 
> view of portforwarding look like static.

... this nothing seems to have in common with NAT ...

> My Internet IP is like this too. The modem uses DHCP to get IP & DNS & 
> GW & SN, but the ISP makes sure based on Modem MAC that it is always the 
> same.

... you have to use a dynamic NAT to masquerade on the outside your 
internal IP addresses with a POOL of STATIC PUBLIC IP ADDRESSES or to 
have a group of internal DYNAMICALLY or STATICALLY ASSIGNED PRIVATE IP 
ADDRESSES translated into a single public IP

hope to be on the right way :+)
Giulio