When a Lan user initiates a connection to the internet, Nat works really well, remembering the local address so that incoming data to that address can be automatically forwarded to the correct network device. But when the connection is initiated from outside, the Nat server has no way of knowing which local system to forward it to. While this is good news if it's a hacker trying to access your system, it's bad if you want to host your own web or email server or connect to your network from a remote location.

One way around this issue is to set up a demilitarized zone (DMZ) on the router to which you can connect things such as web, email and VPN servers. The rest of the network will still be Nat-protected, but anything in the DMZ will be treated as though it were directly connected to the internet with separate public addresses.

A DMZ can be implemented using separate Wan interfaces or in software, but very few home routers will have this as an option, plus you'll need additional public addresses for which there might be a charge. A more common alternative is port forwarding. This is where you simply tell the Nat server to direct all traffic received on a particular port to a preset local address.