Ntrip nightmare

You are correct, NAT works better if you have a static WAN IP.

Even with dynamic IPs, ISPs often release these for 24+ hours per session. All you have to do is receive an alert any time this changes, along with the new IP.

Or you can use a service like DynDNS.

But you still can’t do forwarding; your ISP must do that, the public IP is with them. You do not have access to their equipment.

They must do dstnat, but they won’t do that.
Buy your own public IP and do with it what you like.

Your modem, ONU or whatever you have also has a DHCP lease; that IP changes, and the public one changes also, because most ISPs have load balancing through 2 links with different IPs.
You do not know when your packet will go through one of them. It depends on traffic.

My advice: buy a public IP, tell the provider to put their equipment as a bridge, and get a MikroTik router.

Sky is the limit with mikrotik.
You can do anything you like with it.

Sorry mate, you’re mistaken: NAT is used for LANs to address the issue of there only being 4.2Bn IPv4 addresses. It is employed so that multiple devices on a private network can share a single WAN address.

You can configure both NAT and port forwarding on your private firewall.

1 Like

Mate, I work at an internet and TV provider, I know how it works.

I work with optics, wifi links, HFC internet etc.
You hide a whole range of IPs behind NAT.
That range is not visible to the outside world. For some port or IP to be visible from outside, you must have a visible public IP; then you do port forwarding (dst nat).

Example:

You have public IP 1.100.100.55
Your server is on 192.168.0.1:5500

For your server to be visible to the world, you do dst nat.

So the logic is: everything that comes to your WAN at the port you decide, dst nat to address 192.168.0.1:5500

If you have a local IP, you’re not visible to the outside world whatever you do. You can open ports wherever you want. Wasting time.
Or ask a provider to add dstnat to your IP and make your IP static (so DHCP won’t change it over time); they make it static by MAC address or serial, depending on the devices used.

Spent 12 years as a firewall / internetwork engineer for an ISP… :wink:

Here is a post on using TailScale. You could use it instead of port forwarding.

1 Like

So tell me, how can I access your private network another way?
The way I described it, or tell me the other way.
You can use a VPN, but you also need a public IP for that.
I’m very curious.

I’m not sure that I understand your question.

The way traffic is routed to any device inside a LAN is via a combination of NAT / port forwarding which is handled by the local firewall.

See below for the relevant forwarding rules on my home firewall:

This requires no work on the part of the ISP, it’s all done locally.

The issue in my area is that most of the time the ISP owns the router and doesn’t let the consumer into the router. You have to buy your own router in order to configure the port forwarding rules.

I was wondering about this…

ISP managed routers are a massive pain, do you need to send in a change request for the addition of a new firewall rule?

I have my own router so I’m not sure if they would add a rule for you or not.

I know what I’m talking about :wink:
The only way to do that is what I have described.

You can use that router’s forwarding, but the WAN on that router must be a public IP.

To do that, your ISP modem must be in bridge mode so the public IP can be on the WAN of the router.
Then you can do port forwarding.

Every day I work with slightly more pro routers.
I even have a 500 EUR MikroTik in my house.

1 Like

I had an update induced issue with the ASUS that shut down my base.

The more plumber fix was to hook a switch at the ISP modem so the base and ASUS share its WAN. This gave the base a direct line out and prevented a double NAT situation for it. The ISP device wants to act as a router, unfortunately a rather poor, locked-down one.

Telecoms hardware choices :face_with_symbols_over_mouth: make me mad.

1 Like

Now I’m even more confused, Bridge Mode is used for mesh networks and should not be used if you only have one router.

WAN is always public; it is, by definition, your public (routable) IP. If it wasn’t public, then you would not be able to connect to the Internet.

Your WAN is your public address, LAN is private. WAN addresses are unique, LAN addresses are private and arbitrary.

As I say, I spent years as a Cisco engineer…

But I’m wondering why you are so confident about this and it’s possible that we are both kind of correct. What country are you in / what ISP do you use?

Yeah, updates can cause grief!

Trying to picture your setup, is it:

Modem - router - switch?

One big source of confusion in these discussions is the term “router” because most broadband routers are not actually routers! They are hybrid devices containing a modem, router and (Layer 2) switch.

I think I should describe it better

4g ISP router no wifi — switch —- switch ports

Switch port 1 — Asus Router house wifi
Switch port 2 — house powerline extender — shop powerline to wifi adapter — Emlid Base Station

The base is the only thing bypassing the house router.

1 Like

My ISP also owns the wan facing router. I can log in to my ISP’s customer portal and add a firewall rule, the rules get pushed to routers every night. I’ve had a couple ISPs like that.

The ISP’s router feeds my own router (I’m double NAT’ing), I have a firewall rule set there as well.

Your ISP should be able to set up a firewall rule for you.

My friend

A classic router has an RJ45 WAN input and 3-4+ LAN outputs and a wifi interface.

A modem is a device which combines technologies.

Example:

Input can be: 4G, ADSL, HFC or optics etc…
Outputs are LAN ports and wifi.

Bridge mode
is a bridge between devices;
the bridged device does not get an IP from the ISP, but the device which is connected to it does, and it’s only one IP.
So you connect a router to it and the router gets an IP on its WAN directly from the ISP’s range.

When the ISP’s modem is in DHCP mode:

That modem gets an IP from the ISP’s range of addresses on its WAN, which is the HFC input, optical … and all devices get the 192.168.9.0/24 range.

Because many of those modems are limited in possibilities, people are putting the ISP’s device in bridge mode and putting pro routers behind it.

So, when you buy a public IP and the modem is in bridge mode, your router gets the public IP on its WAN; then you can do port forwarding.

This public IP is yours and no one else is using it.

When you do not have a public IP, you are NATed along with 5-6000 users. All of you have the same public IP.

Right, this makes more sense.

It sounds like you are on a privately owned mesh with a shared WAN link, I was assuming a single LAN behind a modem / router.

@EngFarm

Is this a corporate service? I have never heard of a managed home router before (actually, there was FON in Spain now I think back), but I have (and still do) managed a fair few corporate networks before where the customer would have to submit change requests for any changes to be made to their network.

@PotatoFarmer, I get you, that makes perfect sense. May I ask why you don’t just get a Wifi router though? My home office setup is similar to yours in design, but I have an ADSL router, modem, switch device connected to a power line (I’m assuming EOP?) Wifi hotspot in the workshop.

That makes sense @daner. I’ve heard of this type of ISP network maybe 10 years ago when ipv4 addresses were scarce and ipv6 wasn’t adopted yet, but never since then. I remember gamers being angry because game servers would ban a user’s IP and it would ban everyone else too.

It’s not a corporate service @bluerabbit, just a residential connection. My ISP owns a device in my home which is both a modem and a router. I cannot access that device directly, but I am able to log in to my online customer portal and make some limited setting change requests, like port forward rules and local IP. These changes are pushed to the device during maintenance hours in the middle of the night. Since I have trust issues and do not want their firewall to be my protection (and I need a WAP anyway), I’ve simply plugged my own typical homeowner router’s (router/bridge/WAP) WAN port into my ISP device’s LAN port, and connect everything in my home to my personal router. That way I at least know that I own my firewall. Anything I want to port forward from my network to the outside world, I have to port forward through both routers. My ISP occasionally reminds me that I’m double NAT’ing and that I may experience issues and should just ditch my router, but I don’t care.

1 Like
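
Added example, not part of the original thread: much of the disagreement above comes down to what address the WAN interface of your own router actually holds. This Python sketch classifies that address (public, RFC 1918 private behind an ISP device, or RFC 6598 carrier-grade NAT space) and says where a port forward has to be configured; the function names and result labels are made up for the illustration, and the sample addresses are the ones quoted in the thread plus constructed ones.

```python
import ipaddress

# Address blocks that are never reachable directly from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space
UNUSABLE = [ipaddress.ip_network(n) for n in
            ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def classify_wan(wan_ip):
    """Return 'public', 'private', 'cgnat' or 'unusable' for an IPv4 WAN address."""
    addr = ipaddress.ip_address(wan_ip)
    if addr.version != 4:
        raise ValueError("this sketch only covers IPv4 NAT scenarios")
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "private"
    if any(addr in net for net in UNUSABLE):
        return "unusable"
    return "public"


def diagnose(wan_ip, observed_ip=None):
    """Say where a port forward must live.

    wan_ip      -- address shown on the WAN interface of the router you control
    observed_ip -- optional: address an outside host sees your traffic come from
    """
    kind = classify_wan(wan_ip)
    if kind == "public":
        # A public WAN address that differs from what the outside sees means
        # something upstream is still translating.
        if observed_ip is not None and \
                ipaddress.ip_address(observed_ip) != ipaddress.ip_address(wan_ip):
            return "translated-upstream"
        return "forward-locally"       # a dst-nat rule on your own router is enough
    if kind == "private":
        return "double-nat"            # bridge the upstream box or forward on both
    if kind == "cgnat":
        return "carrier-nat"           # only the ISP (or an overlay VPN) can help
    return "no-usable-address"


if __name__ == "__main__":
    for ip in ("1.100.100.55", "192.168.9.20", "100.72.3.4"):   # last two constructed
        print(ip, "->", diagnose(ip))
```

A "private" result does not distinguish an ISP modem in DHCP mode from a carrier that hands out RFC 1918 addresses; comparing against the externally observed address of the upstream device settles that.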