To the point of Network Address Translation (NAT), allow me to take away some confusion and unneeded complexity here.

There are two types of NAT. The first one is known as Destination NAT (DNAT) and what it does is forward whatever is received to a specific other address. The second one is known as Source NAT (SNAT) and this changes the address where the reply should go to. There are a lot of crazy things you can do with SNAT and most will not work but the most common usage of SNAT is where a router replaces the reply address with its own address, a method that is generally referred to as Masquerading and every firewall application accepts this as shorthand for SNAT <my internal|external|whatever IP> which also prevents misconfiguration. So my tip is that you forget about (S)NAT and just remember MASQ which offers a visual interpretation of what it does - pretty cool that it happens to be carnival as I write this.

I didn't really mean weird from a how IP networks function perspective, but weird from what the user experiences. Like "hmmm, that's weird, it worked at the last campsite but now when I connect the WAN port the web UI stops responding."
Or, "hmmm, that's weird, the web UI times out and when I ping the router I'm getting like 90% packet loss, until I disconnect the WAN port and then everything starts working again."
Or, "hmmm, that's weird, when I connect the WAN port, the router reboots."
Or, "hmmm, that's weird, the WAN port has a steady amber light on, I've never seen that before."
Or, as P Nelson mentioned, maybe some or most routers detect this situation and automatically reconfigure the built in DHCP server to use a non-conflicting network internally, in which case in might be:
"hmmm, that's weird, my neighbor's Ubiquiti router is working fine and my Trendnet router keeps rebooting."
Or... whatever. Not only have I never actually experienced this specific scenario in real life, I haven't tested it with every make and model of router in circulation either, so I can't say that the symptoms would always be the same. I would say with some confidence that if I did run into the issue I would figure it out fairly quickly, however, I might initially respond to my wife's complaints of the internet not working with "give me a minute, there's something weird going on..."

I'm not confused on the way the vast majority (all?) of home routers translate multiple internal private IPs to a single publicly routable IP or the way they keep track of which inbound packet goes to which host internally. I am, however, under the (perhaps mistaken) impression that most casual home network users have heard the abbreviation NAT to refer to the technique, regardless of whether a term like Masquerading may be more precise or descriptive. I feel like "NAT" was in the feature list on the back or side panel of every home router box from the last couple decades but I admit to doing a quick google image search and I didn't immediately find a good example, so maybe I'm making it up.

I like how Linux folks used to refer to NAT as "mangling" the packets, which seems right.

DNAT vs SNAT: and sometimes you do both at the same time. Fun.

I didn't state you were confused. In my experience however NAT means absolutely nothing to someone who is not a computer nerd, which I believe is the case with OP and as such I would have preferred it had not been mentioned at all because this type of jargon doesn't help in understanding that an untouched ISP router already provides more than sufficient security to everything you connect to the side that is marked `LAN`. In other words there is no point in enabling security to any specific machine inside your LAN, unless you have a trust issue with people that you do trust to be on your LAN.

A couple of comments

I mentioned NAT because if you Google it you’ll get lots of useful info whereas if you Google masquerading you get lots of info about pretence.

To say that an “untouched ISP router already provides more than sufficient security” is, I’d suggest, a little bit of a dangerous statement. I agree that they should but I’m sure you know that there are quite a few examples of ISP issued routers that have been found to have security flaws in them and have remained unpatched by the ISP for years - largely because they have no means of applying firmware updates and replacement (at a cost to them) is the only solution.

I’m in Uk. Sometimes people ask us to recommend an ISP and before we give a recommendation we always preface it by stating that you get what you pay for both in the choice of ISP and the cost of the router.

For the record it’s Zen and a Draytek Vigor.

Thank you all for the advice.

However, this is quickly becoming a specialist discussion!

In fact, what should I do?

I connect my Raspberry to my switch and that's it?

yes. That’s what I do. I’m assuming your router has typical firewall. I’ve personally never seen one that doesn’t.

You can change the password for your Pi from the default.

Sent from my Pixel 3a using Tapatalk

Yes, that is one of the morals of the (30+ year old) tectonic plate barrier joke: don't overdo security as it only harms yourself. Trust that the connections on the internet router are purposely marked internet and internal network respectively and that this implies that it provides the security you need to prevent people on the outside accessing your machine(s) on the inside. Also, worrying too much only makes you sick.

That is a clear case of YOMV. In fact I replaced my ISP provided router with my own precisely for the reason that it contained a backdoor to allow the ISP such updates and the first time they used it to update something in the router it destroyed my work VPN and I was disconnected from the office for quite some time before thinking of checking that ISP router - because that couldn't be it, right? I was seriously pissed off to find literally hundreds of silly internet game firewall profiles having been reinstated and my VPN profile removed.

YOMV? Google didn’t help. I understand the VPN issue. I use a VPN but I’m the only one of my family and friends that even know what a VPN is.

YMMV? Your Mileage May Vary?

Aha. That makes sense.

But it would be an unlikely typo, M is a fair distance from O [emoji2]

Sent from my Pixel 3a using Tapatalk

It's next to "Y" in Your?