
> End users can use NAT just fine. Servers can use […] reverse proxies, sharing single IPv4 address

So you want all computers to be behind at least a single layer of NAT. And you also want people to not only have to purchase a domain but also have to pay their NAT operator to add their domain to the reverse proxy.




Eyeball networks are vastly different from content networks. Even among the tinkerer "homelab" and HN crowds, it is rare to host content from the same connection/address you browse from.


You're confusing cause and effect.

They're very different precisely because of hacky nonsense like NAT.


How is (home) NAT making the problem more complex than a stateful firewall? You never want to have a policy where incoming connections/UDP streams are permitted by default to reach any random device on the network, regardless of whether that device has a routable IP or not.

Now, CGNAT is a different beast and more worrisome from that point of view.


> How is (home) NAT making the problem more complex than a stateful firewall?

ICE/TURN/STUN: the address that your software sees on your laptop, desktop, home NAS is not the address that clients can connect to.

In both NAT and non-NAT you have to use UPnP/PCP to do hole punching, but with NAT you have to do a bunch of address-y stuff as well.
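Added example, not part of any comment in this thread: the address mismatch described above is what a STUN Binding response reports in its XOR-MAPPED-ADDRESS attribute (RFC 5389). The sketch below parses that attribute from a constructed response and compares it with the address the host itself sees; the function names, the documentation-range addresses and the sample message are assumptions made for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442        # fixed value defined by RFC 5389
BINDING_SUCCESS = 0x0101         # Binding Success Response message type
XOR_MAPPED_ADDRESS = 0x0020      # attribute carrying the address the server saw

def build_binding_success(txid: bytes, ip: str, port: int) -> bytes:
    """Construct a sample response (stands in for a real server's reply)."""
    addr = ipaddress.ip_address(ip)
    key = struct.pack("!I", MAGIC_COOKIE) + txid
    xaddr = bytes(a ^ k for a, k in zip(addr.packed, key))
    family = 0x01 if addr.version == 4 else 0x02
    value = struct.pack("!BBH", 0, family, port ^ (MAGIC_COOKIE >> 16)) + xaddr
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr

def parse_mapped_address(msg: bytes, txid: bytes):
    """Return (ip, port) from XOR-MAPPED-ADDRESS; reject malformed or unsolicited replies."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    mtype, mlen, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or msg[8:20] != txid:
        raise ValueError("not the response to our request")
    if mlen != len(msg) - 20:
        raise ValueError("length field mismatch")
    key, off = msg[4:20], 20     # XOR key: magic cookie followed by transaction ID
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        value = msg[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == XOR_MAPPED_ADDRESS:
            if alen not in (8, 20):
                raise ValueError("bad XOR-MAPPED-ADDRESS length")
            _, family, xport = struct.unpack("!BBH", value[:4])
            if {0x01: 8, 0x02: 20}.get(family) != alen:
                raise ValueError("address family does not match length")
            raw = bytes(a ^ k for a, k in zip(value[4:], key))
            return str(ipaddress.ip_address(raw)), xport ^ (MAGIC_COOKIE >> 16)
        off += 4 + alen + (-alen % 4)   # attributes are padded to 32 bits
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")

def behind_nat(local_ip: str, msg: bytes, txid: bytes) -> bool:
    """True when the host's own address differs from the one the server saw."""
    mapped_ip, _ = parse_mapped_address(msg, txid)
    return ipaddress.ip_address(local_ip) != ipaddress.ip_address(mapped_ip)
```

Checking the transaction ID and magic cookie before trusting the reported address keeps a spoofed or stray UDP datagram from being accepted as the host's public endpoint.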


How do you have two different devices running a webserver on two different IPs at home with NAT?


In a decade or two, everyone is going to be behind CGNAT. There are not enough IPv4 addresses.



