NAT is a crappy replacement for what can be done with a simple stateful firewall though… It kind of works for one use case (where you want to block everything or have no more than one host on a single forwarded port) but hinders or breaks literally every other use case! And then if you’re behind CGNAT you’re even more restricted!
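The contrast drawn in the comment above, written as an nftables ruleset; this is an added example, not part of the original comment. The interface names `wan0` and `lan0` and every address (RFC 1918 space and the 2001:db8::/32 documentation prefix) are assumptions.

```nftables
# --- NAT with port forwarding (IPv4, one shared public address) ---
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Public port 443 can map to exactly one internal host.
        iifname "wan0" tcp dport 443 dnat to 192.168.1.10
        # A second HTTPS host has to move to a different public port.
        iifname "wan0" tcp dport 8443 dnat to 192.168.1.20:443
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

# --- Stateful firewall, no NAT (routed addresses, assumed 2001:db8:1::/64) ---
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to tracked flows, plus related ICMP/ICMPv6 errors
        # (for example Packet Too Big) for those flows.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open connections outward.
        iifname "lan0" oifname "wan0" accept

        # Unsolicited inbound traffic is dropped by the chain policy,
        # which is the "block everything" case. Exceptions are made
        # per host, so two hosts can both serve the same port.
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept
        iifname "wan0" ip6 daddr 2001:db8:1::20 tcp dport 443 accept
    }
}
```

Either table can be syntax-checked without being applied using `nft -c -f <file>`.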