How is NAT able to change port numbers? - networking

Based on my knowledge, I believe the following statements are true.
A router can only redirect packets and can interact up to the network (internet) layer only.
NAT maps the private IP to a public IP. It uses a NAT table in which the source private IP is mapped to the public IP, and the source port is also changed to a new source port.
My question is regarding the NAT function for ports. How can NAT, which works in a router, change something that relates to the transport layer (the port)?
i.e. when the private system sends the source port, how is NAT able to change it to a new port before sending it to the internet?
I am missing something or maybe I am wrong somewhere. Would appreciate the help.
Thanks

NATs intercept outgoing IP packets (including UDP and TCP) from nodes on the NAT's internal network and can modify the source IP and source port in the UDP or TCP header in place. It will update other fields in the header as well (e.g. the checksum).
Similarly, for incoming packets, the NAT will change the destination IP/port after finding an entry in its port mapping table that was created from a previous outbound packet or connection.
As to "how" - it just does. It literally reconstructs a new UDP/TCP/IP header using the exact same payload of what it received. The NAT is registered as the gateway device on the LAN, so all packets bound for the internet will be sent to the NAT's MAC address - if what you are wondering is how the NAT captures the packets to begin with.

Related

How to reach a specific computer in a network?

Let's say that I have a home network of 5 computers. They all share the same external IP address.
Suppose a machine that is outside the network sends a request (as a client) to one of the 5 computers (this computer will be the server) in this home network. It sends its message to the external IP address. Then, how does the router know which computer in the home network the message has to be routed to?
Typically when you talk about NAT, there are two main “flavours” - Source NAT & Destination NAT. There is another function called “PAT” (or Port Address Translation).
Source NAT is utilised when all your 5 computers are trying to reach out to the public (Internet) network. At this point your 5 computers get MASQUERADED with your public IPv4 address.
Destination NAT is what you're asking for. In this case, you must configure your router/firewall (the device that holds your public address & maintains your public connection) to "REDIRECT" or "DNAT" all incoming packets destined to a specific application (or port). For instance, if you have an HTTP server running on your private network server with address 10.0.0.3, you simply instruct your router to take all (or selected) TCP packets that have been sent to the public IP on ports 80/443 & send those to 10.0.0.3.
In a DNAT scenario you must explicitly instruct your router/firewall about every type of expected incoming connection. Another example can be that the same public address is being used for an SMTP server, and thus all TCP packets received on port 25 are sent to the local server 10.0.0.4 this time. And so on and so forth.
That’s in short how it works.
Network Address Translation (NAT) allows a single device, such as a router, to act as an agent between the Internet (or public network) and a local network (or private network), which means that only a single unique IP address is required to represent an entire group of computers to anything outside their network.
ADDRESS TRANSLATION (NAT) OVERLOAD allows your 5 computers to communicate with your router. Each computer has a unique private IP address.
When computer1 tries to communicate with a website, it sends the packet to the router.
The router replaces the private IP address (example: 192.168.1.1) with the single public IP address (example: 205.65.45.100) but uses the same source port number (for example port 5000) which is used by the computer. It won't change the source port number. And the router maintains an entry in the NAT table.
The reply from the internet (web server) arrives at the public interface of your router.
The router accepts the packet and checks the destination port entry. With the help of the NAT table, your router understands that it belongs to computer1. The router changes the single public IP address (example: 205.65.45.100) to your internal private address (example: 192.168.1.1) and your computer receives it.
This process is applicable for all 5 computers.
The above scenario is only applicable if your computers act as clients. If your computer acts as a server then the solution is "Port forwarding".
Port forwarding is needed when a machine on the Internet needs to initiate a connection to a machine that's behind a firewall or NAT router.
Refer to the video for detailed information.
https://www.youtube.com/watch?v=-K6jMYBfuIY

NAT on TCP connections

When we establish a TCP connection from PC1 to Server and send data through this connection, how does the Router know to which of the two PCs (PC1 and PC2) it should send the data on the way back from Server to PC1?
And
How does ping (ICMP) know to which internal node it should send the answer?
NAT (Network Address Translation) is stateful. It creates a translation table that has the layer-3 and layer-4 protocols and addresses. By looking up the return traffic addresses in the translation table, the NAT process can determine which inside addresses should be placed in the packet.
Edit:
Per the edit to your question, asking about ICMP (it is very bad form to change the question in order to ask a different question because it can invalidate the perfectly acceptable answers already given):
It is all the same as TCP or UDP. NAT creates a state table that is dynamically built as traffic passes from inside to outside. NAPT will allow you to overload a single IP address with traffic from multiple inside addresses, and it will translate the return traffic by looking up where to send it in its state table.
With NAPT, besides looking at and translating the IP address, NAPT looks at the layer-4 protocol (TCP, UDP, ICMP) and translates the layer-4 addresses (TCP or UDP port numbers or ICMP identifiers), too, storing the translations in its translation table. When return traffic is destined to a particular layer-3 and layer-4 address combination, from a particular layer-3 and layer-4 address combination, the NAPT process finds that in its translation table, and it can see where to send the traffic on the inside.
NAT is very resource intensive, and it breaks the IP paradigm of end-to-end connectivity, where every host is uniquely identified by its own IP address, which is why it is called a kludge (or worse). NAT was developed to extend the life of IPv4 until IPv6, with its nearly unlimited addressing, can become ubiquitous.
RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations:
4.1.2. Network Address Port Translation (NAPT)
NAPT extends the notion of translation one step further by also translating transport identifier (e.g., TCP and UDP port numbers, ICMP query identifiers). This allows the transport identifiers of a number of private hosts to be multiplexed into the transport identifiers of a single external address. NAPT allows a set of hosts to share a single external address. Note that NAPT can be combined with Basic NAT so that a pool of external addresses are used in conjunction with port translation.
For packets outbound from the private network, NAPT would translate the source IP address, source transport identifier and related fields such as IP, TCP, UDP and ICMP header checksums. Transport identifier can be one of TCP/UDP port or ICMP query ID. For inbound packets, the destination IP address, destination transport identifier and the IP and transport header checksums are translated.
A NAPT router in figure 2 may be configured to translate sessions originated from N-Pri into a single external address, say Addr-i. Very often, the external interface address Addr-Nx of NAPT router is used as the address to map N-Pri to.
There is a large pool of resources describing NAT (Network Address Translation), which is available if you search "nat explained". A great resource is the "What is NAT and how it work" tutorial.
The most important detail is that commonly we use NAPT (Network Address and Port Translation, commonly referred to as PAT - Port Address Translation) alongside NAT.
When a device needs to use the Internet, it must open a local (source) port and send the IP request to the other end. For example, a notepad with source IP address 192.168.1.2 needs to communicate with a web server at 216.58.212.35.
It fires up random source port 1234 and requests information from target port 80 (HTTP - web page).
This goes through the network's NAT device, which stores the information 192.168.1.2/1234 together with the new information that it computes, and sends the request as 46.103.93.105 (its own public IP) and a new source port, for example 2345.
The web server responds to the NAT device, which in turn finds the correlated information (source port 2345 targets 192.168.1.2/1234). The notepad receives the information and displays it to the user.
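The in-place rewrite described in the first answer, using the addresses from the answer above, as an added example that is not part of any post here: a NAT overwrites the source IP and source port of an IPv4/TCP packet and must then recompute the IP header checksum and the TCP checksum (which covers a pseudo-header containing both IP addresses). The packet layout, port numbers and addresses are constructed for the example; the parser assumes no TCP options.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """The TCP checksum covers a pseudo-header with both IP addresses, so a NAT
    must recompute it after changing the source address, not only after changing the port."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment)

def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header (no options) + payload."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, socket.IPPROTO_TCP, 0, src, dst)
    return ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:] + tcp

def napt_outbound(packet: bytes, public_ip: str, new_sport: int) -> bytes:
    """What the NAT does on the way out: overwrite source IP and source port in
    place, leave the payload untouched, and fix both checksums."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[12:16] = socket.inet_aton(public_ip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    tcp[0:2] = struct.pack("!H", new_sport)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(bytes(ip[12:16]), bytes(ip[16:20]), bytes(tcp)))
    return bytes(ip + tcp)

def parse(packet: bytes):
    """Return (src_ip, sport, dst_ip, dport, ip_checksum_ok, tcp_checksum_ok, payload)."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", tcp[:4])
    ip_ok = ones_complement_sum(ip) == 0
    tcp_ok = tcp_checksum(ip[12:16], ip[16:20], tcp) == 0
    return src, sport, dst, dport, ip_ok, tcp_ok, tcp[20:]
```

The inbound direction is the mirror image: destination IP and destination port are rewritten from the table entry and both checksums are recomputed the same way.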
The router adds information to the request header sent to the server that allows it to look up the sender when the reply is received. This is usually accomplished by using a table stored in the router's memory that maps the PC's address to the token added to the header.

How to connect to an open TCP port on a client machine from an unknown server?

I have been reading a lot about different NAT traversal techniques, but I am still a little unclear about how it works.
If I open a TCP port on a client machine and send a request to some arbitrary nonexistent server (which won't respond), my client NAT will now have an open channel, correct? Can I then use another (unknown) computer at a different IP address to access that client port if I know both the public and private IP of the client as well as the port number?
Or will my NAT check where my server packet is coming from and block it since it is not from the same IP address as the original request from the client machine?
Thanks in advance!
To answer your question, you need to know a little about NAT's mapping and filtering behavior. First let me state some information about NAT's mapping behavior:
If you send a packet from your internal IP:port through your NAT's IP:port to any address, then your NAT creates a mapping between your internal IP:port and its IP:port. Otherwise no one from outside your NAT can send you anything.
There are 4 types of NAT:
Full-cone NAT: If you previously sent a packet from your internal IP:port through your NAT's IP:port, then any outside host can send packets to your internal IP:port by sending a packet to your NAT's IP:port.
Address restricted cone NAT: An outside host can send packets to your internal IP:port by sending packets to your NAT's IP:port only if at least one packet has previously been sent from your internal IP:port to that outside host's IP address through your NAT's IP:port. Here the outside host's port doesn't matter; only the IP address has to be the same.
Port restricted cone NAT: Same as address restricted, but this time the outside host's port matters. At least one packet previously sent from your internal IP:port to that outside host's IP:port through your NAT's IP:port will allow that outside host to send you packets from its IP:port through your NAT's IP:port.
Symmetric NAT: Its mapping behavior is a little different from the others. For the previous 3 types of NAT, no matter where you send your data from your internal IP:port, it will go through the same NAT IP:port. But for a symmetric NAT, for a different destination your data will go through the NAT's same IP but a different port. And like port restricted cone, an incoming packet will be allowed through the NAT only if data was previously sent to that outside host's IP:port.
So for your scenario, only if your NAT is a full cone NAT can someone unknown who knows your NAT's public IP:port (the one from which you sent a packet to the unknown server) send you data over UDP transport. For other NATs it will be blocked, as you did not send any data to that outside host. But for your TCP connection no one can send you any data even if they know your private and public IP:port, as they are behind a different NAT. Read the details in this answer.
Read the details on wiki.
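The four mapping and filtering behaviours from the answer above, as an added example that is not part of the answer: a toy UDP-style NAPT table that records each outbound mapping and decides whether an unsolicited inbound packet is delivered or dropped. `punch_then_probe` replays the question's scenario (one packet to a server that never answers, then a different host tries the mapped public port); all addresses and ports are constructed for the example.

```python
FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED, SYMMETRIC = range(4)

class Nat:
    """Toy NAPT modelling the mapping and filtering rules of the four NAT types.
    Addresses are (ip, port) tuples; all values are constructed for the example."""

    def __init__(self, kind, public_ip="203.0.113.1", first_port=40000):
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}  # mapping key -> public port
        self.inside = {}    # public port -> inside (ip, port)
        self.sent_to = {}   # public port -> set of outside (ip, port) already contacted

    def outbound(self, src, dst):
        """Translate an outgoing packet; returns the public (ip, port) it leaves with."""
        # A symmetric NAT keys the mapping on the destination too, so the same
        # inside socket gets a different public port per peer; cone NATs reuse one.
        key = (src, dst) if self.kind == SYMMETRIC else src
        port = self.mappings.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.mappings[key] = port
            self.inside[port] = src
            self.sent_to[port] = set()
        self.sent_to[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Return the inside (ip, port) an incoming packet is delivered to, or None if dropped."""
        if public_port not in self.inside:
            return None  # no mapping: every NAT type drops unsolicited packets
        seen = self.sent_to[public_port]
        if self.kind == FULL_CONE:
            allowed = True
        elif self.kind == ADDR_RESTRICTED:
            allowed = any(ip == remote[0] for ip, _ in seen)
        else:  # port restricted and symmetric both filter on the exact ip:port
            allowed = remote in seen
        return self.inside[public_port] if allowed else None

def punch_then_probe(kind):
    """The question's scenario: the client sends one packet to a server that never
    answers, then an unrelated host tries the public port the client was mapped to."""
    nat = Nat(kind)
    _, public_port = nat.outbound(("192.168.1.10", 5000), ("198.51.100.7", 9999))
    return nat.inbound(("192.0.2.200", 4444), public_port)
```

Only the full cone case delivers the probe; the other three drop it, which is the filtering that NAT traversal techniques have to work around.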

ASP.NET Request.ServerVariables["REMOTE_ADDR"] <<< gives the "physical" connection IP?

Ignoring other possibilities such as Request.ServerVariables["HTTP_X_FORWARDED_FOR"], does Request.ServerVariables["REMOTE_ADDR"] give me the "principal" IP of the client?
I'm talking about the IP that made the actual TCP connection.
Will ServerVariables["REMOTE_ADDR"] always be the "real" IP address of the remote endpoint?
Just to clarify: Even if it's a proxy that made the real TCP connection, I'd like to have its IP, and not a forwarded one.
Yes, except if it's been through a NAT firewall. A NAT firewalled address would be masquerading many 192.168.x.x or any other private subnet behind a public IP address. So you'd be looking at the IP address of the NAT firewall (i.e. a Linksys router or what have you).
Be warned that many cell phone carriers have HUGE NAT networks so they always look like they are coming from one or two public IP addresses.
The REMOTE_ADDR variable will be the IP of the system that directly connected to your web server to request the URL; so it would be the forward-most proxy server, if there is a proxy server.

About Network Address Translation (NAT)?

Just curious about a particular scenario of NAT. Let's suppose we have 4 computers sharing a global IP address under the NAT. I understand that the NAT box keeps an internal record to know which computer to forward requests to. But let's say on computer #2 I'm trying to download a file. And let's say on computer #1, #3, and #4, I'm just browsing the web normally. When the browser initiates a TCP connection to get that file, how does it know which computer to give it to? I mean like, each of the four computers is using port 80 to browse the web right? How does the NAT's record distinguish which "port 80" belongs to which computer?
Each unique TCP connection on the internet is made up of four numbers - {source IP, source port, destination IP, destination port}.
A NAT gateway (GW) translates this to {GW public IP, GW-mapped port, destination IP, destination port} so the outside routers know to return packets to this particular gateway. It also keeps a mapping of these mapped ports back to source IP and port number, along the lines of {GW-mapped port -> {source IP, source port}}, which allows it to figure out what internal machine to send the response packets to.
The concept of "port 80 for HTTP" does not work like this. When a computer browses the web, only the server uses port 80, while the client uses a random port number. The server replies with the destination port provided by the client attached. Port 80 is just for knocking on the web server's door.
What the NAT does is translate all those 4 computers' outward packets such that their source ports do not duplicate. When the NAT receives a packet, it checks whether the attached destination port can be translated and translates it to the LAN if possible.