How does a gateway router deliver a packet to a host on its local network (with only a private IP address like 192.168.2.101)?

When I send a request to a web server from one of my computers connected to my home Wi-Fi router, how does the response packet find its way back to my computer and not to another one?
All computers in my local network share only one public IP and have different private IPs (starting with 192.168...), but the source address in the outgoing IP packet will be that public IP, so the destination IP of the response packet will also be that public IP.
Where is the information about the private IP (like 192.168.2.101) stored?

Thanks to NAT, several private IP addresses can share a single public IP.
In both TCP and UDP, each packet contains a source IP and a source port (along with a destination IP and port). When a machine in the private network sends a request to a public server, the NAT device/router overwrites the private source IP + source port in the request packet with the public IP of the router and some unique port, and stores the original source IP + port pair and the overwritten source port in the translation table. The remote server responds to the public IP of the router + the overwritten port number; the router searches the translation table by the overwritten port number, puts the original private IP + port into the response packet and sends it to the private machine (to the original IP + port). Image from Wikipedia:
(more detailed on Wikipedia)
So the answer is: the translation table on the router makes it possible to distinguish the computers in the local network and deliver responses to the correct local machines.

Related

How to reach a specific computer in a network?

Let's say that I have a home network of 5 computers. They all share the same external IP address.
Suppose a machine that is outside the network sends a request (as a client) to one of the 5 computers (this computer will be the server) in this home network. It sends its message to the external IP address. Then, how does the router know to which computer in the home network the message has to be routed?
Typically when you talk about NAT, there are two main “flavours”: Source NAT and Destination NAT. There is another function called “PAT” (Port Address Translation).
Source NAT is utilised when all your 5 computers are trying to reach out to the public (Internet) network. At this point your 5 computers get MASQUERADED with your public IPv4 address.
Destination NAT is what you’re asking for. In this case, you must configure your router/firewall (the device that holds your public address and maintains your public connection) to “REDIRECT” or “DNAT” all incoming packets destined for a specific application (or port). For instance, if you have an HTTP server running on your private network server with address 10.0.0.3, you simply instruct your router to take all (or selected) TCP packets that were sent to the public IP on ports 80/443 and send them to 10.0.0.3.
In the DNAT scenario you must explicitly instruct your router/firewall about every type of expected incoming connection. Another example: the same public address is being used for an SMTP server, so all TCP packets received on port 25 are sent to the local server 10.0.0.4 this time. And so on and so forth.
That’s in short how it works.
Network Address Translation (NAT) allows a single device, such as a router, to act as an agent between the Internet (or public network) and a local network (or private network), which means that only a single unique IP address is required to represent an entire group of computers to anything outside their network.
NETWORK ADDRESS TRANSLATION (NAT) OVERLOAD allows your 5 computers to communicate through your router. Each computer has a unique private IP address.
When computer1 tries to communicate with a website, it sends the packet to the router.
The router replaces the private IP address (example: 192.168.1.1) with the single public IP address (example: 205.65.45.100) but uses the same source port number (for example port 5000) that is used by the computer. It won’t change the source port number. And the router maintains an entry in the NAT table.
The reply from the Internet (web server) arrives at the public interface of your router.
The router accepts the packet and checks the destination port entry. With the help of the NAT table, your router understands that it belongs to computer1. The router replaces the single public IP address (example: 205.65.45.100) with your internal private address (example: 192.168.1.1) and your computer receives it.
This process is applicable to all 5 computers.
The above scenario is only applicable if your computers act as clients. If your computer acts as a server then the solution is “port forwarding”.
Port forwarding is needed when a machine on the Internet needs to initiate a connection to a machine that's behind a firewall or NAT router.
Refer to the video for detailed information.
https://www.youtube.com/watch?v=-K6jMYBfuIY

How to route between two private network?

I know that routers will drop IP packets with a private destination IP. Then how do you route between private networks?
If there is no solution to that, then how do the private networks in a big corporation communicate with each other?
routers will drop ip packets with private destination ip
No. Only when they are configured that way, usually when they route into a public IP range. Consumer routers may be preconfigured that way in their firmware.
how to route between private networks?
Set up the router with a working routing table and let it do its job.
Routing private destination IP addresses across public IP networks involves tunneling, most often encrypted tunneling (VPN). The local tunnel gateway wraps the actual IP packet in a transport packet that's addressed to the remote gateway. The transport packet is routed normally and on arrival at the remote gateway, the wrapper is removed and the actual packet restored.
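The two answers above say to give the router a working routing table and, for private destinations that must cross the public Internet, to tunnel the packet to the remote gateway. The following is an added example in Python, not code from either answer, that puts both together: a longest-prefix-match routing table sends a packet for a remote private network to the tunnel, the tunnel wraps the inner IPv4 packet in an outer IPv4 packet addressed between the two gateways' public addresses (plain IP-in-IP, protocol 4, as a stand-in for the encrypted VPN the answer mentions; no encryption is shown), and the remote gateway unwraps it. The LAN 192.168.1.0/24, the remote network 10.20.0.0/16 and the gateway addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges are all constructed sample values.

```python
import ipaddress
import socket
import struct

IPPROTO_IPIP = 4  # IP-in-IP encapsulation (RFC 2003), a stand-in here for a VPN tunnel

# Constructed routing table for the local gateway: (prefix, next hop).
# "direct" = deliver on the LAN, "tunnel" = wrap and send to the remote gateway,
# anything else = the address of the next-hop router (the ISP uplink).
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "direct"),
    (ipaddress.ip_network("10.20.0.0/16"), "tunnel"),
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.254"),
]
LOCAL_GW, REMOTE_GW = "203.0.113.1", "198.51.100.1"  # public tunnel endpoints (constructed)
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, checksum, src, dst


def next_hop(dst, routes=ROUTES):
    """Longest-prefix match: of all routes containing dst, the most specific one wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options) followed by payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(IPV4_HDR, *fields))  # computed with the field zeroed
    return struct.pack(IPV4_HDR, *fields) + payload


def parse_ipv4(pkt):
    """Parse and verify a header; returns the addresses, protocol, TTL and payload."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def forward(inner_pkt):
    """Local gateway: consult the routing table; on the tunnel route, return the wrapped packet."""
    hop = next_hop(parse_ipv4(inner_pkt)["dst"])
    if hop != "tunnel":
        return hop, inner_pkt  # on-link delivery or hand-off to the next-hop router, unchanged
    # The transport packet carries only public addresses, so the Internet can route it
    # even though the inner destination (10.20.x.x) is private.
    return "tunnel", build_ipv4(LOCAL_GW, REMOTE_GW, IPPROTO_IPIP, inner_pkt)


def decapsulate(outer_pkt, expected_peer=LOCAL_GW):
    """Remote gateway: strip the wrapper and return the original private packet."""
    outer = parse_ipv4(outer_pkt)
    # Plain IP-in-IP carries no authentication, so this peer-address check is the only gate;
    # a real VPN authenticates and encrypts the inner packet instead of trusting the source.
    if outer["proto"] != IPPROTO_IPIP or outer["src"] != expected_peer:
        raise ValueError("rejected: not an IP-in-IP packet from the configured peer")
    return outer["payload"]


if __name__ == "__main__":
    inner = build_ipv4("192.168.1.10", "10.20.0.5", 6, b"hello")  # proto 6 = TCP; payload constructed
    hop, wire = forward(inner)
    outer = parse_ipv4(wire)
    print(f"{hop}: outer {outer['src']} -> {outer['dst']}, inner restored: {decapsulate(wire) == inner}")
```

The routing decision and the encapsulation are deliberately separate steps: the table only says "this prefix goes into the tunnel", and the tunnel only cares about the two gateway addresses, which is how a corporate site-to-site setup keeps the private address plan intact on both ends.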

Why can't I access a local file from my public ip address if I can from my private ip address?

I'm able to open the website being served on port 4568 on 127.0.0.1 (localhost) and on my private IP address, but I can't seem to do so on my public IP address. I've tried to access the website by typing :4568 after my public IP like I did for my localhost and private IP.
Is it possible to open a site running locally on my computer through my public IP? If so, how? If not, why not?
NOTE: I'm not exactly clear what tags are appropriate. Feel free to add or remove any you deem inappropriate.
You are likely behind a NAT. What this means is that your public IP address and private IP address are not necessarily mapped to each other fully. To explicitly map your application to your public address, try the following:
1. Go to your modem's management page.
2. Look for a 'Port Forwarding' tab (might be under an advanced or router menu).
3. There will probably be two or three fields to enter:
   - The port on the public IP address to forward traffic from
   - The IP address to forward traffic to (your private IP)
   - (might be there) The port to send it to on the private IP
Assuming this works, all traffic going to your public IP address on that port will now go to your private IP address.
WARNING: This is a simple rule and everyone on the Internet can now access that port.
Also make sure your web server is listening on 0.0.0.0 (all IP addresses) and your local firewall is allowing remote connections on the port in question.
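The last point, that the server must listen on 0.0.0.0 rather than only on 127.0.0.1, can be checked without touching the router. The following is an added Python example, not code from the answer, that starts a throwaway TCP listener bound to one address and reports whether a connection to that port through a different address succeeds. It stays inside the loopback range: on Linux all of 127.0.0.0/8 is loopback, so 127.0.0.2 stands in for "the machine's other address" (the LAN or public-facing one) without needing a second interface; on systems where 127.0.0.2 is not configured, that case simply reports unreachable.

```python
import socket


def reachable(bind_addr, connect_addr):
    """Listen on bind_addr (kernel-chosen port), then connect to that port via connect_addr.
    Returns True if the TCP handshake completes, False if the kernel refuses it or it times out."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(2.0)
    try:
        cli.connect((connect_addr, port))  # the handshake completes in the kernel; no accept() needed
        return True
    except OSError:  # ECONNREFUSED, EADDRNOTAVAIL, timeout, ...
        return False
    finally:
        cli.close()
        srv.close()


def listen_report():
    """Compare the bindings a web server typically offers (constructed sample cases)."""
    cases = [
        ("127.0.0.1", "127.0.0.1"),  # localhost-only server, reached via localhost: works
        ("127.0.0.1", "127.0.0.2"),  # localhost-only server, reached via another address: refused
        ("0.0.0.0", "127.0.0.2"),    # server on all addresses: reachable via any local address (Linux)
    ]
    return {(bind_addr, via): reachable(bind_addr, via) for bind_addr, via in cases}


if __name__ == "__main__":
    for (bind_addr, via), ok in listen_report().items():
        print(f"bound to {bind_addr:9} connect via {via:9} -> {'reachable' if ok else 'refused'}")
```

If the second case is refused while the first succeeds, the server is bound to loopback only and no port-forward rule will help until the bind address is changed; if the third case succeeds, the remaining suspects are the local firewall and the router's forwarding rule.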

HTTP request to web server from client using private ips

I'm curious why a client (Android or C#-based program, etc.) behind a private router (or gateway, anyway with a private IP such as 192.168.xx.xx) can get a response to a request to an HTTP server.
I know that this works, but just want to know how.
Does the client that gets the response back need port forwarding if it's not using a public IP?
It doesn't need port forwarding.
This works by using NAT or PAT (Network Address Translation or Port Address Translation) configured in the router, mostly configured by the ISPs in the edge router.
EDIT (more explanation added):
The edge router has some public IP (mostly a pool of IPs) configured to communicate on the Internet (public network).
When a request comes from the internal network with a private IP, it takes that and changes the source IP (private IP) to one of the public IPs that it has configured, so the request looks as if it were made by the router itself.
Mostly it will also attach a port number and save it in a database table (local DB in the router) together with the private IP of the device that originally made the request, and will forward the request to the Internet.
Then, when the response from the public server is received by that router, it will map it by the port to the private IP that it had saved in the local DB earlier, so it will know to whom it belonged originally, and will forward that to the IP
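The four answers above describe the same mechanism from slightly different angles: a translation table keyed by the rewritten source port (the first answer), Source NAT for outgoing traffic plus Destination NAT/port forwarding for a server on the LAN (the "two flavours" answer), NAT overload that keeps the client's own source port (the five-computers answer), and the router saving port and private IP in a local table (this answer). The following Python simulator is an added example, not code from any of those answers, that puts them together: outbound packets keep their source port when it is free and get a fresh one when two hosts collide, replies are matched by destination port and accepted only from the remote endpoint the flow was opened to, and unsolicited inbound packets are dropped unless a static port-forward rule names the port. The public address 205.65.45.100 and the 192.168.1.x hosts are the sample values from the answers; the web server 203.0.113.10, the stray sender 198.51.100.7 and the forwarded LAN server 192.168.1.3 are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "205.65.45.100"  # the router's one public address (sample value from the answers)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for the three private blocks; hand-rolled so documentation ranges count as public."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Stateful NAPT (NAT overload / PAT) plus static port forwarding (DNAT)."""

    def __init__(self, port_forwards=None):
        # Dynamic translation table: public port -> (private ip, private port, remote ip, remote port)
        self.table = {}
        # Static DNAT rules: public port -> (private ip, private port)
        self.port_forwards = dict(port_forwards or {})
        self.next_port = 49152  # first port tried when the client's own port is already in use

    def _taken(self, port):
        return port in self.table or port in self.port_forwards

    def outbound(self, pkt):
        """LAN -> Internet: source becomes PUBLIC_IP:<public port>; the flow is recorded."""
        if not is_rfc1918(pkt.src_ip) or is_rfc1918(pkt.dst_ip):
            return pkt  # not ours, or LAN-to-LAN: routed without translation
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:
                return replace(pkt, src_ip=PUBLIC_IP, src_port=pub_port)  # existing flow
        pub_port = pkt.src_port  # keep the client's port when it is free (port preservation)
        if self._taken(pub_port):  # two hosts picked the same port: allocate a fresh one
            while self._taken(self.next_port):
                self.next_port += 1
            pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = flow
        return replace(pkt, src_ip=PUBLIC_IP, src_port=pub_port)

    def inbound(self, pkt):
        """Internet -> LAN: look up the destination port; None means the packet is dropped."""
        if pkt.dst_ip != PUBLIC_IP:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            priv_ip, priv_port, remote_ip, remote_port = entry
            # Only the endpoint this flow was opened to may answer on the mapped port
            # (address-and-port-restricted); anything else is discarded.
            if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
                return None
            return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
        if pkt.dst_port in self.port_forwards:  # unsolicited, but a port-forward rule exists
            priv_ip, priv_port = self.port_forwards[pkt.dst_port]
            return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
        return None  # unsolicited and no rule: this is why a LAN server needs port forwarding


def demo():
    """Two LAN hosts that both chose source port 5000, plus a LAN web server (constructed)."""
    router = NatRouter(port_forwards={80: ("192.168.1.3", 80)})
    server = ("203.0.113.10", 443)  # a public web server (documentation address, constructed)
    a = router.outbound(Packet("192.168.1.1", 5000, *server))
    b = router.outbound(Packet("192.168.1.2", 5000, *server))
    reply_a = router.inbound(Packet(*server, PUBLIC_IP, a.src_port))
    reply_b = router.inbound(Packet(*server, PUBLIC_IP, b.src_port))
    stray = router.inbound(Packet("198.51.100.7", 40000, PUBLIC_IP, a.src_port))  # wrong peer
    unsolicited = router.inbound(Packet("198.51.100.7", 40000, PUBLIC_IP, 4568))  # no rule
    forwarded = router.inbound(Packet("198.51.100.7", 40000, PUBLIC_IP, 80))      # DNAT rule
    return a, b, reply_a, reply_b, stray, unsolicited, forwarded


if __name__ == "__main__":
    for label, pkt in zip(("a", "b", "reply_a", "reply_b", "stray", "unsolicited", "forwarded"), demo()):
        print(f"{label:12} {pkt}")
```

The second host's packet leaves with port 49152 instead of 5000, which is the situation the port-preservation description does not cover; the stray and unsolicited packets come back as None, which is the dropped case that makes a LAN-side server need the static rule.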

Why is my IP address public and not private?

At work, I have a desktop that is connected to the Internet with Ethernet.
It does not have a private IP address but a public one: 172.16.30.208.
My laptop, which is connected wirelessly, has an IP address which is again NOT private: 128.208.138.125.
When I ping my laptop from the desktop (packets received):
ping 128.208.138.125,
PING 128.208.138.125 (128.208.138.125): 56 data bytes
64 bytes from 128.208.138.125: icmp_seq=0 ttl=59 time=83.788 ms
64 bytes from 128.208.138.125: icmp_seq=1 ttl=59 time=24.384 ms
64 bytes from 128.208.138.125: icmp_seq=2 ttl=59 time=120.292 ms
But when I ping my desktop from the laptop (no response):
ping 172.16.30.208
PING 172.16.30.208 (172.16.30.208): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
The questions are:
Why are the IP addresses on both computers not private? (Anything starting with 192.X.X.X or 10.X.X.X is private, I suppose.)
Why was I able to ping from the desktop to the laptop but not the other way?
I understand that the desktop and laptop are on different networks.
Addresses in the range 172.16.0.0 to 172.31.255.255 are also reserved, like 192.168.x.x and 10.x.x.x, and are not routed externally. http://en.wikipedia.org/wiki/Reserved_IP_addresses. So the DHCP settings on the ethernet router in question don't match the more common 192.168.x.x or 10.x.x.x defaults, but the router isn't handing out public addresses.
Edit - because the comments are getting long:
The desktop can successfully ping the laptop because of NAT (http://en.wikipedia.org/wiki/Network_address_translation). This is how any machine with an internal IP is able to get data from outside the local network. Continuing with the example from this question: The desktop assembles a ping request packet with the laptop's public IP as the destination. When the local router sees that the destination is external but the source is internal, it swaps the source address for the router's own public address before sending. That means the laptop just replies directly to the router. However, when the router gets the response, it remembers which local device actually requested the ping and swaps the destination address on the response from the router public address to the correct internal address before passing it through to the internal network.
Edit - Elaborating on the laptop side
Quick disclaimer: The public/private question of the laptop IP is pretty specific to the UW network setup, which I haven't actually worked with, so much of the following is conjecture based on my links from the comments.
The short answer:
128.208.135.125 is a public IP address that is owned by UW. It will only be assigned to one device at a time (i.e. your laptop right now).
The long answer:
The UW network runs a different type of NAT that they call "Masquerading". Each NAT setup comes with its own lists of pros and cons; I will only be highlighting a few considerations. The key difference here lies in this step from my previous NAT overview, "[the router] remembers which local device actually requested[...]". Normally, the router "remembers" by keeping a table of local addresses and the recent requests made by the associated devices so it knows which replies go to whom. With this setup, the address translation must always be done to route data between internal and external devices. In the masquerading version, each device has both a public and private address and the table no longer has to track requests; it just maps between the public and private addresses. This means the address translation can be optional depending on the context, and hosts connected to the UW network in this fashion can communicate among themselves using either private or public addresses depending on how the host would like the packets to be treated by the router(s) and firewall(s). However, any device outside the masquerading section of the network needs to use the public address. This also allows an optimization, that UW has taken advantage of, where the table can be implied by convention. In this case, the address translation will always be changing the leading "128" in the address to "10" or vice-versa, so the table doesn't need to be stored anywhere. Your laptop's private address will be 10.208.135.125.
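Two points in this answer can be checked in code: which addresses are reserved for private use (the question assumed only 192.x.x.x and 10.x.x.x), and the "table implied by convention" translation the answer conjectures for the UW network, where only the leading octet changes. The following is an added Python example, not code from the answer, that classifies an address against the three RFC 1918 blocks and implements that conjectured stateless 1:1 mapping as a generic network-to-network translation (same host part, other prefix), so 128.208.135.125 maps to 10.208.135.125 and back with no table stored. The 128.0.0.0/8 to 10.0.0.0/8 pairing is taken from the answer's description and is an assumption about that network, not a verified fact.

```python
import ipaddress

# The three private blocks reserved by RFC 1918.
PRIVATE_BLOCKS = {
    "10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),
    "172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),
    "192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
}


def classify(ip):
    """Name the RFC 1918 block containing ip, or report that none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in PRIVATE_BLOCKS.items():
        if addr in net:
            return name
    return "not RFC 1918 private"


class StaticNat:
    """Stateless 1:1 NAT between two equally sized prefixes: no table, just an offset."""

    def __init__(self, public_net, private_net):
        self.public_net = ipaddress.ip_network(public_net)
        self.private_net = ipaddress.ip_network(private_net)
        if self.public_net.prefixlen != self.private_net.prefixlen:
            raise ValueError("both prefixes must be the same size for a 1:1 mapping")

    def _map(self, ip, src_net, dst_net):
        addr = ipaddress.ip_address(ip)
        if addr not in src_net:
            raise ValueError(f"{ip} is outside {src_net}; no translation applies")
        offset = int(addr) - int(src_net.network_address)
        return str(dst_net[offset])  # same position inside the other prefix

    def to_private(self, public_ip):
        return self._map(public_ip, self.public_net, self.private_net)

    def to_public(self, private_ip):
        return self._map(private_ip, self.private_net, self.public_net)


# The answer's conjectured convention: leading 128 <-> leading 10 (assumption from the answer's text).
UW_CONVENTION = StaticNat("128.0.0.0/8", "10.0.0.0/8")

if __name__ == "__main__":
    for ip in ("172.16.30.208", "172.32.0.1", "192.168.2.101", "192.0.2.1", "128.208.138.125"):
        print(f"{ip:16} {classify(ip)}")
    print(UW_CONVENTION.to_private("128.208.135.125"), "<->", UW_CONVENTION.to_public("10.208.135.125"))
```

The classification shows the edge cases the "starts with 192" rule of thumb gets wrong: 172.32.0.1 sits just outside the /12 and 192.0.2.1 is not in 192.168.0.0/16, so neither is RFC 1918 private even though 172.16.30.208 is.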
