How to reach a specific computer in a network? - networking

Let's say that I have a home network of 5 computers. They all share the same external IP address.
Suppose a machine that is outside the network sends a request (as a client) to one of the 5 computers (this computer will be the server) in this home network. It sends its message to the external IP address. Then how does the router know which computer in the home network the message has to be routed to?

Typically when you talk about NAT, there are two main “flavours” - Source NAT & Destination NAT. There is another function called “PAT” (or Port Address Translation).
Source NAT is utilised when all your 5 computers are trying to reach out to the public (Internet) network. At this point your 5 computers get MASQUERADED with your public IPv4 address.
Destination NAT is what you’re asking for. In this case, you must configure your router/firewall (the device that holds your public address & maintains your public connection) to “REDIRECT” or “DNAT” all incoming packets destined to a specific application (or port). For instance, if you have an HTTP server running on your private network server with address 10.0.0.3, you simply instruct your router to take all (or selected) TCP packets that have been sent to the public IP on ports 80/443 & send those to 10.0.0.3.
In the DNAT scenario you must explicitly instruct your router/firewall about every type of expected incoming connection. Another example can be that the same public address is being used for an SMTP server, and thus all TCP packets received on port 25 are sent to the local server 10.0.0.4 this time. And so on and so forth.
That’s, in short, how it works.

Network Address Translation (NAT) allows a single device, such as a router, to act as an agent between the Internet (or public network) and a local network (or private network), which means that only a single unique IP address is required to represent an entire group of computers to anything outside their network.
Network Address Translation (NAT) OVERLOAD allows your 5 computers to communicate with your router. Each computer has a unique private IP address.
When computer1 tries to communicate with a website, it sends a packet to the router.
The router replaces the private IP address (example: 192.168.1.1) with the single public IP address (example: 205.65.45.100) but uses the same source port number (for example port 5000) used by the computer. It won’t change the source port number. And the router maintains an entry in the NAT table.
The reply from the internet (web server) arrives at the public interface of your router.
The router accepts the packet and checks the destination port entry. With the help of the NAT table, your router understands that it belongs to computer1. The router replaces the single public IP address (example: 205.65.45.100) with your internal private address (example: 192.168.1.1) and your computer receives it.
This process applies to all 5 computers.
The above scenario only applies if your computers act as clients. If your computer acts as a server then the solution is “Port forwarding”.
Port forwarding is needed when a machine on the Internet needs to initiate a connection to a machine that's behind a firewall or NAT router.
Refer to the video for detailed information.
https://www.youtube.com/watch?v=-K6jMYBfuIY

Related

Is TCP connect restricted in local area network?

A server IP is 151.101.129.69.
My home PC IP is 192.168.0.1, my office PC IP is also 192.168.0.1, but of course these 2 PCs are in different locations.
If both of my PCs are connecting to server port 80, there have to be 2 TCP connections.
We know that a TCP connection is composed of 4 parts, source IP/port and target IP/port, so it must NOT be like this at the same time (very coincidentally both clients start the connection with port 12345):
my home PC connection: 192.168.0.1:12345 <-> 151.101.129.69:80
my office PC connection: 192.168.0.1:12345 <-> 151.101.129.69:80
My guess is, every TCP connection in the world actually does not connect across gateways, it's more like:
192.168.0.1:12345(homePC) <-> 41.100.90.2:33333(homeRouter) <-> 151.0.1.1:44444(someKindOfPublicGateway) <-> 151.101.129.69:80(server)
The example above shows there are actually 3 TCP connections, while for my office PC it might be like this at the same time:
192.168.0.1:12345(officePC) <-> 10.132.10.88:55555(officeRouter) <-> 133.10.100.1:44444(officeNetworkGateway) <-> 140.144.10.1:54321(someKindOfPublicGateway) <-> 151.101.129.69:80(server)
So it's actually a different public gateway IP/port connecting to the server.
Is my understanding correct?
My guess is, every TCP connection in the world actually does not connect across gateways
What you describe is NAT, i.e. rewriting of source IP and port by gateways. This is not a requirement for TCP. The requirement for TCP is that there is a network route between client and server, i.e. the server can be reached by the client and the client can be reached by the server.
With private IP addresses like 192.168.0.1 though it is not possible to have such a network route to some host on the internet, since private IP addresses are by definition not routable in the public internet. That's why some kind of translation into a public routable IP is needed, and NAT provides this.
For TCP connections between systems on the public internet or systems inside the same private LAN such translation isn't necessary though. Thus no gateways are needed here. Note that systems on the public internet are not only servers. Instead many institutions have public IP addresses for their clients too. NAT is mainly used to address the shortage of IPv4 addresses, i.e. used for residential access, closed company networks or in mobile networks. With IPv6 such shortage is no longer a problem and some networks use private IPv4 addresses (requiring NAT) and public IPv6 (no NAT needed) in the same network.

How does a gateway router deliver the packet to a host in its local network (with only a private IP address like 192.168.2.101)?

When I send a request to a web server from one of my computers connected to my home wi-fi router, how does the response packet find its way back to my computer and not to the others?
All computers in my local network have only one public IP and different private IPs (starting with 192.168...) - but the source address in the outgoing IP packet will be that public IP, so the destination IP for the response packet will also be that public IP.
Where is the information about the private IP (like 192.168.2.101) stored?
Thanks to NAT, several private IP addresses can share a single public IP.
In both TCP and UDP each packet contains a source IP and a source port (along with a destination IP and port). When a machine in the private network sends a request to a public server, the NAT device/router overwrites the private source IP+source port in the request packet with the public IP of the router and some unique port, and stores the original source IP+port pair and the overwritten source port in a Translation Table. The remote server responds to the public IP of the router+overwritten port number, the router does a search in the Translation Table by the overwritten port number, puts the original private IP+port into the response packet and sends it to the private machine (to the original IP+port). Image from Wikipedia:
(more detailed on Wikipedia)
So the answer is: the Translation Table on the router makes it possible to distinguish computers in the local network and deliver responses to the correct local machines.

Identifying correct IP address of my machine

Let's say we have wifi at home. When I google "whatsmyip", it gives me my public IP address, which is essentially the IP address of my router on the internet.
Now let's say I have two machines (A and B) both hosting a web server. I want to reach the web server on my machine 'A' from outside my local network (from some other corner of the world); how can I ping that specific machine in my network? I understand for outgoing requests from my machine we have NAT, but what about incoming requests to a specific machine? How does the router resolve it?
How can I check that IP (for incoming requests) on my Windows/Linux machine?
e.g. let's say I have a Tomcat server running on port 8080 on machine A. Now if I open localhost:8080/home, it displays "Hello World". Now one of my friends, let's say in Europe, wants to access the "/home" endpoint. What IP would he use? {IP}:8080/home. I mean, how will he identify my machine, as only the router's IP address is visible to the internet?
To be able to reach your computer on the LAN behind your router you will need to do a port forward.
All connections to your public x.x.x.x:p IP/port address are forwarded to y.y.y.y:p.
You can't forward different connections on the same port to different machines in your LAN; you will have to implement a more sophisticated approach to be able to do that, like a load balancer that applies rules based on the domain etc.
To be able to ping, you have to forward ICMP requests to your LAN machine.

Port forwarding with private IP

I use a static IP connection, configured on a TP-LINK router.
I have a local server running which I can access from my network, but I want it to be accessible from outside the network.
So I did port forwarding, and it's successfully running.
Now the problem is: the IP address of my WAN is also a private address like 10.10.X.X, so when I enter http://10.10.X.X, I can access my site, but not from outside my network. Please guide me on how to fix this.
If your WAN address is a private address, your ISP is using CGN. This is becoming more common since the RIRs have, or soon will, run out of public IP addresses to assign to ISPs. It sounds like your ISP has run out of public addresses and needs to use private addresses for its residential customers, reserving its remaining public addresses for its business customers which are willing to pay for public addresses.
Basically, your ISP is using NAT, too. You would need to have the ISP forward your port on its NAT router, but the odds of that are zero since it probably has a policy you agreed to not to host servers on your residential LAN (buried in the fine print of the ISP agreement). This situation will play out more and more over time.
You have to use the "Virtual Server" settings. Port triggering is used for the following:
Once the modem router is configured, the operation is as follows:
1. A local host makes an outgoing connection to an external host using a destination port number defined in the Trigger Port field.
2. The modem router records this connection, opens the incoming port or ports associated with this entry in the Port Triggering table, and associates them with the local host.
3. When necessary, the external host will be able to connect to the local host using one of the ports defined in the Incoming Ports field.
It is not used for incoming connections which are triggered from outside!
Of course, to have it working you have to have an application listening on that port, not only the Windows firewall allowing the port.
After you set up the "Virtual Server", a port scanner should show you the port is open (even without a running application listening) - it will try to port forward it. I use ShieldsUp for testing.

How do two computers connect to same external address through NAT?

If I have two internal computers connecting to the same external IP address through a NAT router, how is the router able to get the traffic to the correct internal computer? It is my understanding that NAT forwards incoming packets to the computer that recently sent outgoing packets to the [incoming packet's] sender's IP address. Since both computers are sending to the same address, does the router forward the packet to both? If that is the case, is it the responsibility of the client software to determine which packets are relevant?
Is it possible if both computers are attempting to connect to the same port?
When you open a socket, you need to address a port on the destination system and open a conjugate listening port on your own system to receive any response. You have to send the destination system your listening port.
Having more than one system using the same modem
When you start a web browser and go to www.google.com:80, your browser obtains/searches for a free non-system conjugate port from the system for listening. Let us say the conjugate port is 10000. The listener port is for receiving the HTTP stream back from Google.
Then your kid sitting next to you incidentally also browses www.google.com:80 and his/her Google session on the PlayStation or Xbox-whatever also incidentally is assigned conjugate port 10000.
Both of you are sitting behind a cable modem, and behind the cable modem is your wireless router. And both of your systems are behind the wireless router - All sitting in that sequence, network topology-wise.
To prevent port address collision on the router/modem
Let us say that your cable company's DHCP assigns your modem the IPv4 address 72.72.72.72. But your wireless router's DHCP assigns 192.168.0.10 to your system and 192.168.0.11 to your kid's system.
When the frame carrying the information of your listener ports passes through your NAT router, it would translate either one or both listening ports. Let's say port 15000 for your page and port 16000 for your kid's page.
Your wireless router then sends your requests to the Google server as coming from 72.72.72.72:15000 and 72.72.72.72:16000.
The Google server then responds individually to 72.72.72.72:15000 and 72.72.72.72:16000, and when your wireless router encounters the response, it reaches into the mapping that it has stored and translates 72.72.72.72:15000 to 192.168.0.10:10000 to reach your system but translates 72.72.72.72:16000 to 192.168.0.11:10000 to reach your kid's system.
Running web/game/ftp/etc servers
But what if you have a web server or an ftp server running on your system. What if you have two systems and both have a web server and both web servers are listening on port 80?
Let us say the local IP addresses registered/assigned by your wireless router are 192.168.0.30 for your first web server system and 192.168.0.40 for your second web server system.
The wireless router would have a configuration web page, usually by default 192.168.0.1:80, unless you changed it. There would be a tab on the page where you could define/reserve application port mappings.
You could register with your wireless router to reserve the mapping:
192.168.0.30:80 => outgoing port 8080
192.168.0.40:80 => outgoing port 8088
So you have to phone your friends that your web/game servers are addressable through
72.72.72.72:8080 and 72.72.72.72:8088 respectively,
where the wireless router would preclude its port 8080 and 8088 from its own dynamic NAT usage.
Of course, 72.72.72.72 is only good until your ISP's DHCP decides to renew the IPv4 address of your modem to, say, 72.72.90.200. After which you would have to phone/email your friends and say:
Hey, the servers' addresses have changed to 72.72.90.200:8080 and 72.72.90.200:8088 respectively. Or you could subscribe to a dynamic DNS (DDNS) service to use a named domain, where the DDNS service will need you to install a simple heartbeat utility on your system to help them monitor the address variation. DDNS translation is a separate issue/strategy.
NAT modems
Newer ISP contracts supply you with a modem that has NAT. If so, you have to switch off either the one on your modem or the one on your wireless router. You should not use both - what's the point in translating twice, because NAT is simply to prevent address collision. When you switch off NAT on your wireless router, it can operate as a hub/switch and not a router anymore, so that you could connect it to the modem using one of its LAN sockets instead of through its WAN socket.
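As an added example (not code from any of the answers on this page), here is a small Python model of the translation table the answers above describe: two LAN hosts that both use source port 10000 receive distinct public ports, the server's replies are mapped back through the table, and an unsolicited connection from outside only reaches a LAN host when a static port forward (the "Virtual Server" entry, as in the 192.168.0.30:80 => 8080 mapping above, or the DNAT rules in the first answer) exists. All addresses and ports are constructed sample values, and the rule that only the contacted remote endpoint may answer on a dynamic mapping is an assumption of this toy, not something the answers state.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "72.72.72.72"   # constructed WAN address (the value the answer above uses)
FIRST_DYNAMIC_PORT = 15000  # constructed start of the pool for outbound translations

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Toy NAPT box: dynamic source NAT for LAN clients plus static DNAT (port forwarding)."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})  # "Virtual Server": public port -> (LAN ip, LAN port)
        self.table = {}  # translation table: public port -> (LAN ip, LAN port, remote ip, remote port)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the public IP and a public port unique per flow."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = next((p for p, flow in self.table.items() if flow == key), None)
        if pub_port is None:  # new flow: lowest free port, never one reserved for a forward
            pub_port = FIRST_DYNAMIC_PORT
            while pub_port in self.table or pub_port in self.forwards:
                pub_port += 1
            self.table[pub_port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt):
        """Internet -> LAN: map the public port back to a LAN host; None means the packet is dropped."""
        flow = self.table.get(pkt.dst_port)
        if flow is not None:
            lan_ip, lan_port, remote_ip, remote_port = flow
            # Assumption of this toy: only the remote endpoint the flow contacted may answer on it.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
            return None
        if pkt.dst_port in self.forwards:  # unsolicited, but an explicit port forward exists
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        return None  # unsolicited, no table entry, no forward: the router has nowhere to send it

def demo():
    nat = NatRouter(PUBLIC_IP, {8080: ("192.168.0.30", 80), 8088: ("192.168.0.40", 80)})
    web = ("198.51.100.80", 80)  # constructed address standing in for the remote web server
    outs = [nat.outbound(Packet(ip, 10000, *web)) for ip in ("192.168.0.10", "192.168.0.11")]
    backs = [nat.inbound(Packet(*web, PUBLIC_IP, o.src_port)) for o in outs]  # server replies
    friend = nat.inbound(Packet("203.0.113.7", 40000, PUBLIC_IP, 8080))  # lands on 192.168.0.30:80
    dropped = nat.inbound(Packet("203.0.113.7", 40001, PUBLIC_IP, 9999))  # no forward: dropped
    return outs, backs, friend, dropped
```

Running demo() shows both clients leaving as 72.72.72.72:15000 and 72.72.72.72:15001, each reply returning to its own 192.168.0.x:10000, the friend's connection on 8080 landing on 192.168.0.30:80, and the packet to port 9999 being dropped.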
The router manages "source" ports that are separate for each computer. While you may be connecting to port 80 on the "destination" the router may assign the source port to some high number port.
Wikipedia sums it up as:
Network address translation involves re-writing the source and/or destination IP addresses and usually also the TCP/UDP port numbers of IP packets as they pass through the NAT. Checksums (both IP and TCP/UDP) must also be rewritten to take account of the changes.
Already good answers are provided, but here is another example:
HOST A addr            HOST B addr
10.1.0.2:4040          10.1.0.3:4040
-----------------------------------------
NAT: 200.50.50.28:4040   200.50.50.28:4041   (what the external host sees)
200.50.50.28 is the router's global (internet) IP.
Every port number is unique in the NAT table. And of course the router does all the dirty work of modifying the source and destination addresses transparently.
It uses different ports for incoming external traffic, and the NAT then routes the packets on one port to one internal IP address, and the packets from the other port to the other internal IP address... The initial request from each internal computer, when it goes through the NAT on the way out, establishes which port will be used for the incoming traffic from the external IP address, and it tells the external server what port to send its traffic back on for that connection.
RFC 3022 provides a lot of information on how this works.
Since the public-facing or external IP address given by the Internet Service Provider (ISP) has been discussed, I would like to add to this.
You can ask your ISP to keep your public IP address from changing. It will become static, so that you do not have to tell your friends to change the IP address if they want to access your server inside your Network Address Translator (NAT).
As of this writing, a static IP address costs around 100 bucks. Most ISPs call it a business account.
You can determine your public facing IP Address by googling "what is my ip address".