HTTP request to web server from client using private ips - http

I'm curious why a client(android or c# based program, etc) behind a private router(or gateway, anyway with a private ip such as 192.168.xx.xx) can get a response from a request to a http server.
I know that this works, but just want to know how.
Is the client which is getting back the response need port forwarding unless it's not using a public ip?

He doesn't need port forwarding.
This can work by using NAT or PAT (Network Address Translation or Port Address Translation) configured in the Router mostly configured by the ISP's in the edge router.
-EDIT (more explanation added):
The edge router has some public IP (mostly pool of IP's) configured to communicate in internet (public network).
When the request that comes from internal network with private IP it takes that and changes the source IP (private IP) to one of the public IP's that has configured, thus the request would look like is made by the router itself.
Mostly will attach also a port number and save it in a database table (local db in router) with the private IP of the device who originally made the request and will forward the request to the internet.
Then, when the response is received by public server in that router, it will map it by the port with the private IP that had saved it in local db earlier, so it will know to whom it belonged originally, and will forward that to the IP

Related

Fritzbox public ip address with DS-Lite

I am struggeling to connect to my home server that is connected via a Fritzbox router to the internet. I want to connect to the home server from outside of the home net, as it serves as a NAS and provides HTTP(S) services.
The problem is, that I don't understand how to connect to the server over the internet. My Fritzbox is connected to my internet provider via DS-Lite internet connection. As far as I understood, this means that my Fritzbox has no public IPv4 address and therefore the server is not reachable.
Is it still somehow possible to connect to the server?
Reading your question, I can see that there are multiple steps to solve this.
figure out if your internet provider allows you to have incoming connections
I do not know, what a ds lite connection is. Depending on your connection type, e.g. glass fibre, dsl, mobile and your provider incoming connections might be allowed or not. Also specific ports might be forbidden.
Enable port forwarding for incoming connections to your lan server.
Your fritzbox does not know, where to route the incoming connection to.
Make your lan server ip address static. Go to your fritzbox admin page and create a port forwarding rule and map data incoming on port 80(HTTP) and 443(HTTPS) to the lan server ip address.
You can read further here: https://en.wikipedia.org/wiki/Port_forwarding
Figure out the fritzbox's public ip address by checking out this website from within your lan. https://whatismyipaddress.com/
Connect to your server via http(s)://publicip
setup dynamic dns to have a public domain, which you can use instead of the ip address.
Usually private customer internet connections use dynamic ip addresses. So your ip address changes regularly. This is annoying, because you need to lookup the ip address before you can connect again. To avoid this issue, you can use a dynamic dns provider to give you a domain name, which you can use instead of the public ip address. Your fritzbox should have this kind of functionality already. If not, you can also configure it on your server with a cron job.
You can read further here: https://en.wikipedia.org/wiki/Dynamic_DNS
This provider is easy to use and for free: https://freedns.afraid.org/
use the dynamic dns domain name instead othe public to access your server from anywhere
Be aware, that having open connections to your local network gives attack surface from the public internet. So people might steal or delete data on your server or abuse it in other ways.

How gateway router delivers the packet for host in its local network (with only private IP address like 192.168.2.101)?

When I send a request to web-server from one of my computers connected to home wi-fi router - how the response packet finds its way back to my computer and not to the other?
All computers in my local network have only one public IP and different private Ips (starting with 192.168...) - but source address in outgoing IP packet will be that public IP, so the destination IP for response packet will be also that public IP.
Where is the information about private IP (like 192.168.2.101) stored?
Thanks to NAT, several private IP addresses can share single public IP.
In both TCP and UDP each packet contains a source IP and a source port (along with a destination IP and port). When a machine in private network sends request to public server, NAT device/router overwrites private source IP+source port in the request packet with the public IP of the router and some unique port, and stores original source IP+port pair and overwritten source port in Translation Table. Remote server responds to public IP of the router+overwritten port number, router does a search in Translation Table by overwritten port number, and put original private ip+port into response packet and sends it to private machine (to original IP+port). Image from Wikipedia:
(more detailed on Wikipedia)
So the answer is: Translation Table on router allows to distinguish computers in local network and deliver responses to correct local machines.

How to reach to a specific computer in a newtork?

Let's say that I have a home network of 5 computers. They all share the same external IP address.
Suppose a machine that is outside the network sends a request (as a client) to one of the 5 computers (this computer will be the server) in this home network. It sends its message to the external IP address. Then, how does the router know to what computer in the home network the message has to be routed to?
Typically when you talk about NAT, there are two main “flavours” - Source NAT & Destination NAT. There is another function called “PAT” (or Port Address Translation).
Source NAT is utilised when all your 5 computers are trying to reach out to the public (Internet) network. At this point your 5 computers get MASQUARADED with your public IPv4 address.
Destination NAT is what you’re asking for. In this case, you must configure your router/firewall (device that holds your public address & maintains your public connection) to “REDIRECT” or “DNAT” all incoming packets destined to a specific application (or port). For instance, if you have an HTTP server running on your private network server with address 10.0.0.3, you simply instruct your router to send all (or selective) TCP packets that have been sent to the public IP on ports 80/443 & send those to 10.0.0.3.
In DNAT scenario you must explicitly instruct your router/firewall about every type of expected, incoming connection. Another example can be that same public address is been used for SMTP server and thus sending all TCP packets received on port 25 to be sent to local server 10.0.0.4 this time. And so on and so forth
That’s in short how it works.
Network Address Translation (NAT) allows a single device, such as a router, to act as an agent between the Internet (or public network) and a local network (or private network), which means that only a single unique IP address is required to represent an entire group of computers to anything outside their network.
ADDRESS TRANSLATION (NAT) OVERLOAD allows your 5 computers to communicate with your router. Each computer has unique private IP address.
When computer1 tries to communicate with website, it sends packet to router.
Router replace the private IP address (example: 192.168.1.1) with single public IP address (example: 205.65.45.100) but uses same source port number (for example Port 5000) which is used by computer. It won’t change the source port number. And Router maintains entry in NAT table.
The reply from the (web server) internet arrives at your public interface of your router.
The router accepts packet and check the destination port entry. With the help of the NAT table, your router understands that it belongs to computer1. Router changes single public IP address (example: 205.65.45.100) with your internal private address (example: 192.168.1.1) and your computer receives it.
This process is applicable for all 5 computers.
Above scenario is only applicable if your computers act as a client. If your computer acts as a server then the solution is “Port forwarding”.
Port forwarding is needed when a machine on the Internet needs to initiate a connection to a machine that's behind a firewall or NAT router.
Refer video for detail information.
https://www.youtube.com/watch?v=-K6jMYBfuIY

Why can't I access a local file from my public ip address if I can from my private ip address?

I'm able to open the website being served on port 4568 on 127.0.0.1 (localhost) and my private ip address, but I can't seem to do so on my public ip address. I've tried to access the website by typing :4568 after my public ip like I did for my localhost and private ip.
Is it possible to open a site running locally on my computer through my public IP? If so, how? If not, why not?
NOTE: I'm not exactly clear what tags are appropriate. Feel free to add or remove any you deem inappropriate.
You are likly behind a NAT. What this means is that your public IP address and private IP address are not necessarily mapped to each other fully. To explicitly map your application to your public address, try the following:
Go to your modems management page
Look for a 'Port Forwarding' tab (might be under an advanced or
router menu)
There will probably be two or three field to enter:
The port on the public ip address to forward traffic from
The IP address to forward traffic to (your private IP)
(might be there) The port to send it to on the private IP
Assuming this works, all traffic going to your public IP address on that port will now go to your private IP address.
WARNING This is a simple rule and everyone on the internet can now access that port
Also make sure your web server is listening on 0.0.0.0 (all IP addresses) and your local firewall is allowing remote connections on the port in question.

Port forwarding with private IP

I use a static IP connection, Configured to TPLINK router.
I have a local server running which i can access from my network, but i want it to be accessed outside network.
So I did port forwarding. and its Successfully running.
Now the problem is :: The IP address of my WAN is also a private address like 10.10.X.X, so when am entering http://10.10.X.X, i can access my site, but not outside my network. Please guide me how to fix this?
If your WAN address is a private address, your ISP is using CGN. This is becoming more common since the RIRs have, or soon will, run out of public IP addresses to assign to ISPs. It sounds like your ISP has run out of public addresses and needs to use private addresses for its residential customers, reserving its remaining public addresses for its business customers which are willing to pay for public addresses.
Basically, your ISP is using NAT, too. You would need to have the ISP forward your port on its NAT router, but the odds of that are zero since it probably has a policy you agreed to to not host servers on your residential LAN (buried in the fine print of the ISP agreement). This situation will play out more and more over time.
You have to use the "Virtual Server" settings. Port triggering is used for.
Once the modem router is configured, the operation is as follows: 1. A local host makes an outgoing connection to an external host using a destination port number defined in the Trigger Port field. 2. The modem router records this connection, opens the incoming port or ports associated with this entry in the Port Triggering table, and associates them with the local host. 3. When necessary, the external host will be able to connect to the local host using one of the ports defined in the Incoming Ports field.
It is not used for incoming connections which are triggered from outside!
Of course, to have it working you have to have an application listening on that port not only having the firewall on Windows allowing the port.
After you set up the "Virtual Server" a port scanner should show you the port is open (even without having a running application listening) - it will try to port forward it. I use ShieldsUp for testing.

Resources