Regarding your article What’s the difference between a hub, a switch, and a router? your description of routers raised a question. When using NAT, how does the router know which local IP address should receive an incoming packet? Using your example network, suppose computer “A” sends out a packet to someone on the internet. But what if at the SAME time, computer “B” sends out a packet to the SAME someone?
Now, each local IP address (from computers “A” and “B”) both get translated to the same internet IP address (72.134.xx on your diagram) and then sent out to the same someone on the internet. That person then sends back responses for both computer “A” and computer “B” on the same internet IP address. The router receives these response packets, but how does the router know which packet goes to which computer? Both came in from the same place with the same destination internet IP address.
It turns out that NAT, or Network Address Translation, is actually a very simple concept; one that we rely on every day to share a single internet connection across multiple computers as well as to keep those computers safe from internet threats.
Simple in concept, maybe, but difficult — complex even — to explain.
But, I’ll give it a shot.
Become a Patron of Ask Leo! and go ad-free!
Network Connections and Ports
First, we have to understand how a simple computer-to-computer connection works in TCP/IP.
When data is transmitted from one computer to another over TCP/IP, two pieces of information are needed:
- The IP address of the computer to which the data is being sent.
- The port number on that remote computer, which is prepared to accept the data.
Port numbers are used to define the kind of data being sent. For example, port 25 is a port used to send email. A server configured to receive data on port 25 expects it to be the SMTP mail sending protocol.
A port number is required in both directions.
When a data conversation is to happen — in other words, data is being transmitted in both directions — not only must a computer send to a particular IP address and port number, but responses must also be sent to a specific IP address and port number. (And for the record, almost every TCP/IP connection is a conversation – even if the data coming back is only to periodically say, “Yep, I got that. Send me more”.)
When a connection for a conversation (like sending mail) is established, the initiator of the conversation contacts a specific port at a specific IP address, and also says, “My IP address is x.x.x.x and I’m ready to accept your response on port yyyy.” I’ll refer to “yyyy” as the response-port.
Response-port numbers are not standard — they’re made up and assigned when a connection is created so the software knows anything it receives on port “yyyy” is something in response to the conversation it initiated.
In the diagram above, the computer is establishing an email sending connection (port 25) to the computer at the IP address 188.8.131.52. It includes its own IP address and makes up a port number (12345 above) as the response-port for any data received back as part of the conversation.
The computer knows how to transmit data to the server and the server knows how to reply.
We have a conversation.
The NAT Router
If we insert a router into the picture, things get interesting.
First, the IP address of the computer changes. It gets a local IP address assigned by the router. In fact, multiple computers can be connected – each gets its own local IP address.
Second, the router actually has two IP addresses:
- On the local “side” of the router – the LAN – the router typically assigns itself an address of 192.168.1.1, often known as the “gateway” address.
- On the Internet side of the router, the WAN (the router) is assigned a real internet IP address by your ISP, just as if it were a computer directly connected to the internet itself.
The NAT conversation
Let’s revisit our TCP/IP conversation from above, but this time inserting the NAT router into the mix.
Computer #1 wants to send mail. It gets the IP address of the remote sever and sends a request to connect to port 25 on that server.
But … where does it send it? It’s not actually connected directly to the internet. In fact, the only devices that it can talk to directly are the other computers on the LAN and the router.
That’s where this concept of a gateway comes in. Connections to devices that are not on the local network are sent via the device at the gateway IP address.
In other words, the router.
At this point, then, the computer tells the LAN-side of the router, “I want to connect to 184.108.40.206, port 25, and I’m ready for responses on my IP address, 192.168.1.2, port 45676.”
The router then handles the next leg of the conversation by connecting to that remote service from its internet side. Its conversation looks like this: “I want to connect to 220.127.116.11, port 25, and I’m ready for responses on my IP address, 18.104.22.168, port 51211.”
Note that the router tells the remote service to connect to it – the router – for the return path of the conversation.
When data comes back via that return path, the router accepts it on the response-port number that it provided to the service. The router then passes the data on to the original computer via the IP address and response-port that the computer provided to the router when it started the conversation.
What’s important to note in the conversation diagrammed above is how the router replaces the “from” IP address and response-port number with its own on outgoing data and how it reverses that on data coming back in the conversation.
That’s translation: Network Address Translation.
And now we have enough background to ask the question in terms that we can answer.
How did the router know that the returned data should be send to that specific computer on the local network?
The router as traffic cop
Recall that I said that the port numbers used for returned data – the response-ports – were simply made up. In “I’m ready to receive your response on my IP address x.x.x.x on port yyyy,” the value of “yyyy” could be anything in acceptable port-number ranges.
Recall also that when a local computer said, “I’m ready to receive your response on my IP address x.x.x.x on port yyyy” – when the router actually sent that on to the internet-side server being contacted, it changed that to be “I’m ready to receive your response on my internet IP address q.q.q.q on port zzzz.”
It used a different response-port number, a number that it made up.
But a number that it remembers and keeps track of.
For each outgoing connection, the router remembers what outgoing response-port is assigned for each local IP and response-port number that it was given.
From the diagram above, the router might remember:
I assigned port 51211 for the connection that goes back to 192.168.1.2 port 12345.
That’s all it has to remember.
Now, as long as that connection remains open, as long as that conversation continues, when anything comes to the router from the internet destined for port 51211, the router knows that it needs to send it along to port 12345 on the computer at 192.168.1.2.
As soon as the connection between the local computer and the remote server is closed and that conversation is over, the router can simply forget this information because there’s no need to use it again.
The next time that a new connection is made, the router will simply assign a different “get back to me here” response-port.
That’s also how the router can handle multiple simultaneous connections from multiple local computers: it simply assigns each connection a different internet-side response port and keeps track of which local computer and port it corresponds to.
Difficult to explain, but conceptually, pretty slick.
But wait! There’s more! NAT security
Now we’re also in a position to understand why NAT routers make such fantastic incoming firewalls.
For every outbound connection established by a local computer, the router keeps track of the ports assigned; based on that, it can route the incoming data back to the computer that’s participating in that conversation.
If there’s no port assigned, there’s no conversation.
If there’s no conversation, there’s no computer to send the data to.
As a result, all data received on all ports on the internet side of the router that is not part of a locally initiated conversation is discarded. Computers elsewhere on the internet simply cannot contact your computers on the local side of your router. Your computers can connect out and initiate conversations, but as far as computers out on the internet trying to initiate a conversation with your computers – it’s like your computers don’t even exist.
That’s pretty darned secure.