Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

How Does NAT Work?

//

Regarding your article What’s the difference between a hub, a switch, and a router? your description of routers raised a question. When using NAT, how does the router know which local IP address should receive an incoming packet? Using your example network, suppose computer “A” sends out a packet to someone on the internet. But what if at the SAME time, computer “B” sends out a packet to the SAME someone?

Now, each local IP address (from computers “A” and “B”) both get translated to the same internet IP address (72.134.xx on your diagram) and then sent out to the same someone on the internet. That person then sends back responses for both computer “A” and computer “B” on the same internet IP address. The router receives these response packets, but how does the router know which packet goes to which computer? Both came in from the same place with the same destination internet IP address.

It turns out that NAT, or Network Address Translation, is actually a very simple concept; one that we rely on every day to share a single internet connection across multiple computers as well as to keep those computers safe from internet threats.

Simple in concept, maybe, but difficult – complex even – to explain.

But, I’ll give it a shot.

Become a Patron of Ask Leo! and go ad-free!

Network Connections and Ports

First, we have to understand how a simple computer-to-computer connection works in TCP/IP.

When data is transmitted from one computer to another over TCP/IP, two pieces of information are needed:

  • The IP address of the computer to which the data is being sent.
  • The port number on that remote computer, which is prepared to accept the data.

Port numbers are used to define what kind of data is being sent. For example, port 25 is the default mail sending port number and a server that is configured to receive data on port 25 expects the data to be formatted according to the SMTP mail sending protocol.

A port number is required in both directions.

When a data conversation is to happen – in other words, data is being transmitted in both directions – not only must a computer send to a particular IP address and port number, but responses must also be sent to a specific IP address and port number. (And for the record, almost every TCP/IP connection is a conversation – even if the data coming back is only to periodically say, “Yep, I got that. Send me more”.)

When a connection for a conversation (like sending mail) is established, the initiator of that conversation contacts a specific port at a specific IP address, and also says, “My IP address is x.x.x.x and I’m ready to accept your response on port yyyy.” I’ll refer to “yyyy” as the response-port.

Response-port numbers are not standard – they’re made up and assigned relatively randomly at the time that a connection is created so that the software knows that anything it receives on port “yyyy” is something that’s in response to the conversation that it initiated.

Simple computer-to-computer conversation

In the diagram above, the computer is establishing an email sending connection (port 25) to the computer at the IP address 173.194.79.16 (smtp.googlemail.com, in this example). It includes its own IP address and makes up a port number (12345 above) as the response-port for any data received back as part of the SMTP email sending conversation.

The computer knows how to transmit data to the server and the server knows how to reply.

We have a conversation.

The NAT Router

If we insert a router into the picture, things get interesting.

First, the IP address of the computer changes. It gets a local IP address assigned by the router. In fact, multiple computers can be connected – each gets its own local IP address.

Second, the router actually has two IP addresses:

  • On the local “side” of the router – the LAN – the router typically assigns itself an address of 192.168.1.1, often known as the “gateway” address.
  • On the Internet side of the router, the WAN (the router) is assigned a real internet IP address by your ISP, just as if it were a computer directly connected to the internet itself.

IP address assignments with a NAT router in place

The NAT conversation

Let’s revisit our TCP/IP conversation from above, but this time inserting the NAT router into the mix.

Computer #1 wants to send mail. It gets the IP address of the remote sever and sends a request to connect to port 25 on that server.

But … where does it send it? It’s not actually connected directly to the internet. In fact, the only devices that it can talk to directly are the other computers on the LAN and the router.

That’s where this concept of a gateway comes in. Connections to devices that are not on the local network are sent via the device at the gateway IP address.

In other words, the router.

At this point, then, the computer tells the LAN-side of the router, “I want to connect to 173.194.79.16, port 25, and I’m ready for responses on my IP address, 192.168.1.2, port 45676.”

The router then handles the next leg of the conversation by connecting to that remote service from its internet side. Its conversation looks like this: “I want to connect to 173.194.79.16, port 25, and I’m ready for responses on my IP address, 67.225.235.39, port 51211.”

Note that the router tells the remote service to connect to it – the router – for the return path of the conversation.

When data comes back via that return path, the router accepts it on the response-port number that it provided to the service. The router then passes the data on to the original computer via the IP address and response-port that the computer provided to the router when it started the conversation.

Computer to computer conversation through a router

What’s important to note in the conversation diagrammed above is how the router replaces the “from” IP address and response-port number with its own on outgoing data and how it reverses that on data coming back in the conversation.

That’s translation: Network Address Translation.

And now we have enough background to ask the question in terms that we can answer.

How did the router know that the returned data should be send to that specific computer on the local network?

The router as traffic cop

Recall that I said that the port numbers used for returned data – the response-ports – were simply made up. In “I’m ready to receive your response on my IP address x.x.x.x on port yyyy,” the value of “yyyy” could be anything in acceptable port-number ranges.

Recall also that when a local computer said, “I’m ready to receive your response on my IP address x.x.x.x on port yyyy” – when the router actually sent that on to the internet-side server being contacted, it changed that to be “I’m ready to receive your response on my internet IP address q.q.q.q on port zzzz.”

It used a different response-port number, a number that it made up.

But a number that it remembers and keeps track of.

For each outgoing connection, the router remembers what outgoing response-port is assigned for each local IP and response-port number that it was given.

From the diagram above, the router might remember:

I assigned port 51211 for the connection that goes back to 192.168.1.2 port 12345.

That’s all it has to remember.

Now, as long as that connection remains open, as long as that conversation continues, when anything comes to the router from the internet destined for port 51211, the router knows that it needs to send it along to port 12345 on the computer at 192.168.1.2.

As soon as the connection between the local computer and the remote server is closed and that conversation is over, the router can simply forget this information because there’s no need to use it again.

The next time that a new connection is made, the router will simply assign a different “get back to me here” response-port.

That’s also how the router can handle multiple simultaneous connections from multiple local computers: it simply assigns each connection a different internet-side response port and keeps track of which local computer and port it corresponds to.

Difficult to explain, but conceptually, pretty slick.

But wait! There’s more! NAT security

Now we’re also in a position to understand why NAT routers make such fantastic incoming firewalls.

For every outbound connection established by a local computer, the router keeps track of the ports assigned; based on that, it can route the incoming data back to the computer that’s participating in that conversation.

If there’s no port assigned, there’s no conversation.

If there’s no conversation, there’s no computer to send the data to.

As a result, all data received on all ports on the internet side of the router that is not part of a locally initiated conversation is discarded. Computers elsewhere on the internet simply cannot contact your computers on the local side of your router. Your computers can connect out and initiate conversations, but as far as computers out on the internet trying to initiate a conversation with your computers – it’s like your computers don’t even exist.

That’s pretty darned secure.

21 comments on “How Does NAT Work?”

  1. I have two remarks. First, you originally use 87656 as the response port on the WAN side of the router, but later it becomes 87565. Second, isn’t that an illegal number to begin with, since they only go up to 65535?
    Also, you can still tell the router to accept any data on a certain port and send it to a specific local IP address, thus penetrating the NAT firewall. This is called port forwarding and can, for instance, be used if you want to host your own web server on the local network, or if you want to use peer-to-peer file transfer software.

    Oh, man … I hate when I do that. It’s like seeing an IP address on a TV cop show with a 300 in it. Sigh. I’ve updated the article text to use 51211, which is a legal port. The image should also update once caches get flushed, or for new visitors. Thanks for catching that.
    I was tempted to bring in both DMZ and port forwarding, but I figured this was enough for the basics of a how NAT works. Those might appear as separate articles should it be warranted.

    Leo
    30-Apr-2012
  2. Hello Leo and all.

    Despite the inaccuracies and the other possibilities signaled by Mike, kudos for an excellent, truly comprehensible, response.

  3. Thanks, Leo, I always wondered how that worked. My SIL told me that the router was secure but didn’t explain it either…

  4. You have a gift for teaching Leo. You neither talk down to or over simplify. I’ve read enough of your articles to see what questions are asked the most by users and I am always amazed how succinctly and correctly you answer the questioms. Looking forward to more.

  5. Nicely explained. But post detail technical material in separate articles. Also, take up articles about database etc.

  6. Steven Hanifl said it for me, too: you have a gift for teaching and writing clear explanations. Many thanks for your efforts to educate us.

  7. Leo,
    I generally don’t write comments.
    May be I am more of a internet leech.
    Your explanation made me to write a comment.
    That’s the most I can say.
    You are a great source of knowledge and a greater teacher….
    I wish you can help more American kids, so jobs won’t be outsourced.

    Regards,
    Brajesh

  8. You have created an excellent resource for tech help, thank you. I have a situation that seems like a bit of a catch 22. The server that I want to initiate a conversation with is also behind a router, so why won’t my initial request get blocked by the server’s router?

  9. Great straightforward explanation for a subject that can be difficult to understand. I used to teach this stuff and my examples were not near as good as yours. Well done!

  10. Hi Leo!

    thanks a lot for this explanation but I still don`t get one thing… all this talks about is when I conduct the request, but let`s assume someone from the internet wants to send me an e-mail. how does the NAT know to forward it to the right LAN device? assuming of course inbound traffic is allowed and not dropped. since there is no private IP address, I assume all the devices would get the e-mail but it doesn`t seem to work that way…

    thanx again!

    Willow

    • The NAT router doesn’t forward the email to the device. The device has to be logged on to the email service provider to receive the emails.

    • When you get email it’s not pushed onto your computer – your computer reaches out to fetch it from your email account. Email is not sent to a device, but to an account, and any device on which you read email has to initiate the transfer and go out and get it.

  11. Hi, I am spell bound by your articles, that i am learning the techniques in easy way. Fabulous is the only word i could give. I came back about router configuration and came to this topic, as it was a link in that page. I could go to the inner links page and to know what those actually means and doing in the rounds. Each link is fabulous and also i do not know what is modem, i only know it as a device, but the explanation page of dictionary on Modem link gives much more meaning.
    Long live this Ask Leo Page.
    I will be asking questions, that may have already answers for those, but anyhow congratulations on giving a reply to the already asked questions in a different way. What a site full of technical information explained in detail without any form of word puzzling and in simple english. Long Live Leo and Long live Ask Leo

  12. Hello,

    Nice article but how do other computers on LAN know what response port to ask for, what happens if two LAN computers ask for the same response port ?
    And how does NAT router know when not to expect inbound traffic on particular port which should be passed to a particular local ip address – is there some kind of time threshold or is it event driven ?

  13. we have a database program that uses a server and workstations. When the program starts it reads an .ini file to get the servername so the data can flow between the server and the workstation. All of this happens on the LAN side of the router. Generally we use a server name like SERVERX in the .ini file. However some workstations will not respond and we have to use the server ip address (like 192.168.1.14) before the data will flow. I have assumed that this is a NAT issue. Does NAT translate a name to an ip address? What happens when that works on one work station but not another workstation?.

    • Actually that’s more of a DNS issue. Check that your router is properly configured to provide DNS, or that the DNS settings on the computer are set properly.

  14. Excellent article. My only nit is that you might want to explain briefly what TCP/IP protocol is for the uninitiated. Either that or provide a link to another one of your articles that explains it. I’m an old computer nerd so I get it but many readers aren’t that educated in geek talk. (-:

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Typically that's off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.