
NAT. Wot is it?

N/A

NAT. Wot is it?

I was basically wanting to get access from college to my home PC through my Solwise router. Any ideas on how to do this using something called NAT or port forwarding? Tried forum at Solwise but they don't say anything.
12 REPLIES
N/A

NAT's or Non NAT's

Hi,
First of all on the subject of access from an external location such as college or work etc. You might need to check with your college's IT people (IT Dept) if they allow this process. It can be quite a sensitive subject for some companies or organisations for purely security reasons, so do check first with them as to what their policy is on this issue.

Secondly, NAT stands for Network Address Translation Table. This is a very clever technique which allows you to have one device such as a router which would have one publicly facing IP address such as for example 198.77.67.09. Behind this IP address you could have many other computers or servers, each one would have its own IP or a range of IP addresses. So again a server with an address of 192.67.81.10.05 behind your router, NAT or port forwarding allows your server to be accessed (inbound connections or outbound connections) from your public IP address (198.77.67.09). In other words anyone wanting access to your server would only be allowed to use your public IP; they wouldn't see or know about the server's actual real IP address. This is a very useful & powerful way to shield and protect important and costly servers.


Example ->> server 1 (IP 192.168.77.01) NAT on router IP would be 178.09.76.06 (this is what an external user would see from the internet).

NAT translates one internal server's IP to the router's public facing IP
so server 1 at 192.168.77.01 doesn't exist but what does is 178.09.76.06.

Hope this helps
Ivan
N/A

NAT. Wot is it?

Thanks a lot, that really helped. Do you know how to enable an address on a network in the form of 192.168.7.x to be translated into the router's face address? I have a Solwise router that was supplied from F9.
N/A

NAT. Wot is it?

I thought the Solwise Forum does, in fact, contain at least one topic which deals with this issue -- try opening doors/online gaming. It seems you may need two rules: a NAT RDR Rule and a "filter" rule.

Carrying on from what Ivan / "cyteck" said, "NAT" as implemented in consumer ADSL routers is really Network Address and Port Translation (some manufacturers do refer to it as NAPT) in that both network addresses and network ports are translated at the ADSL Router's external interface.

As Ivan said, hosts inside your home network use (or should use) "private" IP addresses. These are addresses in certain ranges which have been earmarked for the purpose, and which anyone is free to use without having to lay special claim to them. Any addresses starting 10, 172.16 .. 172.31, or 192.168 are all deemed "private" and they're free for anyone to use as they wish -- you don't have to ask anyone for permission. Since they're private, they're not "public", which means they cannot be used on the Internet (as distinct from an internet), because loads of people use them, and if someone sent to (say) 10.0.0.1 it would not be clear which of many hosts in the world using that address was the intended recipient. In fact, Internet routers are supposed to drop packets destined for "private" addresses.

So, if your local hosts use "private" addresses, but "private" addresses are not allowed on the Internet, how do you get round this? The answer is Network Address Translation. Your router has two network interfaces, one (the ADSL one) connected to the Internet, and one (the Ethernet one) connected to your LAN (an internet). The ADSL interface has a "public" IP address, an address assigned to you by Force9 from a set of public addresses which, in turn have been allocated for them to use. On the LAN interface, you can set any address you like from the private ranges (the router would have come with that interface set to one of these addresses in the factory, and many people will stick with that, unless they need to change it to be compatible with an existing network). By default, your router will perform Network Address Translation at the ADSL interface.

So, for the sake of illustration let's assume a PC in your network has the address "Private-1" and your ADSL router has an address "Private-2" on its LAN interface and "Public-1" at its ADSL interface. From your PC's web browser, you now send a request for a webpage from "RemoteHost". In all likelihood, the address of "RemoteHost" will have to be looked up, which will involve network requests flowing out from your network, and replies coming back containing the answer. We won't go into the detail of this, but assume that the IP address of "RemoteHost" comes back as "Public-2". So your web browser now knows it needs to send to address "Public-2" and port 80 (the standard port on which Web servers listen for incoming requests). But your PC does not have a direct connection to "Public-2", and it sees from its routing table, that to reach address "Public-2" it has to send the request to your router, "Private-2" for onward transmission. So the request reaches the router at its LAN interface ("Private-2") and it now looks at the destination address and realises it needs to send it on its way by transmitting it from its ADSL interface. The router also knows that "NAT" is operative on its ADSL interface, so it looks at the request's header data and changes some of the data it finds there. The header contains the destination address ("Public-2") and port (80) and the source address (Private-1) and port (say, X). The router replaces the source address (Private-1) with the address of its own network interface (Public-1) and may also change the source port (X) with a different port number (Y) if its own port X is already in use for something else. It keeps track of these changes by entering them in its "NAT table", as mentioned by Ivan. For this connection, the NAT table would contain an entry telling the router that any traffic arriving on its port Y needs to be changed to reflect the address Private-1 and port X. 
Having made the change in the header, the router now sends the packet on its way.

A while later, a reply comes back and is received by the router at its public interface on port Y. It looks in its NAT table, and finds that for port Y, the header needs to be changed so that destination address "Public-1" becomes destination "Private-1" (the address of your PC) and destination port Y needs to be changed to port X (the port being used by your web browser). It makes these changes and then consults its routing table and determines that to reach "Private-1" the packet has to be sent from its LAN interface. Thus, the reply gets back to the web browser.

The web server thinks it's talking to address "Public-1", but, in fact, the browser it's talking to is at "Private-1", an address that's not even permissible on the Internet! So, NAT has "hidden" your real IP addresses from the Internet at large!

Now consider an unsolicited request arriving from somewhere on the Internet, say address "Public-3" and destined for port 445 at "Public-1" (the IP Address of the router). You may recall that port 445 was one of the ports being exploited by a recent "worm". So it arrives at port 445 at your router, and your router does its usual thing: scans its NAT table to find a match telling it what to do with traffic arriving on port 445. But, because there wasn't a previous outgoing request relating to this, there is no entry in the table. The router has no information about what to do with this traffic, and so it drops it. The incoming request never reaches a destination. Even if your PC would have fallen prey to that request, it's effectively been blocked by the NAT function of the router, and that's as close as the worm gets to your PC.

Thus, NAT allows traffic out of your network, and any replies coming back (because it can then find a match in the NAT table), but requests originating from outside have no entry in the table, and are dropped. In this way, NAT acts as a natural kind of firewall.

So, what happens if you want traffic to be able to come in to your network, without it having been initiated by a prior request from you? For example, you want to connect to your home machine from college, and the college machine will initiate the connection? This is where "port forwarding" comes in. In effect port forwarding "punches a hole" through NAT, enabling an externally originated connection request to be forwarded to a local host.

Port Forwarding creates the necessary entry in the NAT table so that when a new connection request arrives at its public interface, the router can scan its NAT table and find out what to do with the request. The request will arrive at the router on a given port, so you need to know which port (or ports) that's going to be. You also need to tell the router the local address of the host to which to forward the request ("Private-1") and the port at that host. This will depend on the application to which you want to connect at that host.

For port forwarding, the port you target at your router's public address ("Public-1") is not necessarily the same as the port the application is listening on at the PC on your home LAN. For example, you might have two PCs, both running web servers which you want to be able to access from a remote system. By default, the web servers will listen on port 80. But the router only has one port 80 (for the tcp protocol) and if it receives traffic on port 80 the entry in the NAT table can point either to one PC or to the other, it can't point to both. So to be able to access two webservers, at least one of them will have to be targeted at a different port number, say, port 8080. You would then have two NAT port forwarding entries, one for port 80 and directing the traffic to port 80 at the first PC's address, the second for port 8080 and directing the traffic to port 80 at the second PC's address. From the remote host, if you point your browser to http://Public-1, you will see the web pages from the first PC; point your browser to http://Public-1:8080 to see the webpages from the second PC. Both PCs are listening on their normal ports, but NAT is performing both address and port translation.

[2004-09-16: Edit -- Couple of corrections, most notably the inclusion of the word "not"!]
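
The NAT table behaviour described in the post above (outbound translation, matching replies, dropped unsolicited traffic, and the two-web-server port forward) can be modelled in a few lines. This is an added example, not part of the original post or any router's code; the class and function names are hypothetical and all addresses are constructed stand-ins for Private-1, Public-1 and so on.

```python
# Constructed sample addresses standing in for the names used in the post.
PUBLIC_1 = "203.0.113.10"    # router's ADSL interface
PUBLIC_2 = "198.51.100.20"   # RemoteHost (web server)
PUBLIC_3 = "192.0.2.30"      # unrelated Internet host
PRIVATE_1 = "192.168.7.2"    # first PC on the LAN
PRIVATE_3 = "192.168.7.3"    # second PC on the LAN (assumed for the demo)

class NaptRouter:
    """Toy NAPT table keyed on the router's public port, as in the post.
    Real routers usually also track protocol and remote endpoint."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}  # public port -> (private address, private port)

    def port_forward(self, public_port, private_ip, private_port):
        # Static entry added by the administrator: the "hole" through NAT.
        self.table[public_port] = (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        # Keep source port X if the router's port X is free, else move to Y.
        owner = (src_ip, src_port)
        public_port = src_port
        while self.table.get(public_port, owner) != owner:
            public_port = public_port % 65535 + 1
        self.table[public_port] = owner
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        # No table entry for the arrival port means the packet is dropped.
        entry = self.table.get(dst_port)
        if entry is None:
            return None
        return (src_ip, src_port, entry[0], entry[1])

def demo():
    r = NaptRouter(PUBLIC_1)
    out = {}
    out["browser"] = r.outbound(PRIVATE_1, 50000, PUBLIC_2, 80)  # port X kept
    out["clash"] = r.outbound(PRIVATE_3, 50000, PUBLIC_2, 80)    # X taken, gets Y
    out["reply"] = r.inbound(PUBLIC_2, 80, 50000)                # matches entry
    out["worm"] = r.inbound(PUBLIC_3, 3333, 445)                 # no entry: dropped
    r.port_forward(80, PRIVATE_1, 80)
    r.port_forward(8080, PRIVATE_3, 80)
    out["web1"] = r.inbound(PUBLIC_3, 4444, 80)
    out["web2"] = r.inbound(PUBLIC_3, 4444, 8080)
    return out

if __name__ == "__main__":
    for name, packet in demo().items():
        print(name, packet)
```

In this model a forwarded port matches on the arrival port alone, so the last two lookups succeed for any external source address; once the forward exists, NAT no longer screens that port and the service behind it is reachable from the Internet at large.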
realsense
Newbie
Posts: 7
Registered: 26-06-2007

NAT. Wot is it?

Very good explanation given, task. Thanks.
N/A

Yep! Well explained

Hi,
Yep! Well done "task", a very nicely explained outline of NAT & IP addressing. This is a very complex technical subject and is not easy to explain, if you haven't come across these issues before. So yes! My compliments, yes! Well done.

Best Regards
Ivan
N/A

okay

Right, okay, I've set up both a filter and an rdr thingy to make it so when the router receives any IP address it forwards to a private address. However, whenever I enter my IP address of the router it just goes straight to the configuration menu of the router... not my private address. What am I doing wrong?
N/A

Have you??

Hello Again,
Have you checked to ensure you have a Default Gateway set or settings for the router? Also worth checking the subnet mask settings are correct too at the same time. If you have any documentation for your router it should give you the IP address to be used for default gateway or subnet masking.

**Might be in an online guide either .pdf file or shown on the makers website (not much help if you cannot access it though!!).

**To check your current TCP/IP settings including the D.Gateway & subnet masking: open a DOS window and from the command prompt type ipconfig /all; this should show you the current configuration. Your router's IP should be set as the default gateway.

**PS:- If you're using a fixed IP it's usually the ISP who assigns you the IP for ADSL connections, if you get really stuck F9 support should be of some help here I would have thought?

Hope this is of some help?
Ivan
N/A

Re: okay

Quote
what am i doing wrong?


You're testing it from inside your network. You need a way of testing it from an address which is considered to be outside (ie on the Internet at large). Ways of doing this are to ask a friend to try it, or to use a dial-up account (not your "jhutti" account) on a different PC.
N/A

NAT. Wot is it?

As well as asking a friend to try it etc, as task correctly pointed out, you can pretend to be outside your network even though you are inside by using a public proxy server. That way, you can enter your public IP address in your browser and have the proxy server send you whatever outsiders would see.

You can find a list of public proxy servers at www.publicproxyservers.com

To configure Internet Explorer to use a proxy server, go to Tools --> Internet Options --> Connections (tab) --> LAN Settings (button) --> "Use a proxy server..." (checkbox). Then type the IP address and port number of the proxy server you wish to use.

One from the website mentioned above which is based in the UK is 195.171.200.235 port 80.

This always works for me when I want to try accessing the outside of my LAN from the inside.
N/A

Thankyou soooo much

Guys I honestly gave up after reading your posts. However, I've read it all from start to finish and have understood everything and I reckon I can get this going quite easily now. Thanks especially to task who made the whole ordeal much more clear. Thanks again guys!
N/A

NAT

Superb reply from task. I've just read this and within minutes had my PC set up as a public server. This should be made into a tutorial.
N/A

NAT. Wot is it?

Thanks, I appreciate those comments!

By the way, I noticed the omission of the word "not" in one place, which completely reverses the intended point, and probably doesn't make much sense to anyone reading it! I'll go back and fix it!

Should any of the tutorial team wish to use it as the basis of an article, please feel free to do so.