NAT - One-to-many (PAT, NAPT...)
(this post is part of the material I cover in my DevOps course)
NAT - What problem are we going to solve
-
There are several types of NAT (Network Address Translation)
-
We will address the most complex one here, because it is the one you usually encounter at home, in a cafe, etc.
-
Other types of NAT are useful as well (we'll cover those in other posts).
For example, in AWS networking (VPC), the public IP addresses assigned to EC2 instances are implemented with one-to-one NAT (sometimes called static NAT). You can read more about that here.
-
The kind of NAT we are going to address here has several names:
- One-to-many NAT
- PAT - Port Address Translation
- NAPT - Network Address Port Translation, the name used in Cisco documentation, for example here
- NAT overload
- ..
- I'll be referring to this as PAT
PAT - presenting the problem
- Consider the following familiar scenario:
- Three devices are connected to a home/cafe network.
- Some are using wired Ethernet
- Some are using wifi
- A local DHCP server operating within the home router configures those devices:
- Each device receives a unique IP address
- Other parameters are also configured: default GW, DNS Name Server etc.
Private IP addresses (RFC 1918)
- The devices from the previous section got IP addresses from a private IP space.
- Many of us are familiar with these three ranges of private IP addresses:
- 10.0.0.0/8, i.e. 10.0.0.0 <--> 10.255.255.255 (one Class A network)
- 172.16.0.0/12, i.e. 172.16.0.0 <--> 172.31.255.255 (16 Class B networks)
- 192.168.0.0/16, i.e. 192.168.0.0 <--> 192.168.255.255 (256 Class C networks)
- These addresses can be found in most home/workplace networks, for a very good reason: YOU DON'T HAVE TO ASK PERMISSION FROM ANYBODY TO USE THEM.
- They are marked as private address space by the RFC 1918 standard.
- It means two things:
- You can assign these addresses to any host you like
- YOU CANNOT USE THESE ADDRESSES IN THE PUBLIC INTERNET!!!
- Since a single address (say 192.168.0.1) may appear more than once, an IP packet with this address in its destination-address field will be dropped by routers on the Internet: they have no route for it.
(after all, where would they send it?)
- ..but also a packet with this address in its source address will be dropped!
Routers only look at the destination when forwarding, but many ISPs filter packets with private source addresses, and in any case a reply would be needed for this packet, and no reply could be routed back to a private IP address.
How PAT works
- The solution to the problem is based on 2 ideas:
- Private addresses are going to be translated to public addresses (and vice versa)
- The problem of Many(private) to One(public) addresses is going to be solved by using TCP or UDP port numbers.
- Intuition:
If you are on the Internet and you are receiving TCP connections (or UDP packets) from the home network, it appears to you as if THIS IS A SINGLE COMPUTER WITH MANY APPLICATIONS.
- In the next sections we'll go into the details
Handling outgoing packets
- Outgoing packets (going to the Internet) have their source IP address replaced with the router's public IP address
- This is how it looks:
- The red addresses on the left symbolize addresses that cannot be used (not allowed on the Internet)
- The green addresses on the right mark the new addresses, taken from the router's own external interface IP address
- Note that PAT makes sure that the source port numbers on the right side are unique.
(In this example, multiple computers were using port 5000, but translation does not use it twice)
Handling incoming packets
- Incoming IP packets have their destination IP address (and port) replaced with the original private address and port used inside the home network.
- This is how it looks:
- The red addresses on the right symbolize public addresses that do not exist on the home network
- The green addresses on the left mark the original private addresses, which the router remembers (recorded earlier)
- Note that after the IP addresses have been translated, port 5000 can again be used twice (on different IP addresses). So the router also restores the original port numbers.
Important: NO SERVERS INSIDE (unless you configure it)
- PAT is dynamic.
- Until a packet exits the PAT device (the home router in this case), the router does not know which IP/port is used by a host application.
- Each time a packet from a new device/app exits the home network, a new translation line is added to the PAT table.
- This line is used when a reply comes back from the Internet.
- The line lives for some time and is then deleted, unless more packets keep "refreshing" it. The idle timeout depends on the device and the protocol: 300 seconds is a common default for UDP, while established TCP connections are usually kept much longer.
- The meaning of that is:
TRAFFIC GOING OUT ENABLES TRAFFIC GOING IN
- So no servers inside...
unless...you manually configure a static PAT table entry.
(This is sometimes called port forwarding.)
- Note that this "no servers inside" property is a side effect of the translation table, not a deliberate security control; a firewall is still needed to decide which traffic is allowed.
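To make the table concrete, here is a small Python model of the PAT table as described in the outgoing/incoming sections above, including the dynamic-entry timeout and a static port-forwarding entry, plus the RFC 1918 check from the private-addresses section. This is an added example written for this post, not code from any real router or from AWS; the router's public IP (203.0.113.7), the hosts (192.168.0.x) and the Internet server (198.51.100.1) are addresses chosen here from documentation ranges, and the packets are constructed inline. One simplification: entries are keyed only on (protocol, public port); a real router normally also records the remote address/port and only accepts replies from that remote endpoint.

```python
# Toy model of a PAT (one-to-many NAT) table. Added example for this post,
# not code from any real router. Addresses used below are documentation ranges.
import ipaddress
from dataclasses import dataclass, replace

# Idle lifetime of a dynamic entry, in seconds (300 s is a common UDP default).
ENTRY_TTL = 300

# The three RFC 1918 ranges, checked explicitly rather than via
# ipaddress.is_private, which also flags documentation ranges such as 198.51.100.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls inside one of the three private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """One public IP shared by many private hosts, disambiguated by source port."""

    def __init__(self, public_ip: str, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.low, self.high = port_range
        self.next_port = self.low
        # dynamic entries: (proto, public_port) -> [private_ip, private_port, last_seen]
        self.dynamic = {}
        # static entries ("port forwarding"): (proto, public_port) -> (private_ip, private_port)
        self.static = {}

    def add_port_forward(self, proto, public_port, private_ip, private_port):
        """Manually configured entry: never expires and accepts unsolicited traffic."""
        self.static[(proto, public_port)] = (private_ip, private_port)

    def _expire(self, now):
        """Delete dynamic entries that have not been refreshed within ENTRY_TTL."""
        for key in [k for k, v in self.dynamic.items() if now - v[2] > ENTRY_TTL]:
            del self.dynamic[key]

    def _existing_public_port(self, proto, src_ip, src_port):
        """Public port already mapped to this private endpoint, if any."""
        for (p, pub_port), (ip, port, _) in self.dynamic.items():
            if (p, ip, port) == (proto, src_ip, src_port):
                return pub_port
        for (p, pub_port), (ip, port) in self.static.items():
            if (p, ip, port) == (proto, src_ip, src_port):
                return pub_port
        return None

    def _allocate_port(self, proto):
        """Pick a public port no entry uses yet; this is what keeps the ports unique."""
        for _ in range(self.high - self.low + 1):
            cand = self.next_port
            self.next_port = self.low if cand == self.high else cand + 1
            if (proto, cand) not in self.dynamic and (proto, cand) not in self.static:
                return cand
        raise RuntimeError("PAT port range exhausted")

    def outbound(self, pkt: Packet, now: float):
        """Packet leaving the LAN: rewrite source to public_ip:unique_port and record it."""
        self._expire(now)
        if is_rfc1918(pkt.dst_ip):
            return None  # private destinations are not routable on the Internet
        pub_port = self._existing_public_port(pkt.proto, pkt.src_ip, pkt.src_port)
        if pub_port is None:
            pub_port = self._allocate_port(pkt.proto)
        if (pkt.proto, pub_port) not in self.static:
            # new entry, or refresh of the existing one (last_seen = now)
            self.dynamic[(pkt.proto, pub_port)] = [pkt.src_ip, pkt.src_port, now]
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet, now: float):
        """Packet from the Internet: restore the private destination, or drop it."""
        self._expire(now)
        key = (pkt.proto, pkt.dst_port)
        if key in self.static:
            ip, port = self.static[key]
        elif key in self.dynamic:
            entry = self.dynamic[key]
            entry[2] = now                      # a reply refreshes the entry
            ip, port = entry[0], entry[1]
        else:
            return None                         # unsolicited: no server inside
        return replace(pkt, dst_ip=ip, dst_port=port)
```

Walk two hosts that both use source port 5000 through `outbound()` and you get two different public ports; feed the reply back through `inbound()` and the original address and port 5000 come back. An inbound packet to a port with no entry, or to an entry that has sat idle longer than `ENTRY_TTL`, is dropped, which is the "traffic going out enables traffic going in" rule; only an `add_port_forward()` entry lets unsolicited traffic reach a server inside.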