To recap, a router is a networking device that allows two dissimilar networks (networks of different IP subnets) to communicate.
Most of you have probably handled at least one home router and anyone who's tried to set up a web server inside of their home has heard the term NAT. But what is NAT?
NAT stands for "Network Address Translation" can be defined as the act of re-writing the source and/or destination addresses of IP packets as they pass through a router or firewall.
OK, that sounds simple enough. But how does your router do this, and more importantly, WHY would you want your router do this?
Let's tackle the "Why" before the how.
There are many reasons that you would want to implement NAT on a router. You may want to host a web server or FTP server on your home computer but you don't want to purchase a static IP, you may be hosting a game server or TeamSpeak server, or you may just want an easy way to connect to your PC from outside the home.
So why do you need NAT to do this? Well, for this you need to understand a VERY fundamental difference between a WAN (Wide Area Network) environment and a LAN (Local Area Network) environment. A WAN environment (like the Internet) consists of distributed networking devices (routers, switches, servers, etc...) that are assigned PUBLIC IP addresses. A public IP address is an address that can be routed and is PUBLICLY visible to the outside world. A LAN environment consists of networking devices (routers, switches, servers, desktops, etc...) that are assigned PRIVATE IP addresses. A private IP address is an address that is NON-ROUTABLE and is COMPLETELY hidden from the outside world under normal conditions.
When you sign up with an ISP and get an Internet connection established, your ISP will assign a PUBLIC IP address to your modem (this goes for all connections, Cable, Dial-up, Satellite, DSL, T1...if you're connected to the Internet you've got a public IP somewhere) either statically or via DHCP. When you make a request to the Internet (say for a web page) your computer will hand the request to your router (if you have one), the router will then encapsulate that request inside of another request to your modem which will then encapsulate that request ONE more time and send the request on down the chain. This last request that just left your modem is the one that we're interested in here.
When a device issues a request it does so by issuing a block of data called a "Packet". This packet is like an envelope you send in the mail, it's got a destination address and a "source" or return address. During packet transmission the destination address will always stay the same. The source address, however, will change depending on where the packet is in the transmission process. When the packet leaves your computer, the source address matches your computer, when your router receives and forwards the packet on to your modem it will stick the original packet inside of another packet that now has the router's address as the source address, then when your modem receives and forwards on this packet it will once again encapsulate the packet into it's own packet that now has the modem as the source address. When the destination device returns the request it will get back to your modem which will strip off its packet info and hand the packet to the router which will strip off its packet info and hand the packet back to the source PC. In a home scenario your router and modem do all the OUTBOUND NAT setup for you, if the device sees traffic on it's INSIDE interface (the LAN interface) it will automatically translate the IP to the OUTSIDE interface (WAN interface).
This process works extremely well when the SOURCE machine is the one making requests to the outside world. However, when it's the outside world making requests to a machine inside the LAN, things don't tend to work so well. Remember, a LAN has PRIVATE IPs so no one in the WAN world (PUBLIC IPs) has any way of connecting to something inside the LAN, all the outside world can connect to is your modem (or Edge router in a corporate environment). This is where NAT comes in.
NAT allows you to tell your modem or router to redirect traffic that meet certain criteria to the proper destination. This is done by making a NAT rule that illustrates the chosen criteria (usually an IP match or protocol match) and the desired destination. In the post office analogy, NAT is like using a "Care of" address where you would mail a letter to a specific person in a company by addressing the letter to the person you want the letter to go to, but still using the company's name and address (John Smith, Care of, Johnson's widgets 1100 widget way etc...). When you mail a letter this way, the letter will show up at the front desk first, then the receptionist will find John Smith and deliver the mail to him directly (unless she works at my company, in which case who knows who will get that letter).
I'm going to clarify two more things before continuing on. There is a bit of a difference between NAT (Network Address Translation) and PAT (Port Address Translation). While NAT's main criteria for translation is IP address, PAT's main criteria is PORT. The use of PAT is often known as Port Forwarding, and it works much the same way as NAT.
In a NAT environment, your router or firewall is set up so that when it sees a request either from (outgoing NAT) or to (incoming NAT) a specific IP address it will translate the source or destination IP to match the desired outcome.
An example of a NAT scenario in a corporate environment (about the only real place that you're going to find custom NAT rules) would be a corporate web server (which should be in a DMZ but let's not get too hairy here). This web server has a PRIVATE LAN IP so it cannot be accessed directly from the outside world. To solve this (since you want the web server to serve the web right?) you would acquire a static IP from your ISP specifically for your website, then set up a NAT rule in your firewall to translate all requests that are issued to the static PUBLIC IP to the PRIVATE LAN IP of the server.
So let's watch some traffic in this scenario. User A has a computer connected to the Internet and he wants to view your corporate web page. He types in the address and his machine sends out a packet to your web server. Through the magic of DNS and the interwebs this packet finds its way to your company's edge router. Your company's edge router knows that any traffic that it sees heading to the specific public IP that you selected for your website should automatically go directly to your web server so it hands the packet directly to your web server. Pretty simple eh?
PAT works the same way, but with a single public IP address. With PAT instead of looking for a specific IP address match, the router looks for a PORT match. This means that once you set up the desired rule, any traffic headed for your public IP on a specific port will get directed correctly once it gets inside your LAN.
Let's watch some traffic in this scenario. User A really wants to connect to your TeamSpeak server located on a machine in your house. They put your public IP (the one on your modem) into their connection utility and press connect (i have no idea how TeamSpeak works but it was all that came to mind). Their machine sends out a request to connect to your server. Now you've conveniently set up a PAT rule that states that any traffic on port 8765 (TCP) or 8766 (UDP) should automatically go to your TeamSpeak server so when your router sees the TeamSpeak traffic, it will automatically send it straight to the server. Again, pretty simple eh?
Edited by LindaGail, 18 September 2007 - 05:29 AM.