Tuesday, February 28, 2012

NAT Routers

Remember telephone modems?  You had to wait for your modem to dial in to your ISP, and once you were connected, it was agonizingly slow.

Typically with this setup, you have only one computer with a modem inside.  When you dial into your ISP, a DHCP server assigns your modem a unique IP
address
.  This IP address identifies your computer and your ISP on the Internet.

Frustrated with these slow modem speeds, many telecom and cable companies began offering DSL and Cable modems, which are much faster than modems, and you never have to wait to dial in with them.

About this time, people also started getting new computers.  Instead of having to fight over one computer, a family can have one computer for the parents and another for the kids.  Now, what could be done to get both computers on the Internet?

The cable companies' solution was to sell you another IP address.  That way, you could buy a switch, connect all your computers and your cable modem to the switch, and everyone could access the Internet at the same time.

However, consumers didn't like the idea of spending five, ten, or even as much as twenty extra dollars per month per additional IP address.  So companies like Linksys and Netgear came out with routers.

How NAT Routers Work

A router allows several computers to share the same IP address and therefore connect to the Internet at the same time.  Here is how it works:

  1. Every computer on the network is assigned a local (LAN) IP address by the router.  These IP addresses are not unique and only apply to the LAN (local area network).
  2. The router has two IP addresses: a LAN IP and a WAN (wide area network) IP address.  Computers on the LAN communicate with the router by connecting to its LAN IP address (the default gateway).  Computers on the Internet communicate with the router's WAN IP address.
  3. When you request data from a server on the Internet, your router replaces your LAN IP address in the return header with its WAN address.  Then, when the data comes back, it changes the return address back to your LAN IP.

This process is called network address translation, or NAT.

Separating Applications into Ports

Every computer (or router) has 65,535 ports.  When one computer establishes a connection with another computer, it sends data to its IP and port.  The other computer must be listening on the port the data was sent to for it to receive anything.

Established standards usually dictate which ports should be used for specific types of services.  For example, HTTP services usually run on port 80.  FTP services are usually on port 21, and America Online uses port 5190.  Though these are the standard ports for these services, it is not a requirement to run those services on those ports.  You could, for example, run an HTTP server on port 21 and an FTP server on port 80.

So, when two computers establish a connection, the client opens a connection with the server on a certain port.

How NAT uses Ports to Share a Single IP Address

Most of the time, the server will need to send data back to the client.  So the client must also be able to accept connections on a port.  Note that this does not need to be the same port that the server is listening on.  In fact, it almost never is.

When the client sends a packet to the server, it specifies in that packet the IP address and return port of the client.

So let's see what happens when you access CNN.com.  For this example, we'll assume your IP address is 192.168.0.1. 

  1. First, your computer will find out the IP address of www.cnn.com from a DNS server.
  2. Next, it will request the file index.html from 64.236.24.12:80 (CNN's IP address, on port 80).  The request packet also includes the IP address and port your computer is listening on for the file.  We'll say it's 192.168.0.1:4000
  3. CNN will send index.html to 192.168.0.1:4000.
  4. The process will be repeated for pictures and other files that appear on index.html

The Caveat of NAT

What happens when someone behind a router is running a server?  Well, if you try to open a connection with someone behind a router, the router won't know which of the possibly hundreds of computers connected to the router you want to open the connection with.

In this case, the router will do one of two things: it will either respond saying that the port you are trying to connect to is closed, or it will not respond at all.  The latter case is called a filtered port.  Filtered ports are supposed to be more secure because a machine with filtered ports takes much longer to port scan.  This involves checking every port on the host to see which ports are open (and available to connect to, and try to hack).

Fortunately, there is a way around this limitation.  And it's a good thing, too, since P2P applications work much better when you can accept incoming connections.

Most routers allow you to set up port forwarding.  This means you can tell the router that you want incoming connection requests on a certain port to be forwarded to a specific IP address on your LAN.  Check your router's documentation for details, or try this site.

If you are unable to set up port forwarding, you will still be able to connect to P2P networks since you can open connections with other hosts that have port forwarding enabled.  However, in order for anyone to download from you, they will need to send something called a push request.  The way this works is their client tells your hub/server to tell your client to open a connection to his computer.

Naturally, you cannot send a push request if you yourself do not have port forwarding enabled.  So you will not be able to download from users who are behind routers (and they, of course, have the fastest connections).

No comments: