NAT and Port Forwarding
What is NAT and what does it do?
NAT is Network Address Translation. There are different types of NAT, but we’ll stick to the easy non-technical explanation of ‘Many to One’ NAT.
Your router is a Gateway, or ‘door’ to the Internet. There are two sides to the router, the External (WAN) side and the Internal (LAN) side.
Your computer should be connected on the inside (LAN) with an Internal or private address.
Your computer will only communicate directly with IP addresses that are on the same subnet (address range).
Everything on the outside of the router uses different IP addresses and Subnets – the router allows you to communicate with other devices in other subnets.
OK, so what does all of that mean?
Your computer cannot communicate with another computer that does not have an address in the same ‘subnet’.
The router ‘translates’ different subnets for you, allowing you to communicate outside of your subnet.
NAT serves three main purposes:
1. Provides a type of firewall by hiding internal IP addresses.
Even though your computer shows an address of 192.168.1.115 – when you browse the Internet – your address shows as something entirely different to any Internet computer.
Your router’s External address is what shows up. This is also called ‘IP Masquerading’. This helps keep your computer ‘anonymous’ on the Internet.
2. Enables a company to use more internal IP addresses.
Since they’re used internally only, there’s no possibility of conflict with IP addresses used by other companies and organizations.
A company using a hundred computers or more only needs 1 Internet address. Internal address ranges are hidden from the public and are not part of the Internet address scheme.
This is where the term ‘Many to One’ comes from. Since the router is the only connection to the Internet, its address is the only one visible to the Internet. 100 or more computers using that router show up as 1 single address to the Internet (Many addresses to One address).
3. Allows a company to safely set up a device on the Internal Network for access from the Internet.
Using ‘Port Forwarding’ allows a company to set up Internet access to a device on the LAN. The port forwarding entry guides the incoming signal to the correct device. The benefit of this is that the Internet user sees only your ‘Public IP Address’ (your modem or router) and cannot see your ‘Internal IP Address’, so they have no direct access to the device other than through the software they are using to access it. (IP Masquerading again)
So, in a nutshell – NAT allows you to ‘see’ other IP Subnets while keeping you anonymous to those other networks.
Now you have a very basic understanding of what NAT is and does, and hopefully, you already know how to set an IP Address on your LAN so your device can communicate.
So how do you set it up to be accessed from the Internet? This is where ‘Port Forwarding’ comes into our picture.
When you are accessing your device from a remote location, in 99% of all instances, you will actually be accessing the router or modem. The router then guides your incoming signal to the correct device on your LAN. The only exception to this rule will be when your device is set with an Internet IP Address and exposed directly to the Internet. This is always risky – and this is why Internet Security companies make the big bucks. Putting a Windows-based computer directly on the Internet with no protection is an open invitation to bad things happening, and bad things WILL happen within a very short time. We tested a PC connected to the Internet with an External address – in 45 SECONDS we had been infected with the SQL Slammer virus. (This PC was running Microsoft SQL with listening ports set to defaults.) So protecting your computer from the Internet is important, to say the least. This is why you need a router to ‘mask’ your computer and hide it.
So, how does your remote query to 220.127.116.11 end up connecting you to a device with an address of 192.168.1.120? The answer is ‘Port Forwarding’. My favorite analogy to describe a router is to think of it as a Hotel. The Hotel has a ‘Street Address’ – the same as your router’s ‘Internet Address’. The rooms in the Hotel all have different numbers – the same as computers on your LAN.
When you send mail to the Hotel, you send it to the ‘Street Address’ of the Hotel. If you don’t have a room number or customer name – the Hotel does not know where to send that incoming mail. You can’t add an Internal IP Address (room number) to an Internet query, so you’ll need some other kind of information for the router to direct your incoming signal. Ports provide that extra information for your router.
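The hotel analogy above, worked through as a small simulator. This is an added example and not code from the original article: it models a ‘Many to One’ router that masquerades outbound traffic behind the public address 220.127.116.11, remembers which LAN host (room number) each outbound connection belongs to, lets replies back in on that basis, and otherwise only delivers an unsolicited incoming connection when a port forwarding entry supplies the room number. The Internet hosts 203.0.113.10 and 198.51.100.7 are constructed documentation addresses; the starting public port 40000 and the `Router`, `Packet` and `demo` names are assumptions of this example.

```python
"""Constructed 'many to one' NAT simulator (added example, not from the article).

Addresses: router WAN 220.127.116.11 and LAN hosts 192.168.1.x come from the
article; 203.0.113.10 and 198.51.100.7 are RFC 5737 documentation addresses
standing in for Internet hosts.
"""
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "220.127.116.11"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Router:
    public_ip: str
    # Port-forwarding entries: (wan_port, proto) -> (lan_ip, lan_port).
    forwards: dict = field(default_factory=dict)
    # Translation table for LAN-initiated flows:
    # (public_port, proto, remote_ip, remote_port) -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)
    # Reverse index so the same LAN flow keeps the same public port.
    reverse: dict = field(default_factory=dict)
    next_port: int = 40000  # first public port handed out (constructed choice)

    def add_forward(self, wan_port: int, lan_ip: str, lan_port: int, proto: str = "tcp") -> None:
        """One 'Start/End/IP Address' entry from the router's port forwarding page."""
        self.forwards[(wan_port, proto)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public address (IP masquerading)."""
        flow = (pkt.src_ip, pkt.src_port, pkt.proto, pkt.dst_ip, pkt.dst_port)
        pub_port = self.reverse.get(flow)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.table[(pub_port, pkt.proto, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.reverse[flow] = pub_port
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only replies to known flows or forwarded ports."""
        if pkt.dst_ip != self.public_ip:
            return None
        # Reply to a connection a LAN host opened: the table says which room it belongs to.
        hit = self.table.get((pkt.dst_port, pkt.proto, pkt.src_ip, pkt.src_port))
        if hit is None:
            # Unsolicited traffic: only a port-forwarding entry supplies the room number.
            hit = self.forwards.get((pkt.dst_port, pkt.proto))
        if hit is None:
            return None  # no room number on the envelope: the router drops it
        lan_ip, lan_port = hit
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo():
    """One outbound browse, its reply, a forwarded connection to 192.168.1.120, and an unsolicited probe."""
    r = Router(PUBLIC_IP)
    r.add_forward(37777, "192.168.1.120", 37777)  # forwarding entry using the article's port
    out = r.outbound(Packet("192.168.1.115", 50000, "203.0.113.10", 443))
    reply = r.inbound(Packet("203.0.113.10", 443, PUBLIC_IP, out.src_port))
    forwarded = r.inbound(Packet("198.51.100.7", 51515, PUBLIC_IP, 37777))
    probe = r.inbound(Packet("198.51.100.7", 51516, PUBLIC_IP, 22))
    return out, reply, forwarded, probe


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running `demo()` shows the four cases the article describes: the browsing PC leaves as 220.127.116.11 with a translated port, the web server's reply is mapped back to 192.168.1.115, the connection to port 37777 reaches 192.168.1.120 only because of the forwarding entry, and the probe to port 22 is dropped because nothing in the router knows which room it belongs to.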
Setting up Port Forwarding is pretty easy when you have all the necessary information.
You will need the IP address of the Router to access it for programming.
You will need the IP address of the device you are forwarding to.
You will need the port numbers required by the software.
The hard part is figuring out where to go on the router to get it set up. You will find that different models of routers sometimes use completely different terminology for the same thing. To set up port forwarding on your router, look for ‘Advanced Configuration’, ‘DHCP’, ‘NAT’, ‘Applications and Gaming’, ‘Virtual Servers’ or ‘Pinholes’ depending on the router model and manufacturer.
Sometimes they actually call it ‘Port Forwarding’, but you’ll usually find it hidden in one of those other sections.
Here you can see the information requested –
Application = call it whatever you want, but use something descriptive in case you have to come back for a service call a year later.
Start = The starting port or lowest number port in a range.
End = The ending port or highest number port in a range.
(If you are only forwarding two ports, 80 and 37777 for instance, then create two entries instead of a range – Start Port = 80 / End Port = 80 for the first one and Start Port = 37777 / End Port = 37777 for the second one. Avoid using a range when the port numbers are so far apart. In this case entering a range of Start Port = 80 / End Port = 37777 would work, BUT you would be opening over 37000 ports. That is a security breach just waiting to happen.)
IP Address = the Internal IP address of your device.
Enabled = Turn it on!
Save = Always look around for a ‘Save’ or ‘Apply’ button – if you forget or miss it – the router may ‘dump’ all your hard work and you’ll have to do it all again.
While you are logged in to the router, try to find the WAN status or Internet Address. This will tell you if you are connected directly to the Internet or if you are routing through another device, such as another router or a modem that is also routing. (A modem with only one network port can still be a router, handing out a private address range.)
If you see an address there that falls into the “Private” range of addresses, then there is another device between your router and the Internet performing NAT and you’ll need to Port Forward that device as well. When you have more than one router to pass through before you get to the Internet, then you also have a situation called Double NAT or Triple NAT, where each router is translating for its own subnet. When you have a double or triple NAT situation, then you also have to do double or triple port forwarding to route your incoming signal back to your device.
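Two of the checks above are easy to get wrong by hand: the width of a Start/End range and whether the WAN address is really public. The following is an added example, not code from the article or from any router vendor, that audits a table of forwarding entries (flagging a range such as 80 to 37777, entries whose port ranges overlap, and targets that are not LAN addresses) and classifies a WAN address as public, private (meaning another NAT device sits upstream and needs its own forwarding entry) or carrier-grade NAT shared space. The 100-port limit, the entry names and the `check_entry`, `audit_table` and `wan_address_kind` functions are assumptions of this example; the RFC 1918 private ranges and the RFC 6598 100.64.0.0/10 range are standard.

```python
"""Constructed checks for a port-forwarding table and the WAN address (added example).

Thresholds and sample entries below are assumptions for illustration.
"""
import ipaddress

# RFC 1918 private ranges: a WAN address in one of these means another NAT device is upstream.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, handed out by some ISPs for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

MAX_RANGE_WIDTH = 100  # constructed limit: a wider range is almost always a mistake


def wan_address_kind(addr: str) -> str:
    """Classify the router's WAN address: 'public', 'private' (double NAT) or 'cgnat'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    if ip in CGNAT_NET:
        return "cgnat"
    return "public"


def check_entry(start: int, end: int, lan_ip: str) -> list:
    """Return the problems with one Start/End/IP Address entry (empty list = fine)."""
    problems = []
    if not (1 <= start <= 65535 and 1 <= end <= 65535):
        problems.append("port outside 1-65535")
    elif start > end:
        problems.append("start port is higher than end port")
    else:
        width = end - start + 1
        if width > MAX_RANGE_WIDTH:
            problems.append(f"range opens {width} ports; use one entry per port instead")
    if not any(ipaddress.ip_address(lan_ip) in net for net in PRIVATE_NETS):
        problems.append("target is not a private LAN address")
    return problems


def audit_table(entries: dict) -> dict:
    """Check every entry and flag WAN ports claimed by more than one entry.

    entries: {application_name: (start, end, lan_ip)}; returns {name: [problems]}.
    """
    report = {name: check_entry(*spec) for name, spec in entries.items()}
    names = list(entries)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa, ea, _ = entries[a]
            sb, eb, _ = entries[b]
            if sa <= eb and sb <= ea:  # the two port ranges overlap
                report[a].append(f"overlaps entry '{b}'")
                report[b].append(f"overlaps entry '{a}'")
    return report


if __name__ == "__main__":
    table = {  # constructed entries using the article's ports and addresses
        "Web UI": (80, 80, "192.168.1.120"),
        "Viewer": (37777, 37777, "192.168.1.120"),
        "Everything": (80, 37777, "192.168.1.120"),
    }
    for name, problems in audit_table(table).items():
        print(name, "->", problems or "ok")
    print("WAN 192.168.0.2 is", wan_address_kind("192.168.0.2"))
```

The two single-port entries pass, while the ‘Everything’ entry is reported as opening 37698 ports and as overlapping both of them; a WAN address of 192.168.0.2 comes back as private, which is the double NAT case where the upstream device needs a matching forwarding entry pointing at this router.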
In my next article, I will show you how to discover Double NAT and Triple NAT situations, and how to map your way through them to establish Port Forwarding. Happy Networking!