how-to block ads
To understand what this is, how it functions and why it is needed, we must first cover how the Internet handles communications between computers.
WARNING: Some of the following discussion is simplified and glosses over some of the nit-picking details on how the Internet actually works. For the purpose of this FAQ, the level of detail used is adequate and any statements that are not 100% accurate are intended to avoid needing to go into extraneous detail.
Every computer using the Internet needs an address of the form X.X.X.X (where each X is a number from 0 to 255). Due to the limited number of such addresses, there can be a need for Private Networks with large numbers of computers/devices to have addresses that do not conflict with the Internet Addresses. To fill this need there are certain addresses (10.X.X.X and 192.168.X.X) that have been designated for use on these Private Networks that are not part of the Internet. No computer on the Internet is allowed to have these addresses. When such a network wants to communicate with the Internet it does it though a NAT gateway (which can often also act as a Firewall) All that will be said here about Firewalls is that they are used to control what types of sessions are allowed to cross the gateway. A gateway is usually a computer or router that functions as part of a broadband modem connection, especially in a home user situation.
When a computer wants to talk to another computer on the Internet it starts a session with that other computer. For a computer to be contacted to create such a session, it must "listen" for the attempt to start a session. The listening is done via Port-Numbers (ie: Listen for an attempt to start a session to my "Port Number X"). There is a list of "Well Know Ports" that tell what port number to use to start different types of sessions. For example if you are web surfing, you connect to the web site through port 80. To send email, you'd request port 25.
The contacting computer also needs a port number so that it can receive the responses. This port number comes from a range that is allocated for stating sessions and is unique for the life of that session. In other words, if you are web surfing and have more than one session open, each session has it own unique port number (allowing the browser to know which window to display the incoming information in). The session is defined by its two endpoints. Thus if you have a web session it would be X.X.X.X:5788<->Y.Y.Y.Y:80. If you open another web window and go to that same site, the session might be X.X.X.X:5789<->Y.Y.Y.Y:80.
The forgoing is what happens when the computers are both on the Internet. What happens if one of the computers (let us for simplicity say the one who is doing the web surfing) is on one of the aforementioned private networks and has an address of 192.168.l.50? When it tries to go to the web site, it will try to start a session 192.168.l.50:5789<->Y.Y.Y.Y:80. The messages destined for Y.Y.Y.Y will be sent to a computer that is acting as a gateway (a computer that can talk to both the private network and the Internet and does NAT). On the private network this computer is know as 192.168.1.1 while on the Internet it is known as Z.Z.Z.Z. When the message gets to it, it will alter the reference in the message that says "I am from 192.168.l.50" to say "I am from Z.Z.Z.Z". It will also assign its own port number from the stating sessions range (let us say 7777). Thus it starts its own session of Z.Z.Z.Z:7777<->Y.Y.Y.Y:80 with the web site. It also adds to a table the fact that it's port 7777 is really 192.168.l.50:5789. This is the reason for NOT keeping the real computer's port number. It must be able to tell who it is acting as and using the real computer's port number can cause problems if another computer (such as 192.168.1.99) wants to start a session as 192.168.l.99:5789 (IOW: using the same Port Number as 192.168.l.50 is using). By assigning a port number of 7778 to 192.168.l.99's request the two attempts to use port number 5789 are kept separate.
To the Internet, the two sessions LOOK like they are the same computer (which in reality they are since they are being sent to/from the gateway computer). As each message comes in from the Internet the gateway computer uses the port number in the incoming message to determine who to send it to on the private network and it sends the message to the private network with the correct 192.168.1.X address and port number). Internet directed messages get the same treatment in the other direction (use the table to get the Internet side address and port and send it on its way).
It is all very elegant. The Internet sees the whole private network as being the gateway computer (and is not even aware of the private network) while the computers on the private network see the gateway as the Internet.
Also read About DSL for lots more information