

4.1 NAT

NAT stands for Network Address Translation.


To understand what this is, how it functions and why it is needed, we must first cover how the Internet handles communications between computers.


WARNING: Some of the following discussion is simplified and glosses over some of the nit-picking details on how the Internet actually works. For the purpose of this FAQ, the level of detail used is adequate and any statements that are not 100% accurate are intended to avoid needing to go into extraneous detail.


Every computer using the Internet needs an address of the form X.X.X.X (where each X is a number from 0 to 255). Due to the limited number of such addresses, there can be a need for Private Networks with large numbers of computers/devices to have addresses that do not conflict with the Internet Addresses. To fill this need there are certain addresses (10.X.X.X and 192.168.X.X) that have been designated for use on these Private Networks that are not part of the Internet. No computer on the Internet is allowed to have these addresses. When such a network wants to communicate with the Internet it does it through a NAT gateway (which can often also act as a Firewall). All that will be said here about Firewalls is that they are used to control what types of sessions are allowed to cross the gateway. A gateway is usually a computer or router that functions as part of a broadband modem connection, especially in a home user situation.


When a computer wants to talk to another computer on the Internet it starts a session with that other computer. For a computer to be contacted to create such a session, it must "listen" for the attempt to start a session. The listening is done via Port-Numbers (i.e.: Listen for an attempt to start a session to my "Port Number X"). There is a list of "Well Known Ports" that tell what port number to use to start different types of sessions. For example, if you are web surfing, you connect to the web site through port 80. To send email, you'd request port 25.


The contacting computer also needs a port number so that it can receive the responses. This port number comes from a range that is allocated for starting sessions and is unique for the life of that session. In other words, if you are web surfing and have more than one session open, each session has its own unique port number (allowing the browser to know which window to display the incoming information in). The session is defined by its two endpoints. Thus if you have a web session it would be X.X.X.X:5788<->Y.Y.Y.Y:80. If you open another web window and go to that same site, the session might be X.X.X.X:5789<->Y.Y.Y.Y:80.


The foregoing is what happens when the computers are both on the Internet. What happens if one of the computers (let us for simplicity say the one who is doing the web surfing) is on one of the aforementioned private networks and has an address of 192.168.1.50? When it tries to go to the web site, it will try to start a session 192.168.1.50:5789<->Y.Y.Y.Y:80. The messages destined for Y.Y.Y.Y will be sent to a computer that is acting as a gateway (a computer that can talk to both the private network and the Internet and does NAT). On the private network this computer is known as 192.168.1.1 while on the Internet it is known as Z.Z.Z.Z. When the message gets to it, it will alter the reference in the message that says "I am from 192.168.1.50" to say "I am from Z.Z.Z.Z". It will also assign its own port number from the starting sessions range (let us say 7777). Thus it starts its own session of Z.Z.Z.Z:7777<->Y.Y.Y.Y:80 with the web site. It also adds to a table the fact that its port 7777 is really 192.168.1.50:5789. This is the reason for NOT keeping the real computer's port number. It must be able to tell who it is acting as, and using the real computer's port number can cause problems if another computer (such as 192.168.1.99) wants to start a session as 192.168.1.99:5789 (IOW: using the same Port Number as 192.168.1.50 is using). By assigning a port number of 7778 to 192.168.1.99's request the two attempts to use port number 5789 are kept separate.


To the Internet, the two sessions LOOK like they are the same computer (which in reality they are, since they are being sent to/from the gateway computer). As each message comes in from the Internet the gateway computer uses the port number in the incoming message to determine who to send it to on the private network, and it sends the message to the private network with the correct 192.168.1.X address and port number. Internet directed messages get the same treatment in the other direction (use the table to get the Internet side address and port and send it on its way).


It is all very elegant. The Internet sees the whole private network as being the gateway computer (and is not even aware of the private network) while the computers on the private network see the gateway as the Internet.

by 2kmaro, edited by KeysCapt
last modified: 2008-05-24 17:30:19
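The translation table described in 4.1 above, worked through in code. This is an added illustration, not code from the original page: the FAQ's placeholder hosts are given assumed concrete values (the gateway is 198.51.100.5 on the Internet side, i.e. Z.Z.Z.Z, and the web site is 203.0.113.10, i.e. Y.Y.Y.Y; both are IANA documentation ranges so that no real host is named). It replays the two private hosts that both pick source port 5789, shows the replies finding their way home via the table, and also covers the point made further down the page: an incoming message with no table entry is dropped unless a static entry (port forwarding) has been added by hand.

```python
"""Worked NAT translation table, as described in 4.1.

Added illustration, not code from the original page. Concrete addresses are
assumptions: gateway 198.51.100.5 outside (Z.Z.Z.Z), web site 203.0.113.10
(Y.Y.Y.Y), both from IANA documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatGateway:
    """Rewrites the source on the way out and, using the table, the
    destination on the way back in."""

    def __init__(self, public_ip: str, first_port: int = 7777) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (private src, remote dst) -> public port chosen for that session
        self._sessions: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # public port -> (private src, remote dst), the reverse lookup
        self._table: Dict[int, Tuple[Endpoint, Endpoint]] = {}
        # public port -> private endpoint, configured by hand (port forwarding)
        self._forwards: Dict[int, Endpoint] = {}

    def add_forward(self, public_port: int, private: Endpoint) -> None:
        """Static entry so unsolicited traffic to public_port has somewhere to go."""
        self._forwards[public_port] = private

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: substitute the gateway's own address and port."""
        key = ((pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
        port = self._sessions.get(key)
        if port is None:
            # New session: allocate the next free public port, regardless of
            # whether another private host is already using the same source port.
            port = self._next_port
            self._next_port += 1
            self._sessions[key] = port
            self._table[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: look the destination port up; drop if unknown."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._table.get(pkt.dst_port)
        if entry is not None:
            private, remote = entry
            # Stricter than the FAQ's port-only lookup: only the remote host the
            # session was opened to may send back through that port.
            if (pkt.src_ip, pkt.src_port) != remote:
                return None
        else:
            private = self._forwards.get(pkt.dst_port)
            if private is None:
                return None  # unsolicited and not forwarded: nobody to deliver to
        return Packet(pkt.src_ip, pkt.src_port, private[0], private[1], pkt.payload)


def demo() -> dict:
    """Replays the FAQ's scenario and returns the observed rewrites."""
    gw = NatGateway(public_ip="198.51.100.5")
    web = ("203.0.113.10", 80)

    # Two private hosts happen to pick the same source port 5789.
    a_out = gw.outbound(Packet("192.168.1.50", 5789, *web, "GET / from .50"))
    b_out = gw.outbound(Packet("192.168.1.99", 5789, *web, "GET / from .99"))
    a_again = gw.outbound(Packet("192.168.1.50", 5789, *web, "GET /next from .50"))

    # The web site answers the gateway; the table sends each reply home.
    a_in = gw.inbound(Packet(*web, gw.public_ip, a_out.src_port, "200 OK for .50"))
    b_in = gw.inbound(Packet(*web, gw.public_ip, b_out.src_port, "200 OK for .99"))

    # A third party aiming at the mapped port, and a fresh connection to port 80:
    # neither matches the table, so both are dropped.
    stray = gw.inbound(Packet("203.0.113.77", 40000, gw.public_ip, a_out.src_port))
    unsolicited = gw.inbound(Packet("203.0.113.77", 40000, gw.public_ip, 80))

    # Port forwarding adds the entry by hand, e.g. one DCC port for one host.
    gw.add_forward(1050, ("192.168.1.3", 1050))
    forwarded = gw.inbound(Packet("203.0.113.77", 40000, gw.public_ip, 1050, "DCC"))

    return {
        "a_out": a_out, "b_out": b_out, "a_again": a_again,
        "a_in": a_in, "b_in": b_in,
        "stray": stray, "unsolicited": unsolicited, "forwarded": forwarded,
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt}")
```

Running it prints the two outbound sessions as 198.51.100.5:7777 and 198.51.100.5:7778, the replies delivered back to 192.168.1.50:5789 and 192.168.1.99:5789, `None` for the two unsolicited messages, and the forwarded message delivered to 192.168.1.3:1050. The check that a reply comes from the remote endpoint the session was opened to is an addition beyond the FAQ's description; a gateway that skips it will hand any Internet host's traffic to a private machine as soon as it guesses a mapped port.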


Yes.

Exactly how you share your single DSL line depends on the operating system on your computer, and recently, whether or not your DSL provider is using PPPoE. With a regular DSL line, with a fixed or dynamic IP address, and Microsoft Windows, if you wish to share web browsing access but have some flexibility to add ICQ and play multiplayer Internet games, then you can use one machine as a gateway, and run a NAT (network address translation) software product like Sygate, or similar, on that machine. Current versions of Windows 98 even come with ICS, which is a Microsoft NAT implementation built in.
Your private network IP addresses are allocated from the IP ranges internationally reserved for private use (10.x.x.x or 192.168.x.x), and your NAT-equipped PC, with two network interface cards, functions as the gateway to the Internet.
NAT re-uses a single public IP address by allocating unused port numbers for other computers on your private network. NAT also is by default very secure, since it does not allow any incoming connection requests that were not part of a conversation you had initiated, but it can be problematic to set up some network-intensive programs over NAT without reading manuals and consulting the net.

Finally, you could buy additional IP addresses from your DSL provider. Most standard DSL solutions will allocate up to 255 IP addresses over the one line.

by KeysCapt
last modified: 2002-07-22 23:19:09

Yes.

The simple option would be to get an IP address from your ISP for each Mac on your network - but the ISP may charge extra for each address.

Another solution is to run Network Address Translation (NAT) software to share a single DSL connection among multiple computers. Several NAT options exist for the Mac. One very good choice is IPNetRouter, which is cheap, and has a great support community.

Also recommended is the companion line monitoring tool, IPNetMonitor.

Using NAT software, you connect your DSL router to a single Mac (the "gateway") and also connect the gateway Mac to an Ethernet hub. You can then connect other computers (Macs and PCs) to the hub, and they all share the DSL connection.

You can also use Apple's AirPort in this setup so the non-Gateway Macs (and PCs) can be connected wirelessly!

Mac OS X also allows software-based Internet sharing:
Select System Preferences -> Sharing -> Internet Tab

by jwarthman, edited by KeysCapt
last modified: 2004-10-09 23:47:18

Yes you can, with just a hub, if your ISP has issued you an IP address for each PC. The DSL modem can be connected to the uplink port of the hub; if an uplink-type port is unavailable on the hub, a crossover cable is needed. Depending on the brand of router the ISP is using, some adjustments might be needed in the router configuration. Most of the adjustments in router configuration will be in the areas of bridge groups and NAT entries.

Additionally, some operating systems provide Internet Connection Sharing (ICS). When you use that type of system, one machine must be left on to provide the gateway to the Internet for the others.

edited by KeysCapt
last modified: 2002-07-22 23:16:24

If you wish to use a hardware device rather than a dedicated server to share your internet connection, then a router or switch is necessary. If you want to have computers connected together, but appear as only 1 single computer to the Internet (called Network Address Translation or NAT) you need a router. Typical and popular broadband routers include the Linksys BEFSR11 and BEFSR41; the Netgear RT311 or RT314; or the SMC Barricade (SMC7004BR). There are others, including D-Link that I am not personally familiar with.

A hub or switch is something you use to connect computers together on a single network. A router is a device that you use to connect different networks together. You are creating a small network at home. Your ISP and the Internet are a different network, thus the router is the correct device for the job. The router protects your network from nasty packets on the Internet by blocking them (which is called being a firewall) and, perhaps more important to the rest of us and your ISP, it protects the Internet and the ISP's network from stuff that happens on your network. Of the above routers, the Linksys BEFSR41, the Netgear RT314, and the SMC Barricade all have a 4-port (10/100) switch already attached to the router, allowing you to plug in additional devices to share the DSL connection. With these systems you can get everything needed to create a small LAN in one device.

There are people who will tell you that you can share an Internet connection with a hub or a switch, and they are correct -- it will work. But you can open a can of beans with a hammer, too -- it's just not the right tool for the job. Without going into too much detail, people who share internet connections directly with a switch place a bunch of unwanted traffic on their local subnet that everyone else on the subnet has to filter, and often leave themselves exposed to security risks from the outside world.

by rhavasy, edited by KeysCapt
last modified: 2002-07-22 23:17:16

NAT does not accept unexpected incoming connections - it does not know to which machine the data is to be routed.

You must configure NAT for the incoming ports that the server of the program you are using is trying to send you data on.

Most network programs now come with notes for NAT setups, and there are a number of useful pages on the net detailing NAT setups that work with many popular titles.

VPNs (virtual private networks) are not comfortable with NAT. Your VPN vendor should provide specialized configuration information. For the popular corporate CheckPoint firewall systems, we refer you to the excellent FAQs at

www.phoneboy.com

by KeysCapt
last modified: 2002-07-22 23:24:38

When you are behind a NAT firewall, there are a few things you have to do to ensure that you can use IRC. There are several ways of managing this. I'm a former Linksys router user, and I found that when using mIRC, this is the best way:
1. In your mIRC options, under "Local Info", change IP method from "Normal" to "Server". (This gets your actual remote IP, rather than your NAT'd IP, which is sent in a DCC chat request if you don't change it. What would happen then, in effect, is that you'd be trying to tell the other person to establish a connection to 192.168.1.3, which is probably an invalid IP for them, since it's reserved for local IPs.)

2. Set the ports DCC will use in DCC options. (1050->1100 should suffice.)

3. Go into your router firmware, and forward the port range of 1050 -> 1100 to the machine's ip you want to allow DCC access to.

4. For all other computers, set DIFFERENT port ranges and forward those as well.

by XJester, edited by KeysCapt
last modified: 2002-07-22 23:25:46
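Step 1 of the mIRC notes above is the general NAT problem in miniature: a DCC CHAT or DCC SEND offer is a CTCP message that carries the sender's own IPv4 address inside the text, encoded as a 32-bit decimal integer, and NAT rewrites packet headers but not payloads. The parser below, an added illustration that is not code from the original page or from mIRC, decodes such an offer and reports whether the other side could ever connect back. The sample messages are constructed; the forwarded range 1050-1100 is taken from steps 2 and 3, and 203.0.113.10 stands in for the gateway's real Internet address (an assumption). The same address-in-payload issue is what makes the VPN and Starcraft cases mentioned elsewhere on this page awkward behind NAT.

```python
"""Why a DCC request leaks the NAT-side address.

Added illustration of the mIRC notes, not code from the original page or
from mIRC. Samples are constructed; 203.0.113.10 is an assumed public
address and 1050-1100 is the forwarded range from the notes.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Addresses the other side can never reach across the Internet.
# (The FAQ lists 10/8 and 192.168/16; RFC 1918 also reserves 172.16/12.)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# CTCP DCC offer: \x01DCC CHAT chat <ip-as-int> <port>\x01
#                 \x01DCC SEND <file> <ip-as-int> <port> <size>\x01
CTCP_DCC = re.compile(r"^\x01DCC (CHAT|SEND) (\S+) (\d+) (\d+)(?: (\d+))?\x01$")


@dataclass(frozen=True)
class DccOffer:
    kind: str                       # "CHAT" or "SEND"
    argument: str                   # "chat" for CHAT, the file name for SEND
    address: ipaddress.IPv4Address  # decoded from the 32-bit integer
    port: int
    size: Optional[int]             # file size, SEND only


def parse_dcc(ctcp: str) -> DccOffer:
    """Decode a DCC CTCP line; reject malformed values instead of guessing."""
    m = CTCP_DCC.match(ctcp)
    if m is None:
        raise ValueError("not a DCC CHAT/SEND offer")
    kind, argument, ip_text, port_text, size_text = m.groups()
    ip_int = int(ip_text)
    if ip_int > 0xFFFFFFFF:
        raise ValueError("address does not fit in 32 bits")
    port = int(port_text)
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    size = int(size_text) if size_text is not None else None
    return DccOffer(kind, argument, ipaddress.IPv4Address(ip_int), port, size)


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    """True for private addresses; deliberately not ipaddress.is_private,
    which also flags documentation ranges such as 203.0.113.0/24."""
    return any(addr in net for net in RFC1918)


def reachability(offer: DccOffer, forwarded: Tuple[int, int] = (1050, 1100)) -> str:
    """What the receiving side will experience when it tries to connect."""
    if is_rfc1918(offer.address):
        return "fails: private address advertised (IP method 'Normal' behind NAT)"
    lo, hi = forwarded
    if not lo <= offer.port <= hi:
        return f"fails: port {offer.port} is not in the forwarded range {lo}-{hi}"
    return "ok: public address and forwarded port"


def build_dcc_chat(address: str, port: int) -> str:
    """Build the offer as a client would, with the IP encoded as an integer."""
    return f"\x01DCC CHAT chat {int(ipaddress.IPv4Address(address))} {port}\x01"


if __name__ == "__main__":
    # Constructed samples: the first is what 'Normal' sends from 192.168.1.3.
    for line in (build_dcc_chat("192.168.1.3", 1050),
                 build_dcc_chat("203.0.113.10", 1050),
                 build_dcc_chat("203.0.113.10", 6000),
                 "\x01DCC SEND notes.txt 3405803786 1060 4096\x01"):
        offer = parse_dcc(line)
        print(offer.kind, offer.address, offer.port, "->", reachability(offer))
```

The first sample is the "Normal" setting's output and decodes to 192.168.1.3, which no one outside the private network can connect to; the second is the "Server" setting combined with a forwarded port and succeeds; the third shows that the public address alone is not enough if the chosen DCC port was never forwarded.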

The center of the universe as far as Checkpoint firewalls and SecuRemote are concerned is www.phoneboy.com ... in particular, the SecuRemote FAQ which goes to great lengths to explain the problems and solutions for installations of SecuRemote.

by KeysCapt
last modified: 2002-07-23 18:52:44

Yes you can; they are just another way of having a home network. Whether it is wireless or wired makes no difference: the DSL connection is still your shared connection to the Internet.

People have got Starcraft "team play" behind NAT working OK using Linux ipchains (which is highly configurable). See http://slashdot.org/askslashdot/99/07/26/0135241.shtml, and search in that discussion for "starcraft"; otherwise, the general problem of team play on a UDP-based multiplayer game where the team is behind a single NAT box can be a challenge for NAT software and equipment.

