Enabling NAT. NAT - setting up network address translation.

Our homes are filling up with digital devices: laptops, tablets and smartphones. While there was a single computer in the apartment, connected directly to the provider's network, no problem arose. Now the question comes up: how do you connect a new laptop or tablet to the Internet? This is where NAT technology comes to the rescue. What is the essence of NAT?
NAT, Network Address Translation, is a mechanism in TCP/IP networks that rewrites the IP addresses of packets in transit.
In plain language: if there are several computers on the local network, then thanks to NAT they can all reach the external Internet through a single external IP address.

What is an IP address?

A router works at the third layer of the OSI model and accordingly uses the IP protocol, the network-layer protocol of the TCP/IP stack. Addressing is an integral part of that protocol: by the existing rules, every device on the network is assigned an IP address, a unique network identifier of the node. Two kinds of IP addresses are in use, grey and white. Grey addresses are the part of the address space set aside for local networks: the subnets 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. All other subnets are used on the Internet and are white IP addresses.

How to provide shared Internet access for devices on the network.

To connect every device on the local network to the Internet you need a router. A router is a device that can connect to the Internet through the provider's network and share that connection with the attached devices, since it has at least 4 LAN ports and a Wi-Fi module. Do not confuse a router with a plain Ethernet switch, which is essentially a dumb "splitter" of the network. Because the router runs a Unix-like operating system, various services can be brought up on it, including the NAT service. To do so, tick "Enable NAT" when configuring the router.

What happens next is this: for every request that passes through it, the router attaches a specific label containing data about the sender on the local network. When the reply to that request arrives, the router uses the label to determine which local IP address the packet should be delivered to. That, in a nutshell, is the whole principle of NAT.

2^32, or 4,294,967,296, IPv4 addresses: is that a lot? It seems so. However, with the spread of personal computers and mobile devices and the rapid growth of the Internet, it soon became obvious that 4.3 billion IPv4 addresses would not be enough. The long-term solution was IPv6, but a quicker solution was required to relieve the address shortage. That solution was NAT (Network Address Translation).

What is NAT

Networks are usually designed with private IP addresses: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These private addresses are used inside an organization or site so that devices can communicate locally, and they are not routable on the Internet. For a device with a private IPv4 address to reach devices and resources outside the local network, its private address must first be translated into a publicly routable address.

This is exactly what NAT does: it translates private addresses into public ones, allowing a device with a private IPv4 address to reach resources outside its private network. NAT combined with private IPv4 addressing has proved a useful way of conserving public IPv4 addresses: one public IPv4 address can be shared by hundreds or even thousands of devices, each with its own private IPv4 address. NAT has the additional benefit of adding a degree of privacy and security to the network, since it hides the internal IPv4 addresses from external networks.

NAT-enabled routers can be configured with one or more valid public IPv4 addresses. These public addresses are called the NAT pool. When a device on the internal network sends traffic outside, the NAT router translates the device's internal IPv4 address into a public address from the NAT pool. To external devices, all traffic entering and leaving the network appears to have a public IPv4 address.

A NAT router usually operates at the border of a stub network. A stub network is a dead-end network with a single connection to its neighbouring network, one way in and one way out.

When a device inside the stub network wants to communicate with a device outside its network, the packet is sent to the border router, which performs the NAT process, translating the device's internal private address into a public, external address of the router.

NAT terminology

In NAT terminology, the inside network is the set of networks subject to translation. The outside network refers to all other networks.

With NAT, IPv4 addresses are designated differently depending on whether they are on the private network or on the public network (the Internet), and on whether the traffic is incoming or outgoing.

NAT includes four types of addresses:

  • Internal Local Address (Inside Local Address);
  • Internal Global Address (Inside Global Address);
  • External local address (Outside Local Address);
  • External Global Address (Outside Global Address);

When determining which type of address is in use, remember that NAT terminology is always applied from the point of view of the device whose address is translated:

  • Internal address (Inside Address) - the address of the device that NAT translates;
  • External address (Outside Address) - the address of the destination device;
  • Local Address (Local Address) - any address as it appears on the inside part of the network;
  • Global Address (Global Address) - any address as it appears on the outside part of the network;

Consider this using the example diagram.


In the figure the PC has an inside local address of 192.168.1.5, and from its point of view the web server has an outside address of 208.141.17.4. When packets are sent from the PC to the web server's global address, the PC's inside local address is translated to 208.141.16.5 (inside global). The address of the external device is usually not translated, because it is already a public IPv4 address.

Note that the PC has different local and global addresses, whereas the web server has the same public IP address in both cases. From its point of view, traffic from the PC comes from the inside global address 208.141.16.5. The NAT router is the demarcation point between the inside and outside networks and between local and global addresses.

The terms inside and outside are combined with the terms local and global to refer to specific addresses. In the figure, the router is configured to provide NAT and has a pool of public addresses to assign to inside hosts.

The figure shows how traffic from the PC to the external web server is sent through the NAT-enabled router, and how it is sent and translated in the reverse direction.


Internal local address (Inside Local Address) - the address of the source as seen from the inside network. In the figure, the address 192.168.1.5 is assigned to the PC; it is its inside local address.

Internal global address (Inside Global Address) - the address of the source as seen from the outside network. In the figure, when traffic from the PC is sent to the web server at 208.141.17.4, the router translates the inside local address into the inside global address. In this case, the router changes the IPv4 source address from 192.168.1.5 to 208.141.16.5.

External global address (Outside Global Address) - the address of the destination as seen from the outside network. It is a globally routable IPv4 address assigned to a host on the Internet. The web server is reachable at 208.141.17.4. Most often the outside local and outside global addresses are the same.

External local address (Outside Local Address) - the address of the destination as seen from the inside network. In this example, the PC sends traffic to the web server at 208.141.17.4.

Let us follow the entire path of the packet. The PC with address 192.168.1.5 attempts to establish a connection with the web server 208.141.17.4. When the packet arrives at the NAT-enabled router, the router reads the packet's destination IPv4 address to determine whether the packet meets the criteria specified for translation. In this example the source address meets the criteria and is translated from 192.168.1.5 (Inside Local Address) to 208.141.16.5 (Inside Global Address). The router adds this local-to-global mapping to the NAT table and forwards the packet with the translated source address to the destination. The web server replies with a packet addressed to the PC's inside global address (208.141.16.5). The router receives the packet with destination address 208.141.16.5 and checks the NAT table, where an entry for this mapping is recorded. It uses that information to translate the inside global address (208.141.16.5) back to the inside local address (192.168.1.5), and the packet is forwarded to the PC.

Types of NAT

There are three types of NAT translation:

  • Static address translation (Static NAT) - one-to-one mapping between local and global addresses;
  • Dynamic address translation (Dynamic NAT) - many-to-many mapping between local and global addresses;
  • Port Address Translation (PAT) - many-to-one mapping between local and global addresses using ports. This method is also known as NAT overload;

Static NAT uses a one-to-one mapping of local to global addresses. These mappings are configured by the network administrator and remain constant. When such devices send traffic to the Internet, their inside local addresses are translated into the configured inside global addresses; to external networks these devices have public IPv4 addresses. Static NAT is particularly useful for web servers or other devices that must have a consistent address reachable from the Internet, such as a company's web server. Static NAT requires enough public addresses to satisfy the total number of simultaneous user sessions.

A static NAT table looks like this:


Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When an inside device requests access to the outside network, dynamic NAT assigns an available public IPv4 address from the pool. Like static NAT, dynamic NAT requires enough public addresses to satisfy the total number of simultaneous user sessions.

A dynamic NAT table looks like this:
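As an added illustration (not code from the original article), the following Python model walks a packet through the translation steps described above: the source is checked against the three private ranges, a static entry or a pool address (first come, first served) is recorded in the NAT table, and the reply is matched by its inside global address; it also shows what happens when the dynamic pool runs out. The addresses are the article's (208.141.16.6 as a second pool address is constructed); the class and function names are assumed.

```python
import ipaddress

# The article's three "grey" (private) ranges: only a source inside one of them
# meets the criteria for translation.
PRIVATE_RANGES = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def needs_translation(ip: str) -> bool:
    """True when the address is private and therefore must be translated."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class NatRouter:
    """One-to-one NAT: static mappings are permanent, dynamic ones come from a pool."""

    def __init__(self, static=None, pool=()):
        self.static = dict(static or {})            # inside local -> inside global, fixed
        self.table = dict(self.static)              # the NAT table (local -> global)
        self.reverse = {g: l for l, g in self.table.items()}
        # Pool addresses not already reserved by a static entry, in assignment order
        self.free = [g for g in pool if g not in self.reverse]

    def outbound(self, src: str, dst: str):
        """Packet leaving the inside network: returns (new src, dst), or None if dropped."""
        if not needs_translation(src):
            return (src, dst)                       # public source: nothing to translate
        if src not in self.table:
            if not self.free:
                return None                         # pool exhausted: no session possible
            glob = self.free.pop(0)                 # first come, first served
            self.table[src] = glob
            self.reverse[glob] = src
        return (self.table[src], dst)

    def inbound(self, src: str, dst: str):
        """Reply arriving from outside: look up the inside global address in the table."""
        local = self.reverse.get(dst)
        if local is None:
            return None                             # no entry: the router cannot deliver it
        return (src, local)

    def release(self, local: str) -> None:
        """End of a dynamic session: return its global address to the pool."""
        if local in self.static or local not in self.table:
            return
        glob = self.table.pop(local)
        del self.reverse[glob]
        self.free.append(glob)


def walk_through():
    """The article's example: 192.168.1.5 reaches 208.141.17.4 via pool address 208.141.16.5."""
    router = NatRouter(pool=["208.141.16.5", "208.141.16.6"])
    out = router.outbound("192.168.1.5", "208.141.17.4")
    back = router.inbound("208.141.17.4", "208.141.16.5")
    return out, back, dict(router.table)


if __name__ == "__main__":
    print(walk_through())
```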


Port Address Translation (PAT)

PAT translates several private addresses to one or more public addresses. This is what most home routers do: the ISP assigns one address to the router, yet several family members can use the Internet at the same time. It is the most common form of NAT.

With PAT, multiple addresses can be mapped to one or a few addresses, because each private address is also tracked by a port number. When a device initiates a TCP/IP session, it generates a TCP or UDP source port value that uniquely identifies the session. When the NAT router receives a packet from the client, it uses the source port number to uniquely identify the specific NAT translation. PAT ensures that devices use a different TCP port number for each session. When the reply returns from the server, the source port number, which becomes the destination port number on the return path, determines to which device the router forwards the packets.

The figure illustrates the PAT process. PAT appends unique source port numbers to the inside global address to distinguish translations.


As the router processes each packet, it uses the port number (1331 and 1555 in this example) to identify the device the packet was sent from.

Source address (Source Address) - the inside local address with the TCP/IP-assigned port number appended. Destination address (Destination Address) - the outside local address with the service port number appended. In this example the service port is 80, HTTP.

For the source address, the router translates the inside local address to the inside global address with the port number appended. The destination address does not change, but it is now referred to as the outside global IP address. When the web server replies, the path is reversed.

In this example, the client port numbers 1331 and 1555 were not changed by the NAT router. That is not a very likely scenario, because there is a good chance that these port numbers are already attached to other active sessions. PAT tries to preserve the original source port. However, if the original source port is already in use, PAT assigns the first available port number starting from the beginning of the corresponding port group: 0-511, 512-1023 or 1024-65535. When no ports are left and there is more than one external address in the address pool, PAT moves on to the next address and tries to allocate the original source port again. This process continues until no available ports or external IP addresses remain.

In other words, suppose another host chose the same port number, 1444. That is acceptable for the inside address, because the hosts have unique private IP addresses. On the NAT router, however, the port numbers must be changed; otherwise packets from two different hosts would leave it with the same source address. PAT therefore assigns the next available port (1445) to the second host's address.

Let us summarize by comparing NAT and PAT. As the tables show, NAT translates IPv4 addresses on a 1:1 basis between private IPv4 addresses and public IPv4 addresses, whereas PAT changes both the address and the port number. NAT forwards incoming packets to their inside address based on the incoming source IP address given by the host on the public network; with PAT there is only one, or very few, publicly exposed IPv4 addresses, and incoming packets are forwarded based on the NAT router's table.

What about IPv4 packets carrying data other than TCP or UDP? These packets have no Layer 4 port number. PAT translates most of the common IPv4 protocols that do not use TCP or UDP as their transport-layer protocol; the most common of these is ICMPv4. Each such protocol is handled differently. For example, ICMPv4 query messages, echo requests and echo replies, include a Query ID. ICMPv4 uses the Query ID to match an echo request with the corresponding reply; the Query ID increases with each echo request sent. PAT uses the Query ID in place of a Layer 4 port number.
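As an added example (not from the original article), this Python model implements the PAT allocation rule from the paragraphs above together with the ICMP Query ID case: the original source port is preserved when free, otherwise the first free port of the same group (0-511, 512-1023, 1024-65535) is taken, and when a group is exhausted on one inside global address the next pool address is tried; ICMP echo is keyed by its Query ID instead of a port. The class and method names are assumed, and the second pool address 208.141.16.6 is constructed.

```python
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(ident: int):
    """Return the (low, high) bounds of the port group an identifier falls in."""
    for lo, hi in PORT_GROUPS:
        if lo <= ident <= hi:
            return lo, hi
    raise ValueError(f"identifier out of range: {ident}")


class PatRouter:
    """NAT overload: many inside local addresses share one or a few inside globals.

    The translation key is (protocol, inside local address, identifier), where the
    identifier is the TCP/UDP source port or, for ICMP echo, the Query ID.
    """

    def __init__(self, pool):
        self.pool = list(pool)                          # inside global addresses, in order
        self.used = {(g, p): set() for g in self.pool for p in ("tcp", "udp", "icmp")}
        self.table = {}                                 # local key -> (global ip, global id)
        self.reverse = {}                               # (proto, global ip, global id) -> local key

    def _allocate(self, proto, ident):
        lo, hi = port_group(ident)
        for gaddr in self.pool:
            used = self.used[(gaddr, proto)]
            if ident not in used:                       # preserve the original port / Query ID
                return gaddr, ident
            for cand in range(lo, hi + 1):              # else first free port of the same group
                if cand not in used:
                    return gaddr, cand
            # group exhausted on this address: fall through to the next pool address
        return None                                     # no ports and no addresses left

    def outbound(self, proto, src_ip, src_id, dst_ip, dst_id):
        """Packet leaving the inside network; returns the rewritten 4-tuple or None (dropped)."""
        key = (proto, src_ip, src_id)
        if key not in self.table:
            alloc = self._allocate(proto, src_id)
            if alloc is None:
                return None
            gaddr, gid = alloc
            self.used[(gaddr, proto)].add(gid)
            self.table[key] = (gaddr, gid)
            self.reverse[(proto, gaddr, gid)] = key
        gaddr, gid = self.table[key]
        return (gaddr, gid, dst_ip, dst_id)

    def inbound(self, proto, src_ip, src_id, dst_ip, dst_id):
        """Reply from outside: the destination port / Query ID selects the inside host."""
        key = self.reverse.get((proto, dst_ip, dst_id))
        if key is None:
            return None                                 # unsolicited packet: no table entry
        _, local_ip, local_id = key
        return (src_ip, src_id, local_ip, local_id)


def walk_through():
    """Two inside hosts pick the same TCP source port 1444 behind one inside global address."""
    pat = PatRouter(["208.141.16.5"])
    first = pat.outbound("tcp", "192.168.1.5", 1444, "208.141.17.4", 80)
    second = pat.outbound("tcp", "192.168.1.6", 1444, "208.141.17.4", 80)
    reply = pat.inbound("tcp", "208.141.17.4", 80, second[0], second[1])
    return first, second, reply


if __name__ == "__main__":
    print(walk_through())
```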

Advantages and disadvantages of NAT

NAT provides many advantages, including:

  • NAT conserves the legally registered addressing scheme by allowing the privatization of intranets. With PAT, inside hosts can share a single public IPv4 address for all external communications; in this kind of configuration very few external addresses are needed to support many inside hosts;
  • NAT increases the flexibility of connections to the public network. Multiple pools, backup pools and load-balancing pools can be implemented to ensure reliable public network connections;
  • NAT provides consistency for internal network addressing schemes. On a network that does not use private IPv4 addresses and NAT, changing the public IPv4 address scheme requires readdressing all hosts on the existing network. The cost of readdressing hosts can be significant. NAT allows the existing private IPv4 address scheme to remain while making it easy to change to a new public addressing scheme. This means an organization can change providers without having to change any of its internal clients;
  • NAT provides network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used together with NAT to gain controlled external access. It must be understood, however, that NAT is not a substitute for firewalls;

But NAT has some drawbacks. The fact that hosts on the Internet appear to communicate directly with the NAT-enabled device, rather than with the actual host inside the private network, creates a number of problems:

  • One disadvantage of using NAT is related to network performance, particularly for real-time protocols such as VoIP. NAT increases switching delays, because translating each IPv4 address in the packet headers takes time;
  • Another disadvantage is that end-to-end addressing is lost. Many Internet protocols and applications depend on end-to-end addressing from source to destination. Some applications do not work with NAT: applications that use physical addresses rather than a qualified domain name do not reach destinations that are translated across the NAT router. This problem can sometimes be avoided by implementing static NAT mappings;
  • End-to-end IPv4 traceability is also lost. It is harder to trace packets that undergo numerous address changes across several NAT hops, which makes troubleshooting more difficult;
  • Using NAT also complicates tunneling protocols such as IPsec, because NAT changes values in the headers, which interferes with the integrity checks performed by IPsec and other tunneling protocols;
  • Services that require TCP connections to be initiated from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router is configured to support such protocols, incoming packets cannot reach their destination;


NAT, or network address translation, is a method of remapping one address space into another by modifying the network addresses in Internet Protocol (IP) packet headers while the packets are in transit across a routing device. The technique was originally used for easier rerouting of traffic in IP networks without renumbering every host. It has become a popular and essential tool for conserving the global address space in the face of the acute shortage of IPv4 addresses.

What is NAT?

Network address translation maps each address from one address space to an address in another address space. This may be needed when the service provider has changed and the user cannot publicly announce a new route to the network. In the face of global address space exhaustion since the late 1990s, NAT is used more and more. It is typically used together with IP masquerading. IP masquerading is a technique that hides an entire IP address space behind a single IP address. The mechanism is implemented in the routing device using a translation table that records the mapping of the hidden addresses onto the single IP address. It also rewrites all outgoing IP packets on the way out, so that they appear to originate from the routing device. Replies on the return path are mapped back to the original IP address using the rules stored in the translation tables. The translation table is in turn cleared after a short timeout unless traffic refreshes its state.

That is the main NAT mechanism. What does this mean? The technique only allows communication through the router when the connection originates inside the masqueraded network, since that is what creates the translation entries. Inside such a network a web browser can view a site beyond its borders, but from outside it is not possible to open a resource hosted inside. Most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as port forwarding or static NAT. It allows traffic from the "outside" network to reach designated hosts on the masqueraded network. Because the method is popular for conserving IPv4 address space, the term NAT has become practically synonymous with masquerading.

Since network address translation changes the address information in IP packets, it can have serious consequences for connection quality, so it requires close attention to every detail of the implementation. NAT implementations differ from each other in their specific behaviour in the various situations that affect network traffic.

Basic NAT

The simplest type of NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this type as basic NAT. In this case only the IP addresses, and with them the IP header checksum, are changed. Basic NAT can be used to interconnect two IP networks that have incompatible addressing.

Most NAT variants map several private hosts to one publicly exposed IP address. In a typical configuration the local network uses one of the designated "private" IP address subnets, and the router has a private address from that space. The router also connects to the Internet using a "public" address assigned by the Internet provider. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from private to public. The router also tracks basic data about each active connection, in particular the destination address and port. When a reply returns, it uses the connection data stored during the outbound phase to determine the private address on the internal network to which the reply must be sent. The main advantage of this functionality is that it is a practical solution to the problem of IPv4 address space exhaustion: even large networks can be connected to the Internet with a single IP address. Every IP packet has two IP addresses, the source address and the destination address. Packets passing from the private network to the public network have their source address changed, while packets passing from the public network to the private network have their destination address changed. More complex configurations are also possible.

Features of NAT configuration

NAT configuration may have certain particularities. To avoid difficulties with the delivery of returned packets, further modification of the packets may be required. Most Internet traffic uses the TCP and UDP protocols; their port numbers are changed so that the combination of IP address and port number maps back uniquely when return data arrives. Protocols not based on UDP or TCP require other translation methods. As a rule, ICMP, the Internet control message protocol, relates the information it carries to an existing connection, which means it must be mapped using the same IP address and number that were established originally. What should be kept in mind? Configuring NAT on a router does not give it end-to-end connectivity. For this reason such routers cannot participate in some Internet protocols. Services that require TCP connections initiated from the outside network, or stateless protocols, may simply be unavailable. Unless the NAT router makes a particular effort to support such protocols, incoming packets may not reach their destination. Some protocols can accommodate one translation between the participating hosts, sometimes with the help of an application-level gateway. However, the connection will not be established when both systems are separated from the Internet by NAT. Using NAT also complicates tunneling protocols such as IPsec, because it changes values in the headers, which interferes with integrity checks.

NAT: Existing problem

A basic principle of the Internet is end-to-end connectivity, which has existed since its inception. The current state of the network shows that NAT is a violation of this principle. The professional community has serious concerns about the widespread use of NAT in IPv6, so the question of how this problem can be eliminated is being raised today. Because the tables that keep translation state in NAT routers are not permanent, devices on the internal network lose IP connectivity after a very short period. This must not be forgotten when talking about what NAT on a router is. It significantly shortens the running time of compact battery-powered devices.

Scalability

With NAT only the ports are tracked, and these can be quickly exhausted by internal applications that use many simultaneous connections, such as HTTP requests for pages with a large number of embedded objects. The problem can be mitigated by tracking the destination IP address in addition to the port. In this way one local port can be shared with a large number of remote hosts.

NAT: Some difficulties

Since all internal addresses are disguised behind a single public one, external hosts cannot initiate a connection to a specific internal node without a special configuration on the firewall that forwards connections to a specific port. Applications for IP telephony, video conferencing and similar services must use NAT traversal methods to work normally. Reverse address and port translation (RAPT) allows a host whose IP address changes from time to time to remain reachable as a server via a fixed home IP address. In principle this should allow servers to be configured to keep their connection. Although such a solution is not ideal, it can be another useful tool in the network administrator's arsenal when solving tasks related to configuring a NAT router.

PAT or Port Address Translation

Port Address Translation is Cisco's implementation of RAPT that maps several private IP addresses to a single public one. Thus several addresses can be mapped to one address, because each of them is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. These numbers are 16-bit integers. The total number of inside addresses that can be translated to one outside address can theoretically reach 65536. In reality, the number of ports that can be assigned to a single IP address is approximately 4000. PAT generally tries to keep the original source port. If it is already in use, Port Address Translation assigns the first available port number from the beginning of the corresponding group. When no ports remain and there is more than one external IP address, PAT moves to the next address to allocate the source port. This process continues until the allocation is done. Cisco's Mapping of Address and Port combines port address translation with tunneling of IPv4 packets over the provider's internal IPv6 network. In essence it is an alternative to Carrier Grade NAT and DS-Lite that supports translation of IP addresses and ports. This avoids the problems associated with establishing and maintaining connection state. It also provides a transition mechanism for IPv6 deployment.

Translation methods

Several basic methods of implementing network address and port translation are known. Certain application protocols need to determine the external address of the NAT used at the other end of the connection, and often also to examine and classify the type of translation. This is usually done because it is desirable to create a direct communication channel between two clients located behind separate NATs. For this purpose a special protocol, RFC 3489, was developed, providing Simple Traversal of UDP through NATs (STUN). It is considered obsolete today, since such methods are now regarded as insufficient to properly assess devices. In 2008 a new specification, RFC 5389, was developed, standardizing new methods. Today this specification is called Session Traversal Utilities for NAT (STUN).

Creating a bilateral connection

Every UDP and TCP packet contains the source IP address and source port number as well as the destination IP address and port. The port number is essential for reaching public services such as mail servers. For example, port 25 connects to an SMTP mail server and port 80 connects to web server software. The IP address of a public server is essential as well. These parameters must be reliably known to the nodes that intend to establish a connection. Private IP addresses are meaningful only in local networks.

IP addresses are a scarce resource. A provider may have a /16 address block (former class C), giving it the ability to connect 65,534 hosts. If there are more customers than that, problems start. Hosts that connect to the Internet from time to time over an ordinary telephone line can be given IP addresses dynamically, only for the duration of the connection. One /16 block will then serve up to 65,534 active users, which may be enough for a provider with several hundred thousand customers. When a session ends, its IP address is assigned to a new connection. Such a strategy can solve the problems of providers with a modest number of private clients connecting over telephone lines, but it will not help providers most of whose clientele are organizations.

Corporate clients prefer to have a permanent Internet connection, at least during the working day. Both small offices, such as a travel agency with three employees, and large corporations have local networks consisting of some number of computers. Some computers are employee workstations, others are web servers. In the general case, a LAN router connected to a provider's leased line provides a permanent connection. Such a solution means that one IP address is associated with each computer. In fact, all the computers of the corporate clients combined cannot exceed the IP addresses available from the provider. For a /16 prefix, as already noted, this limit is 65,534. But if the provider's corporate clients number in the tens of thousands, this limit will be reached very quickly.

The problem is aggravated by the fact that more and more private users want an ADSL or cable connection to the Internet. The features of these methods are as follows:

a) users get a permanent IP address;

b) there is no time-based charge (only a monthly subscription fee is charged).

Users of this kind of service have a permanent connection to the Internet. Development in this direction leads to a growing shortage of IP addresses. Assigning IP addresses "on the fly", as is done for dial-up connections, is useless, because the number of addresses active at any moment can be many times greater than the provider has.

The situation is often complicated further because many ADSL and cable users have two or more computers at home (one per family member, say) and want all of them to have Internet access. What can be done, given that the provider issues only one IP address? The solution: install a router and join the computers into a local network. From the provider's point of view the family then looks like a small company with several computers. Welcome to Pupkin Corporation!

The IP address shortage is not a theoretical problem of the distant future; it is already here and has to be fought now. The long-term plan is a complete transition of the Internet to the IPv6 protocol with its 128-bit addresses. That transition is indeed happening, but so slowly that it has dragged on for years. Seeing this, many concluded that some solution was urgently needed at least for the near term. That solution is network address translation, NAT (Network Address Translation), described in RFC 3022. Its essence is covered below; more detail can be found in (Butcher, 2001).

The basic idea of network address translation is to give each company one IP address (or at most a small number of addresses) for Internet traffic. Inside the company, every computer gets a unique IP address used for routing internal traffic. As soon as a packet leaves the company's building for the provider, however, its address is translated. Three ranges of so-called private IP addresses were set aside for this scheme. A company may use them internally as it sees fit; the only restriction is that packets carrying these addresses must never appear on the Internet. The three reserved ranges are:

10.0.0.0 - 10.255.255.255/8 (16,777,216 addresses)

172.16.0.0 - 172.31.255.255/12 (1,048,576 addresses)

192.168.0.0 - 192.168.255.255/16 (65,536 addresses)

How network address translation works is illustrated in the accompanying figure. Within the company each machine has a unique address of the form 10.x.y.z. When a packet leaves the company's premises, however, it passes through a NAT box, which replaces the internal source IP address (10.0.0.1 in the figure) with the real IP address the company obtained from its provider (198.60.42.12 in our example). The NAT box is usually combined in one device with a firewall, which provides security by strictly controlling the company's incoming and outgoing traffic. The NAT box may also be integrated into the company's router.

One small detail remains. When a reply arrives (from a web server, say), it is addressed to 198.60.42.12. How does the NAT box know which internal address to substitute for the company's shared address? This is the central problem of network address translation. If the IP header had a spare field, it could be used to remember who sent the request; but only a single bit in the header is unused. In principle such a field could be created for the true source address, but that would require changing the IP code on every machine on the Internet, hardly the best way out, especially when a quick fix for the address shortage is wanted.

What actually happened is this. The NAT designers observed that most IP payloads are either TCP or UDP. Both have headers containing a source port and a destination port. Port numbers are 16-bit integers that identify where a TCP connection begins and where it ends. The space occupied by the port numbers is what NAT uses as the field it needs.

When a process wants to open a TCP connection to a remote process, it binds to a free TCP port on its own machine. This becomes the source port, which tells the TCP code where to deliver the packets belonging to this connection. The process also specifies a destination port, which tells the remote side which process to hand the packet to. Ports 0 to 1023 are reserved for well-known services; port 80, for example, is used by web servers, so remote clients can target it. Every outgoing TCP segment carries both a source port and a destination port; together they identify the processes at the two ends of the connection.

An analogy clarifies the role of ports. Suppose a company has a single public telephone number. Callers who dial it reach an operator, who asks whom they want and connects them to the right extension. The main number corresponds to the company's IP address, and the extensions at the two ends correspond to ports. A 16-bit field is used to address ports; it identifies the process that should receive the incoming packet.

The source port field lets us solve the mapping problem. When an outgoing packet arrives at the NAT box, its source address of the form 10.x.y.z is replaced by the company's real IP address, and the TCP source port is replaced by an index into the NAT box's translation table, which has 65,536 entries. Each entry holds the original IP address and the original source port. Finally the TCP and IP checksums are recalculated and written into the packet. The source port field has to be replaced because machines with internal addresses 10.0.0.1 and 10.0.0.2 may happen to use the same source port (5000, say), so the source port alone is not enough to identify the sending process unambiguously.

When a packet arrives at the NAT box from the provider, the destination port is extracted from its TCP header and used as an index into the NAT box's translation table. The entry found there gives the internal IP address and the original TCP source port, and these two values are written into the packet's destination address and destination port fields. The TCP and IP checksums are then recalculated again, and the packet is handed to the company's main router for normal delivery to an address of the form 10.x.y.z.
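The two paragraphs above describe the translation table in prose; the following added example (written for this edit, not code from the original article) models the same NAT box in Python: outgoing packets get the public address and a table index in place of their private source address and port, replies are mapped back by that index, and the IPv4 header checksum is recomputed after each rewrite. The class and function names, the second private host and the remote server address 203.0.113.5 are assumptions made for the illustration; 198.60.42.12 and 10.0.0.1 come from the text.

```python
"""Added example, not code from the original article: a model of the NAT
box described above.  It rewrites the source address and port of outgoing
packets, maps replies back through the translation table, and recomputes
the IPv4 header checksum.  Class and function names, the second private
host and the remote server address are assumptions for this illustration."""
from dataclasses import dataclass, replace
import struct

PUBLIC_IP = "198.60.42.12"   # the company's one public address, as in the text
FIRST_NAT_PORT = 4096        # lower ports are kept for the box's own services
LAST_NAT_PORT = 65535


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the IPv4 header.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(pkt: Packet, proto: int = 6) -> bytes:
    """Serialize a 20-byte IPv4 header for pkt with a valid checksum.  Called
    after every address rewrite, because the old checksum no longer matches
    the new addresses (the 'recalculate' step in the text)."""
    src = bytes(int(o) for o in pkt.src_ip.split("."))
    dst = bytes(int(o) for o in pkt.dst_ip.split("."))
    total_len = 20 + 20 + len(pkt.payload)          # IP header + TCP header + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


class NatBox:
    """Translation table indexed by the external port, exactly as described:
    each entry stores the original (internal IP, internal port) pair."""

    def __init__(self, public_ip: str = PUBLIC_IP):
        self.public_ip = public_ip
        self.table = {}        # external port -> (internal ip, internal port)
        self.reverse = {}      # (internal ip, internal port) -> external port
        self.next_port = FIRST_NAT_PORT

    def _external_port(self, internal: tuple) -> int:
        """Reuse the entry for a known sender, otherwise take the next free slot."""
        if internal in self.reverse:
            return self.reverse[internal]
        if self.next_port > LAST_NAT_PORT:
            raise RuntimeError("translation table full: no free external port")
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = internal
        self.reverse[internal] = port
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: substitute the public address and a table index.
        Two hosts that both picked source port 5000 get distinct indices."""
        ext_port = self._external_port((pkt.src_ip, pkt.src_port))
        return replace(pkt, src_ip=self.public_ip, src_port=ext_port)

    def inbound(self, pkt: Packet):
        """Internet -> LAN: the destination port is the table index.  A packet
        that matches no entry is dropped (None): nobody inside asked for it."""
        internal = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or internal is None:
            return None
        return replace(pkt, dst_ip=internal[0], dst_port=internal[1])


if __name__ == "__main__":
    box = NatBox()
    # Constructed sample traffic: two LAN hosts, same source port, one web server.
    a = box.outbound(Packet("10.0.0.1", 5000, "203.0.113.5", 80, b"GET / HTTP/1.0\r\n\r\n"))
    b = box.outbound(Packet("10.0.0.2", 5000, "203.0.113.5", 80, b"GET / HTTP/1.0\r\n\r\n"))
    print(a.src_ip, a.src_port, "|", b.src_ip, b.src_port)
    reply = box.inbound(Packet("203.0.113.5", 80, PUBLIC_IP, b.src_port, b"HTTP/1.0 200 OK\r\n"))
    print("reply delivered to", reply.dst_ip, reply.dst_port)
    print("checksum verifies:", internet_checksum(ipv4_header(reply)) == 0)
```

The table is keyed on the external port only, as the text describes; a production NAT keys its state on the full (protocol, addresses, ports) tuple and ages entries out, which this model omits.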

With ADSL or cable Internet, network address translation can likewise be used to ease the address shortage. Users are assigned addresses of the form 10.x.y.z. As soon as a packet leaves the provider's domain for the Internet it passes through a NAT box that converts the internal address into one of the provider's real IP addresses; on the way back the reverse operation is performed. To the rest of the Internet, the provider together with its ADSL and cable customers then looks like one large company.

Although the scheme described above partially solves the shortage of IP addresses, many IP purists regard NAT as a plague spreading across the Internet, and they have their reasons.

First, address translation does not fit the IP architecture, which assumes that every IP address uniquely identifies exactly one machine in the world. The whole structure of the Internet is built on that fact. With network address translation, thousands of machines may (and in reality do) have the address 10.0.0.1.

Second, NAT turns the Internet from a connectionless network into something resembling a connection-oriented one. The NAT box must keep a mapping table for every connection passing through it, and keeping per-connection state is the business of connection-oriented networks, not connectionless ones. If the NAT box crashes and loses its mapping table, every TCP connection passing through it can be forgotten. Without NAT, a router failure has no effect on TCP: the sending process simply waits a few seconds and retransmits all unacknowledged packets. With NAT, the Internet becomes as vulnerable to failures as a circuit-switched network.

Third, NAT violates a fundamental rule of layered protocol design: layer k must make no assumptions about what layer k+1 has placed in the payload field. That principle is what keeps the layers independent of each other. If a TCP-2 with a different header format (32-bit port numbers, say) ever replaced TCP, network address translation would fail. The whole point of layering is that a change in one layer cannot affect the others; NAT destroys this independence.

Fourth, processes on the Internet are not obliged to use only TCP or UDP. If the user of machine A invents a new transport protocol to talk to the user of machine B (for some multimedia application, say), they will have to cope with the fact that the NAT box has no TCP source port to work with and cannot handle the packets correctly.

Fifth, some applications embed IP addresses in the body of their messages; the recipient extracts and then uses them. NAT knows nothing about this form of addressing and cannot translate it, so any attempt to use these addresses with the remote party fails. The File Transfer Protocol (FTP) does this and stops working across network address translation unless special measures are taken; the Internet telephony protocol H.323 has the same property. NAT can be patched with a protocol-specific helper (an application-layer gateway) to handle H.323 correctly, but it cannot be patched every time a new application appears.

Sixth, since the source port field is 16 bits wide, at most about 65,536 internal mappings can be multiplexed onto a single IP address, and in practice a mapping corresponds to a simultaneous connection rather than to a machine. The real figure is somewhat smaller: the first 4,096 ports are held back for the box's own needs, so each public IP address, if several are available, can support up to 61,440 mappings.

These and other problems with network address translation are discussed in RFC 2993. Opponents of NAT usually argue that patching the address shortage with a temporary fix only hinders the real evolution, which is the move to IPv6. Back in reality, though, NAT is in most cases simply indispensable, especially for small offices with anywhere from a few computers to a few dozen. NAT can be implemented on one's own in Linux using

The principle of operation of a router

Reading this article, everyone presumably understands what a router is and why it is needed, but has anyone wondered how it actually works? In this article I will try to explain the basic principles of a router in the plainest language I can. It should be useful both to system administrators and to ordinary users.

The main function at work in any router is NAT

NAT (Network Address Translation) serves to replace IP addresses. Local networks use addresses such as 192.168.1.xxx, which creates a routing problem on the global Internet, since IP addresses on the Internet must not be duplicated. NAT solves it: the computers of the local network are connected to the router's local interface and obtain an IP address and a gateway from it (the router is the gateway), while the router's WAN interface connects to the Internet.

Now consider how NAT translation works:

  • A computer on the local network makes a request, for example you try to open a site; the computer sends the request to its gateway address, that is, to our router;
  • The router, having received the request, records your computer as the initiator of the connection, then creates a copy of your packet and sends it to the destination address on its own behalf, with its own IP address; your original packet is simply discarded;
  • The server that received the request processes it and sends a reply, naturally to the router's address. The router is already expecting it, because it recorded that the reply belongs to your computer, and it forwards the reply to you. As you can see, in this scheme a connection can only be initiated by a computer on the local network, and a reply from a server reaches a computer only if the router is waiting for it (that is, it is a reply to a request). In other words, every attempt to connect from outside stops at the router and succeeds only if the router itself offers a service on the requested port or has been configured with Port Forwarding rules, which we discuss next. Note that this protection is a side effect of the translation table, not a firewall policy: whatever the router itself listens on from the WAN side (a web administration interface, say) stays reachable from the Internet.

Port Forwarding

Port Forwarding is essentially the same NAT in the other direction, and therefore necessarily static NAT: specific requests go to specific computers, because the outside world cannot know the IP addresses behind the router. For example, you have set up an FTP or HTTP server on a computer and want to make it reachable. To do so you add a rule to the router stating that all incoming packets for the chosen port (21 or 80 in our case) are to be passed to our computer's IP address on a specified port (the port may be changed in the process). Bear in mind that every forwarded port exposes that service to the whole Internet, so restrict the permitted source addresses where the router allows it.

NAT - DMZ.

NAT - DMZ is exactly the same as Port Forwarding, except that you do not need to write a rule for every port: it is enough to configure NAT - DMZ so that all requests arriving on the router's WAN interface are passed to the designated computer. Changing ports is of course no longer possible. Keep in mind that this exposes every port of that computer to the Internet, and that a consumer router's "DMZ host" is not the same thing as a separate, firewalled DMZ network segment.
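The three sections above (the NAT steps, Port Forwarding and NAT - DMZ) all come down to one decision the router makes for a packet arriving on its WAN interface. The following added example (written for this edit, not code from the original article) puts that decision in Python in the order the text implies: a reply the router is waiting for goes back through its record of the initiator, otherwise an explicit Port Forwarding rule applies, otherwise the DMZ host (if one is configured) gets it, and everything else stops at the router. The WAN address 203.0.113.10, the LAN hosts, the scanner address 198.51.100.7 and all names are assumptions for the illustration.

```python
"""Added example, not code from the original article: the decision a home
router makes for a packet that arrives on its WAN interface, in the order
the sections above describe.  Addresses, rule names and the sample packets
are assumptions made for this illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ForwardRule:
    proto: str
    wan_port: int       # port asked for from the Internet side
    lan_ip: str         # computer on the LAN that serves it
    lan_port: int       # may differ from wan_port ("the port can be changed")


class HomeRouter:
    def __init__(self, wan_ip, forwards=(), dmz_host=None, own_services=()):
        self.wan_ip = wan_ip
        self.forwards = {(r.proto, r.wan_port): r for r in forwards}
        self.dmz_host = dmz_host
        self.own_services = set(own_services)   # e.g. {("tcp", 80)} if the admin UI listens on WAN
        self.expected = {}   # (proto, external port) -> (lan ip, lan port), filled by outbound traffic

    def record_initiator(self, proto, ext_port, lan_ip, lan_port):
        """Outbound connection seen: remember which LAN host the reply belongs to."""
        self.expected[(proto, ext_port)] = (lan_ip, lan_port)

    def wan_to_lan(self, pkt):
        """Return (verdict, packet as delivered); the verdict names the rule that fired."""
        if pkt.dst_ip != self.wan_ip:
            return ("drop", None)                     # not addressed to us at all
        key = (pkt.proto, pkt.dst_port)
        if key in self.expected:                      # a reply the router was waiting for
            lan_ip, lan_port = self.expected[key]
            return ("reply", replace(pkt, dst_ip=lan_ip, dst_port=lan_port))
        if key in self.own_services:                  # the router itself answers on this port
            return ("local", pkt)
        if key in self.forwards:                      # static NAT: Port Forwarding rule
            rule = self.forwards[key]
            return ("forward", replace(pkt, dst_ip=rule.lan_ip, dst_port=rule.lan_port))
        if self.dmz_host is not None:                 # NAT - DMZ: everything else, any port
            return ("dmz", replace(pkt, dst_ip=self.dmz_host))
        return ("drop", None)                          # unsolicited: stops at the router


def exposed_ports(router, scanner_ip="198.51.100.7", probe_ports=range(1, 1025)):
    """Ports an outside TCP scan of the low range would find answered or forwarded.
    With a DMZ host configured, every probed port reaches that host."""
    found = set()
    for port in probe_ports:
        verdict, _ = router.wan_to_lan(Packet("tcp", scanner_ip, 51000, router.wan_ip, port))
        if verdict != "drop":
            found.add(port)
    return found


if __name__ == "__main__":
    # Constructed setup: one forwarded web server, one outbound connection in flight.
    router = HomeRouter("203.0.113.10", forwards=[ForwardRule("tcp", 80, "192.168.1.10", 8080)])
    router.record_initiator("tcp", 40001, "192.168.1.20", 5000)
    print(router.wan_to_lan(Packet("tcp", "198.51.100.7", 443, "203.0.113.10", 40001)))
    print(router.wan_to_lan(Packet("tcp", "198.51.100.7", 51000, "203.0.113.10", 80)))
    print(router.wan_to_lan(Packet("tcp", "198.51.100.7", 51000, "203.0.113.10", 3389)))
    print("exposed without DMZ:", sorted(exposed_ports(router)))
    dmz = HomeRouter("203.0.113.10", dmz_host="192.168.1.50")
    print("exposed with DMZ host:", len(exposed_ports(dmz)), "of 1024 probed ports")
```

The `exposed_ports` scan is the check worth running mentally before enabling a DMZ host: a single Port Forwarding rule exposes one port, whereas the DMZ setting exposes all of them on that machine.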

Routing

To put it simply, routing is forwarding in both directions; unlike NAT, however, the router does not rewrite addresses, it just passes packets between networks according to their destination. For this scheme the router must have at least two LAN interfaces (interfaces, not ports) with different address spaces, for example 192.168.0.1 on one interface and 192.168.1.1 on the other. Computers on the first network then receive addresses of the form 192.168.0.xxx and on the second 192.168.1.xxx, with gateways 192.168.0.1 and 192.168.1.1 respectively. The result is two-way routing.
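The following added example (written for this edit, not code from the original article) shows the forwarding step of the two-LAN router just described: the outgoing interface is chosen by longest-prefix match on the destination address, and, in contrast to NAT, the source and destination addresses are left untouched; only the TTL is decremented. The interface names lan0, lan1 and wan0, the /24 prefixes and the provider gateway 203.0.113.1 are assumptions for the illustration.

```python
"""Added example, not code from the original article: packet forwarding on
a router with two LAN interfaces and a WAN uplink.  Interface names,
prefixes and the provider gateway are assumptions for this illustration."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    ttl: int = 64


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None   # None: the destination network is directly connected


# Constructed routing table for the two-LAN router in the text.
ROUTES = [
    Route(ipaddress.ip_network("192.168.0.0/24"), "lan0"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "lan1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan0", "203.0.113.1"),   # default route to the provider
]


def lookup(dst_ip, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst_ip wins,
    so a LAN destination is never sent out of the default route."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def forward(pkt, routes=ROUTES):
    """Return (out_iface, next_hop, forwarded packet), or ("drop", reason, None).
    Addresses are unchanged; that is the difference from NAT."""
    if pkt.ttl <= 1:
        return ("drop", "ttl exceeded", None)        # a looping packet dies here
    route = lookup(pkt.dst_ip, routes)
    if route is None:
        return ("drop", "no route", None)
    next_hop = route.gateway or pkt.dst_ip            # directly connected: hand to the host itself
    return (route.iface, next_hop, replace(pkt, ttl=pkt.ttl - 1))


if __name__ == "__main__":
    print(forward(Packet("192.168.0.5", "192.168.1.7")))      # LAN to LAN via lan1
    print(forward(Packet("192.168.1.7", "198.51.100.20")))    # out to the Internet via the provider
    print(forward(Packet("192.168.0.5", "192.168.1.7", ttl=1)))
```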
