5.5 NAT and ports
In this part you will see how the IP port address allows the router to separate traffic intended for different devices in its private LAN.
Now watch the video below, which is about 5 minutes long.
Note that at 02:41 the speaker says ‘would then be 192.168.1.100, port 4321’ but meant to say ‘would then be 192.168.0.100, port 4321’; and at 03:12 says ‘in my case, 192.168.100, port 4321’ but meant to say ‘in my case, 192.168.0.100, port 4321’.
Box _unit4.1.6 NAT and ports
You’ve seen how network address translation at the gateway router allows devices with private addresses to access the internet by systematic swapping of the original private address with the router’s internet address.
But that’s not quite the full story. What happens now if I ask for the same web page, once from my desktop and once from my laptop? The gateway is going to do its network address translation and change the source IP address in both requests to be its own. The web server will get two requests so it will send two replies. That’s fine, but when the replies come back to the gateway, one of these should be sent to my desktop and one to my laptop. Well, how is it going to sort them out?
There is a way to deal with this. I have been taking a liberty by only talking about IP addresses as the source and destination of traffic. But strictly I should also include the IP port number. IP port numbers are used to keep different streams of traffic separate on one computer. So for example, my PC may have one stream open to a website, another open to my email account. Traffic will come back to my IP address and be delivered to my PC, but it still needs to be delivered to the correct application. And it’s the port number that’s used to do that.
By the way, there’s possible confusion here with the network port as meaning the hole in which a cable’s going to be plugged – so here we’re talking about a software thing, not hardware. But the port is similar in the sense that both types of port are ways to keep connections separate.
Now, there are well-known port numbers for some traffic, for example port 80 is used for HTTP, that is web page traffic. So a request for a web page at MegaCorp will be to 184.108.40.206:80, while a mail request at MegaCorp might be to 220.127.116.11:23. The two port numbers, 80 and 23, will keep the traffic separate.
So my source address will also have a port number as well as an IP number. What will that be? Even if I’m asking for a web page, it won’t be port 80: the well-known numbers are reserved for server hosts, but there are many others available. My browser is acting as a client, so it will simply ask for a new unused port number from the operating system when it opens a connection to the website – it might get 4321 as the port number, so the full source address would then be 192.168.0.100, port 4321. [Audio mistakenly says 192.168.1.100.]
Now, the gateway, when it replaces my IP address in outgoing packets, can also replace the port number. It will of course keep a record of what translations it’s handling in a table, so when packets come back to the router, it can be used to look up the port number it used, and change the port number and IP address back to, in my case, 192.168.0.100, port 4321. [Audio mistakenly says 192.168.100.]
That means the two requests, one from my laptop and one from my desktop, as they go out can be given different port numbers. When the replies come back with different port numbers, the router can look up the port number in its table to decide which device, desktop or laptop, the request originally came from.
I can have a look at the NAT table in the gateway router. For example, this originated on my desktop 192.168.0.100 with a port number of 4321, which has been translated to 18.104.22.168; in this case it didn’t change the port number. Another request, that was actually going to the same destination web server 22.214.171.124:80, but was coming from my laptop with address 192.168.0.101 and port number of 1027, that’s been translated to 126.96.36.199 with a port number of 1033. So we have two distinct port numbers, 4321 and 1033, both sending requests to the same web server, 188.8.131.52:80. When the replies come back in from 184.108.40.206:80, we can use the port number there, 4321 or 1033, to decide which was the required destination IP address.
So we’ve seen how network address translation with port numbers allows me to browse from my desktop and from my laptop, to the same website, at the same time, without the traffic getting messed up.
The gateway router may be performing network address translation for many devices within a private LAN. To distinguish between streams of traffic intended for different devices, the router may change the IP port number as well as the IP address.
IP port numbers are used in normal IP traffic because a single device may have many different network streams operating at the same time; the port number can be used to separate packets destined for different applications (e.g. email or web browsing) or components (e.g. tabs in a web browser). Some well-known port numbers exist that must be preserved; for example port 80 is always used by HTTP traffic to request a web page from a web server. But for many purposes the port number is obtained at random from a pool, so there is no problem caused by replacing the port number by a different value.
Study note _unit4.1.1 IP port numbers and hardware ports
Note that the term port is used in two different senses in networking. The IP port number referred to here is a software concept; it has no connection to a hardware port, which is a socket into which a cable is plugged. But there is some similarity: different hardware ports are used for traffic from different devices, and different IP port numbers are used for traffic from different programs running on a single network device.
The router maintains a table of network address translations it has carried out. This records the original IP address and port, and the replacement IP address and port. A different port number is used for every network stream. When incoming packets arrive, the router will look up the port number in the table to find the appropriate reverse translation and then replace the IP address and port number before the packet is switched over the LAN.
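The table lookup in both directions, as an added example that is not part of the course material: a small NAT table that keeps the original port when it is still unused on the public side, allocates a fresh one when two inside devices happen to choose the same port, and drops inbound packets that match no entry. The public address 203.0.113.56 and the private addresses are assumed values borrowed from the transcript and the activity.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port number)


@dataclass
class PortNat:
    """NAT table for one gateway: one public address shared by the whole LAN."""
    public_ip: str
    outbound: Dict[Endpoint, int] = field(default_factory=dict)  # private (ip, port) -> public port
    inbound: Dict[int, Endpoint] = field(default_factory=dict)   # public port -> private (ip, port)
    next_port: int = 1024  # pool used only when a private port is already taken on the public side

    def translate_out(self, src: Endpoint) -> Endpoint:
        """Rewrite the source of a packet leaving the LAN and record the mapping."""
        if src in self.outbound:                # packet belongs to a stream already in the table
            return (self.public_ip, self.outbound[src])
        _, port = src
        if port not in self.inbound:            # original port still unused publicly: keep it
            public_port = port
        else:                                   # two inside hosts chose the same port: pick a new one
            while self.next_port in self.inbound:
                self.next_port += 1
            public_port = self.next_port
        self.outbound[src] = public_port
        self.inbound[public_port] = src
        return (self.public_ip, public_port)

    def translate_in(self, dst: Endpoint) -> Optional[Endpoint]:
        """Rewrite the destination of a reply arriving from the internet.

        Returns None when no table entry exists: the gateway has nowhere to
        deliver an unsolicited packet, so it is dropped.
        """
        ip, port = dst
        if ip != self.public_ip:
            return None
        return self.inbound.get(port)


if __name__ == "__main__":
    nat = PortNat("203.0.113.56")                          # assumed public address (from the activity)
    desktop = nat.translate_out(("192.168.0.100", 4321))   # port free, so it is kept
    laptop = nat.translate_out(("192.168.0.101", 4321))    # same port chosen: gets 1024 from the pool
    print("outbound:", desktop, laptop)
    print("replies :", nat.translate_in(desktop), nat.translate_in(laptop))
    print("unsolicited:", nat.translate_in(("203.0.113.56", 5555)))
```

The last call returns None because no inside device ever opened that stream, which is why an unsolicited connection from the internet does not reach a private address through a NAT gateway of this kind.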
Activity _unit4.1.7 Activity 7 Test yourself
Here is a NAT table which has entries for several current streams of network traffic. It shows the addresses of both ends of the stream, one of which is inside the LAN while the other is outside on the internet. For the inside, both the original private and translated public address for the device are shown.
| Inside: private address | Inside: translated address | Outside address |
|---|---|---|
Traffic leaving the LAN
Some IP packets arrive at the router from the LAN for destinations on the internet. Translate the original private addresses to the appropriate source address so that the IP packet can be routed onto the internet.
Using the following two lists, match each numbered item with the correct letter.
1. IP packet source: 203.0.113.56:55628
2. IP packet source: 203.0.113.56:54602
3. IP packet source: 203.0.113.56:53899
4. IP packet source: 203.0.113.56:57978

a. Inside private address: 192.168.3.45:63156
b. Inside private address: 192.168.3.36:51874
c. Inside private address: 192.168.3.23:53245
d. Inside private address: 192.168.3.10:51562
- 1 = d
- 2 = c
- 3 = a
- 4 = b
In this activity you are carrying out network address translation by hand for packets leaving the LAN.
Packets from the LAN arrive at the router with the source address of the sending device; this is a private address and needs to be replaced by the address of the router itself. The port address may also change to ensure that streams of traffic are kept separate. By looking up the private IP address and port number in the table, you can identify the translation needed to give the new source IP address and port number. For example, packets sent originally by 192.168.3.10:51562 should have their source address translated to 203.0.113.56:55628 before being routed on to the internet. The address 203.0.113.56 is the external IP address of the router; 55628 has been (randomly) allocated to identify this stream of network traffic.
Traffic arriving at the LAN
IP packets are also returning to the router from the internet. Replace the destination addresses in the IP packet with that of the intended device on the LAN.
Using the following two lists, match each numbered item with the correct letter.
1. Inside private address: 192.168.3.10:51562
2. Inside private address: 192.168.3.23:53245
3. Inside private address: 192.168.3.45:63156
4. Inside private address: 192.168.3.36:51874

a. IP packet destination: 203.0.113.56:53899
b. IP packet destination: 203.0.113.56:54602
c. IP packet destination: 203.0.113.56:55628
d. IP packet destination: 203.0.113.56:57978
- 1 = c
- 2 = b
- 3 = a
- 4 = d
In this activity you are carrying out the reverse step of network address translation by hand.
Packets from the internet arrive at the router with a destination address of the router itself but need to be delivered to devices on the LAN. By looking up the port number in the table, you can identify which private address needs to be placed in the packet to deliver it to the intended destination. For example, packets arriving at the router with the destination address 203.0.113.56:55628 need to have this address changed to 192.168.3.23:51562 to be delivered to the correct device on the LAN.