TechLife Australia

All about that NAT

UNDERSTANDING NETWORK ADDRESS TRANSLATION SHOULD MAKE CONFIGURING YOUR ROUTER MUCH EASIER.

- NATHAN TAYLOR

QUITE A FEW years back now, internet engineers realised we had a problem. And that problem is that IP version 4 (IPv4) addresses are only 32 bits long (they’re typically represented by a quartet of eight-bit numbers, eg. 192.168.1.1). That meant that there were only about four billion possible internet addresses – which is not enough, given that pretty much everything is now connected to the internet.

In the long term, the solution to this problem is IP version 6 (IPv6), which extends address length to 128 bits (for a total of 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses, which should keep us going for a while). But it turns out that getting the entire internet to switch to a new standard is really, really hard. So in the meantime we have network address translation (NAT).

NAT lets you connect multiple devices to a single IP address. When you connect to the internet, your ISP will give you a single IP address. This is known as your public IP address, and it’s the only one visible to the rest of the world. NAT allows you to share this IP address across multiple devices.

On your LAN, instead of using a public IP address, each device is instead assigned a private IP address by your router to serve as their unique identifier. Several IP ranges – notably 192.168.X.X and 10.1.X.X – have been set aside for just this purpose.

Your devices can communicate with each other using these IP addresses, but nothing outside your network can see them (that’s why your neighbour can also have devices configured to 192.168.X.X without conflicting with yours). But to communicate with the outside world, they have to go through your router, which uses its NAT service to act as a proxy for them.

ROUTING AND THE FIREWALL EFFECT

One of the side effects of using NAT is that it actually provides a level of security for your devices through an effective firewall. Let’s say you’re using a PC with the private IP address of 192.168.1.2. To request a web site, the PC asks your router (which has a “real” public IP address) to grab the site for you. Throughout the course of the communication between the PC and site, the router then constantly acts as a translator. When the site responds, it remembers which private IP address requested the site and forwards the data on to that PC. As long as the connection between the PC and site is open, the router knows which private device to forward the data on to.

But what happens when a site or user on the internet tries to contact a PC on your LAN, without your PC first initiating the contact? The NAT-enabled router will be getting a connection request on the public IP address, but it won’t know which device (ie. which private IP address) to forward that request on to. So it just rejects the request.

In effect, if you’re using NAT, connections can only be made one way. You can dial out, but people can’t dial in. In many cases that’s a good thing – it stops hackers and malware from accessing your systems, just like a firewall. But sometimes you’d like people to be able to talk to your devices. Maybe you’re running a server (like a media or Minecraft server), or use a direct chat client. This is where port forwarding and UPnP come in.

PORT FORWARDING

We’ve talked a little bit about port forwarding before in this column, but if you’ve followed what we’ve written above, you’ll probably understand a little better how it works. Port forwarding tells a router that whenever traffic comes in on a particular TCP or UDP port, it should always be forwarded onto a specific private IP address. For example, if you run a Minecraft server on a PC with the private IP address 192.168.1.2, you could tell your router that all incoming traffic on port 25565 (the port that Minecraft uses) should be forwarded on to 192.168.1.2. That way people from outside your network can make a connection and the router will know where it goes.

Every app and service uses its own unique port, and you’ll have to do a bit of research to find which one you need to forward. But once you’ve done that, setting up port forwarding is actually pretty easy. You just:

1. Head to the router admin console, and find the port forwarding settings. Usually they’re found under the firewall or security settings areas.
2. Click on add a port forwarding rule.
3. Give it a name, and enter the port number you want to forward (generally the external and internal port numbers are going to be the same, unless you plan on running your internal server on a nonstandard port).
4. Generally, you’ll choose to forward both UDP and TCP packet types (these are the two major types of IP traffic).
5. Enter the private IP address of the target computer, the one on which you’re running the server.
6. Save the rule.

Now any incoming data on that port will automatically be forwarded onto the selected device.

You can make as many such port forwarding rules as you like. You can also choose to forward ranges of ports (say 2500 to 2600) rather than a single port.

UPNP

The good news is you don’t have to set up port forwarding nearly as much as you used to. UPnP on routers lets applications configure their own port forwarding. The application can talk to the router and ask that a particular port be forwarded to it for as long as it’s running. That way, you don’t have to face any scary port forwarding settings at all.

If you’re having communications problems, the first thing you should do is check if UPnP is turned on in your router settings. If it is, and it still doesn’t work, only then should you resort to port forwarding.

PORT TRIGGERING

Port triggering is another option on most routers, but it’s one that most people probably won’t find much use for. It’s a special kind of conditional port forwarding. With port triggering, when the router senses a connection on a specific outgoing port, it will then automatically activate a port forwarding rule for incoming traffic.

For example, you could set up a rule that says “if I make an outbound connection on port 6667, then forward all incoming traffic on ports 113 and 6000-700 to this PC.” These days, port triggering is fairly niche, and not something most users have to worry about.

THE DMZ

The DMZ (demilitarized zone) is a special case of port forwarding. The router forwards all data on all ports onto a PC configured in the DMZ. In essence, that computer is ‘naked’ to the internet, and has completely free and open access to all ports (and anyone can communicate with it openly).

In many cases, the DMZ setting on a router is a single IP address that you enter. You could configure 192.168.1.2 as being in the DMZ and the router would then forward all data on. In some more sophisticated settings you can use a device’s unique MAC address in lieu of the private IP address and specify IP ranges that can contact the device.

Setting up a PC in the DMZ is something you should do only if you really know what you’re doing and are 100% sure of the security of that device. It makes the device as accessible to anyone on the internet as if they were on your home network.
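The behaviour described in the firewall-effect, port forwarding and DMZ sections above, as an added Python model that is not from the article: the addresses are constructed from the RFC 5737 documentation ranges, and keying the translation table on protocol and public port while only accepting replies from the host that was contacted is a simplifying assumption (real routers differ in how strictly they filter unsolicited inbound traffic).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample addresses from the RFC 5737 documentation ranges, not real hosts.
PUBLIC_IP = "203.0.113.7"   # stands in for the single address the ISP hands out

@dataclass
class NatRouter:
    """Toy model of a router's NAT service: translation table, port-forward rules, DMZ host."""
    public_ip: str
    next_public_port: int = 40000
    # (proto, public port) -> (private IP, private port, remote host that was contacted)
    table: Dict[Tuple[str, int], Tuple[str, int, str]] = field(default_factory=dict)
    forwards: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (proto, port) -> private IP
    dmz_host: Optional[str] = None

    def outbound(self, proto: str, private_ip: str, private_port: int, remote: str) -> int:
        """A LAN device dials out: allocate a public port and remember who asked for what."""
        public_port = self.next_public_port
        self.next_public_port += 1
        self.table[(proto, public_port)] = (private_ip, private_port, remote)
        return public_port

    def inbound(self, proto: str, remote: str, public_port: int) -> Optional[Tuple[str, int]]:
        """A packet arrives from the internet on public_ip:public_port; decide where it goes."""
        entry = self.table.get((proto, public_port))
        if entry is not None and entry[2] == remote:
            # Reply to a connection a LAN device opened: translate back to that device.
            # (This toy only accepts replies from the host that was contacted; real routers vary.)
            return entry[0], entry[1]
        if (proto, public_port) in self.forwards:
            # Explicit port-forward rule gives unsolicited traffic on this port a home.
            return self.forwards[(proto, public_port)], public_port
        if self.dmz_host is not None:
            # DMZ: anything that matched nothing else lands on the one exposed host.
            return self.dmz_host, public_port
        return None  # nobody asked for this and no rule covers it: rejected (the "firewall effect")

def walkthrough() -> dict:
    """Replays the article's scenarios and returns each outcome."""
    r = NatRouter(PUBLIC_IP)
    pub = r.outbound("tcp", "192.168.1.2", 51000, "198.51.100.5")  # the PC fetches a web site
    out = {"reply_to_pc": r.inbound("tcp", "198.51.100.5", pub)}    # ('192.168.1.2', 51000)
    out["unsolicited"] = r.inbound("tcp", "198.51.100.9", 25565)     # None: dropped
    r.forwards[("tcp", 25565)] = "192.168.1.2"                       # Minecraft port-forward rule
    out["minecraft"] = r.inbound("tcp", "198.51.100.9", 25565)       # ('192.168.1.2', 25565)
    out["udp_not_forwarded"] = r.inbound("udp", "198.51.100.9", 25565)  # None: rule is TCP only
    r.dmz_host = "192.168.1.3"
    out["dmz"] = r.inbound("udp", "198.51.100.9", 12345)             # ('192.168.1.3', 12345)
    return out
```

The `udp_not_forwarded` case is why the article suggests forwarding both TCP and UDP unless you know which one the service uses; the `dmz` case shows why a DMZ host must be hardened, since every unmatched port reaches it.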

Network address translation is a core feature of modern routers.
Your router’s DHCP server assigns private IP addresses to devices on your network.
Port triggering is a conditional port forward setting.
The DMZ is only for experts.
Once you understand what’s going on, port forwarding really isn’t that scary.
Make sure UPnP is turned on. It makes life much easier.
