Which device does the NAT mechanism belong to? Network Address Translation (NAT) and SIP. Why is NAT needed and how is it used

NAT (from the English term Network Address Translation) is a function of TCP/IP networks that rewrites the IP addresses of packets passing through a device. All routers have it; on home routers the feature is usually called port forwarding.

The advantage of this technology is that neither the routers nor the end nodes of the internal network need to be reconfigured. It is not used where many internal nodes work with external networks at the same time.

NAT types

Static NAT

It is usually not used by individuals, but by companies that have many IP addresses and need some of them to stay constant so that particular servers remain reachable from outside. To reach any service (mail, a website, etc.) you need to know two parameters: the IP address (or DNS name) and the port. Usually the port is not typed in explicitly (unless it has been changed from the default), because programs supply it automatically, so the user often does not even know it exists. For other users of the global network to work with a specific computer, they need to know its IP address (or DNS name) and the service port.

If a person has static Network Address Translation and a single computer on the network, the port does not need to be known; the IP address is enough. To limit access, a firewall must be installed.

To make it clearer, we can draw the following analogy: an IP address is someone's house and a port is their apartment. To find the person, you need to know both.

How it works. Say the provider issued 4 IP addresses for 3 servers. The first is assigned to the router and the rest go to the servers. To reach a server it is enough to specify its external IP, for example the second one, and the router will redirect the connection to the first server. The person reaches the server and works on it without knowing that its real address is different. A record of this translation is kept in the NAT table.

There are positive points: the user's internal addresses are not visible, although the host itself is visible from the Internet. The downside is that it is easy for any other user to attempt to hack that computer.

Dynamic NAT

Unlike static NAT, there is one exception: from the global network there is no way to see the servers you work with. The client receives several IP addresses, but here the router distributes them. When a client goes online, the router itself selects one of the received addresses, issues it and enters it into the Network Address Translation table. The record is not stored for long: when the user leaves the Internet, it is erased from the table.

The big disadvantage is that the number of simultaneous connections to the global network cannot exceed the number of IP addresses issued by the provider. Until an address is freed, new users will not be able to connect. Compared with the first type there is a great advantage: other users will not be able to freely reach the computer's disk, since the addresses are constantly changing. Also, the clients themselves do not need to distribute IP addresses; the router does it for them.

Port Address Translation (PAT), NAT Overload and Masquerading

This type is more relevant to an individual, since a single external address is issued and the user only assigns a port to each server. Say someone needs a torrent client to be reachable; for this they need not only an internal port but also an external one. The program uses the internal port only on the computer where it is installed. Other machines connect to the external port located on the router. Very often, but not always, the two coincide.

This method has an advantage: access is open to one specific program and everything else is closed. The disadvantage is that ports very often need to be configured manually.

How to change NAT type

First you need to open the router's settings. To do this, type 192.168.1.1 or 192.168.0.1 in the browser (or another address, depending on the router). Enter your login and password. There you can see your IP and network settings.

Then contact your Internet provider, give them the data you saw in the router, and they will reconfigure everything.

NAT Terminology

For NAT, it is important to distinguish between the internal and the external network. The internal network includes all networks whose addresses are subject to translation, and the external network includes all other networks.

The system has 4 types of addresses:

  • inside local;
  • inside global;
  • outside local;
  • outside global.

Inside addresses are those that take part in the NAT translation, while outside addresses belong to the device you need to reach. Local means the address as it appears on the internal network, and global means the address as it appears on external networks.

How to check if a computer is behind NAT

To do this, it is enough to determine the IP address of the user's computer. If the address falls within one of the following ranges (used only for local networks):

  • 10.0.0.0 - 10.255.255.255;
  • 172.X.0.0 - 172.X.255.255 (X takes a value from 16 to 31);
  • 192.168.X.0 - 192.168.X.255 (X is most often 0 or 1, but takes values from 0 to 255),

then this computer is on a local network and the user is behind NAT.

NAT settings, how to make it open

To configure NAT in the router, open a browser, type 192.168.1.1 or 192.168.0.1 (the router address) and enter the login and password (usually Admin/Admin). Then open Configuration (settings), then Network, then Routing. In the new window select Policy Routing (new rule). Routing conditions are set here. You can select by various properties, such as users, interfaces, source or destination IP addresses and destination port.

Next set the traffic target; there are several options: Auto redirects traffic to the default global interface, Gateway to the address specified in the settings, Trunk to several interfaces, and Interface to the interface that is specified.

The server is configured as follows: open Server Manager, then in the new window click Add roles and features, click Next, select Remote Access, add the required components and continue. Then select the role services, check Routing and click Next. At the very end, click Close.

After connecting your computer to the server, you need to configure it for NAT. In the Start menu, under Administrative Tools, open the Routing and Remote Access window. To activate it, click “Enable routing and remote access”, then “Next”, and select Network address translation (NAT). Then select the Internet interface and enable the basic name and address services. Continue clicking “Next” several times and finally “Finish”.

The provider with which the client has a contract for Internet service can help make NAT open; you just need to contact them with this question.

NAT loopback and NAT Traversal technology

The essence of NAT loopback is that if a packet from the internal network is addressed to the router's external IP address, that packet is treated as external and is subject to the firewall rules for external connections. After the packet has passed through the firewall, Network Address Translation takes over and acts as an intermediary between two intranet machines. The result is the following:

  • you can find out how a network service's settings look from outside the local network;
  • you can reach a server located on the local network by its domain name. Without the loopback (or hairpinning) function these actions would be impossible; you would need to edit the hosts file for every such domain;
  • the main disadvantage is the increased load on the router and hub.

NAT Traversal is the ability of network applications to determine that they are located behind a NAT device. In this case, Network Address Translation helps determine the external IP address of the device and map ports so that NAT forwards packets used by the application from an external port to an internal one. All of this is done automatically. Without it, the user would have to map the port settings manually and change various parameters. But there are also disadvantages: you need to be careful with such applications, because they can control the device quite broadly, and vulnerabilities may appear as a result.

Good day, dear readers! Well, let's talk about NAT.

Today we will discuss in more detail a somewhat painful and rather incomprehensible topic, but more incomprehensible than painful.

To a greater extent, this problem concerns those who play multiplayer games; in short, it sounds something like this: “WHY DOES NO ONE COME TO ME?” For others the problem looks a little different, namely:

  • Why doesn't the torrent download?
  • Why can't users/friends/acquaintances/strangers connect to the FTP, WEB, VOIP (TS, Mumble, Bucket) and other servers that you spent so long setting up and even checked that everything works for you?
  • Why is your personal home server empty? Could this be a universal conspiracy?

But there is no conspiracy; the culprit of all these troubles is right next to you, slyly winking with its lights, and its name is... the router, yes, the same one that distributes the Internet to all your (and maybe your neighbours') devices.

In short, Internet users cannot connect to you because your router does not let them, and it does this not on a whim but because it does not know that all these people want to connect to you. So it thinks they want something from it.

Yes, I just described to you why NAT is needed. And now about what it is.

General definition

NAT (Network Address Translation) is a mechanism that lets the router determine which services located behind it should be accessible from the Internet, so that users from there can use those services (I did not take the definition from the wiki, because it is abstruse and not everyone understands it).

NAT is present in one form or another in all routers and server operating systems. In routers it is usually called port forwarding, in Linux it is iptables, and on Windows servers it lives in a dedicated management snap-in. Now let's talk about the various types of NAT.

Type one, Static NAT

Static NAT is not needed at home, but it is needed if your provider has allocated several IP addresses (external or “white” addresses) to your company and you need some servers to always be visible from the Internet without their addresses changing.

That is, a 1-to-1 address translation occurs (one external IP is assigned to one internal server). With this setup your servers are always accessible from the Internet on any port.

  • The advantage of this method is that you open access from the Internet specifically for a specific program on a specific computer/server; all other ports of that computer/server remain closed;
  • The disadvantage is that you need to open all ports manually (sometimes programs do this for you using UPnP technology, but this does not always work).

Afterword

It turned out a little chaotic, and the topic is quite complicated, but I hope now the word NAT won’t make you shiver :)

As always, if you have any questions, thoughts, additions, etc., please feel free to comment on this post.

PS: For the existence of this article, special thanks to a friend of the project and a member of our team under the nickname “barn4k”.

IP addresses are a scarce resource. A provider may have a /16 block (formerly class B), which allows 65,534 hosts to be connected. If there are more clients, problems begin. Hosts that connect to the Internet from time to time over a regular telephone line can be allocated IP addresses dynamically, only for the duration of the connection. Then one /16 block will serve up to 65,534 active users, which may be enough for an ISP with several hundred thousand clients. When a session ends, the IP address is reassigned to a new connection. This strategy may solve the problems of providers that do not have very many private clients connecting over telephone lines, but it will not help providers whose clientele is mostly organizations.

The fact is that corporate clients prefer to have a constant connection to the Internet, at least during the working day. Both small offices, for example a travel agency with three employees, and large corporations have local networks consisting of some number of computers. Some are employee workstations, some serve as web servers. In general there is a LAN router connected to the ISP over a dedicated line to provide a permanent connection. This means that each computer is associated with one IP address all day long. In effect, the total number of computers owned by all corporate clients combined cannot exceed the number of IP addresses available to the provider. For a /16 block that limit is, as already noted, 65,534. If the Internet service provider has tens of thousands of corporate clients, the limit will be reached very quickly.

The problem is further aggravated by the fact that an increasing number of private users want to have an ADSL or cable connection to the Internet. The features of these methods are as follows:

a) users receive a permanent IP address;

b) there is no time-based payment (only a monthly subscription fee is charged).

Users of this type of service have a permanent connection to the Internet. Development in this direction leads to an increase in the shortage of IP addresses. Assigning IP addresses on the fly, as is done with a telephone connection, is useless, because the number of active addresses at any given time can be many times greater than the provider has.

Often the situation is further complicated by the fact that many ADSL and cable Internet users have two or more computers at home (for example, one for each family member) and want all machines to have Internet access. What to do - after all, there is only one IP address issued by the provider! The solution is this: you need to install a router and connect all computers into a local network. From the provider's point of view, in this case the family will act as an analogue of a small company with several computers. Welcome to the Pupkin Corporation!

The problem of the shortage of IP addresses is by no means theoretical and does not relate to the distant future. It is already relevant, and we have to fight it here and now. The long-term project involves a total transfer of the entire Internet to the IPv6 protocol with 128-bit addressing. This transition is indeed happening gradually, but the process is so slow that it drags on for years. Seeing this, many realized that it was urgent to find some solution, at least for the near future. Such a solution was found in the form of the network address translation method, NAT (Network Address Translation), described in RFC 3022. Its essence is discussed below, and more detailed information can be found in (Butcher, 2001).

The basic idea of ​​network address translation is to assign each business one IP address (or at least a small number of addresses) for Internet traffic. Within the company, each computer receives a unique IP address, which is used to route internal traffic. However, as soon as the packet leaves the company building and is sent to the provider, address translation is performed. To implement this scheme, three ranges of so-called private IP addresses were created. They can be used within the company at its discretion. The only restriction is that packets with such addresses must under no circumstances appear on the Internet itself. These three reserved ranges are:

10.0.0.0 - 10.255.255.255/8 (16,777,216 hosts)

172.16.0.0 - 172.31.255.255/12 (1,048,576 hosts)

192.168.0.0 - 192.168.255.255/16 (65,536 hosts)

The operation of the network address translation method is shown in the following diagram. Within the company's territory, each machine has its own unique address of the form 10.x.y.z. However, when a packet leaves the company's premises, it passes through a NAT block that translates the internal source IP address (10.0.0.1 in the figure) into the real IP address the company received from the ISP (198.60.42.12 in our example). A NAT block is usually a single device combined with a firewall that provides security by strictly monitoring the company's incoming and outgoing traffic. The NAT block can also be integrated with the company's router.

We have so far avoided one small detail: when a response to a request arrives (for example, from a web server), it is addressed to 198.60.42.12. How does the NAT block know which internal address to substitute for the company's public address? This is the main problem with network address translation. If there were a free field in the IP packet header, it could be used to remember the address of the original sender. But only one bit in the header is unused. In principle, such a field for the true source address could be created, but that would require changing the IP code on every machine across the Internet. This is not the best solution, especially if we want a quick fix for the problem of running out of IP addresses.

This is what actually happened. NAT developers noticed that the payload of most IP packets is either TCP or UDP. Both formats have headers containing source and destination port numbers. Port numbers are 16-bit integers that identify the endpoints of a TCP connection. The place where the port numbers are stored is used as the field that NAT needs in order to work.

When a process wishes to establish a TCP connection with a remote process, it binds a free TCP port on its own computer. This port becomes the source port, which tells the TCP code where to deliver packets for that connection. The process also determines the destination port, which tells the remote side which process to hand the packet to. Ports 0 to 1023 are reserved for well-known services. For example, port 80 is used by web servers, so remote clients can target them. Each outgoing TCP message contains the source port and the destination port. Together they identify the processes on both ends of the connection.

Let's make an analogy that will somewhat clarify the principle of using ports. Let's say a company has one general telephone number. When people dial it, they hear an operator's voice asking who exactly they would like to connect to, and it connects them to the appropriate telephone extension. The main telephone number is analogous to a company's IP address, and the extensions on both ends are analogous to ports. Port addressing uses a 16-bit field that identifies the process receiving the incoming packet.

Using the Source Port field we can solve the problem of mapping addresses. When an outgoing packet arrives at the NAT block, the source address of the form 192.168.c.d is replaced with the real IP address. In addition, the TCP Source Port field is replaced by an index into the NAT block's translation table, which holds 65,536 entries. Each entry contains the original source IP address and source port number. Finally, the TCP and IP header checksums are recalculated and inserted into the packet. The Source Port field has to be replaced because machines with local addresses 10.0.0.1 and 10.0.0.2 may happen to use the same port (5000, for example), so the Source Port field alone is not enough to uniquely identify the sending process.

When a packet arrives at the NAT block from the ISP, the value of the Source Port field of the TCP header is retrieved and used as an index into the NAT block's mapping table. From the entry found there, the internal IP address and the real TCP source port are determined and inserted into the packet. The TCP and IP checksums are then recalculated, and the packet is sent to the company's main router for normal delivery to an address like 192.168.y.z.
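The translation table described in the last two paragraphs, as a small model I have added here (not code from the original text): two inside hosts that both chose port 5000 get distinct public ports, replies are mapped back, an unsolicited packet with no table entry is dropped (the "no one can connect to me" effect), a static entry stands in for port forwarding, and a restarted box with an empty table loses in-flight replies. The public address 198.60.42.12 comes from the text; the remote server 203.0.113.10, the starting port 4096 and the checksum-free packet layout are assumptions of this model.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The fields a port-overloading NAT rewrites (checksums omitted in this model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """One public IP shared by many inside hosts.

    Outbound: (inside ip, inside port) -> public port allocated from the table.
    Inbound:  public port -> (inside ip, inside port), or drop if there is no entry.
    """

    def __init__(self, public_ip: str, first_port: int = 4096, last_port: int = 65535):
        self.public_ip = public_ip
        # The text says the first 4096 ports are reserved, so allocation starts there.
        self.next_port = first_port
        self.last_port = last_port
        self.outbound: Dict[Tuple[str, int], int] = {}
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite an inside->Internet packet; create a table entry on first use."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("NAT translation table is full")
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an Internet->inside packet via the table; None means dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            # Unsolicited packet: no inside host opened this mapping, so the box
            # has no idea where to deliver it. This is why a server behind NAT is
            # unreachable until a static mapping (port forward) exists.
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

    def add_static_mapping(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Port forwarding: a fixed entry so unsolicited inbound traffic is delivered."""
        self.inbound[public_port] = (inside_ip, inside_port)
        self.outbound[(inside_ip, inside_port)] = public_port


def demo() -> dict:
    """Walk through the cases the text describes; all addresses are constructed."""
    nat = NatBox("198.60.42.12")            # public address from the text
    server = ("203.0.113.10", 80)           # constructed remote web server
    # Two inside hosts happen to pick the same source port 5000.
    a = nat.translate_out(Packet("10.0.0.1", 5000, *server))
    b = nat.translate_out(Packet("10.0.0.2", 5000, *server))
    # The reply to host B comes back to the public IP and B's allocated port.
    reply_b = nat.translate_in(Packet(server[0], server[1], nat.public_ip, b.src_port))
    # An unsolicited connection attempt to a port nobody mapped is dropped.
    stray = nat.translate_in(Packet(server[0], 4444, nat.public_ip, 60000))
    # Port forwarding makes an inside server reachable on a chosen public port.
    nat.add_static_mapping(8080, "10.0.0.3", 80)
    forwarded = nat.translate_in(Packet(server[0], 4444, nat.public_ip, 8080))
    # A rebooted NAT box has an empty table, so replies to old connections are lost.
    rebooted = NatBox("198.60.42.12")
    after_reboot = rebooted.translate_in(Packet(server[0], server[1], nat.public_ip, b.src_port))
    return {"a": a, "b": b, "reply_b": reply_b, "stray": stray,
            "forwarded": forwarded, "after_reboot": after_reboot}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```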

In the case of ADSL or cable Internet, network address translation can be used to ease the fight against address shortages. The addresses assigned to users are 10.x.y.z. As soon as the packet leaves the property of the provider and goes to the Internet, it ends up in a NAT block, which converts the internal address into the real IP address of the provider. On the way back, the reverse operation is performed. In this sense, for the rest of the Internet, the provider with its clients using ADSL and cable connections appears as one big company.

Although the scheme described above partially solves the problem of the shortage of IP addresses, many IP adherents view NAT as a kind of infection spreading across the Earth. And they can be understood.

Firstly, the very principle of network address translation does not fit into the IP architecture, which implies that each IP address uniquely identifies only one machine in the world. The entire software structure of the Internet is built on this fact. With network address translation, thousands of machines can (and actually do) have the address 10.0.0.1.

Second, NAT transforms the Internet from a connectionless network into something akin to a connection-oriented network. The problem is that the NAT block must maintain a mapping table for all connections passing through it. Remembering connection state is the job of connection-oriented networks, not connectionless ones. If a NAT block fails and its mapping tables are lost, all TCP connections passing through it are lost with them. Without network address translation, the failure of a router has no effect on TCP activity: the sending process simply waits a few seconds and resends any unacknowledged packets. With NAT, the Internet becomes as susceptible to failure as a circuit-switched network.

Third, NAT violates one of the fundamental rules of layered protocol design: layer k should not make any assumptions about what layer k+1 put in the payload field. This principle determines the independence of levels from each other. If TCP is ever replaced by TCP-2, which has a different header format (for example, 32-bit port addressing), then network address translation will fail. The whole idea of ​​multi-layer protocols is that changes in one of the layers cannot in any way affect the other layers. NAT destroys this independence.

Fourth, processes on the Internet are not required to use only TCP or UDP. If the user of machine A decides to invent a new transport layer protocol for communicating with the user of machine B (for example, for some multimedia application), he will somehow have to deal with the fact that the NAT block will not be able to correctly process the TCP Source Port field.

Fifth, some applications insert IP addresses into the text of messages. The recipient retrieves them from there and then processes them. Since NAT does not know anything about this addressing method, it will not be able to process packets correctly, and any attempts by the remote side to use these addresses will fail. The file transfer protocol, FTP (File Transfer Protocol), uses exactly this method and may refuse to work when translating network addresses unless special measures are taken. The H.323 Internet telephony protocol also has a similar property. It is possible to improve the NAT method and make it work correctly with H.323, but it is impossible to improve it every time a new application appears.

Sixth, since the Source Port field is 16-bit, approximately 65,536 local machine addresses can be mapped to a single IP address. In fact, this number is slightly smaller: the first 4096 ports are reserved for service needs. In general, if there are multiple IP addresses, each IP address can support up to 61,440 local addresses.

These and other problems associated with Network Address Translation are discussed in RFC 2993. Typically, opponents of NAT say that patching the IP address shortage with a temporary fix only interferes with the real evolutionary process of moving to IPv6. But returning to reality, in most cases NAT is simply irreplaceable, especially for small offices with anywhere from a few to several dozen computers. NAT can also be set up by hand on Linux using

A computer connects to the global network in several ways. This can be a direct connection, in which case there is an external IP address (dynamic or static) that is visible from the Internet. Or the connection can be made through a router. With this connection, only the router has an external address, and all users connected to it are clients of another network. The router takes over the distribution of incoming and outgoing traffic between clients and the Internet. A number of problems arise when connecting through a router:

  • torrent clients stop working;
  • there is no way to connect to the online game server;
  • there are no calls to the internal network server from outside using any protocol or port.

The solution is to configure the router correctly, namely the NAT service on it. To understand how to configure NAT on a router, you need to know what address translation is and what it is used for.

NAT: General Definitions

NAT (Network Address Translation) is the process of translating internal, or local, addresses into external ones. NAT is used by absolutely all routers, regardless of configuration, purpose and cost. By default, the router prohibits direct access to any device located inside the network: it blocks all ports for incoming connections from the Internet.

But NAT and a firewall are two different things. A firewall simply denies access to a resource on a specific TCP or UDP port; it can be installed on a local machine to restrict access only to it, or on a server to filter traffic for the entire local network. NAT has a broader task. The service denies or allows access within the network to a specific IP address or range of addresses. As a result, the client that accesses a resource does not see the resource's actual IP address: NAT translates the internal IP into an address that is visible from the Internet.

To check whether the computer is behind NAT or presents a real address to the Internet, do the following:

  • on Windows, open “Start - Run - cmd”, type ipconfig and press “Enter”;
  • on Linux and macOS, run ifconfig in a terminal.

The command output shows the following:

  • IP - the computer's actual address;
  • Subnet mask - the subnet mask;
  • Gateway - the router's gateway address.

How can we now determine whether the address is local or directly “faces” the Internet? According to the specification, there are four ranges of addresses that are never used on the Internet and are exclusively local:

  1. 10.0.0.0 - 10.255.255.255
  2. 172.X.0.0 - 172.X.255.255, where X is in the range from 16 to 31.
  3. 192.168.0.0 - 192.168.255.255
  4. 169.254.0.0 - 169.254.255.255

If the machine's address falls into one of these ranges, the computer should be assumed to be on a local network, or “behind” NAT. You can also use one of the many online services that show your real external IP address. It should now be clearer whether a computer is behind NAT, what NAT in a router is, and what the service is responsible for.
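The check described here and in the earlier section “How to check if a computer is behind NAT”, as an added example that is not part of the original text: it pulls the IPv4 address out of ipconfig/ifconfig-style output, classifies it against the four ranges above, and treats a mismatch with the address reported by an external “what is my IP” service as a second sign of NAT. The sample command output and the public addresses 198.51.100.4 and 203.0.113.9 are constructed; the 172.16.0.0/12 boundary is deliberately exercised because 172.32.x.x is public even though it starts with 172.

```python
import ipaddress
import re
from typing import Optional

# Reserved ranges listed on the page: RFC 1918 private space plus the link-local range.
RESERVED_RANGES = (
    (ipaddress.IPv4Network("10.0.0.0/8"), "private (RFC 1918)"),
    (ipaddress.IPv4Network("172.16.0.0/12"), "private (RFC 1918)"),
    (ipaddress.IPv4Network("192.168.0.0/16"), "private (RFC 1918)"),
    (ipaddress.IPv4Network("169.254.0.0/16"), "link-local (no DHCP lease obtained)"),
)


def classify_address(addr: str) -> Optional[str]:
    """Return which reserved range the address belongs to, or None if it is public."""
    ip = ipaddress.IPv4Address(addr)
    for network, label in RESERVED_RANGES:
        if ip in network:
            return label
    return None


# Matches the address line of both 'ipconfig' (Windows) and 'ifconfig' (Linux/macOS).
_ADDR_RE = re.compile(r"(?:IPv4 Address[ .]*:|inet )\s*(\d{1,3}(?:\.\d{1,3}){3})")


def first_ipv4(command_output: str) -> Optional[str]:
    """Pull the first IPv4 address out of ipconfig/ifconfig text."""
    match = _ADDR_RE.search(command_output)
    return match.group(1) if match else None


def behind_nat(local_ip: str, observed_public_ip: Optional[str] = None) -> bool:
    """True when the host's own address is reserved, or differs from the address an
    external service reports for it (the page's second, online check)."""
    if classify_address(local_ip) is not None:
        return True
    return observed_public_ip is not None and observed_public_ip != local_ip


# Constructed sample output, not captured from a real machine.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""
SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.32.0.7  netmask 255.255.0.0  broadcast 172.32.255.255
"""

if __name__ == "__main__":
    for sample in (SAMPLE_IPCONFIG, SAMPLE_IFCONFIG):
        ip = first_ipv4(sample)
        verdict = "behind NAT" if behind_nat(ip) else "public address"
        print(ip, classify_address(ip), verdict)
```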

NAT problems and solutions

Since the introduction of NAT, problems began to appear immediately: access over certain protocols or the operation of individual programs became impossible. These problems have never been completely eliminated; only workarounds that rely solely on address translation have been found, and none of them is correct from the point of view of the administration specifications.

As an example, consider the File Transfer Protocol (FTP), which was the most common protocol before the advent of NAT. For FTP file servers, the key is the real IP address of the computer that sends the request. Here address translation does not work, because the request to the server is sent from an IP address that is not visible from the Internet, so a client-server session for downloading files cannot be created. Using FTP in passive mode helps to get around the problem. In this mode a different set of commands is used, and the work goes through a special proxy server, which additionally opens another port for the connection and passes it to the client program. The drawback of this solution is that third-party FTP clients have to be used.

It became possible to completely get rid of the access problem only with the advent of the SOCKS (Socket Secure) protocol. This protocol lets you exchange data through a proxy server in a “transparent” mode, meaning the server does not know that addresses are being replaced from local to global and back. The invention of SOCKS made it possible to get rid of a number of problems and simplify network administration:

  • a service on the server listens for incoming requests, which makes it possible to serve multi-connection protocols like FTP;
  • there is no need to run and maintain a DNS service within the local network; this task is now assigned to caching proxies;
  • additional authorization methods allow more efficient packet tracking and filtering, whereas with NAT alone you can filter requests only by address.

The use of NAT and SOCKS is not always justified from a network administration point of view. Sometimes it is more appropriate to use specialized proxies, of which there are many for any data transfer protocol.

Setting up NAT on a computer

All modern operating systems have NAT built in. Windows has had this feature since 1999, with the advent of Windows XP. NAT is managed directly through the network connection properties. To configure the service, do the following:

  • From the Start menu, launch the Control Panel program.
  • Find the “Network Connections” icon and launch it.
  • In the new window, right-click the active network connection and select “Properties” from the drop-down list.
  • Go to the "Advanced" tab.
  • Check the box next to “Allow other network users to use this computer’s Internet connection.”
  • Confirm the change with the “Ok” button.

If you receive a message that the sharing service cannot be started, make sure that the DHCP Client service is running. If necessary, set the service to start automatically rather than on demand.

Setting up NAT on a router

What NAT in a router is, when it makes sense to use it and the problems it can create were described above; now we can proceed directly to the task. Setting up the service on a router depends on its model, firmware and other parameters, but once you understand the mechanism, configuring a particular device should raise no difficulties. To configure, perform the following steps (as an example, the settings are made on a Zyxel router with firmware v1):

  • In your browser, go to the router settings page.
  • Go to the “Network - Routing” menu to the “Policy routing” tab.

The page that opens manages access policies and routing. Here you enable the service by setting the switch to the “Enable” position. The settings themselves are made in the “Criteria” group. NAT parameters are selected according to several filter categories:

  • User - translation for a specific user.
  • Incoming - by incoming network interface.
  • Source Address - match by source address.
  • Destination Address - match by the address of the final recipient.
  • Service - match by a specific service port.

You can select the following options as the redirection object:

  • Auto - automatic selection of the destination; the WAN interface is used by default.
  • Gateway - gateway specified in advance in the settings.
  • VPN Tunnel - through a VPN tunnel, respectively.
  • Trunk - a range of interfaces configured to work together.
  • Interface - a specific interface of your choice.

In each individual router, the settings and names of menu items may differ, but the principle of constructing NAT remains unchanged.

NAT (Network Address Translation) is an IETF (Internet Engineering Task Force) standard whereby multiple computers on a private network (with private addresses in ranges such as 10.0.x.x, 192.168.x.x, 172.x.x.x) can share a single IPv4 address that provides access to the global network. The main reason for NAT's growing popularity is the increasingly acute shortage of IPv4 addresses. Many Internet gateways also make extensive use of NAT, especially for connecting to broadband networks such as DSL or cable modems.

Setting up NAT

To act as a router, the server must have two network interfaces: one to the Internet and one to the network that must be connected to the Internet. In my case the network connections are called LAN_1 (Internet) and LAN_2 (local area network).

I'll say right away that the Windows Firewall/Internet Connection Sharing (ICS) service must be disabled.

So, let's start the installation:





NAT setup

So, we have installed the network interfaces, now let’s configure them.

First of all, let's configure the external interface (LAN_1):

192.168.0.2 - IP address of the user who will access the network through our server

10.7.40.154 - external IP address of the server

When accessing the Internet through this setup, you will appear with the IP address 10.7.40.154. There are different configuration methods; you can reserve addresses for each machine separately. You can specify more than one address range in the reservation, or none at all, in which case any IP on the local network will be able to reach the Internet through the server.

Setting up the client machine

Open the properties of the local network card, then TCP/IP Properties. Enter the client's IP address and mask, and in Default gateway enter the server's IP address. In the DNS fields enter the provider's DNS addresses or the IP address of the local DNS server you installed.

That's all! This completes the installation and configuration.



2024 wisemotors.ru.