Cloudflared vs CGNAT Part 2 NAT Router

Published on April 15, 2023 at 5:59 am by LEW

Introduction

In this installment we are going to discuss your home router, Network Address Translation (NAT), and how they interact with devices on your home Local Area Network (LAN) to allow you to access the Internet.

The last free blocks of IPv4 addresses were issued on October 31, 2011. At that point the IPv4 address space was technically exhausted. NAT is one of several stop-gap measures against IPv4 address exhaustion.

Technically, you cannot have two devices with the same IP address on the same network. NAT allows the use of select groups of addresses on your home network behind your router, segregating them from the rest of the Internet. Because of this design, referred to as a network segment, you can use any number of local IP addresses with only one public-facing address. These addresses will not interfere with the same addresses on other private LANs.

For the record, there are three common private (reserved) IP address ranges: class A from 10.0.0.0 to 10.255.255.255 (16.7 million addresses), class B from 172.16.0.0 to 172.31.255.255 (1 million addresses), and class C from 192.168.0.0 to 192.168.255.255 (65 thousand addresses).

NAT

There are a few different versions of NAT. The most common form in the home is many-to-one. That is, you have multiple internal IP addresses within your LAN, and your router uses NAT to translate them to a single public IP address that is exposed to the Internet.

[Figure: NAT Network]

An interesting property of NAT is that any traffic coming from the Internet that is not a response to an internal request is automatically dropped. In firewall terms, inbound traffic that does answer an internal request is known as established or related; any unrelated inbound traffic should be discarded.

NAT Example

To better understand how NAT works, we will go over an example. In the below illustration we have a local computer with a private IP address 192.168.7.23. The router has a private IP address of 192.168.7.1 (default gateway) and a public IP address of 68.100.108.12 (which was acquired from the ISP when the modem was turned on, using a process like DHCP). The LAN computer wants to talk to a public server with a public IP address of 95.217.173.52.

[Figure: NAT Example]

The NAT process in this case will work as follows.

  1. The LAN computer will send a request to the default gateway. The packet will have “to” and “from” addresses (and port numbers as well). In this case the “to” address is 95.217.173.52, and the “from” address is 192.168.7.23.
  2. The router will examine the header of the packet and determine that it needs to go to the Internet. It will change the “from” address to its public IP address, 68.100.108.12.
  3. At the same time, an entry will be made in a NAT translation table maintained by the router. This entry will have the original “to” and “from” information from the packet header, along with ports and any other relevant data.
  4. After this the packet will be forwarded to the Internet.
  5. When the server at 95.217.173.52 responds, it will send a packet to the router's public IP address, 68.100.108.12.
  6. The router will examine the packet header and compare it to its NAT translation table. If a matching entry is found, it will change the “to” address to that of the LAN computer that initiated the communication, in this case 192.168.7.23. If no matching entry is found, the packet will be discarded or dropped.
  7. Packets that match entries in the NAT translation table are forwarded within the LAN to the computer that originated the communication.

Access Local Server From the Internet

Because you have physical possession and control of the router, you can modify, to some extent, how NAT functions. One of the common things to do is create a rule for an internal server so you can reach it from the Internet. This is generally referred to as port forwarding.

When you forward a port, you are telling your router that when an external packet comes in requesting a specific port, it should check the forwarding rules instead of the NAT translation table. The rule tells the router to forward the packet to a specific IP address on the LAN (your server). Address translation is still performed, but there is no longer a check for an originating request: any host on the Internet can now reach that LAN address and port.
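To make the two decision paths concrete, here is an added example (not code from the original post) that models the seven-step translation process above together with a port-forwarding rule, using the article's addresses. The LAN server address 192.168.7.50, the ports and the external host 203.0.113.9 are constructed values; real routers do this in the kernel (Linux conntrack, for instance), this just makes the logic visible.

```python
# Added example: a minimal model of a many-to-one NAT router's translation
# table plus a port-forwarding rule. Addresses are the article's; ports,
# the LAN server 192.168.7.50 and the remote host 203.0.113.9 are constructed.
from dataclasses import dataclass, field

PRIVATE_IP = "192.168.7.23"
ROUTER_PUBLIC_IP = "68.100.108.12"
SERVER_IP = "95.217.173.52"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    public_ip: str
    forwards: dict = field(default_factory=dict)  # ext port -> (LAN ip, LAN port)
    table: dict = field(default_factory=dict)     # pub port -> (LAN ip, LAN port, remote ip, remote port)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Steps 1-4: rewrite the 'from' address and remember the mapping."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Steps 5-7 plus port forwarding. Returns the LAN packet, or None if dropped."""
        if pkt.dst_port in self.forwards:          # rule wins: no originating request needed
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                             # unsolicited inbound traffic: dropped
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                             # only the peer we talked to may reply
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)

def demo():
    r = NatRouter(ROUTER_PUBLIC_IP)
    out = r.outbound(Packet(PRIVATE_IP, 51515, SERVER_IP, 443))            # LAN -> Internet
    reply = r.inbound(Packet(SERVER_IP, 443, ROUTER_PUBLIC_IP, out.src_port))  # matched reply
    stray = r.inbound(Packet("203.0.113.9", 4444, ROUTER_PUBLIC_IP, 22))   # no entry: dropped
    r.forwards[22] = ("192.168.7.50", 22)                                   # add a port forward
    fwd = r.inbound(Packet("203.0.113.9", 4444, ROUTER_PUBLIC_IP, 22))     # now reaches the LAN server
    return out, reply, stray, fwd
```

Running `demo()` shows the same unsolicited packet being dropped before the rule exists and delivered to the LAN server after it, which is exactly the exposure a port forward creates.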

Conclusion

We have covered a very brief example of NAT and discussed port forwarding. The main reason to do this is that you are running some sort of server that you need to access from the Internet.

In the next post we will take a look at CGNAT and why it prevents you from connecting with your server from the internet.
