iphonogasm Posted August 12, 2011

OK, so I know I'm posting a lot, but I've got a lot going on haha. Yeah, nah, sorry about that, but here's today's question. It's about NAT. I've researched NAT and really TRIED to understand it, but just can't grasp it. I can't understand what NAT does. It appears it somehow changes the IP addresses? Maybe you could just write up and explain to me exactly how NAT works and what it does. I see there are many different types of NAT, because at the moment my server has Windows Firewall disabled and NO NAT, and I believe it is something to do with security. (This probably explains my other post where I think someone else is logged onto my server haha!) Thanks!! You ROCK!
ICTCity Posted August 12, 2011

NAT: Network Address Translation.

Everyone has a LAN with a PRIVATE ADDRESS. At home you have a LAN with the address 192.168.1.0 (example); now you are in your office and your LAN's address is 192.168.1.0 (example again). Most people at home have that address (192.168.1.0). This is a PRIVATE ADDRESS and it CANNOT BE USED on the internet.

Now, when you go to the internet, you must have a PUBLIC IP address, which is assigned by your ISP (there are RIPE, ARIN and so on, which decide which country / region / nation has the class XXX.XXX.XXX.XXX). This class is then assigned to the "local" ISP (there are 3 levels of ISPs).

Now, let's go back to your ISP. Your router receives a PUBLIC address: 212.243.60.10 (example); you can surf the internet and everything works fine. Nothing special is configured on your router, and everything works! One day you decide to connect another PC to your home network and you notice that you can surf with only one computer at a time, not both together.

Here comes the NAT. Your router has ONE public IP and it MUST use this address in order to surf. If you try 2 PCs at the same time, your router says: "Hey! My public IP is already used by PC1 with the PRIVATE IP 192.168.1.10, I cannot bring another PC to the internet... I HAVE NO MORE IP ADDRESSES AVAILABLE". To resolve this problem, you can buy another public IP from your ISP, or, better, you can use NAT or IP MASQUERADING.

Let's write some data:

LAN address: 192.168.1.0
PC1: 192.168.1.10
PC2: 192.168.1.20
ROUTER: 192.168.1.1
PUBLIC IP: 212.243.60.70

Your router now has a NAT TABLE activated and PC1 (192.168.1.10) wants to surf to a website (so, port 80). On the NAT table, your router will write:

192.168.1.10:80 ---> www.freepchelp.forum:80

Now, PC2 wants to open google.com; on the NAT table of your router you will see:

192.168.1.20:80 ---> www.google.com:80

Now the NAT table looks like this:

192.168.1.10:80 ---> www.freepchelp.forum:80
192.168.1.20:80 ---> www.google.com:80

The problem persists because your router doesn't have 2 public IPs and cannot give the internet to both PCs. This process is called NAT. Now, you need that EACH PRIVATE IP IS TRANSLATED TO A SINGLE PUBLIC IP. You need the IP MASQUERADING technology.

Every time you create a connection, this is made of 2 sockets: your client will send a request to the public address 195.90.100.30 (example) on port 80 with its PRIVATE IP and port (80). THE ROUTER NOW must translate (or better, masquerade) the PRIVATE IP AND PORT with the public one and change the port number to a higher value. This process is saved on the NAT TABLE.

[code]
192.168.1.10:80 ---> 195.90.100.30:80
192.168.1.10:80 ---> 212.243.60.70:20100
212.243.60.70:20100 ---> 195.90.100.30:80
[/code]

When the server responds, the router will process the NAT table backward. NAT or IP masquerading are almost invisible to the computers.

DNAT is used when you have more than one public IP to use to surf (load balancing...). SNAT CAN BE: specify a group of private addresses to use a specific public IP (static NAT), or Secure NAT, which is a secure connection on ISA Server, OR it can also be STATEFUL NAT in CISCO's WORLD.

I think that's all... I hope my explanation is not too boring. If you need further help let me know :)

--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------
iphonogasm Posted August 13, 2011

Thanks heaps for your help. I'll just begin with the top:

> NAT: Network Address Translation. Everyone has a LAN with a PRIVATE ADDRESS. At home you have a LAN with the address 192.168.1.0 (example); now you are in your office and your LAN's address is 192.168.1.0 (example again). Most people at home have that address (192.168.1.0). This is a PRIVATE ADDRESS and it CANNOT BE USED on the internet. Now, when you go to the internet, you must have a PUBLIC IP address, which is assigned by your ISP (there are RIPE, ARIN and so on, which decide which country / region / nation has the class XXX.XXX.XXX.XXX). This class is then assigned to the "local" ISP (there are 3 levels of ISPs). Now, let's go back to your ISP. Your router receives a PUBLIC address: 212.243.60.10 (example); you can surf the internet and everything works fine. Nothing special is configured on your router, and everything works! One day you decide to connect another PC to your home network and you notice that you can surf with only one computer at a time, not both together. Here comes the NAT. Your router has ONE public IP and it MUST use this address in order to surf. If you try 2 PCs at the same time, your router says: "Hey! My public IP is already used by PC1 with the PRIVATE IP 192.168.1.10, I cannot bring another PC to the internet... I HAVE NO MORE IP ADDRESSES AVAILABLE". To resolve this problem, you can buy another public IP from your ISP, or, better, you can use NAT or IP MASQUERADING.
>
> Let's write some data:
> LAN address: 192.168.1.0
> PC1: 192.168.1.10
> PC2: 192.168.1.20
> ROUTER: 192.168.1.1
> PUBLIC IP: 212.243.60.70
>
> Your router now has a NAT TABLE activated and PC1 (192.168.1.10) wants to surf to a website (so, port 80). On the NAT table, your router will write:
> 192.168.1.10:80 ---> www.freepchelp.forum:80
> Now, PC2 wants to open google.com; on the NAT table of your router you will see:
> 192.168.1.20:80 ---> www.google.com:80
> Now the NAT table looks like this:
> 192.168.1.10:80 ---> www.freepchelp.forum:80
> 192.168.1.20:80 ---> www.google.com:80

Surely this is related to DHCP and/or assigning static IPs, and gateways etc. Take 192.168.1.5 and 192.168.0.24 and assign them both a DNS of 192.168.1.1 (router); would they both use the same PUBLIC IP? Thanks
ICTCity Posted August 13, 2011

Of course, this is up to you. Because the address is on a different network, your router must route the traffic correctly; anyway, once the client reaches the router it goes outside in the same way :)
iphonogasm Posted August 14, 2011

I must be really dumb :( I still don't get it.
ICTCity Posted August 14, 2011

You have 2 LANs:

LAN1 = 192.168.1.0
LAN2 = 192.168.0.0

Now, your router is on the FIRST LAN (192.168.1.1), so it must know something regarding the other LAN. Let's say your router has 2 internal interfaces, one on LAN1 and the other on LAN2. Usually you assign the IP 192.168.0.1 to the second interface, so the clients will contact the gateway on 192.168.0.2 (same LAN). If you don't want to (or can't) do that, you MUST add a static route ON YOUR ROUTER which says that traffic coming from 192.168.0.0 goes to the internet or to LAN1 (depending on your needs).

If your router supports this, you can set that traffic coming from 192.168.0.0 will go out with IP 212.243.60.70 and traffic from 192.168.1.0 will go out with IP 212.243.80.90. Otherwise, both LANs will go out with your public IP address.

If you still don't understand, re-write the question :)
iphonogasm Posted August 15, 2011

OK, like this? [attachment] Thanks
ICTCity Posted August 15, 2011

This is exactly what I said before. 2 LANs, 1 router. On the router you have 3 cables: LAN1, LAN2 and WAN. It routes connections OUTSIDE with the same public IP, unless you specify something different.
iphonogasm Posted August 15, 2011

Right, that's basic. What has this got to do with "security" then? How is NAT a security measure? Thanks
ICTCity Posted August 15, 2011

NAT is considered secure because of the "hiding" process: it doesn't expose your clients to the internet. The problem starts with IPSec; in certain cases, the traffic could be routed to the wrong device (there's also a Microsoft KB somewhere). The process is called NAT-T (traversal). Here you can find a simple explanation: http://www.computerworld.com/s/article/102985/NAT_Traversal_NAT_T_Security_Issues

I heard that there are routers which are vulnerable to NAT traversal without using IPSec, but I never tried.

Cheers
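The NAT-table walkthrough in ICTCity's first reply (private ip:port rewritten to the public IP and a higher port, replies processed "backward"), the per-LAN public IP choice from the static-route reply, and the "hiding" point above can all be seen in one small stateful masquerading simulator. This is an added example for this thread, not code from the thread or from any router; the addresses are the ones ICTCity used, the remote hosts are constructed IPs standing in for the website names, and the class and function names are my own.

```python
# Added example (not from the thread): a minimal stateful NAT / IP-masquerading
# simulator. Outbound packets get a NAT-table entry (private ip:port ->
# public ip:high port), replies are translated back using the same table, and
# inbound packets that match no entry are dropped. That drop is the "hiding"
# behaviour that makes NAT look like a security measure: nothing on the
# internet can reach 192.168.1.10 unless 192.168.1.10 started the conversation.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Hypothetical router NAT table; constructed for this example."""

    def __init__(self, default_public_ip, per_subnet=None, first_port=20100):
        self.default_public_ip = default_public_ip
        # Optional policy from the static-route reply: source subnet -> public IP.
        self.per_subnet = {ipaddress.ip_network(net): pub
                           for net, pub in (per_subnet or {}).items()}
        self.next_port = first_port          # the "higher value" port counter
        self.table = {}     # (pub_ip, pub_port) -> (priv_ip, priv_port, dst_ip, dst_port)
        self.reverse = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> (pub_ip, pub_port)
        self.dropped = []   # unsolicited inbound packets, kept for inspection

    def public_ip_for(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        for net, pub in self.per_subnet.items():
            if addr in net:
                return pub
        return self.default_public_ip

    def outbound(self, pkt):
        """LAN -> internet: rewrite source to public ip:port, recording the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:                  # new connection: allocate a port
            pub = (self.public_ip_for(pkt.src_ip), self.next_port)
            self.next_port += 1
            self.reverse[key] = pub
            self.table[pub] = key
        pub_ip, pub_port = self.reverse[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: process the table backward; drop anything unmatched."""
        entry = self.table.get((pkt.dst_ip, pkt.dst_port))
        # The reply must come from the host and port the LAN client talked to.
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            self.dropped.append(pkt)
            return None
        priv_ip, priv_port, _, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


# Constructed stand-ins for www.freepchelp.forum and www.google.com.
WEB = "195.90.100.30"
SEARCH = "203.0.113.10"


def demo():
    """Walk through the thread's scenario; returns the translated packets."""
    nat = Masquerader("212.243.60.70")
    # Both PCs happen to pick the same local source port, which is exactly why
    # the router must rewrite the port and not just the address.
    out1 = nat.outbound(Packet("192.168.1.10", 49152, WEB, 80))
    out2 = nat.outbound(Packet("192.168.1.20", 49152, SEARCH, 80))
    # The web server replies to the public ip:port; the router maps it back to PC1.
    reply = nat.inbound(Packet(WEB, 80, out1.src_ip, out1.src_port))
    # An unrelated host probing the public IP matches no entry and is dropped.
    stray = nat.inbound(Packet("198.51.100.7", 4444, "212.243.60.70", 20100))
    return out1, out2, reply, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

`out1` and `out2` show PC1 and PC2 leaving with the same public IP but different ports (20100 and 20101); `reply` shows the table processed backward to 192.168.1.10:49152; `stray` is `None` because the source did not match the recorded peer. Building a `Masquerader` with `per_subnet={"192.168.1.0/24": "212.243.80.90"}` reproduces the two-LAN, two-public-IP policy from the static-route reply.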
iphonogasm Posted August 23, 2011

OK thanks, I'm not 100% sure I know this NAT stuff yet... something's not registering. This is the hardest thing I've come across in IT yet... is it even hard lol. It's just like something's missing. THANKS!!!
ICTCity Posted August 23, 2011

> OK thanks, I'm not 100% sure I know this NAT stuff yet... something's not registering. This is the hardest thing I've come across in IT yet... is it even hard lol. It's just like something's missing. THANKS!!!

Sorry, what's the question? :P
ICTCity Posted August 23, 2011

But I can't understand what your question is :P
iphonogasm Posted August 24, 2011

I just still don't understand NAT... I still don't get it... SORRY haha, I'm sure it's simple, I'm just getting confused.
ICTCity Posted August 24, 2011

It's like a spokesman. There's a group of 100 people who all want the same thing: "CHANGE SOMETHING SOMEWHERE"; to change this thing they need authorization from the mayor. Now, all the people designate a spokesman who is responsible for bringing the "people's voice" to the mayor. The spokesman is NAT, the mayor is the INTERNET and the people are computers... better now? The hell... what a beautiful example... ahahah