Network Address Translation

From FreeBSDwiki

Revision as of 00:45, 14 December 2005

Network Address Translation, aka NAT, is a function which allows privately addressed networks to reach publicly addressed networks by using an intermediary, publicly addressed gateway as a go-between.

For example, say you have a machine whose IP address lies in a private subnet, which means that there may be (and in fact are) thousands or hundreds of thousands of machines all using those same IP addresses, all over the world. For this reason, you cannot access the internet directly from this IP address - if you tried to, the web (or other type of) server you were trying to talk to wouldn't know which of the thousands of identically numbered networks to route its response to. So your privately addressed computer needs a gateway to NAT its traffic if that traffic is going to leave your private network.

With standard routing, the source address of the packet is untouched - the remote machine knows precisely which machine is speaking to it, and routes its answer directly back to that machine. With NAT routing, however, the NAT machine accepts outbound packets, rewrites their source address to that of its public interface and their source port to a port it picks on that interface, and then, when the reply comes back to it on that port, it rewrites the destination address and port of THAT packet back to the original source address and port of the LAN machine and forwards it there.

So a NAT-enabled communication from a private network over a fictitious chunk of the internet and back again might look something like this (the LAN machine querying a DNS server on port 53, with the gateway using port 58998 on its WAN interface for the translated flow):

  LAN machine     sends packet out.            src: LAN machine, its own source port    dst: server, port 53
  -------------------------------------------------------------------------------------
  NAT gateway     NATs packet, forwards out.   src: gateway WAN interface, port 58998   dst: server, port 53
  -------------------------------------------------------------------------------------
  router 1        accepts packet, forwards.    src: gateway WAN, port 58998             dst: server, port 53
  router 2        accepts packet, forwards.    src: gateway WAN, port 58998             dst: server, port 53
  router 3        accepts packet, delivers.    src: gateway WAN, port 58998             dst: server, port 53
  -------------------------------------------------------------------------------------
  server          accepts packet, processes.
  server          responds with a new packet.  src: server, port 53                     dst: gateway WAN, port 58998
  -------------------------------------------------------------------------------------
  router 3        accepts packet, forwards.    src: server, port 53                     dst: gateway WAN, port 58998
  router 2        accepts packet, forwards.    src: server, port 53                     dst: gateway WAN, port 58998
  router 1        accepts packet, forwards.    src: server, port 53                     dst: gateway WAN, port 58998
  -------------------------------------------------------------------------------------
  NAT gateway     accepts packet, NATs it.     src: server, port 53                     dst: LAN machine, its original source port
  -------------------------------------------------------------------------------------
  LAN machine     accepts packet, processes.

What the NAT machine is doing here is creating entries in a table on the fly, so that it will recognize return traffic as it comes in and know which IP and port on the private side of the LAN to forward that traffic to. So for the duration of the conversation in the example above, the gateway's NAT table holds an entry correlating traffic from the server's port 53, addressed to the gateway's own WAN interface at port 58998, with the LAN machine's IP and source port. When the conversation ends, or the entry sits idle long enough to time out, the mapping is removed and further packets to that WAN port have nowhere to go.

The biggest strength AND the biggest weakness of NAT is the same thing: under normal circumstances, traffic only passes through the gateway if the conversation was initiated from the private side. So while there can be two-way communication between the LAN machine and the remote server, it can only happen if the communication is INITIATED by the LAN machine. This is why a NAT gateway incidentally blocks unsolicited inbound connections, and also why it is no substitute for a firewall: anything an inside host initiates, including a connection out to an attacker, is translated just like legitimate traffic.

This limitation can be circumvented to some extent by creating permanent mappings of ports on the WAN side of the gateway to IPs and ports on the private side. For example, if you wanted to run a web server on a machine inside the LAN with a private IP address, you could tell the gateway to always NAT-and-forward traffic aimed at port 80 of its WAN interface to the inside machine's port 80 (in natd this is the redirect_port directive, e.g. redirect_port tcp inside_ip:80 80). Many NAT devices (including FreeBSD machines running natd) can also map to a different inside port than the WAN port which received the data; so for instance you could route WAN:8080 to port 80 on one inside machine, and WAN:80 to port 80 on a different inside machine. Bear in mind that a forwarded port exposes the inside service to the whole internet, so that machine needs to be secured exactly as if it were publicly addressed.
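The following is an added example, not code from the FreeBSDwiki page and not natd's implementation: a toy model of the gateway's NAT table as described in the sections above. It allocates a WAN port for each outbound flow, matches replies on (WAN port, remote address, remote port) exactly as the DNS example does, drops inbound packets that no inside host asked for, and layers the permanent redirect_port-style mappings (WAN:80 and WAN:8080 to two different inside hosts) on top. All addresses are constructed from the documentation ranges (10.0.0.0/8 inside, 203.0.113.0/24 and 192.0.2.0/24 outside); the class and function names are this example's own.

```python
"""Toy model of a port-translating NAT gateway: a dynamic NAT table plus
static port redirections. Added example; not natd's code. Addresses are
constructed from the RFC documentation ranges."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]


class NatGateway:
    def __init__(self, wan_ip: str, first_port: int = 50000) -> None:
        self.wan_ip = wan_ip
        self.next_port = first_port
        # Dynamic table, keyed the way the page describes the lookup:
        # (proto, our WAN port, remote ip, remote port) -> (LAN ip, LAN port)
        self.dynamic: Dict[Tuple[str, int, str, int], Endpoint] = {}
        # Reverse index so a second outbound packet of the same flow
        # reuses its WAN port instead of creating a new entry.
        self.flows: Dict[Tuple[str, Endpoint, Endpoint], int] = {}
        # Permanent mappings (what natd's redirect_port sets up):
        # (proto, WAN port) -> (LAN ip, LAN port)
        self.static: Dict[Tuple[str, int], Endpoint] = {}

    def add_redirect(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        self.static[(proto, wan_port)] = (lan_ip, lan_port)

    def _alloc_port(self, proto: str) -> int:
        # Never hand out a port a static redirection owns; fail loudly on exhaustion.
        while (proto, self.next_port) in self.static:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("NAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to our WAN address and a WAN port,
        recording the mapping so the reply can be matched later."""
        flow = (pkt.proto, (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
        wan_port = self.flows.get(flow)
        if wan_port is None:
            wan_port = self._alloc_port(pkt.proto)
            self.flows[flow] = wan_port
            self.dynamic[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: rewrite the destination from the table; None means drop."""
        if pkt.dst_ip != self.wan_ip:
            return None
        lan = self.dynamic.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is None:
            lan = self.static.get((pkt.proto, pkt.dst_port))
        if lan is None:
            return None     # unsolicited: nobody inside asked for this
        return replace(pkt, dst_ip=lan[0], dst_port=lan[1])


def demo():
    gw = NatGateway("203.0.113.1", first_port=58998)
    gw.add_redirect("tcp", 80, "10.0.0.20", 80)     # WAN:80   -> inside machine A, port 80
    gw.add_redirect("tcp", 8080, "10.0.0.21", 80)   # WAN:8080 -> inside machine B, port 80

    # Constructed DNS lookup from a LAN machine to a server on port 53.
    query = Packet("udp", "10.0.0.10", 40000, "192.0.2.53", 53)
    out = gw.outbound(query)                           # leaves as 203.0.113.1:58998
    reply = Packet("udp", "192.0.2.53", 53, gw.wan_ip, out.src_port)
    back = gw.inbound(reply)                           # delivered to 10.0.0.10:40000
    # Same WAN port, but from a host the LAN machine never talked to: dropped.
    stray = gw.inbound(Packet("udp", "198.51.100.7", 53, gw.wan_ip, out.src_port))
    # Unsolicited, but covered by a permanent mapping: forwarded to inside machine B.
    web = gw.inbound(Packet("tcp", "198.51.100.7", 41234, gw.wan_ip, 8080))
    return out, back, stray, web


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The model keys the dynamic table on the remote address and port as well as the WAN port, which is what makes the stray packet to port 58998 fall through to the drop; a real natd install is worth checking against this behaviour with its own logging, since the exact matching rules differ between NAT implementations.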

see also: natd; Firewall, Configuring
