# Network Address Translation (NAT)
![[Network address translation - Wikipedia#^wjg5n6]] ^q2w4u0
![[Network address translation - Wikipedia#^blqv68]]
For traffic that originates from the local network, the local source address is replaced with the public-facing address of the router. This translation is recorded in the NAT table, which lets the router deliver reply packets to the correct local host. The important point is that the NAT table stores ports as well as addresses, so multiple local hosts can talk to the same remote host at the same time (assuming they use distinct source ports).
Consider the following NAT table. In this example the public facing address of the router is 203.0.113.123.
| Original Source | Translated Source | Destination |
| ------------------- | ------------------- | ----------------- |
| 192.168.1.100:54267 | 203.0.113.123:54267 | 233.252.0.100:443 |
| 192.168.1.101:61145 | 203.0.113.123:61145 | 233.252.0.100:443 |
Randomized source ports let the router deliver replies received on port 54267 to local host 192.168.1.100 and those received on port 61145 to local host 192.168.1.101, so both can communicate with 233.252.0.100:443 at the same time. This is a typical mapping for traffic that originates from the local network.
To keep the mapping unambiguous, each combination of translated source and destination in the NAT table must be unique. This is generally not a problem as long as hosts pick random source ports. Some OSes, however, do a poor job of randomizing source ports, so conflicts are possible, and some NAT routers (including pfSense[^1]) mitigate this by rewriting the source port with a random port of their own, leading to the following translation table:
[^1]: [[Configuring Outbound NAT on pfSense#^8fb5gr]]
| Original Source | Translated Source | Destination |
| ------------------- | ------------------- | ----------------- |
| 192.168.1.100:54267 | 203.0.113.123:18810 | 233.252.0.100:443 |
| 192.168.1.101:61145 | 203.0.113.123:25266 | 233.252.0.100:443 |
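As an added example (not from the page or from pfSense), the two tables above reproduced by a small Python model of an outbound NAT state table: with port preservation, a second host choosing the same source port toward the same destination collides; with pfSense-style port rewriting the router picks a fresh port and still routes each reply back to the right host. The addresses and ports are the ones from the tables; keying flows only on ip:port tuples (no protocol, no timeouts) is an assumption made to keep the model short.

```python
import random

PUBLIC_IP = "203.0.113.123"   # router's public-facing address, as in the tables above


class OutboundNAT:
    """Toy NAT state table: one mapping per (original source, destination) flow.
    Assumption: protocol is implied (think TCP) and mappings never expire."""

    def __init__(self, public_ip=PUBLIC_IP, rewrite_ports=False, rng=None):
        self.public_ip = public_ip
        self.rewrite_ports = rewrite_ports   # False: keep the host's port (static port)
        self.rng = rng or random.Random()
        # (src_ip, src_port, dst_ip, dst_port) -> translated source port
        self.outbound = {}
        # (translated_port, dst_ip, dst_port) -> (src_ip, src_port); the reverse lookup
        self.inbound = {}

    def _public_port(self, wanted, dst):
        """Pick the port used on the public side for a new flow to `dst`.
        The key (translated port, destination) must be unique, otherwise two
        replies would be indistinguishable."""
        if not self.rewrite_ports:
            if (wanted, *dst) in self.inbound:
                raise ValueError(f"collision: {self.public_ip}:{wanted} -> {dst[0]}:{dst[1]} in use")
            return wanted
        while True:                              # pfSense-style: random free port
            port = self.rng.randint(1024, 65535)
            if (port, *dst) not in self.inbound:
                return port

    def translate_out(self, src, dst):
        """Packet from local `src` to remote `dst`: returns the rewritten (source, destination)."""
        key = (*src, *dst)
        if key not in self.outbound:             # first packet of the flow: allocate
            port = self._public_port(src[1], dst)
            self.outbound[key] = port
            self.inbound[(port, *dst)] = src
        return (self.public_ip, self.outbound[key]), dst

    def translate_in(self, remote, local):
        """Reply from `remote` to the router's public `local` ip:port: returns the
        original local host, or None when no state exists (unsolicited -> dropped)."""
        if local[0] != self.public_ip:
            return None
        return self.inbound.get((local[1], *remote))


def demo_distinct_ports():
    """First table: two hosts with different random ports, ports preserved."""
    nat = OutboundNAT()
    dst = ("233.252.0.100", 443)
    a, _ = nat.translate_out(("192.168.1.100", 54267), dst)
    b, _ = nat.translate_out(("192.168.1.101", 61145), dst)
    return (a, b,
            nat.translate_in(dst, (PUBLIC_IP, 54267)),
            nat.translate_in(dst, (PUBLIC_IP, 61145)),
            nat.translate_in(dst, (PUBLIC_IP, 40000)))   # no entry: dropped


def demo_same_port():
    """Second table: both hosts picked source port 54267 toward the same destination."""
    dst = ("233.252.0.100", 443)
    static = OutboundNAT(rewrite_ports=False)
    static.translate_out(("192.168.1.100", 54267), dst)
    try:
        static.translate_out(("192.168.1.101", 54267), dst)
        collided = False
    except ValueError:
        collided = True                          # static port cannot disambiguate
    rewriting = OutboundNAT(rewrite_ports=True, rng=random.Random(7))  # seeded for repeatability
    a, _ = rewriting.translate_out(("192.168.1.100", 54267), dst)
    b, _ = rewriting.translate_out(("192.168.1.101", 54267), dst)
    return collided, a, b, rewriting.translate_in(dst, a), rewriting.translate_in(dst, b)


if __name__ == "__main__":
    print(demo_distinct_ports())
    print(demo_same_port())
```

The reverse lookup is keyed on (translated port, destination), which is exactly the uniqueness constraint the text describes: with static ports the second host's flow cannot be entered, while with rewriting both flows get distinct public ports and each reply still finds its original host. The fifth value of `demo_distinct_ports()` shows the side effect discussed further down: a packet with no matching entry has nowhere to go.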
## Inbound vs. Outbound NAT
So far only one translation has been discussed, but actually there are two distinct NAT tables and therefore two distinct translations: inbound and outbound NAT. *Inbound NAT* is applied to traffic as it enters the router, whereas *outbound NAT* is applied to traffic as it leaves the router.
Note that most routers refer to inbound NAT as *port forwarding*, because it is used to forward traffic destined for the router to another device behind the router. While this name is valid, it is more accurate to call it *inbound NAT*.
What is important to remember is that NAT is applied BEFORE the firewall rules on the interface where the packet is processed, so firewall rules must match translated addresses. The usual pitfall is a port forward: a rule permitting the forwarded traffic has to match the internal destination (e.g. 192.168.1.100:443), because a rule written against the public address never sees the packet, its destination having already been rewritten. The same holds for outbound NAT on the egress interface, whereas rules on the internal interface the traffic enters still see the original private source, since outbound translation has not happened yet.
![[Ordering of NAT and Firewall Processing#^eaxqvt]]
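As an added illustration (not from the page or the pfSense documentation), the consequence of that ordering in pf.conf syntax as used by FreeBSD pf, which pfSense is built on. The interface name em0, the 192.168.1.0/24 network and the web server 192.168.1.100 are assumptions:

```conf
ext_if = "em0"

# Outbound NAT: private sources leave with the router's public address;
# ($ext_if) in parentheses re-reads the interface address if it changes.
nat on $ext_if inet from 192.168.1.0/24 to any -> ($ext_if)

# Inbound NAT (port forward): public :443 -> internal web server.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 192.168.1.100 port 443

# Translation has already happened when the filter rules run, so the pass
# rule must match the TRANSLATED destination:
pass in on $ext_if inet proto tcp from any to 192.168.1.100 port 443 keep state

# This rule never matches the forwarded traffic: by the time filtering runs,
# no packet is still addressed to ($ext_if):443.
# pass in on $ext_if inet proto tcp from any to ($ext_if) port 443 keep state
```

pf enforces the ordering in the file as well: translation rules (`nat`, `rdr`) must appear before filter rules (`pass`, `block`), which mirrors the processing order the text describes. A rule on the internal interface (`pass in on $int_if from 192.168.1.0/24`) would still match the private source, because outbound translation only happens as the packet leaves on $ext_if.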
## NAT for Security or NAT "Firewall"
Note the following NAT side-effect: traffic must be initiated from the local network. Traffic from outside the "firewall" must be explicitly forwarded to a destination host behind the "firewall".
![[Network address translation - Wikipedia#^l8asyx]]
This is a misnomer because NAT is not a firewall. In fact the two are distinct features (that simply coexist on the same device most of the time). A firewall can operate independently to block or permit traffic in networks that do not use NAT, such as public-facing or IPv6 networks. The reverse is also true: NAT can be configured without any sophisticated filtering capabilities.
NAT's primary purpose is not security but allowing multiple hosts to share the same [[IPv4]] address. Relying on NAT in place of a firewall is a case of security through obscurity: devices inside the local network are not directly addressable from the outer network (usually the internet), and unsolicited inbound packets are dropped only because no entry in the state table matches them. That protection is incidental and holds only as long as nothing else creates entries or routes around the table: a port forward, a UPnP or NAT-PMP request from any host on the LAN, or an IPv6 path running alongside the IPv4 NAT all bypass it. Real firewalls analyze traffic and enforce rules to explicitly allow or block data based on IPs, ports, protocols, etc., whereas NAT simply modifies packet headers based on a translation table.
## NAT Traversal and STUN
STUN was originally specified in RFC 3489 and later revised in RFC 5389 (itself obsoleted by RFC 8489). It stands for *Session Traversal Utilities for NAT* as per the later documents; the original expansion was *Simple Traversal of UDP through NATs*.
![[Network address translation - Wikipedia#^egrkhz]]
![[How NAT Traversal Works#^25ohkh]]
![[How NAT Traversal Works#^3zksy4]]
![[How NAT Traversal Works#^dzpvms]]
![[How NAT Traversal Works#^a5ax4b]]
![[How NAT Traversal Works#^9lcu5z]]
![[How NAT Traversal Works#^y4c3an]]
The TL;DR is that if the NAT allocates a different public ip:port for each destination (endpoint-dependent mapping, *symmetric NAT* in RFC 3489 terms), the mapping the STUN server observes is not the one the peer will see, so direct NAT traversal fails. This kind of NAT is referred to as *hard NAT*. Where the NAT reuses one mapping for all destinations of a given local socket (endpoint-independent mapping), the address reported by STUN is exactly the one a peer can send to, which is what makes traversal possible.
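As an added example (not from the page, the RFCs or Tailscale's code): the STUN Binding exchange in both directions with the XOR-MAPPED-ADDRESS encoding from RFC 5389, and the check a client runs to detect hard NAT by comparing what two servers report for the same local socket. Addresses, ports and the transaction ID are constructed, the server side is simulated rather than contacted, and the FINGERPRINT and MESSAGE-INTEGRITY attributes are omitted. A router that picks a fresh random port per flow, as in the second table earlier on this page, shows the "hard" result as soon as one local socket talks to two destinations.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01
HEADER = "!HHI12s"          # type, length, magic cookie, 96-bit transaction ID (20 bytes)


def build_binding_request(txid=None):
    """Client -> server: an empty Binding request (header only, no attributes)."""
    txid = txid if txid is not None else os.urandom(12)
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def build_binding_response(txid, seen_ip, seen_port):
    """Server -> client: the source ip:port the server saw, i.e. the NAT's
    public-side mapping, carried in XOR-MAPPED-ADDRESS (RFC 5389 section 15.2).
    XORing with the cookie stops naive ALGs from rewriting the address in-band."""
    x_port = seen_port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(seen_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, x_port, x_addr)
    attrs = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, txid) + attrs


def parse_mapped_address(msg, expected_txid):
    """Client side: validate the response and return the reflexive (ip, port)."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie, txid = struct.unpack(HEADER, msg[:20])
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS or txid != expected_txid:
        raise ValueError("not the Binding success response we are waiting for")
    if len(msg) != 20 + length:
        raise ValueError("length field does not match message size")
    pos = 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == FAMILY_IPV4:
            _, _, x_port, x_addr = struct.unpack("!BBHI", value)
            ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
            return ip, x_port ^ (MAGIC_COOKIE >> 16)
        pos += 4 + (alen + 3) // 4 * 4          # attribute values are padded to 32 bits
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def nat_mapping_is_hard(observations):
    """`observations`: mappings the SAME local socket learned from DIFFERENT
    STUN servers. If they differ, the NAT allocates per destination, so the
    address a peer would have to hit is one neither server ever saw: hard NAT."""
    return len(set(observations)) > 1


def demo():
    """Constructed exchanges (no network): an easy NAT vs a hard NAT."""
    txid = bytes(range(12))
    # Easy NAT: both servers report the same public ip:port for our socket.
    easy = [parse_mapped_address(build_binding_response(txid, "203.0.113.123", 18810), txid)
            for _ in range(2)]
    # Hard NAT: each destination got its own port, so the two reports disagree.
    hard = [parse_mapped_address(build_binding_response(txid, "203.0.113.123", p), txid)
            for p in (18810, 25266)]
    return nat_mapping_is_hard(easy), nat_mapping_is_hard(hard)


if __name__ == "__main__":
    print(demo())
```

Against real servers the client would send `build_binding_request()` from one UDP socket to two different STUN servers (or one server on two ports) and feed both replies to `parse_mapped_address`; the transaction ID check matters because STUN runs over UDP and anyone on the path can inject a response. Even an easy NAT reports only the mapping for that socket, so the application has to keep using the same socket toward the peer for the learned address to stay valid.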
## Allowing Hosts to Dynamically Configure NAT
One way to alleviate issues caused by hard NAT is to let hosts behind the router configure NAT dynamically using protocols such as UPnP (IGD) and NAT-PMP, which request a port mapping from the router on demand. Note the trade-off: these protocols carry no authentication, so any host on the LAN, including a compromised one, can open inbound ports through the router.
![[UPnP & NAT-PMP#^fc21vg]]