4.3.10Computer Networks

NAT — why, how, types (SNAT, DNAT, PAT)

1,693 words8 min readdifficulty · medium1 backlinks

WHY does NAT exist?

The solution was private address ranges (RFC 1918) that are not routable on the public internet:

WHY a /8 has 2242^{24} hosts: the prefix /8 fixes the first 88 bits, leaving 328=2432-8=24 host bits, so 2242^{24} addresses. (Same logic for /12 → 2202^{20}, /16 → 2162^{16}.)


WHAT NAT actually does

It changes one or more of these four header fields:

(src IP, src port, dst IP, dst port)(\text{src IP},\ \text{src port},\ \text{dst IP},\ \text{dst port})

…and recomputes the affected checksums (IP + TCP/UDP).


HOW it works — the translation table

When a packet leaves, NAT stores a mapping. When the reply returns, NAT looks up that mapping in reverse.

Figure — NAT — why, how, types (SNAT, DNAT, PAT)

The TYPES


Forecast-then-Verify

Recall

No. IP-only SNAT maps each private IP to a public IP 1:1, so 50 devices need 50 public IPs — defeating the purpose. You need PAT, which differentiates the 50 flows by port number (each gets a unique source port on the single shared public IP). The table key becomes the full tuple (IP,port)(\text{IP},\text{port}), giving up to ~64000 simultaneous flows per public IP.


Common mistakes (Steel-man)


Feynman

Recall Explain to a 12-year-old

Your house has one mailbox address but lots of people inside. When you mail letters, the doorman writes the house address as the return address and notes "this reply is for Anya, reply ticket #40001." When the reply comes back to the house with ticket #40001, the doorman knows to hand it to Anya, not her brother. NAT is that doorman, and the ticket number is the port.



Flashcards

Why was NAT created?
To let many private (RFC1918) hosts share scarce public IPv4 addresses, working around the 2322^{32} address limit.
What three private IPv4 ranges does RFC 1918 define?
10.0.0.0/810.0.0.0/8, 172.16.0.0/12172.16.0.0/12, 192.168.0.0/16192.168.0.0/16.
How many hosts in a /8?
2328=2242^{32-8}=2^{24} addresses.
What does SNAT rewrite and when?
The source IP of outbound packets when inside hosts initiate connections (hides clients).
What does DNAT rewrite and when?
The destination IP of inbound packets, to redirect outsiders to an internal server (port forwarding).
What does PAT additionally rewrite vs plain SNAT?
The source port, enabling many private hosts to share one public IP (many-to-one).
Why can't IP-only SNAT serve 50 devices with one public IP?
It maps IPs 1:1, so 50 devices would need 50 public IPs; you need PAT to distinguish flows by port.
What four header fields can NAT modify?
src IP, src port, dst IP, dst port (plus checksum recompute).
Is NAT a security feature?
No; hiding is a side effect, not policy. It inspects nothing and DNAT opens holes.
Which protocols break under NAT and why?
FTP active, SIP/VoIP — they embed IP/port inside the payload, which header-only rewriting doesn't fix; need ALGs/STUN.
Roughly how many simultaneous flows can one public IP support under PAT?
~64000 (limited by the 16-bit port space per protocol).

Connections

  • IPv4 Addressing & Subnetting — prefixes, /8 /12 /16 math
  • RFC 1918 Private Addresses
  • Ports & TCP-UDP Headers — why ports enable PAT
  • Firewalls vs NAT — security distinction
  • STUN, TURN & NAT Traversal — fixing P2P under NAT
  • IPv6 — abundant addresses reduce NAT need
  • Port Forwarding & DMZ

Concept Map

motivates

not routable, need

rewrites

keeps

reverses mapping for

recomputes

type

type

type

hides

exposes via port forwarding

makes flows unique via

lets many share

IPv4 address shortage 2^32

NAT translation

Private ranges RFC 1918

src/dst IP and port fields

Translation table

Return traffic

IP + TCP/UDP checksums

SNAT source rewrite

DNAT destination rewrite

PAT port + IP rewrite

Inside hosts initiate outbound

Internal server

Distinct ports per flow

One public IP

Hinglish (regional understanding)

Intuition Hinglish mein samjho

Dekho, IPv4 me sirf 2322^{32} (~4.3 billion) addresses hain, par duniya me devices usse kahin zyada. Isliye har ghar me hum "private" addresses use karte hain jaise 192.168.0.x (RFC 1918 ranges). Ye addresses internet pe travel nahi kar sakte. To router ek doorman ki tarah kaam karta hai — jab packet bahar jaata hai, router uska private source address hata ke apna ek public IP laga deta hai, aur ek table me note kar leta hai ki "ye reply kiske liye aayega." Yahi NAT hai.

Ab types samjho. SNAT matlab outbound packet ka source badalna — clients ko chhupana. DNAT matlab inbound packet ka destination badalna — bahar wale ko apne andar ke server tak pahunchana (port forwarding). Aur PAT (NAT overload) special hai: ye source IP ke saath source port bhi badalta hai, taaki 50 devices ek hi public IP share kar sakein. Port unique hota hai, isliye reply ko sahi laptop tak bhej dete hain.

Ek common galti: log sochte hain "NAT firewall hai, secure ho gaya." Nahi bhai — chhupana side effect hai, security policy nahi. Real firewall alag cheez hai. Doosri galti: SNAT aur PAT ko same samajhna — PAT actually SNAT ka extension hai jisme port bhi rewrite hota hai. Yaad rakho: Source Shields, Dest Delivers, PAT Packs-by-Port. Exam aur real networking dono me yeh concept bahut kaam aata hai.

Go deeper — visual, from zero

Test yourself — Computer Networks

Connections