4.3.10 · D4Computer Networks

Exercises — NAT — why, how, types (SNAT, DNAT, PAT)

2,121 words10 min readBack to topic

This page is a self-test ladder. Each rung is harder than the last. Read the problem, cover the solution, forecast your answer, then open the collapsible to grade yourself. Everything here builds on the parent NAT note — if a term feels new, we re-earn it right here.

Before we start, one shared picture. Every NAT problem is really a bookkeeping problem: the router keeps a table, and each row remembers "who inside sent this, and what disguise I gave it going out."

Figure — NAT — why, how, types (SNAT, DNAT, PAT)

Level 1 — Recognition

Exercise 1.1 (L1)

Classify each action as SNAT, DNAT, or PAT:

  • (a) A home router hides 30 laptops behind one public IP by giving each a unique source port.
  • (b) A router rewrites the destination IP of an inbound packet so 203.0.113.5:443 reaches internal 10.0.0.9:443.
  • (c) A router rewrites only the source IP of outbound packets, mapping each private IP one-to-one to its own public IP.
Recall Solution 1.1
  • (a) PAT — many hosts, one public IP, disambiguated by port. (PAT is a special SNAT.)
  • (b) DNAT — the destination is rewritten to steer traffic to an inside server (port forwarding).
  • (c) SNAT (plain, 1:1) — only the source IP changes, no port trickery.

Mnemonic check: Source Shields, Dest Delivers, PAT Packs-by-Port.

Exercise 1.2 (L1)

Which of these four header fields does NAT ever touch? Circle all that apply:

Recall Solution 1.2

NAT can rewrite all four of and must then recompute the IP + TCP/UDP checksums. It does not rewrite TTL as part of translation (TTL is decremented by normal routing, a separate mechanism).


Level 2 — Application

Exercise 2.1 (L2)

A /8 prefix fixes the first bits. How many host addresses does 10.0.0.0/8 contain? Show the exponent arithmetic.

Recall Solution 2.1

An IPv4 address is bits total. A prefix /n means "the first bits are locked; the rest are free to vary." Free bits = , and each free bit doubles the count, so: (Same logic gives /12 and /16.) See IPv4 Addressing & Subnetting.

Exercise 2.2 (L2)

Two laptops behind public IP 203.0.113.5 both browse 93.184.216.34:80 from internal source port 51000. Fill in the PAT table so replies can be told apart. Use public ports starting at 40001.

Recall Solution 2.2
Inside (src) Translated (src) Dest
192.168.0.10:51000 203.0.113.5:40001 93.184.216.34:80
192.168.0.11:51000 203.0.113.5:40002 93.184.216.34:80

Why rewrite the port at all? Both inside flows carried the same port 51000. From the outside they'd look identical, so a returning packet couldn't be routed home. Giving each flow a unique public port ( vs ) makes the reverse lookup unambiguous. See Ports & TCP-UDP Headers.

Exercise 2.3 (L2)

A returning packet arrives at the router: src 93.184.216.34:80 → dst 203.0.113.5:40002. Using the table from 2.2, what does NAT rewrite it to before delivering it inside?

Recall Solution 2.3

NAT reads the destination tuple 203.0.113.5:40002, finds the matching row, and reverses it: The packet is delivered to laptop .11. (The 93.184.216.34:80 source is left untouched.)


Level 3 — Analysis

Exercise 3.1 (L3)

Roughly how many simultaneous flows to a single destination IP:port can one public IP support under PAT? State the limiting resource.

Recall Solution 3.1

The limit is the source port space: a port is bits, so there are values (). Low ports are reserved, so in practice roughly: Why per-destination is subtler: a NAT flow is uniquely keyed by the full 5-tuple . If the destination changes, the same public port can be reused. So is the ceiling per (destination IP, destination port, protocol) combination — the total capacity across all destinations is far larger.

Exercise 3.2 (L3)

A home network has 50 devices and 1 public IP. All 50 open a webpage at the same instant. Can plain (IP-only) SNAT handle this? Prove it with the mapping arithmetic.

Recall Solution 3.2

No. Plain SNAT maps inside IPs to public IPs 1:1: With only public IP available, hosts have no mapping. You must use PAT, whose table key is the full tuple — 50 flows fit easily inside the port budget of the single public IP.

Exercise 3.3 (L3)

Given 172.16.0.0/12, is the address 172.20.5.9 inside this private range? Show the boundary check.

Recall Solution 3.3

A /12 locks the first bits. The range spans: Why ? The /12 freezes (first octet, bits) plus the top bits of the second octet. Those bits allow the second octet to vary from () up through (). Since , the address 172.20.5.9 is inside the private range. See RFC 1918 Private Addresses.


Level 4 — Synthesis

Exercise 4.1 (L4)

Design the minimal NAT rules for this office:

  • Inside clients (10.1.0.0/16) must browse the internet, hidden behind public 198.51.100.7.
  • An internal web server 10.1.0.50:8080 must be reachable from the internet at 198.51.100.7:443.

List which NAT type each rule uses and the direction it acts.

Recall Solution 4.1

Rule A — outbound clients: use PAT (SNAT + port). Rewrite every outbound packet's source to 198.51.100.7:<unique port>. Acts on the outbound path; hides 10.1.0.0/16. Rule B — inbound server: use DNAT (port forwarding). Rewrite inbound packets destined 198.51.100.7:44310.1.0.50:8080. Acts on the inbound path. These coexist: A handles client-initiated traffic leaving, B handles server-destined traffic arriving. See Firewalls vs NAT for why B alone is not a security policy.

Exercise 4.2 (L4)

A VoIP call using SIP fails through NAT even though the router forwards the right ports. Explain the root cause and name the fix, using the translation-table picture.

Recall Solution 4.2

Root cause: SIP writes the caller's IP and port inside the packet payload (the body), not just in the header. NAT rewrites the header tuple but leaves the body untouched, so the callee reads the stale private address 10.x.x.x and tries to send media there — which is non-routable. The fix: an ALG (Application Layer Gateway) that reaches into the payload and rewrites the embedded address too, or client-side NAT traversal. See STUN, TURN & NAT Traversal.


Level 5 — Mastery

Exercise 5.1 (L5)

Your ISP moves you to CGNAT (Carrier-Grade NAT): your "public" IP 100.64.0.9 is itself shared and translated again upstream. You run a game server on 10.0.0.5:25565 and set up DNAT on your home router. It still can't be reached from the internet. Explain the two-layer failure and what would fix it.

Recall Solution 5.1

Two NAT layers stacked:

  1. Home router: 10.0.0.5:25565100.64.0.9:25565 (your DNAT — works).
  2. Carrier NAT: 100.64.0.9 is not globally routable (it's in the CGNAT range 100.64.0.0/10) and the ISP performs PAT on it upstream. You do not control that box, so you cannot install an inbound DNAT rule there.

Result: an outsider hitting your real public IP has no forwarding rule at the carrier layer — the inbound packet dies before it ever reaches your router. Your local DNAT is correct but unreachable. Fixes: ask the ISP for a real public IP, use IPv6 (no CGNAT, every host globally addressable — see IPv6), or use a TURN relay so the connection is established outbound-then-relayed (see STUN, TURN & NAT Traversal).

Exercise 5.2 (L5)

Compute the budget claim: with one public IP, if devices each open simultaneous flows to different destinations, does PAT survive? What if all flows target the same server IP:port?

Recall Solution 5.2

Total flows requested: Case A — spread across destinations: each flow's slot is keyed by the full 5-tuple, so different destinations reuse the same source ports freely. flows easily fit. ✅ Case B — all to one server IP:port: now the only free field is the source port, capped at . Since , it still just fits — but barely. Add another flows to that same server and PAT would exhaust the port space and start dropping connections. ⚠️



Connections

  • 4.3.10 NAT — why, how, types (SNAT, DNAT, PAT) (Hinglish) — parent topic
  • IPv4 Addressing & Subnetting — the /8 /12 /16 exponent math
  • RFC 1918 Private Addresses — the ranges checked in 3.3
  • Ports & TCP-UDP Headers — why the 16-bit port budget bounds PAT
  • Firewalls vs NAT — DNAT is not a security policy
  • STUN, TURN & NAT Traversal — SIP/VoIP and CGNAT escapes
  • IPv6 — abundant addresses remove the need for CGNAT
  • Port Forwarding & DMZ — DNAT under its marketing name