Network Routing – Complete Beginner to Advanced Guide
CHAPTER 11 Beginner

NAT and Internet Routing

Updated: May 15, 2026


1. Introduction

In Chapter 2, we stated a hard rule: *"Standard routing never changes the Source or Destination IP addresses."* In this chapter, we are going to break that rule deliberately. IPv4 addresses are 32 bits wide, so there are only about 4.3 billion of them, and a large share of that space is reserved or was handed out in huge early blocks. If every laptop, smartphone, and smart TV required its own Public IP, the internet would have run out of addresses in the 1990s. To head off that collapse, engineers introduced an aggressive workaround called Network Address Translation (NAT), first described in RFC 1631 in 1994. In this chapter, we will explore how Edge Routers use NAT to hide thousands of Private IPs behind a single Public IP, enabling modern internet access.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Explain the critical difference between Public and Private IP addresses.
  • Define the primary operational purpose of Network Address Translation (NAT).
  • Understand the mechanics of Port Address Translation (PAT / NAT Overload).
  • Explain how a router maintains a NAT Translation Table.
  • Trace the flow of a packet from a home network out to the internet.

3. Beginner-friendly Explanations

The Corporate Mailroom Analogy: Imagine a large office building. The building has one official public mailing address: 100 Business Way. Inside, there are 500 employees, each with an internal desk number (Desk 1, Desk 2, and so on).

If John at Desk 5 wants to send a letter to a client, he cannot put "Return Address: Desk 5" on the envelope, because the Post Office has no idea where "Desk 5" is. Instead, he drops it in the mailroom. The Mailroom Manager (the NAT Router) intercepts the letter, erases "Desk 5," and writes "100 Business Way." He logs a note in his ledger: *"I sent a letter for Desk 5 to this particular client."* When that client replies to 100 Business Way, the Manager checks his ledger, sees the reply belongs to John, and hands the letter to Desk 5. A letter from a stranger who was never written to matches nothing in the ledger, so it has no desk to go to.

4. Public vs. Private IPs

To make NAT work, RFC 1918 reserves three blocks of Private IP Addresses that anyone may use inside their own network but that are never routed on the public internet.
  • 10.0.0.0/8 (10.0.0.0 to 10.255.255.255; typically large enterprise networks)
  • 172.16.0.0/12 (172.16.0.0 to 172.31.255.255; medium networks, also common in cloud VPCs)
  • 192.168.0.0/16 (192.168.0.0 to 192.168.255.255; home Wi-Fi networks)

If a router on the internet backbone (say, at AT&T) ever sees a packet with a Destination IP of 192.168.1.50, it has no route for that prefix and drops the packet; ISPs also filter packets with private source addresses at their edge (the practice described in BCP 38) so they never leave the customer network. Private IPs are perfectly routable inside your own network; they simply cannot be routed across the public internet, and many unrelated networks use the exact same 192.168.1.50 at once.

5. How NAT Alters the Packet

Your laptop has a Private IP (192.168.1.50). It wants to reach Google.
  1. Your laptop creates a packet. Source IP: 192.168.1.50, Destination IP: Google's server.
  2. The packet hits your Home Router (the Default Gateway), which has NAT enabled on its WAN (internet-facing) interface.
  3. The Router sees that the Source IP is in RFC 1918 space. Nothing on the internet could reply to that address, so the packet cannot be forwarded as-is.
  4. The Hack: the Router overwrites the 192.168.1.50 Source IP with its own ISP-assigned Public IP (e.g., 203.0.113.5) and recomputes the IP header checksum and the TCP/UDP checksum, since both cover the address.
  5. It records the swap (inside address and port, outside address and port, and the destination) in its internal NAT Table and forwards the packet to the ISP.
  6. When Google replies, it replies to the Public IP (203.0.113.5). The Router matches the reply against its NAT Table, swaps the Destination IP back to 192.168.1.50, and delivers it to your laptop. Entries are removed when the connection closes or after an idle timeout, so the table does not grow without bound.

6. Port Address Translation (PAT)

What happens if three laptops in your house all search Google at the exact same millisecond? When three replies come back to the Router's single Public IP, how does it know which reply goes to which laptop?

It uses Port Address Translation (PAT), also called NAT Overload (Cisco's term), NAPT (RFC 3022), or masquerading (Linux). When the router rewrites the Source IP, it *also* rewrites the Source TCP/UDP Port to a port that is currently unused on its Public IP, so every active flow gets a unique (Public IP, Public Port) pair. The NAT table is therefore keyed on the whole 5-tuple (protocol, inside IP, inside port, destination IP, destination port), not on the IP address alone. ICMP has no ports, so routers key echo requests on the ICMP identifier field instead.

  • Laptop 1 request -> Sent out as Public IP + Port 50001
  • Laptop 2 request -> Sent out as Public IP + Port 50002

When the reply hits Port 50001, the Router checks the NAT table and instantly knows it belongs to Laptop 1.

7. The Natural Firewall Effect

Because a PAT table only holds entries for conversations that started from inside, it incidentally blocks most unsolicited inbound traffic. If an attacker on the internet scans your Public IP and tries to connect to TCP port 445 (Windows SMB, historically a frequent target), the packet hits your Home Router. The Router checks its NAT Table. Because no host inside the house initiated a conversation that maps to that port, there is no entry, the router has no inside host to deliver to, and it drops the packet (or answers with a TCP RST, depending on the device). This is why NAT is often described as a default inbound firewall. Treat that as a side effect, not a security control: port forwarding, UPnP and "DMZ host" settings punch holes in it; permissive NAT implementations forward anything that arrives on a mapped port regardless of who sent it; and NAT does nothing against traffic that a compromised inside host initiates outbound. Run a real stateful firewall alongside it.
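As an added example (not part of the course material and not any vendor's router code), the following Python simulates the translation table that sections 4 through 7 describe: it checks the source against the RFC 1918 blocks, allocates a distinct public port per flow (PAT), reverses the mapping for replies, and returns None (drop) for inbound packets with no entry, including the TCP 445 probe from section 7. Every address and port is a constructed value from the RFC 5737 documentation ranges; the strict matching of replies on the remote address and port is a modelling assumption, since real home routers vary in how permissive they are (RFC 4787 catalogues the behaviours).

```python
"""Toy NAT/PAT router: an example written for this chapter, not code from the
course or from any real router firmware.  Addresses below are constructed
from the RFC 5737 documentation ranges (203.0.113.5 plays the public IP)."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The three blocks RFC 1918 reserves for private use (section 4).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private blocks."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Port Address Translation (NAT overload / NAPT).

    Mappings are keyed on the full 5-tuple, so a reply is accepted only from
    the host the inside client actually talked to (assumption: the strict
    'address and port dependent' behaviour of RFC 4787).  Cheap home routers
    are often more permissive, which is one reason the firewall effect is
    not a firewall."""

    def __init__(self, public_ip: str, port_lo: int = 49152, port_hi: int = 65535):
        self.public_ip = public_ip
        self._next_port = port_lo
        self._port_hi = port_hi
        # (proto, inside ip, inside port, dst ip, dst port) -> public port
        self.outbound: dict = {}
        # (proto, public port, remote ip, remote port) -> (inside ip, inside port)
        self.inbound: dict = {}

    def _alloc_port(self) -> int:
        if self._next_port > self._port_hi:
            raise RuntimeError("NAT port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite a private source to (public ip, public port)."""
        if not is_rfc1918(pkt.src_ip):
            return pkt  # already a public source; nothing to translate
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.outbound.get(key)
        if public_port is None:  # first packet of this flow: create the mapping
            public_port = self._alloc_port()
            self.outbound[key] = public_port
            self.inbound[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: reverse the rewrite, or return None (drop) if no entry."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # unsolicited: no inside host to deliver to
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


def demo() -> dict:
    """Two laptops, same server, same local port, plus two inbound probes."""
    router = NatRouter("203.0.113.5")
    server = "198.51.100.20"  # constructed stand-in for Google (TEST-NET-2)
    a_out = router.translate_outbound(Packet("192.168.1.50", 51000, server, 443))
    b_out = router.translate_outbound(Packet("192.168.1.51", 51000, server, 443))
    a_again = router.translate_outbound(Packet("192.168.1.50", 51000, server, 443))
    return {
        "a_out": a_out, "b_out": b_out, "a_again": a_again,
        # legitimate replies, addressed to the public IP on each mapped port
        "a_reply": router.translate_inbound(Packet(server, 443, "203.0.113.5", a_out.src_port)),
        "b_reply": router.translate_inbound(Packet(server, 443, "203.0.113.5", b_out.src_port)),
        # scanner probing TCP 445 on the public IP: no entry, dropped
        "probe": router.translate_inbound(Packet("192.0.2.66", 40000, "203.0.113.5", 445)),
        # third party guessing laptop A's mapped port: wrong remote host, dropped
        "hijack": router.translate_inbound(Packet("192.0.2.66", 443, "203.0.113.5", a_out.src_port)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:8} -> {value}")
```

Running the file prints the two outbound packets leaving as 203.0.113.5:49152 and 203.0.113.5:49153, the two replies arriving back at 192.168.1.50 and 192.168.1.51 on port 51000, and None for both probes. Swap the strict 4-tuple inbound lookup for one keyed on the public port alone and the "hijack" packet is suddenly delivered, which is precisely the difference between a permissive consumer NAT and a stateful firewall.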

8. Best Practices

  • Avoid Double NAT: In a home or office it is easy to plug a NAT Wi-Fi router's WAN port into a LAN port of an ISP gateway that is itself performing NAT. Packets are then translated twice, and inbound port forwarding, UPnP, and protocols that carry addresses in their payload or rely on a predictable public port (SIP/VoIP, many online games, some VPN and peer-to-peer tools) frequently break, because each device knows only about its own translation. A network should have a single NAT boundary: put the upstream device in bridge mode, or run the downstream device as a plain access point. Be aware that ISPs using carrier-grade NAT (shared address space 100.64.0.0/10, RFC 6598) add a second NAT layer you cannot remove, which is one reason "port forwarding doesn't work" on some connections.

9. Common Mistakes

  • Forgetting NAT on Cloud Gateways: In an AWS VPC you place your web servers in a Public Subnet (a route to the Internet Gateway plus public IPs) and your Database in a Private Subnet with only private addresses. The Database needs to download a software update from the internet but cannot: the Internet Gateway does not translate, so a packet leaving with a private source address has nowhere to return to. Fix this by creating a NAT Gateway (with an Elastic IP) in the Public Subnet and adding a default route (0.0.0.0/0) to it in the Private Subnet's route table. The Database then borrows the NAT Gateway's public IP for outbound connections while still accepting no inbound connections from the internet, which is exactly what you want for a database.

10. Mini Project: Simulate Internet Routing (Mental Map)

  1. Laptop (192.168.1.5) sends an HTTP packet to 8.8.8.8 from source port 51000.
  2. Packet hits the Home Router.
  3. Home Router performs PAT (192.168.1.5:51000 becomes 72.14.20.55:40001) and records the mapping in its NAT table.
  4. Router uses its Default Static Route (0.0.0.0/0) to send the packet to the ISP.
  5. ISP routers forward it along the BGP-learned route for the Google prefix that contains 8.8.8.8.
  6. Google Server 8.8.8.8 replies to 72.14.20.55:40001.
  7. Home Router finds port 40001 in its table, performs reverse NAT, and delivers the reply to 192.168.1.5:51000.

11. Practice Exercises

  1. Explain the address-exhaustion problem that forced the invention of Network Address Translation (NAT) for IPv4.
  2. How does Port Address Translation (PAT) solve the problem of multiple internal devices utilizing a single Public IP address simultaneously?

12. MCQs with Answers

Question 1

Which block of IP addresses is reserved exclusively for private internal use and is strictly blocked from routing across the public internet backbone?

Question 2

When a home router alters the Source IP address and the Source Port number of an outgoing packet, this specific process is known as:

13. Interview Questions

  • Q: Explain the mechanical difference between Standard NAT and Port Address Translation (PAT).
  • Q: A junior developer deploys an internal database server with an IP of 10.0.5.50. They are frustrated because they cannot access this server directly from their home Wi-Fi across the internet. Explain the routing limitation causing this.
  • Q: Describe how NAT acts as an implicit, default firewall for inbound internet traffic.

14. FAQs

Q: Will NAT exist when we finally switch the entire world to IPv6? A: Not in the role described in this chapter. IPv6 addresses are 128 bits wide, so every device in your house can receive a globally routable Public IPv6 address and address conservation stops being a reason to translate. Two caveats matter in practice. First, the transition is dual-stack for a long time, and IPv6-only networks still reach legacy IPv4 servers through translators such as NAT64, so IPv4 NAT does not disappear overnight. Second, because every IPv6 device is directly reachable, the accidental inbound blocking described in section 7 goes away with it; an IPv6 router must enforce a stateful firewall policy (allow outbound and established, deny unsolicited inbound) explicitly.

15. Summary

In Chapter 11, we uncovered the architectural workaround that saved the IPv4 internet. We learned that NAT explicitly violates standard routing rules by modifying the Source IP address (and, with PAT, the Source Port) in the packet headers. We explored the mechanics of the NAT Translation Table and Port Address Translation (PAT), which allow entire office buildings to share a single Public IP address. Finally, we recognized that while NAT was invented for IP conservation, its side effect of blocking unsolicited inbound connections has fundamentally shaped modern network perimeters, even though it is no substitute for a real firewall.

16. Next Chapter Recommendation

We understand how traffic leaves the building. But how do we organize traffic *inside* the building if we only have one physical switch? Proceed to Chapter 12: VLANs and Inter-VLAN Routing.
