Introduction

Typically, in a home, you have several devices connected to a router. Each device has a private IP address. The router has a public IP address. When a device sends a packet to the internet, it goes through the router. The router keeps track of which device sent which packet. When response packets come back, the router knows which device to send them to. How does this work?

NAT

When one of your devices sends a packet to the router, the router modifies the packet. In particular, it modifies the source port of the packet. It assigns a different source port for each device. The router keeps a table of which source port corresponds to which device. When response packets come back, the router looks at the destination port of the incoming packets. It matches these destination ports against the source ports it has mapped to devices, and it now knows which device (private IP) to send the packet to.

This process, of allowing several devices to share a single public IP address (the IP of the router), is called network address translation (NAT). The key is that the router modifies the source port of outgoing packets (a different source port is assigned for each device), and keeps a table of which source port corresponds to which device.


A typical home setup consisting of several devices connected to a router:

  +----------+        +--------+        +----------+
  | Device 1 |        |        |        |          |
  +----------+        |        |        |          |
  | Device 2 |  <-->  | Router |  <-->  | Internet |
  +----------+        |        |        |          |
  | Device 3 |        |        |        |          |
  +----------+        +--------+        +----------+


The router has a mapping of source ports to device IPs:

+---------+-------------------+
| Source  |  IP               |
+---------+-------------------+
| 10340   | Device 1's IP     |
| 10341   | Device 2's IP     |
| 10342   | Device 3's IP     |
+---------+-------------------+

Outgoing Connections

So far we’ve only talked about outgoing connections. An outgoing connection has packets going both ways (both to the internet and back); however, one of your devices initiated the connection. The connection was not initiated by some other device on the internet, outside of your home. So when a packet comes from the internet to the router, and that packet’s destination port is one of the source ports in the router’s mapping/table, the router knows that this packet is coming in response to a packet that was sent out by one of the devices in your home, so the router “accepts” this packet (it doesn’t simply throw it away), and uses the mapping/table to know which device to send the packet to.

Incoming Connections

If, on the other hand, a packet comes from the internet to the router, and that packet’s destination port is not one of the source ports in the router’s mapping/table, the packet is said to be “unsolicited” and the router simply throws it away. This is the default behavior.

Port Forwarding

However, you can tell the router to keep certain ones of these “unsolicited” packets. You can tell the router to forward unsolicited packets that have a certain destination port to a certain device in your network. In essence this allows one of your devices to act as a server (something that accepts incoming connections).

This process, of telling the router to accept and forward certain incoming/unsolicited packets to a certain device (private IP), is called port forwarding.
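The following toy router ties the three behaviours above together: outbound translation with a mapping table (the NAT section), delivery of replies versus dropping of unsolicited packets (the outgoing/incoming sections), and an explicit port-forward entry. It is an added example written for this page, not code from the original text or from any real router. It goes slightly beyond the page's per-device table by keying the mapping on the pair (private IP, private source port), which is what lets two devices that happen to pick the same source port both be reached behind one public IP. All addresses and port numbers are constructed (RFC 5737 documentation ranges), and `NatRouter`, `Packet` and `demo` are names chosen here.

```python
"""Toy NAT router: outbound translation, reply matching, unsolicited drop,
and port forwarding. Constructed example, not real router firmware."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 10340) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # public source port -> (private IP, private source port)
        self.table: Dict[int, Tuple[str, int]] = {}
        # public destination port -> (private IP, private port), set by the admin
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet's source to the router's public IP and a
        router-chosen port, remembering which device/port it came from."""
        private = (pkt.src_ip, pkt.src_port)
        for pub_port, mapped in self.table.items():
            if mapped == private:          # existing flow: reuse its public port
                break
        else:
            pub_port = self._next_port     # new flow: allocate the next free port
            self._next_port += 1
            self.table[pub_port] = private
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def forward_port(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Port forwarding: accept unsolicited packets on public_port and hand
        them to one chosen device. This deliberately exposes that device."""
        self.forwards[public_port] = (private_ip, private_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Decide what happens to a packet arriving from the internet.
        Returns the packet as delivered to the LAN device, or None if dropped."""
        if pkt.dst_port in self.table:           # reply to an outgoing connection
            priv_ip, priv_port = self.table[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        if pkt.dst_port in self.forwards:        # explicitly forwarded port
            priv_ip, priv_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        return None                              # unsolicited: dropped by default


def demo() -> Dict[str, Optional[Packet]]:
    """Walk the cases from the text with constructed addresses."""
    router = NatRouter("203.0.113.7")           # constructed public IP
    # Devices 1 and 2 both pick source port 51000 for a connection to the same server.
    out1 = router.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    out2 = router.outbound(Packet("192.168.1.11", 51000, "198.51.100.5", 443))
    # The server's reply is addressed to the router's public IP and public port.
    reply = router.inbound(Packet("198.51.100.5", 443, router.public_ip, out1.src_port))
    # A packet to public port 22 that nobody asked for: dropped.
    stray = router.inbound(Packet("198.51.100.9", 40000, router.public_ip, 22))
    # After the admin forwards public port 22 to device 3, the same packet is delivered.
    router.forward_port(22, "192.168.1.12", 22)
    forwarded = router.inbound(Packet("198.51.100.9", 40000, router.public_ip, 22))
    return {"out1": out1, "out2": out2, "reply": reply,
            "stray": stray, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:9s} -> {pkt if pkt else 'DROPPED'}")
```

Running it shows the two devices leaving with public ports 10340 and 10341 despite sharing private port 51000, the reply landing back on device 1 at its original port, the stray packet to port 22 being dropped, and the same packet being delivered to device 3 once the forward exists. The last step is the security-relevant one: a forwarding rule turns the default-drop behaviour off for that port, so whatever listens on the chosen device is reachable from the whole internet.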