Network Address Translation - Computerphile

  • Published on 30 Sep 2024
  • IPv4 ran out of space, so how are we still all looking at the internet? - NAT has the answer! - Richard Mortier explains how the IP address space was expanded upon.
    Network Stacks: • Network Stacks and the...
    IP addresses: • IP Addresses and the I...
    This video was filmed and edited by Sean Riley.
    Computer Science at the University of Nottingham: bit.ly/nottscom...
    Computerphile is a sister project to Brady Haran's Numberphile. See the full list of Brady's video projects at:periodicvideos.....

Comments • 209

  • @mirageh264
    @mirageh264 10 years ago +216

    Sooo, this 10 minute discussion of NAT made way more sense than the 1 week discussion of the same topic in my networks course at my university. I'm not sure how I feel about that

  • @stevenschiro1838
    @stevenschiro1838 8 years ago +78

    To put it a little simpler, imagine your house with 10 devices on the internet (laptops, desktops, game consoles, etc). Those don't have their own external IP address (the one on the internet). You only have 1 for your modem/router, and your router then forwards a packet to each device based on the port # and internal IP address.
    This is why you need to set up port forwarding if you've ever played an online game, so that when a packet hits your router on a certain port, it knows which computer to send it to

  • @modus_ponens
    @modus_ponens 11 years ago +59

    I would appreciate subtitles. He's talking quite quietly and quickly about complex things.

  • @Aemilindore
    @Aemilindore 8 years ago +8

    University of Nottingham is awesome. You guys have conversant professors! I also love Nottingham for the fact that Robbin lived there!! Regards from Sri Lanka.

  • @mina86
    @mina86 11 years ago +4

    If you want a computer inside your network to accept connections, it must be configured in NAT. This is called “port forwarding” and it instructs NAT that if it gets a connection to (say) port 80, it should direct it to (say) 10.0.0.1:80 in the private network. If there is no such configuration, incoming connections will be dropped. If an incoming packet is part of an already established connection, NAT just looks at the destination port and maintains a state mapping it to ip:port in the local network.
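
The port-forwarding and state-lookup behaviour described in @mina86's comment above, as an added example (not code from the video or from any commenter). The `PatRouter` class, the port pool starting at 40000 and the documentation-range addresses are assumptions made for illustration; matching inbound packets on destination port alone follows the comment's simplified model.

```python
from dataclasses import dataclass, field


@dataclass
class PatRouter:
    """Toy PAT table (hypothetical class, simplified: no timeouts, no per-peer filtering)."""
    public_ip: str
    next_port: int = 40000                        # assumed start of the public port pool
    out_map: dict = field(default_factory=dict)   # (proto, priv_ip, priv_port) -> public_port
    in_map: dict = field(default_factory=dict)    # (proto, public_port) -> (priv_ip, priv_port)
    forwards: dict = field(default_factory=dict)  # static port-forwarding rules

    def add_forward(self, proto, public_port, priv_ip, priv_port):
        """Static rule: traffic to public_port is sent to priv_ip:priv_port."""
        self.forwards[(proto, public_port)] = (priv_ip, priv_port)

    def _alloc_port(self, proto):
        # Skip ports already bound to a mapping or reserved by a forward.
        while (proto, self.next_port) in self.in_map or (proto, self.next_port) in self.forwards:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("public port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network, creating state on first use."""
        key = (proto, src_ip, src_port)
        if key not in self.out_map:
            port = self._alloc_port(proto)
            self.out_map[key] = port
            self.in_map[(proto, port)] = (src_ip, src_port)
        return (proto, self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Rewrite a packet arriving at the public address; None means it is dropped."""
        target = self.in_map.get((proto, dst_port)) or self.forwards.get((proto, dst_port))
        if target is None:
            return None  # no state and no forwarding rule: nowhere to send it
        return (proto, src_ip, src_port, target[0], target[1])


def demo():
    nat = PatRouter(public_ip="203.0.113.7")  # constructed addresses throughout
    # Two private hosts use the same source port; each gets its own public port.
    a = nat.outbound("tcp", "10.0.0.2", 5000, "198.51.100.10", 443)
    b = nat.outbound("tcp", "10.0.0.3", 5000, "198.51.100.10", 443)
    reply = nat.inbound("tcp", "198.51.100.10", 443, b[2])    # matches existing state
    unsolicited = nat.inbound("tcp", "192.0.2.66", 51000, 80)  # no state, no rule
    nat.add_forward("tcp", 80, "10.0.0.1", 80)
    forwarded = nat.inbound("tcp", "192.0.2.66", 51000, 80)    # now matches the rule
    return a, b, reply, unsolicited, forwarded


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same table serves UDP, because the lookup only needs a protocol and a port pair. Real NAT implementations typically also record the remote endpoint and expire idle entries.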

  • @gooeychocolatechipcookie5935
    @gooeychocolatechipcookie5935 11 years ago +16

    what he explained was overloading, or PAT (port address translation). But it was still a very nice explanation of PAT. just clarifying.

  • @IzzyIkigai
    @IzzyIkigai 11 years ago +5

    There are now also ISPs that use IPv4 NAT instead of upgrading to IPv6, so it could happen that your "external" address of your router is in fact an IP address in a private range. This can severely impact some software, for example games or remote desktop solutions. A colleague of mine had the problem with Teamviewer on one of the German cable networks.

  • @timsr
    @timsr 10 years ago +4

    The first time I ran into a NAT problem I was trying to host a Warcraft 3 map online. Port forwardings at my router didn't work, I had to use something called "port triggering".

  • @h.oliabak
    @h.oliabak 9 years ago +17

    What tools did you use for creating this animation? Amazing!

  • @linkinsyed
    @linkinsyed 10 years ago +5

    can you please amplify the voice data? hardly able to hear.

  • @geraldinejns
    @geraldinejns 10 years ago +2

    I am a new IT Consultant @ the Veteran's Community Resource Center located in Miami FL. How much does it cost to rent your brain? I went to the library and took out a book called EXAM CRAM 2 Network+, it sucks. I need a good book that will actually explain it the way you do. I'm actually looking at all of the Computerphile videos on YouTube.

  • @DaffyDaffyDaffy33322
    @DaffyDaffyDaffy33322 11 years ago +1

    7:06 I run a server behind a router. I've had to deal with all of these problems at one point or another. It's really annoying when my router is all like "CHANGE PLACES!!" and remaps all the private addresses.

  • @DualStixGaming
    @DualStixGaming 9 years ago +4

    nice, keep up the good work computerphile

  • @rlamacraft
    @rlamacraft 11 years ago +3

    I'm starting a degree in Computer Science in a couple of weeks and these videos are getting me really excited for my course - brilliant videos, every single one :)

  • @klaasbarends
    @klaasbarends 11 years ago +1

    because they use old line printer paper

  • @DoctorCobweb
    @DoctorCobweb 11 years ago +3

    thank you for uploading more of this guy. he explains things so clearly (as do all the others). going to rewatch them all soon. keep up the awesomeness.

  • @KarlBeeThree
    @KarlBeeThree 1 year ago +1

    Finally, a rational, clear explanation of how NAT works and how it's implemented. Thanks !!

  • @kamaalz1346
    @kamaalz1346 3 years ago +1

    Age of empires, anyone?

  • @CaitlinJoRamsey
    @CaitlinJoRamsey 11 years ago +14

    Brady, it would be helpful to have a video focused on NAT or IPv6, or port-forwarding. I've been trying to solve a networking problem: connecting from a remote unix machine (a laptop--meaning I could be anywhere) to a database engine (SQL server) residing on my home network. I've learned more about networking than I ever wanted to know--just in tinkering to get to my database! But now I'm intrigued...

  • @soup2634
    @soup2634 10 years ago +2

    Port forwarding. Now I understand you :)))

  • @CppExpedition
    @CppExpedition 7 months ago

    👏👏thx i have had that question for so long, no one had explained to me before that the translation does not just translate the local IP to global, but it also translates THE PORT number!

  • @blidge8282
    @blidge8282 11 years ago +1

    IPv6 is superior to v4 in almost every way. The transition will occur naturally as older devices are replaced and it becomes more cost effective to implement IPv6 and cover any gaps with dual stacks.

  • @JaredReabow
    @JaredReabow 11 years ago

    for most home routers the ip is 192.168.1.254, some of you guys at home type that into your address bar and press enter you will be directed to your home router

  • @ksng767
    @ksng767 11 years ago +1

    As a person who had very little computer science knowledge, I found this harder to understand than quantum physics, and I love it.

  • @dezent
    @dezent 11 years ago

    Yes. allow all firewall rules below.
    attacker -- internet -- router -- computer
    attacker could connect to and exploit any service listening on the interface connected to the router.
    attacker -- internet -- NAT -- computer
    attacker needs user to run exploit of some kind for attacking the computer behind NAT.
    If you know a way (not theoretical) that would penetrate NAT where modern operating systems are being used, please enlighten me.

  • @BGBTech
    @BGBTech 11 years ago

    yes and no.
    yes: in that ports are mapped and translated directly via the router (it doesn't need to care what they contain).
    no: in that the higher-level (application) protocols often need to be more aware what the public IP and ports are in order to work correctly, so sometimes the protocol needs some mechanism to figure this out (usually during a "handshake" process or similar).
    OTOH, with TCP, more of the details are often abstracted over, so it is less often an issue.

  • @leeghanger
    @leeghanger 11 years ago

    MAC addresses are not sent over the internet.
    The source and destination MAC address inside a packet is changed whenever the packet passes a networking device. This way the devices have an idea on how the packet can return to its destination, only the source and destination IP addresses stay the same throughout the entire "journey". So the MAC of your PC can never be used to locate you, it is simply never transmitted.

  • @pikuorguk
    @pikuorguk 11 years ago

    Yeah, they'd have to send out new hardware to their customers which would be expensive (and if you're an ISP that lets customers use their own hardware what do you do then?). I also suspect since "The Internet" works at the moment, getting the millions of non-technical users to even understand the problem is a big challenge.
    It'd be like when BT re-numbered the UK phone system... but for the entire planet.

  • @ShaunDreclin
    @ShaunDreclin 11 years ago

    Portforward in a nutshell:
    Behind your router you have computer A, B, C, D, and E.
    All 5 of those computers are behind one single public IP address.
    When a computer somewhere else on the internet connects to your IP, it doesn't know which of your 5 computers to connect to. Portforward makes your router say "If it's this type of request, send it to computer B, if it's that type of request, send it to computer D"

  • @MrLevtastic
    @MrLevtastic 11 years ago

    The website I maintain at work has had visits from a 10.*.*.* address - I contacted the hosting provider of our server and they say the connection didn't come from their network - so this private IP address must have been used on the public internet, and I was unable to track down where it came from. I assume this must be because of NAT? It's really a problem when tracking down suspicious behaviour.

  • @SolidIke
    @SolidIke 11 years ago

    it seems my comment is one of the top comments, and because of it, i've gotten many responses (and emails) as to why there is no brown paper, all i've got to say is, ok, got it, it's computerphile and not numberphile, it's printer paper which fits in the theme, and others, so please, no more replies, thank you

  • @pikuorguk
    @pikuorguk 11 years ago

    Suppose my ISP is doing NAT because it's run out of its allocation of IP addresses for the number of customers it has... what IP addresses is it going to give out to new customers? It can't give out 192.168.x.x or other private ones because that'd confuse the NAT in everyone's router, but that means it needs to give out public IP addresses... but they're all gone...

  • @leadbyexample108
    @leadbyexample108 11 years ago

    It is for the same reason that many industries and companies still use XP and haven't moved to Win7, which is because it simply works. Moving to IPv6 would require a huge amount of work and cooperation across the globe, and you can't guarantee that each computer/server/mainframe/workstation is compatible with IPv6.

  • @locust76
    @locust76 11 years ago

    UDP doesn't need any special trickery to be address translated. The PAT process isn't looking for sessions, it's looking at source and destination port pairs. Since UDP packets still have a source and destination port, they're translated without issue. Incoming port forwarding is the same.

  • @ShaunDreclin
    @ShaunDreclin 11 years ago

    Part of it is technological, part of it is legal. Your internet service provider knows exactly who you are and what you connect to, so (depending on the laws of your country) if the police can go to your ISP and demand information about you, they'll find out who you are.

  • @gio_
    @gio_ 11 years ago

    I get the outgoing translation, but how does the incoming translation process work? I don't get how the hub knows to which local IP to send the data to if there's no indication where it is coming from. Especially since you're limited to the amount of ports.

  • @BC1ZM3
    @BC1ZM3 11 years ago

    so we basically need to make IPV5 so that we will have several times the capacity, we just need to make the move, we have to upgrade computers soon enough anyways because the internal clocks are counting down

  • @hyto
    @hyto 11 years ago

    He has to be more conceptual and not so technical, this is too confusing for someone without knowledge, NAT is very simple.
    Even for someone with knowledge he goes back and forth and is hard to keep up with the idea.

  • @MrRocketRat
    @MrRocketRat 11 years ago

    128.243.*.* is reserved for the University of Nottingham which is enough addresses for 70,225 computers (256*256) and that isn't enough? I know where I want to go to University.

  • @GothAlice
    @GothAlice 11 years ago

    Those terms are somewhat ambiguous, and different games will have different meaning for them. Generally with open NAT the game is able to request your router to forward an incoming port to the game, you effectively become a server. Strict means it was unable to do so. Moderate may mean it was able to "punch through" your firewall using a variety of tricks (UDP, not TCP), but such solutions may be sub-optimal or flakey.

  • @mina86
    @mina86 11 years ago

    If it came from the public Internet, it means that your hosting provider's routers are misconfigured. Packets whose source or destination address falls within a private address space must be dropped by the router that connects a private network to the public Internet. It's far more likely that the packet did originate from within the hosting site's network.
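
A way to triage the situation raised in @MrLevtastic's question and @mina86's reply above (a web server log showing a 10.*.*.* client), as an added example that is not from any commenter. The log lines are constructed, the function names are hypothetical, and the 100.64.0.0/10 shared range used for ISP-level NAT is included as an assumption about what a defender would also want flagged.

```python
import ipaddress

# IPv4 ranges that should not show up as a client address arriving from the
# public Internet if the border router filters as the reply above describes.
NON_ROUTABLE = [
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("cgnat-shared", ipaddress.ip_network("100.64.0.0/10")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
]


def classify(addr):
    """Label one client address; anything not in NON_ROUTABLE counts as public."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsable"
    if ip.version != 4:
        return "ipv6-not-checked"
    for label, net in NON_ROUTABLE:
        if ip in net:
            return label
    return "public"


def triage(log_lines):
    """Return (line_number, client, label) for each request whose client is not public.

    A hit means the request came from inside the hosting network or the
    border filter is missing, the two cases named in the reply above.
    """
    findings = []
    for number, line in enumerate(log_lines, start=1):
        fields = line.split()
        client = fields[0] if fields else ""
        label = classify(client)
        if label != "public":
            findings.append((number, client, label))
    return findings


# Constructed access-log lines (common log format); documentation-range
# addresses stand in for ordinary public clients.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Mar/2014:10:01:22 +0000] "GET / HTTP/1.1" 200 512',
    '10.4.2.9 - - [12/Mar/2014:10:02:05 +0000] "GET /login HTTP/1.1" 200 733',
    '100.72.0.5 - - [12/Mar/2014:10:03:41 +0000] "GET /login HTTP/1.1" 401 120',
    '172.32.0.1 - - [12/Mar/2014:10:04:10 +0000] "GET / HTTP/1.1" 200 512',
    '- - - [12/Mar/2014:10:05:00 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```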

  • @dezent
    @dezent 11 years ago

    How about raising the level on computerphile? i guess numberphile and the other channels have pretty clever and complex questions when this is beginner stuff.

  • @tretronthedragon
    @tretronthedragon 11 years ago

    i had a lot of trouble with my XBOX because my NAT type was closed. and port forwarding didn't work. after i saw this video i suddenly solved it :o thank you!

  • @LittlePeng9
    @LittlePeng9 11 years ago

    My opinion on what MUST appear on this channel is what actually is an algorithm. We had lesson about sorting algorithms, but not on algorithms in general.

  • @BeastOfTraal
    @BeastOfTraal 11 years ago

    NAT does give you a layer of security because any unsolicited incoming packet gets blocked simply because the router doesn't know what to do with it.

  • @Sagaepic
    @Sagaepic 11 years ago

    You should've explained Class A/B/C Networks for that matter, but I haven't watched all the video yet, so you might have, but I haven't watched it yet.

  • @pikuorguk
    @pikuorguk 11 years ago

    NAT and PAT are OK until you have more than one machine behind the NAT router that is trying to open the same port to the outside world.

  • @jan709
    @jan709 11 years ago

    I guess NAT gained the upper hand over the introduction of ipv6 because it can be implemented on one party without the other noticing it?

  • @Sagaepic
    @Sagaepic 11 years ago

    yeah, still they'll get your mac address, so if they search your house they can identify you as the downloader, except you fake your mac...

  • @GothAlice
    @GothAlice 11 years ago

    Except for the fact that IPv6 has the capability of having a unique address for every cubic centimetre of the planet. We won't need a replacement until we become an interstellar civilization.

  • @Tyranisaur
    @Tyranisaur 11 years ago

    So how does NAT come into play when you're playing games online and it tells you that you have either strict, moderate or open NAT?

  • @PontusWelin
    @PontusWelin 11 years ago

    Why aren't ISPs using ipv6? It would solve some big problems, wouldn't it? And I don't understand what problems it would come with.

  • @ShaunDreclin
    @ShaunDreclin 11 years ago

    A single computer doesn't need a router, but you still need a modem.
    Most ISPs now give you a modem/router combo anyway though.

  • @H3kler
    @H3kler 11 years ago

    There will always be a source and destination IP and Port, and generally the connection won't be initiated from the public space.

  • @simon24h
    @simon24h 11 years ago

    Why would that be a problem? In fact that seems to be a common scenario in the real world. google.com:80 for example.

  • @NikiHerl
    @NikiHerl 11 years ago

    nope, it just did many years ago, and if you haven't changed yours since then, you can still have GIFs as avatar

  • @aclima93
    @aclima93 11 years ago

    Computerphile uses this kind of paper instead of the regular numberphile brown paper so as to differentiate itself

  • @H3kler
    @H3kler 11 years ago

    Classful Network design isn't really a thing anymore. It's probably just better to explain CIDR/Subnet Masks....

  • @eideticex
    @eideticex 11 years ago

    See 802.3 ethernet frame structure. Both source and destination MAC are packaged near the start of the frame.

  • @NthPortal
    @NthPortal 11 years ago

    ...Because this isn't numberphile. They've been using the paper they used in this video since the beginning.

  • @Yorjiii
    @Yorjiii 11 years ago +1

    Subtitles please!

  • @gore14
    @gore14 11 years ago

    Maybe because he wanted to be more correct and not be lazy about it? That ever cross your mind as well?

  • @jorgevillarreal2245
    @jorgevillarreal2245 7 months ago

    @10:03 public address AND port number

  • @Sagaepic
    @Sagaepic 11 years ago

    May be true, not sure. I know for sure that your PC sends the MAC but I don't know 'bout the Router.

  • @TrolIification
    @TrolIification 11 years ago

    because the NAT makes it hard to discover a private address does this add a layer of security?

  • @H3kler
    @H3kler 11 years ago

    I doubt they would use those addresses for the internal private network.... there's no need to.

  • @NthPortal
    @NthPortal 11 years ago

    ...Why don't they just upgrade to IPv6 already? It would seem to make everything simpler.

  • @EQuivalentTube2
    @EQuivalentTube2 11 years ago

    Because it's not Numberphile. It's Computerphile, they use old perforated printer paper, which is appropriate.

  • @1FISH
    @1FISH 11 years ago

    So, the NAT makes the addresses bigger on the inside?
    NAT: Network Address Tardis.

  • @thinkwithportal
    @thinkwithportal 11 years ago

    From what they are saying it will cost a lot to upgrade the whole infrastructure.

  • @JackFate76
    @JackFate76 11 years ago

    Because it's Computerphile not Numberphile. Here they use the old Printer-Paper.

  • @jan709
    @jan709 11 years ago

    That privacy benefit sounds a bit weird, aren't there things like tor for that?

  • @blidge8282
    @blidge8282 11 years ago

    That address space supports 65536 addresses and at most 65534 host addresses.

  • @jan709
    @jan709 11 years ago

    good question, i have no idea. Maybe it never made it off the drawing board?

  • @Tupster
    @Tupster 11 years ago

    Found this kind of boring. NAT is not really that interesting when you get right down to it.

  • @acommenter
    @acommenter 11 years ago

    no, you can get a direct modem, though they are rare these days.

  • @TechyBen
    @TechyBen 11 years ago

    That's why Nat is so broken on the devices I used. It's "hacked together". :P

  • @bld86
    @bld86 11 years ago

    OH SHIT
    IPv4 ran out of space??!?
    when?!??
    i knew it was coming but i didn't know so soon

  • @Kram1032
    @Kram1032 11 years ago

    'cause this is not Numberphile. Brady already addressed that.

  • @kellenlask
    @kellenlask 11 years ago

    RINA! Recursive InterNetwork Architecture. Check it out.

  • @puskajussi37
    @puskajussi37 11 years ago

    They talked a bit of it in this video /watch?v=L6bDA5FK6gs

  • @necromancerpencil
    @necromancerpencil 11 years ago

    Because Sean likes people asking that on every video.

  • @Orthosonic
    @Orthosonic 11 years ago

    It is computerphile.
    They are using line printer paper.

  • @marshalcraft
    @marshalcraft 8 years ago

    his analogy was kinda unrelated or wrong. If something in the application layer referred the ip address, it is breaking the abstraction layers. The software should have referenced its location abstractly in the abstraction layer. But then NAT is wrong for requiring ip and tcp or udp layers. But unrelated to what he talked about.

  • @footballhighlightsbynyakwa4679
    @footballhighlightsbynyakwa4679 10 months ago

    You guys are my heroes, me who has no computer science background but I am learning how to develop softwares by myself. These videos are extremely helpful. God bless you all

  • @Teck_1015
    @Teck_1015 11 years ago

    Was Brady a bit sick during the time of this video??

  • @surrog
    @surrog 11 years ago

    Great video but why didn't you talk about ipv6 ...?

  • @TheWhitePianoKeyProductions
    @TheWhitePianoKeyProductions 11 years ago

    I know that he meant that? It would still take a while to write them all and then sync them, I have done it once, and just syncing them took like an hour or something, it's really time consuming. Also, if everyone can upload subs, there would be a lot of stupid ones. Maybe brady can have the ability to make subs and send them to him, then he can see if they are good and add them.

  • @chexo3
    @chexo3 9 years ago

    But, this will only hold out for so long. IPv6 has many benefits over IPv4, besides more addresses.

  • @kklasen
    @kklasen 11 years ago

    Or... we just get more ISPs to deliver IPv6 to end-users.

  • @simonzhou8416
    @simonzhou8416 4 years ago

    this is great, the cissp textbook only explains how ip addresses are translated but never mentioned port number translation.

  • @TheThirdGerman
    @TheThirdGerman 11 years ago

    NAT messes up matchmaking on Xbox LIVE, very annoying :)

  • @GothAlice
    @GothAlice 11 years ago

    Ah, but you also open your computer up to direct attack…

  • @brogicus
    @brogicus 11 years ago

    because it's computerphile and not numberphile

  • @H3kler
    @H3kler 11 years ago

    Your name makes me not want to answer this....

  • @AntonyDerham
    @AntonyDerham 11 years ago

    It's because it's an expense for no benefit.

  • @ZacAttack1322
    @ZacAttack1322 10 years ago

    how do i switch my strict nat type to open?... my ps4 says that my router has a nat type of 2 but when i go to play games it says my nat type is strict and i can't connect to my friends.. i don't get it...

  • @joshkingsley9981
    @joshkingsley9981 11 years ago

    but where do they connect to the internet?

  • @TheWhitePianoKeyProductions
    @TheWhitePianoKeyProductions 11 years ago

    translation would take A LOT of time to make. The filming and editing already take a lot of time, so I don't think this is a possibility :/

  • @BGBTech
    @BGBTech 11 years ago

    while IPv6 is probably the eventual solution, I have wondered sometimes if an IP-suffix system could have also worked (as a compromise). basically, packets would daisy-chain 2 IP headers, with the first having the global IP and the second a local IP. ex:
    243.119.24.31-10.0.169.173:6942.
    this would then effectively give a 64-bit address space, while still being routable over IPv4. then things are fudged in the network stacks to make it all work...
    also, sort of like an inverted VPN...