The Great Translator
Deconstructing NAT & Port Overload
1. The Invisible Bridge
A NAT-capable router sits at the border of two worlds: your private LAN and the public internet. Its job is simple in theory but fiddly in practice: rewrite the IP header (and, for port translation, the TCP/UDP header) of every packet so that both worlds can talk, without the public internet ever seeing your private addresses.
2. The Three Flavors of Translation
NAT isn't just one thing. It comes in three technical varieties:
- Static NAT (1-to-1): One private IP maps permanently to one public IP. Used for servers that must be reachable from outside.
- Dynamic NAT (N-to-M): A pool of public IPs is handed out on demand to internal hosts, one public address per active host; when the pool is empty, new connections fail.
- PAT / NAT Overload (N-to-1): Thousands of private IPs share one public IP, distinguished by rewriting the source port. This is what your home router does.
3. The NAT Session: Five-Tuple Hydraulics
NAT is not a static list of swaps. It is a stateful process. The router doesn't just look at the IP; it tracks the entire 5-tuple: protocol, source IP, source port, destination IP and destination port.
When a packet leaves your network, the router creates a translation entry (the "hole" in its firewall) that lets matching replies back in. This entry only lives for a specific duration (the NAT timeout), and every packet that matches it refreshes the timer.
- TCP timeout: Usually long (minutes to days for an established connection). The router watches the handshake and tears the entry down when it sees FIN or RST, or when the connection goes idle for too long.
- UDP timeout: Usually short (RFC 4787 asks for at least 2 minutes, but many consumer devices use 30-60 seconds). Because UDP is connectionless, the router simply guesses when the conversation is over. This is why VoIP and gaming clients send periodic keep-alive packets: they stop the router from "slamming the door" mid-session.
4. Cone vs. Symmetric: The NAT Spectrum
Not all NATs are created equal. In the world of STUN/TURN (P2P traversal), we classify NATs by how "strict" their mapping and filtering logic is.
Full-Cone NAT
The "Loose" NAT. Once an internal port is mapped to an external port, ANYONE from the internet can send traffic to that external port and it will be forwarded to the host.
(In Cisco terms: the inside local address is mapped to an inside global address, which talks to the outside global address.)
Symmetric NAT
The "Strict" NAT. Every request to a DIFFERENT destination IP/port gets a DIFFERENT external port. Because the port a STUN server saw is not the port the peer will be assigned, classic hole punching fails when both ends sit behind symmetric NATs (port-prediction tricks aside), and the session falls back to a TURN relay.
5. NAT64 & DNS64: The IPv6 Lifeline
How does an IPv6-only smartphone talk to an old IPv4 web server? It uses NAT64.
The DNS server (**DNS64**) answers an AAAA query for an IPv4-only name by synthesizing an IPv6 address: it prepends a /96 prefix (the well-known 64:ff9b::/96, or one the operator chooses) to the destination's IPv4 address. It only does this when the name has no real AAAA record. When the host sends a packet to this synthesized address, the **NAT64 Gateway**, which owns the prefix, strips the IPv6 header, swaps in an IPv4 header (using one of its own IPv4 pool addresses as the source, since this is stateful translation), and sends it on its way; replies are translated back the same way. The catch: an application that uses IPv4 literals instead of DNS names never touches DNS64 and simply fails.
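As an added worked example (not code from the original page), here is the address arithmetic DNS64 and NAT64 perform, using Python's ipaddress module and the well-known prefix. The zone data is constructed from documentation ranges; the function names are this example's own.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; an operator may substitute its own /96 (network-specific prefix)
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 prefix: the AAAA record DNS64 hands out."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 prefixes (RFC 6052 also defines shorter layouts)")
    embedded = int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """What the NAT64 gateway does on the outbound path: decide whether the destination is a
    synthesized address and, if so, recover the IPv4 destination. Returns None for native IPv6."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


def dns64_answer(name: str, a_records: dict, aaaa_records: dict) -> list:
    """DNS64 resolution rule: return the real AAAA records if the name has any;
    otherwise synthesize AAAA answers from its A records (empty list if there are none)."""
    if aaaa_records.get(name):
        return list(aaaa_records[name])
    return [dns64_synthesize(a) for a in a_records.get(name, [])]


# Constructed sample zone data (documentation addresses), not real records.
A_RECORDS = {"legacy.example": ["192.0.2.1"], "dual.example": ["192.0.2.2"]}
AAAA_RECORDS = {"dual.example": ["2001:db8::2"]}

if __name__ == "__main__":
    for name in ("legacy.example", "dual.example"):
        answers = dns64_answer(name, A_RECORDS, AAAA_RECORDS)
        print(name, "->", answers, "| gateway extracts:", [nat64_extract(a) for a in answers])
```

Running the module shows the asymmetry the text describes: legacy.example gets a synthesized 64:ff9b::c000:201 that the gateway decodes back to 192.0.2.1, while dual.example keeps its native 2001:db8::2 and the gateway leaves it alone.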
6. ALG: Fixing the Broken Protocol
Some protocols are "NAT-unfriendly." They embed the IP address inside the data payload (Layer 7). When NAT rewrites the header IP (Layer 3), the payload still carries the private address, the remote side tries to connect to that unroutable address, and the connection fails.
Application Layer Gateway (ALG)
An ALG is a feature on a router that performs Deep Packet Inspection (DPI). It looks inside the packet, finds the embedded IP string, and replaces it with the public IP on the fly.
- FTP: In active mode the client sends PORT (or EPRT) commands telling the server which IP and port to open the data connection to. The ALG must rewrite the address, install a matching inbound pinhole, and, because the rewritten command changes length, adjust TCP sequence numbers for the rest of the control connection.
- SIP (VoIP): Embeds IPs for the media streams in the SDP body. If the ALG is broken, you get "one-way audio." SIP ALGs on consumer routers misbehave so often that VoIP vendors routinely advise disabling them.
The caveat a security engineer adds: an ALG opens inbound pinholes based on data the client wrote into the payload, so anyone who can make a victim's browser emit that payload is steering the firewall (the NAT slipstreaming attacks demonstrated exactly this against SIP ALGs). Disable the ALGs you do not need.
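To make the FTP case concrete, here is an added example (not code from the original page) of the rewrite an FTP ALG performs on an active-mode PORT command: parse the address out of the payload, allocate a public port, emit the rewritten command, and hand back the pinhole the NAT must open. The addresses and the `allocate_port` callback are assumptions of this example.

```python
import re

# Active-mode FTP (RFC 959): "PORT h1,h2,h3,h4,p1,p2\r\n" where the port is p1*256 + p2
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port_command(line: bytes):
    """Return (ip, port) from a PORT command, or None if the line is not a well-formed PORT."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(o) for o in fields[:4]), fields[4] * 256 + fields[5]


def format_port_command(ip: str, port: int) -> bytes:
    return b"PORT %s,%d,%d\r\n" % (ip.replace(".", ",").encode(), port // 256, port % 256)


def alg_rewrite(line: bytes, client_private_ip: str, public_ip: str, allocate_port):
    """Rewrite a client's PORT command the way an FTP ALG does.
    Returns (new_line, pinhole); pinhole is None when nothing was rewritten. A pinhole is
    (public_ip, public_port, private_ip, private_port): the inbound DNAT the NAT must install
    so the server's data connection to public_ip:public_port reaches the client."""
    parsed = parse_port_command(line)
    if parsed is None:
        return line, None
    ip, port = parsed
    # Only translate an address that belongs to the sending host. The payload is client
    # controlled; honouring some other address would let it open pinholes for other hosts.
    if ip != client_private_ip:
        return line, None
    public_port = allocate_port(client_private_ip, port)
    return format_port_command(public_ip, public_port), (public_ip, public_port, client_private_ip, port)


def seq_delta(old_line: bytes, new_line: bytes) -> int:
    """The rewritten command usually differs in length, so a real ALG must shift the TCP sequence
    numbers of every later segment on this connection by this amount (and the peer's ACKs back)."""
    return len(new_line) - len(old_line)


if __name__ == "__main__":
    # Constructed control-channel line from a client at 10.0.0.5 asking for data on port 1025.
    line = b"PORT 10,0,0,5,4,1\r\n"
    new_line, pinhole = alg_rewrite(line, "10.0.0.5", "203.0.113.1", lambda ip, p: 40000)
    print(new_line, pinhole, "seq shift:", seq_delta(line, new_line))
```

Note the refusal branch: a PORT line naming a different internal host is passed through untouched rather than honoured, which is the one check that separates an ALG from a payload-driven port-forwarding service.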
7. NAT Hairpinning: Talking to Yourself
What happens when a computer on your LAN tries to reach your own web server using your public IP? Without NAT hairpinning (also called NAT loopback or NAT reflection), the port-forward rule only matches packets arriving on the WAN interface, so a request from the inside lands on the router's own address instead and is answered by the router itself or refused.
A router with hairpinning support recognizes that the destination is its own public address with a forwarding rule, performs the DNAT swap, and "reflects" the packet back into the LAN. It must also SNAT the source to its own LAN address; otherwise the server replies directly to the client's private IP, the client sees a reply from an address it never talked to, and drops it. Without this, users inside an office cannot use the same URL (e.g., https://portal.company.com) as users outside; split-horizon DNS is the usual workaround.
8. Technical Encyclopedia: Translation Logic
- ALG: Application Layer Gateway. A router feature that rewrites IPs inside the data payload of specific protocols.
- DNAT: Destination NAT. Used for port forwarding to allow external access to internal services.
- Hairpinning (NAT loopback): The ability of a router to translate internal requests to its own public IP back to an internal host.
- NAT Overload: Another term for PAT. Multiple internal IPs sharing one public IP via port multiplexing.
- PAT: Port Address Translation. The core technology of modern internet connectivity.
- STUN: Session Traversal Utilities for NAT. A protocol used to discover NAT types and public IPs.
- Symmetric NAT: The strictest NAT type, where each unique destination results in a unique port mapping.
- Twice NAT: A technique where both the source and destination IPs are translated simultaneously to resolve overlaps.
9. CGNAT & NAT444: The ISP Wall
When even ISPs ran out of public IPs, they implemented Carrier-Grade NAT (CGNAT). This creates a NAT444 architecture: Private (customer LAN, RFC 1918) -> Shared (ISP side, usually 100.64.0.0/10 from RFC 6598) -> Public (internet). Your home router's "WAN IP" is then not public at all, and a port forward configured on it does nothing for inbound traffic.
Bulk Port Allocation
To scale to millions of subscribers, ISPs don't assign ports one at a time. They use **Bulk Port Allocation (BPA)**, giving each subscriber a pre-assigned block of, say, 512 or 1024 ports on a shared public address; this also means one log record per block instead of one per session. If a subscriber needs more simultaneous sessions than the block holds (a busy BitTorrent client, for example), new connections fail while existing ones keep working. This is a common cause of intermittent connection failures on CGNAT'd residential links.
10. ICE, STUN & TURN: P2P Hole Punching
Because NAT blocks unsolicited inbound traffic, two computers behind different NATs cannot talk directly. We use a suite of protocols known as **ICE (Interactive Connectivity Establishment)** to find a way through.
STUN (Discovery)
The host asks a public STUN server "What is my public IP and port?" It then passes that address to its peer (through a signalling server) and sends a packet towards the peer, which opens its own NAT's filter; the peer does the same from its side, and the two "punch" through. This works for cone NATs but fails for symmetric NATs, where the port the STUN server saw is not the port the peer's traffic will be mapped to.
TURN (Relay)
The "last resort." Traffic is relayed through a public server. It always works (each side only needs an outbound connection), but adds latency and bandwidth cost for whoever runs the relay. Conferencing services (Zoom, Teams and the like) keep TURN relays for the fraction of calls, commonly quoted at around 10-15% though it varies by deployment, where no direct path can be found.
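The STUN exchange itself is small enough to show in full. The following is an added example, not code from the original page: it builds a Binding request, constructs the server's success response (so it runs offline), and parses XOR-MAPPED-ADDRESS back out. The message layout follows RFC 5389; the addresses, the transaction ID and the `nat_verdict` helper are this example's own.

```python
import os
import struct
import ipaddress

MAGIC_COOKIE = 0x2112A442            # fixed value in every RFC 5389 message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER = struct.Struct("!HHI12s")    # type, length, magic cookie, 96-bit transaction id


def build_binding_request(txn_id: bytes = None) -> bytes:
    """The 20-byte message a client sends to a STUN server; no attributes are needed."""
    txn_id = txn_id if txn_id is not None else os.urandom(12)
    return HEADER.pack(BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id)


def build_binding_success(txn_id: bytes, seen_ip: str, seen_port: int) -> bytes:
    """The server's reply, carrying the source address and port it saw on the request.
    XOR-ing them with the cookie stops ALGs from 'helpfully' rewriting the address in the payload."""
    xport = seen_port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(seen_ip)) ^ MAGIC_COOKIE
    value = struct.pack("!xBHI", 0x01, xport, xaddr)          # reserved, family=IPv4, port, address
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return HEADER.pack(BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr


def parse_mapped_address(msg: bytes, expected_txn_id: bytes):
    """Return (public_ip, public_port) from a Binding success, or None if the message is not ours."""
    if len(msg) < HEADER.size:
        return None
    msg_type, length, cookie, txn_id = HEADER.unpack_from(msg)
    if cookie != MAGIC_COOKIE or txn_id != expected_txn_id or msg_type != BINDING_SUCCESS:
        return None
    pos, end = HEADER.size, HEADER.size + length
    while pos + 4 <= min(end, len(msg)):
        atype, alen = struct.unpack_from("!HH", msg, pos)
        value = msg[pos + 4:pos + 4 + alen]
        pos += 4 + (alen + 3) // 4 * 4                        # attributes are padded to 32-bit boundaries
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8:
            family, xport, xaddr = struct.unpack("!xBHI", value[:8])
            if family == 0x01:
                return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)
    return None


def nat_verdict(local_ip: str, local_port: int, mapped) -> str:
    """First thing the client learns: is it behind a NAT at all, and did the NAT preserve its port?"""
    if mapped is None:
        return "no answer"
    if (local_ip, local_port) == mapped:
        return "no NAT"
    return "behind NAT, port preserved" if mapped[1] == local_port else "behind NAT, port rewritten"


if __name__ == "__main__":
    # Constructed exchange: a client on 10.0.0.5:54321 whose NAT maps it to 203.0.113.5:54321.
    txn = os.urandom(12)
    request = build_binding_request(txn)
    response = build_binding_success(txn, "203.0.113.5", 54321)   # what a real server would send back
    mapped = parse_mapped_address(response, txn)
    print(len(request), "byte request ->", mapped, "|", nat_verdict("10.0.0.5", 54321, mapped))
```

Two details matter in practice: the transaction ID check is what stops a spoofed reply from planting a bogus public address, and a single Binding request only reveals the mapping for this one server, which is why symmetric NATs need a second server (or a second port) before the client can tell whether the port will change per destination.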
11. Case Study: The NAT Table Exhaustion
The Incident
An enterprise firewall started dropping all new connections, though existing sessions (like SSH) remained active.
Forensic discovery: An internal machine had been infected with malware that was performing a SYN flood against random internet IPs. Because NAT creates a state entry for every unique 5-tuple, and every SYN to a new destination is a new tuple, the firewall's 1-million-entry NAT table was filled in seconds. Existing sessions survived because their entries were already in the table; only new translations had nowhere to go.
Remediation: We implemented **NAT connection limits** per internal IP, ensuring that no single host could consume more than 2,000 slots in the translation table. A per-host cap contains a flood rather than preventing it; an alert on per-host and total table occupancy is what gets the infected machine found before the table fills rather than after.
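The two mechanisms in sections 9 and 11 are the same idea seen from two sides: a fixed port block per subscriber on a CGNAT, and a connection cap per host on an enterprise NAT. The following added example (not code from the original page, nor from any vendor) is a toy allocator that does both, then replays a flooding host against it. The addresses are documentation ranges, the flood traffic is constructed, and the class and function names are this example's own.

```python
import random


class CgnatAllocator:
    """Per-subscriber port blocks on one public address, plus an optional per-host session cap."""

    def __init__(self, public_ip, block_size=512, max_sessions_per_host=None,
                 first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.block_size = block_size
        self.max_sessions = max_sessions_per_host
        self.last_port = last_port
        self.next_block_start = first_port
        self.blocks = {}        # subscriber ip -> (first, last) port, inclusive
        self.free_ports = {}    # subscriber ip -> unused ports in its block
        self.sessions = {}      # subscriber ip -> {(src_port, dst_ip, dst_port): external port}
        self.log = []           # one record per block assignment, not per session

    def subscriber_block(self, sub_ip):
        """Assign the next free block to a subscriber on first use (bulk port allocation)."""
        if sub_ip not in self.blocks:
            first = self.next_block_start
            last = first + self.block_size - 1
            if last > self.last_port:
                raise RuntimeError("public address has no port blocks left")
            self.blocks[sub_ip] = (first, last)
            self.free_ports[sub_ip] = list(range(last, first - 1, -1))   # pop() yields lowest first
            self.sessions[sub_ip] = {}
            self.next_block_start = last + 1
            self.log.append(f"{sub_ip} -> {self.public_ip}:{first}-{last}")
        return self.blocks[sub_ip]

    def open_session(self, sub_ip, src_port, dst_ip, dst_port):
        """External port for a new TCP session, or None when the subscriber is out of ports
        or over its cap. Sessions already in the table are untouched either way."""
        self.subscriber_block(sub_ip)
        sess = self.sessions[sub_ip]
        key = (src_port, dst_ip, dst_port)
        if key in sess:
            return sess[key]
        if self.max_sessions is not None and len(sess) >= self.max_sessions:
            return None                       # per-host connection limit: the flood is contained
        if not self.free_ports[sub_ip]:
            return None                       # block exhausted: this SYN is dropped
        port = self.free_ports[sub_ip].pop()
        sess[key] = port
        return port

    def close_session(self, sub_ip, src_port, dst_ip, dst_port):
        """FIN/RST or timeout seen: return the port to the subscriber's block."""
        port = self.sessions[sub_ip].pop((src_port, dst_ip, dst_port), None)
        if port is not None:
            self.free_ports[sub_ip].append(port)
        return port


def syn_flood(nat, host_ip, count, seed=1):
    """One infected host opening `count` connections to random destinations (constructed traffic).
    Returns how many of them obtained a translation slot."""
    assert count <= 16384, "source ports below are unique only for up to 16384 attempts"
    rng = random.Random(seed)
    got = 0
    for i in range(count):
        dst = "{}.{}.{}.{}".format(rng.randint(1, 223), rng.randint(0, 255),
                                   rng.randint(0, 255), rng.randint(1, 254))
        if nat.open_session(host_ip, 49152 + i, dst, 80) is not None:
            got += 1
    return got


if __name__ == "__main__":
    isp = CgnatAllocator("203.0.113.1", block_size=512)
    print("subscriber 1 block:", isp.subscriber_block("100.64.0.1"))
    print("flood from subscriber 1 got", syn_flood(isp, "100.64.0.1", 5000), "slots")
    print("subscriber 2 still gets", isp.open_session("100.64.0.2", 40000, "198.51.100.7", 443))
    firewall = CgnatAllocator("203.0.113.9", block_size=8192, max_sessions_per_host=2000)
    print("capped enterprise host got", syn_flood(firewall, "10.0.0.9", 5000), "slots")
```

The isolation is the point: the flooding subscriber exhausts only its own block, and its neighbour's first connection still gets a port. The enterprise variant shows the case-study fix, with the cap stopping the host at 2,000 entries while the rest of the table stays free.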
12. Mapping & Filtering: The Behavior Spectrum
To an application, the most important aspects of a NAT are its mapping behavior and its filtering behavior; RFC 4787 treats them as two separate axes. Mapping defines how the router chooses an external port when one internal socket talks to several destinations; filtering defines which outside hosts may send to that port once it exists. The mapping classes are:
Endpoint-Independent
The NAT uses the same external port for all requests from the same internal IP/Port, regardless of where they are going. This is the "Gold Standard" for P2P gaming.
Address-Dependent
The NAT only uses the same external port if the destination IP is the same. If you talk to a different IP, you get a new port.
Address/Port-Dependent
The most restrictive. Any change in destination IP or Port triggers a new external mapping. This is Symmetric NAT.
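The stateful table from section 3, the cone/symmetric split from section 4 and the mapping and filtering classes above all fall out of one small simulator. The following is an added example, not code from the original page: a UDP-only PAT table whose mapping and filtering behaviours are parameters, with port preservation on allocation and an idle timeout. The public address, the 120-second timeout and the class name are assumptions of this example.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"   # assumed public side of the NAT (documentation range)
UDP_TIMEOUT = 120           # assumed idle timeout in seconds (the RFC 4787 minimum for UDP)

EI = "endpoint-independent"
APD = "address-and-port-dependent"


@dataclass
class Binding:
    external_port: int
    expires: float
    peers: set = field(default_factory=set)   # (ip, port) destinations this binding has sent to


class PatNat:
    """UDP-only PAT table. `mapping` picks the key of a binding, `filtering` decides who may reply."""

    def __init__(self, mapping: str, filtering: str, port_range=(1024, 65535)):
        self.mapping, self.filtering = mapping, filtering
        self.lo, self.hi = port_range
        self.table = {}              # key -> Binding
        self.used_ports = set()

    def _key(self, src, dst):
        # EI mapping: one binding per internal socket, whoever it talks to.
        # APD ("symmetric") mapping: one binding per (internal socket, destination).
        return (src,) if self.mapping == EI else (src, dst)

    def _allocate(self, preferred: int) -> int:
        # Port preservation first; if another host already holds that public port, multiplex.
        if self.lo <= preferred <= self.hi and preferred not in self.used_ports:
            port = preferred
        else:
            try:
                port = next(p for p in range(self.lo, self.hi + 1) if p not in self.used_ports)
            except StopIteration:
                raise RuntimeError("translation table exhausted") from None
        self.used_ports.add(port)
        return port

    def outbound(self, src, dst, now: float):
        """Translate a LAN packet from src to dst; returns the public (ip, port) it leaves with."""
        key = self._key(src, dst)
        b = self.table.get(key)
        if b is None:
            b = self.table[key] = Binding(self._allocate(src[1]), 0)
        b.peers.add(dst)
        b.expires = now + UDP_TIMEOUT      # every outbound packet refreshes the timer (keep-alives)
        return (PUBLIC_IP, b.external_port)

    def inbound(self, peer, ext_port: int, now: float):
        """Internal (ip, port) for a packet from peer to PUBLIC_IP:ext_port, or None if filtered."""
        self.expire(now)
        for key, b in self.table.items():
            if b.external_port != ext_port:
                continue
            if self.filtering == EI or peer in b.peers:
                return key[0]
            return None     # no prior outbound packet to this peer: unsolicited, dropped
        return None         # no binding at all for that port

    def expire(self, now: float):
        """Drop idle bindings: this is the "door slamming" that keep-alives exist to prevent."""
        for key in [k for k, b in self.table.items() if b.expires <= now]:
            self.used_ports.discard(self.table.pop(key).external_port)


if __name__ == "__main__":
    host, peer1, peer2 = ("10.0.0.5", 5000), ("198.51.100.10", 3478), ("198.51.100.20", 3478)
    for name, nat in (("cone", PatNat(EI, APD)), ("symmetric", PatNat(APD, APD))):
        print(name, nat.outbound(host, peer1, 0), nat.outbound(host, peer2, 0),
              "reply from peer2 to the first port ->", nat.inbound(peer2, 5000, 1))
```

The cone NAT hands out one external port for both peers, so a peer that learned it from STUN can reach the host; the symmetric NAT hands out a second port for the second destination, and a reply aimed at the first port is filtered. The same table also shows why keep-alives exist: a binding that nobody refreshes is gone once `expire` runs past its timer.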
13. UPnP & NAT-PMP: The Auto-Hole Punch
Manually configuring port forwarding is a chore. Protocols like UPnP (Universal Plug and Play) and NAT-PMP (NAT Port Mapping Protocol) allow applications (like Skype or Call of Duty) to talk to the router and say: "Please open Port 3074 for me."
The Security Trade-off
While UPnP is convenient, it is a real security risk: it has no authentication, so any malware on your network can ask the router to open a hole in your firewall without your knowledge. Professional security engineers disable UPnP on corporate firewalls and replace it with explicit forwarding rules, not with another auto-mapping protocol. Where dynamic mappings are genuinely needed, PCP (Port Control Protocol) is the standardized successor to NAT-PMP, but it is just as unauthenticated unless the optional PCP authentication extension is deployed.
14. PCP: The Professional Choice
As CGNAT became more common, UPnP stopped being enough: it only talks to the home router, and a mapping there is useless when the ISP's CGNAT knows nothing about it. Enter **PCP (Port Control Protocol)** (RFC 6887).
PCP, the successor to NAT-PMP, lets a host request port mappings not just from its own home router but, where the ISP permits it, from the upstream CGNAT gateway as well. It gives an application a standardized way to ask for a "public face" for its connection. Unlike UPnP, every PCP mapping carries an explicit lifetime and disappears unless renewed, which keeps stale holes from accumulating. Its THIRD_PARTY option (requesting a mapping on behalf of another internal host) is a risk rather than a feature and is disabled by default for exactly that reason. PCP is not inherently more secure than UPnP, only better specified; it is, however, the only standard path to a working inbound mapping through a CGNAT.
Port-Preservation Logic
High-end CGNAT gateways attempt **port preservation**. If an internal host uses source port 5000, the NAT tries to use public source port 5000 as well. This helps protocols that assume the port they bound locally is the port the peer will see. If the port is already taken by another subscriber, the NAT falls back to ordinary port multiplexing and picks another.
15. Architectural Impact Summary
In the final analysis, NAT is a masterpiece of "Good Enough" engineering. It solved the IP exhaustion crisis without requiring a single line of code to change on the world's web servers. It provided a scalable way to handle the explosion of mobile devices, IoT sensors, and household gadgets.
However, the cost of NAT is complexity. Every layer of translation is a layer of potential failure, increased latency, and broken transparency. For the network architect, the goal is always to minimize the number of "NAT-Hops" while maximizing the efficiency of the translation table.