Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Basic Routing question

    Scheduled Pinned Locked Moved NAT
    2 Posts 2 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      alimovz
      last edited by

      I might be asking this question at a wrong forum but here it goes:
      Can somebody please explain to me how big corporate routers conduct NAT?
      Let's say I have a home network 192.168.0.0/24. My router is at 192.168.0.1. The outside IP of the router is 69.21.45.123. The router at 192.168.0.1 is set up to do NAT.
      It's easy - everything going out from my 192.168.0.0/24 network will get translated and will be seen as coming from 69.21.45.123. This scenario is standard and I understand how it works and what my router exactly does.

      Now, let's imagine a network at a colocation that has like a thousand computers one of which is mine. Its IP address is 170.15.88.101. It's gateway is 170.15.87.1 and it's mask is /21
      When I access anything from my machine, everybody sees my IP as 170.15.88.101 and NOT the "outside IP" of 170.15.87.1. How the heck does 170.15.87.1 do NAT? How does it remain transparent like that? Or does it translate at all? What am I missing? What should I read?

      Thank you much for your help.

      1 Reply Last reply Reply Quote 0
      • E
        Efonnes
        last edited by

        I think one way such a configuration can be done on pfSense is to set up your DHCP server to hand out the public IP addresses directly on the LAN (possibly bridging LAN with WAN, but I'm not completely sure).  Under such a configuration, you would have it on manual outbound NAT and have the list of rules there cleared.

        When your computers don't have public IP addresses, the router needs to change the source IP address because outside computers and routers don't know how to access 192.168.x.x addresses through your router.  When your internal computers do have public IP addresses, outside computers and routers do know where to send packets to reach your connection, and thus no modification of the source IP address is required for the replies to arrive back at your router.

        As far as I know, the router can say anything it wants for the source address when passing packets out from WAN to the Internet or out from LAN to your internal network.  To get a reply, it basically only needs to be an IP address that the destination knows how to reply to. (assuming the destination is on a different side of the router)  The router could probably even say that the source was just some random IP address on the Internet and the reply would go to that address, but the reply packets would most likely get dropped when they arrived because the computer or router at that address wouldn't be expecting the packets. (since neither side requested to open a connection with it)

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.