The Basics of Routers and Network Address Translation (NAT)


As was explained in detail in Chapter 22, a router is a device that connects two disparate IP networks together and determines how datagrams get from one network to another.

Note

A datagram is a packet of digital information. It contains addressing information as well as the data to be transmitted. Not all datagrams necessarily take the same route to get to their destinations, even if they all have the same origin.


To better understand what a router does, look at the following two figures. Figure 28.1 shows two sample networks for a fictional global company that has offices in New York and Denmark.

Figure 28.1. A sample global network for a fictional company, with several hosts in its New York office and several hosts in its Denmark office.


In the network in Figure 28.1, the hosts named lion, cheetah, tiger, and puma all know about the existence of each other and can communicate with each other at the New York office. Also, the hosts named wolf, bear, fox, and lynx all know about each other and can communicate with each other at the Denmark office. The problem here is that the networks are physically isolated from each other, each one connected only to its local upstream Internet provider. None of the hosts in the New York office know anything at all about any of the hosts in the Denmark office, and vice versa. There is no way for network information to travel between the two offices. In order for data to be able to flow between these two offices, you need to install a couple of routers. Figure 28.2 shows the same network, but this time you have installed a router at each office.

Figure 28.2. The same network as shown in Figure 28.1, except that a router is installed on each end of the network.


After the router is installed, one change needs to be made to the hosts on the network: They simply need to be told about the existence of the router in the office. (See Chapter 22 for information on how to tell the hosts about the existence of the router.)

The hosts in the New York office still know nothing at all about the hosts in the Denmark office, and the reverse is also true. So what has changed about this setup? Well, the hosts in the network now know about the existence of the router in their office. If each host is configured to use this router as the default router, it will send to the router any outgoing traffic for an unknown host. The router then worries about routing the network traffic to the correct destination.

For example, suppose that the user of cheetah wants to establish a network connection with lynx. As mentioned before, cheetah knows nothing about the existence of lynx. So, when cheetah generates traffic to lynx, it will simply pass that traffic off to simba, which is the router in the New York office. The router simba does know about the existence of lynx, and it also knows that it can get network traffic to lynx by passing it to the router in Denmark (falcon). The router in Denmark then sends the traffic to lynx.

This is a very simple example. In a real scenario (especially when sending transoceanic network traffic), several routers will usually be involved, each passing the traffic to another until it reaches the proper destination. If you want an analogy, you can think of routers as being like air traffic controllers, and network traffic as being like aircraft. An aircraft en route from New York to Denmark will be handed off between several different air traffic controllers, each one aware only of the next one along the sequence, until it finally reaches its destination.
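To make that hand-off concrete, here is an added example (not code from the book) that models the hosts and routers of Figure 28.2 with small routing tables and forwards a datagram by longest-prefix match, one hop at a time. The addresses (10.1.0.0/24 for New York, 10.2.0.0/24 for Denmark), the upstream names isp-ny and isp-dk, and the contents of every table are assumptions made for the illustration.

```python
"""Hop-by-hop forwarding between the two offices of Figure 28.2.

Added example, not from the book: the addresses, the upstream names
(isp-ny, isp-dk) and every routing table below are assumptions.
Hosts know only their own LAN plus a default route to the office router;
each router knows only the next hop toward the other office.
"""
from ipaddress import ip_address, ip_network

NY_LAN = ip_network("10.1.0.0/24")   # New York office (constructed)
DK_LAN = ip_network("10.2.0.0/24")   # Denmark office (constructed)
DEFAULT = ip_network("0.0.0.0/0")    # "everything I don't know about"

# name -> (address, routing table).  A table maps a destination prefix to
# the next-hop device, or to None when the prefix is directly attached and
# the datagram can be delivered on the local wire.
DEVICES = {
    "cheetah": ("10.1.0.10", {NY_LAN: None, DEFAULT: "simba"}),
    "lion":    ("10.1.0.11", {NY_LAN: None, DEFAULT: "simba"}),
    "simba":   ("10.1.0.1",  {NY_LAN: None, DK_LAN: "falcon", DEFAULT: "isp-ny"}),
    "falcon":  ("10.2.0.1",  {DK_LAN: None, NY_LAN: "simba", DEFAULT: "isp-dk"}),
    "lynx":    ("10.2.0.20", {DK_LAN: None, DEFAULT: "falcon"}),
}


def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hop) for the most specific
    route containing dst, or None if nothing matches (no default route)."""
    matches = [net for net in table if dst in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return best, table[best]


def attached_host(net, dst):
    """Name of the device holding address dst on the directly attached net."""
    for name, (addr, _) in DEVICES.items():
        if ip_address(addr) == dst and dst in net:
            return name
    return None


def forward(src, dst_addr, ttl=64):
    """Trace a datagram from device src toward dst_addr, one hop at a time.

    Each device consults only its own table; nobody holds an end-to-end map.
    Returns the list of devices the datagram visited.  A hop to a device
    outside this model (an ISP router) ends the trace there.
    """
    dst = ip_address(dst_addr)
    path = [src]
    current = src
    while ttl > 0:
        _, table = DEVICES[current]
        route = lookup(table, dst)
        if route is None:
            raise RuntimeError(f"{current}: no route to {dst}")
        net, next_hop = route
        if next_hop is None:
            target = attached_host(net, dst)
            if target is None:
                raise RuntimeError(f"{current}: {dst} is not present on {net}")
            path.append(target)
            return path
        path.append(next_hop)
        if next_hop not in DEVICES:
            return path  # handed to the upstream provider; beyond the example
        ttl -= 1         # each router decrements TTL, so a loop cannot run forever
        current = next_hop
    raise RuntimeError(f"TTL expired before reaching {dst}")


if __name__ == "__main__":
    print(" -> ".join(forward("cheetah", "10.2.0.20")))   # via simba and falcon
    print(" -> ".join(forward("lion", "10.1.0.10")))      # stays in New York
    print(" -> ".join(forward("cheetah", "192.0.2.7")))   # unknown net: to the ISP
```

Run it as a script to see the three traces. Note that no device ever holds a path to lynx, only the name of the next device to hand the datagram to, and that a datagram for an address nobody knows goes out the default route to the provider rather than being silently discarded.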

Okay. So why do you need a router? Why not just tell the hosts in New York about the hosts in Denmark, and vice versa, so that they can communicate with each other directly? There are two primary reasons why it is not done this way:

  • Ease of maintenance This might not seem like a big deal with only eight systems. But now think of a network the size of the Internet. Without routers, every single system connected to the network would have to know how to contact every other system on the network. Obviously, when you are dealing with millions of systems, this would quickly become a maintenance nightmare.

  • Reduced traffic congestion If the two offices were simply joined into one big shared network segment, every host would see every frame. If, for example, lion sent network traffic to cheetah (both in the New York office), that traffic would also be carried through the pipe, across the Atlantic Ocean, and into the Denmark office, even though the hosts in Denmark couldn't care less about it because it is not for them. Imagine the network congestion if every time any host on the Internet sent traffic to another host, that traffic also had to go to every other host on the Internet. Besides that, transoceanic leased lines are expensive; you are usually charged by the amount of bandwidth you use, so you don't want to use the line when you don't have to. The router acts as a "door" that keeps traffic intended for one of the local hosts inside the local network. Only traffic not intended for a local host is sent outside of the local network. (This also helps security: you don't want your internal network traffic carried over the Internet, where anyone along the path can intercept it.)

What Is a Gateway?

In general network terminology, a gateway is a router that allows the rest of the hosts on the internal LAN to access the outside world. Because of this, the terms default router and gateway are virtually interchangeable in most networking circles these days. In our example in the previous section, the routers simba and falcon could be called gateways.

Note

According to the technical definition, a gateway is a router that can route between two different types of networks, such as between an Ethernet LAN and a serial WAN.


One of the most common uses of a gateway is to allow multiple hosts to share a single Internet connection, for example so that all the computers in your household can use the same cable modem connection.

What Is NAT?

NAT, which stands for Network Address Translation, is a way for multiple hosts to connect to the Internet using a single public IP address. For this to work, all traffic between the local network and the Internet must pass through a gateway router that's set up to perform NAT. Hosts on the internal network use private addresses (the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) that are not valid, and are not routed, anywhere outside the local network. Normally that would mean no reply from the outside could ever reach them; NAT is the trick that makes it possible.

When an internal host sends traffic to the Internet, that traffic goes through the NAT gateway. The gateway "hides" the internal address: it rewrites the source address of each outgoing packet to its own public address (the single IP address owned by the NAT gateway router), usually picks a distinct source port for each connection so that it can tell the inside hosts apart, and records the mapping in a state table. Responses come back addressed to that single public address and port; the gateway looks the pair up in its table, rewrites the destination back to the internal host's address and port, and delivers the data to the proper internal host.

There are three primary advantages of this method:

  • It conserves IP addresses. The Internet's pool of valid IPv4 addresses is a limited resource (the central registry pool has since been exhausted entirely), and there is no reason to waste addresses where they are not needed. NAT prevents you from having to register an IP address for each one of your systems, or reserve an IP subnet carved out of your ISP's precious IP space. The only machine that needs a public, registered IP address is the NAT gateway. The rest of them can all have private, internal IP addresses.

    Note

    Because of its vastly larger address space, IPv6 doesn't need to conserve addresses, and NAT is considered unnecessary on the IPv6 Internet. The protection people attribute to NAT, though, comes from the gateway's stateful connection tracking rather than from the address rewriting itself; on IPv6 you get the same effect from a stateful firewall that denies unsolicited inbound connections by default, with no NAT involved.


  • If you are a home or small office user, it allows you to share a single Internet connection with multiple computers, and you won't have to purchase additional accounts from your ISP. You can also share a single modem and a single phone line, preventing you from having to install additional phone lines if more than one computer will use the Internet at the same time.

  • NAT blocks the unsolicited inbound connections on which the bulk of the remote exploits launched by "script kiddies" depend, as they scan the well-known public IP address space used by cable modem and DSL customers. Outside hosts can't spontaneously contact any host on the inside of a NAT, because the gateway has no state table entry for traffic nobody inside asked for and simply drops it. Relatively few of the exploits circulating in the wild target FreeBSD anyway, but NAT prevents them from reaching you in the first place: the only communications between your machines and the outside world are the ones that you initiate. Bear in mind what this does not cover. NAT offers no protection against attacks that ride on connections your own hosts open, such as a hostile web page, a malicious email attachment, or malware already inside that phones home.

Drawbacks of NAT include the fact that, out of the box, you cannot operate an Internet server on the inside of a NAT gateway. Servers have to be reachable by client hosts at any time, but the gateway only has state for connections that the inside initiated, so an outside client's connection attempt matches nothing and is dropped. The usual workaround is a static port forward (natd's -redirect_port option, or a pf rdr rule), which maps one public port on the gateway to one internal host. This is fine for a few services, but each public port can serve only a single inside machine, and a forwarded port is exposed to the whole Internet just as if the server sat outside the NAT. If you need to run several public servers, NAT is not a suitable solution; however, if you're a cable modem customer, you're likely forbidden from running servers anyway. NAT is ideal for home and business networks where the only networking that needs to occur is typical desktop use: web, email, chat, and the like.
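The state table that makes this work, together with the two consequences just described (unsolicited traffic from outside is dropped; a server inside needs a static port forward), as an added example that is not from the book and is not FreeBSD's natd code: a small Python model of port-translating NAT. The public address 203.0.113.1, the 192.168.1.0/24 LAN, the remote hosts and all port numbers are constructed for the illustration, and add_redirect stands in for natd's -redirect_port option (or a pf rdr rule).

```python
"""Port-translating NAT, as a gateway such as FreeBSD's natd performs it.

Added example, not natd's code: the public address, the LAN, the remote
hosts and every port number below are constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.1"               # the gateway's one registered address
INSIDE = ip_network("192.168.1.0/24")   # RFC 1918 space, never routed outside


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Rewrites addresses on the way out and maps replies back on the way in."""

    def __init__(self, public_ip, first_port=60000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow = {}    # (in_ip, in_port, peer_ip, peer_port) -> public port
        self.by_port = {}    # public port -> that flow (the state table)
        self.redirects = {}  # public port -> (in_ip, in_port): static forwards

    def add_redirect(self, public_port, in_ip, in_port):
        """Publish one inside service (what natd -redirect_port or pf rdr do)."""
        self.redirects[public_port] = (in_ip, in_port)

    def translate_outbound(self, pkt):
        """LAN -> Internet: the source becomes the public address plus a port
        that identifies this flow, and the mapping is kept for the reply."""
        if ip_address(pkt.src_ip) not in INSIDE:
            raise ValueError(f"{pkt.src_ip} is not an inside address")
        # A forwarded server answers from its published port, so the remote
        # client sees the same address:port it connected to.
        for public_port, target in self.redirects.items():
            if target == (pkt.src_ip, pkt.src_port):
                return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port      # a fresh port per flow, so two inside
            self.next_port += 1        # hosts may reuse the same source port
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Internet -> LAN: only a reply to a remembered flow, or traffic to a
        redirected port, is rewritten and let in; anything else is dropped (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self.by_port.get(pkt.dst_port)
        if flow is not None:
            in_ip, in_port, peer_ip, peer_port = flow
            # The reply must come from the peer the inside host talked to.
            if (pkt.src_ip, pkt.src_port) == (peer_ip, peer_port):
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
            return None
        target = self.redirects.get(pkt.dst_port)
        if target is not None:
            return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])
        return None


def scenario():
    """Walk through the cases in the text; returns the packets after translation."""
    gw = NatGateway(PUBLIC_IP)
    web = ("198.51.100.7", 80)   # a remote web server (constructed)
    # Two inside hosts happen to pick the same source port; NAT keeps them apart.
    out_a = gw.translate_outbound(Packet("192.168.1.10", 40000, *web))
    out_b = gw.translate_outbound(Packet("192.168.1.11", 40000, *web))
    reply_b = gw.translate_inbound(Packet(*web, PUBLIC_IP, out_b.src_port))
    # A scanner knocking on the public address unprompted: no state, dropped.
    scan = gw.translate_inbound(Packet("192.0.2.9", 4444, PUBLIC_IP, 22))
    # A forged 'reply' from the wrong peer aimed at a live mapping: also dropped.
    forged = gw.translate_inbound(Packet("192.0.2.9", 80, PUBLIC_IP, out_a.src_port))
    # Running a server inside needs a static forward; from then on that port is
    # reachable from anywhere, exactly as if the server sat outside the NAT.
    gw.add_redirect(22, "192.168.1.20", 22)
    ssh_in = gw.translate_inbound(Packet("192.0.2.9", 4444, PUBLIC_IP, 22))
    ssh_out = gw.translate_outbound(Packet("192.168.1.20", 22, "192.0.2.9", 4444))
    return {"out_a": out_a, "out_b": out_b, "reply_b": reply_b, "scan": scan,
            "forged": forged, "ssh_in": ssh_in, "ssh_out": ssh_out}


if __name__ == "__main__":
    for name, pkt in scenario().items():
        print(f"{name:8} {pkt if pkt is not None else 'dropped'}")
```

scenario() walks through the cases in order. The points to notice are that two inside hosts using the same source port get different public ports, that an inbound packet is admitted only when both the port and the peer match an existing entry, and that once a port is forwarded that check is bypassed for that port alone, which is exactly why a forwarded service must be hardened as if it were directly on the Internet.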

To illustrate some of the ways you can configure various types of routing services on FreeBSD, this chapter presents a few sample scenarios. We begin by looking at sharing a single modem and Internet connection at home or in a small office.




FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann
