Redirecting IP addresses

(French version here)
(Animation: attempting access without NAT)

As it took me a long time to understand IP address redirection, I thought I would share what I have understood.

IP address redirection is useful if you want to reach a given host behind your ISP box (which is a router) from the outside, i.e. from anywhere on the Internet.

We start by assuming that the public address of the box is fixed and known (otherwise see here for how to get around that).
For the purpose of this explanation we will assume this address is 82.1.2.3.
It is a WAN address (Wide Area Network), as opposed to the example addresses 192.168.0.5 and 192.168.0.12 in the drawing, which are LAN addresses (Local Area Network).

On the WAN side you will never see your LAN addresses. Although 82.1.2.3 is made up, the LAN addresses here should look much like yours, because 192.168.x.x is a range reserved for private networks, as are 10.x.y.z and 172.16.x.y through 172.31.x.y. RFC 1918 defines exactly these three private ranges: an address in one of them is local to a LAN, is never routed on the public Internet, and is therefore translated by the router before anything leaves your box.

The problem

In the top animation, a client tries to reach an http server behind a router. He types 82.1.2.3 in his browser and the request goes straight to the router. The client also has a WAN address, not shown here.

Upon arrival, the router sees what is called an incoming frame (strictly speaking an IP packet): a bunch of data headed by the client's WAN IP address as source and the router's WAN address (here 82.1.2.3) as destination, followed by whatever the client's browser sent.
Because the router may serve more than one host, it has absolutely no idea which host this packet is meant for, and therefore simply drops it. In the best case you reach the router itself (if it runs an internal http server AND that server is exposed on the WAN side); otherwise the browser eventually reports a timeout or a refused connection (not a 404, which only a web server can send). Either way you never reach your host.

Note that this default behaviour is very useful: every kind of unsolicited request coming from outside is ignored. It acts almost like a firewall :-) Only almost, though: NAT is not a firewall, and anything you do decide to forward becomes reachable by the whole Internet, not just by you.

Long live address redirection

There are (at least) two ways to tell the router which host we are interested in:

  • The simplest is the DMZ (demilitarized zone): configure the router so that the DMZ points to the LAN address of the host, and it will forward everything that comes in to that host. All incoming packets are forwarded to it, the unwanted ones included.
    THIS IS TOTALLY UNSAFE except for short tests of limited duration.

    Other users will want more than that: "There are 10 servers and I want to reach #3."
    The solution is address redirection: the router is configured so that it knows what to do with each incoming connection (with a little help from the client, though).
  • That help is already built into networks: the client appends a port number to the address, e.g. 82.1.2.3:6000,
    where 6000 is the port number.

If you do not specify a port number, your browser uses the standard port for the scheme (80 for http, 443 for https, etc.).
You can use any port number between 1 and 65535, except that the first ones (1 to 1023, the well-known ports) already have a standard use. We will also avoid the registered ports between 1024 and 49151, which still leaves the dynamic range 49152 to 65535: more than 16,000 ports ;-) Keep in mind that a non-standard port only avoids collisions with well-known services; a port scanner finds it just as easily, so it buys no security by itself.

Address redirection is sometimes found under the "port forwarding" section of the router's configuration.
Inside the router we will have something like this:

Incoming port   Protocol   Local address   Local port
6000            TCP        192.168.0.12    80

Which means: any incoming connection with 6000 as destination port should be forwarded to 192.168.0.12 as if the port were 80 (the http port). The router rewrites the destination address and port of each packet (this is destination NAT), remembers the connection, and translates the server's replies back on the way out, so the client only ever sees 82.1.2.3:6000.
The server (A) then receives a packet with 80 as destination port and processes it as any http server would:

(Animation: access with NAT)
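The whole mechanism described above, as an added example that is not part of the original page: a toy Python model of the router's NAT table. It shows the three behaviours (drop unsolicited packets by default, forward everything to a DMZ host, or forward by incoming port), tracks each connection so the server's replies are translated back to 82.1.2.3:6000, masquerades connections that LAN hosts open themselves (which is why LAN addresses never appear on the WAN side), and refuses a rule whose local address is not an RFC 1918 private address. The names Router, Packet, ForwardRule and iptables_equivalent are mine, the client address 203.0.113.7 is a constructed documentation address, and the iptables lines are the Linux netfilter equivalent of the table row.

```python
"""Toy model of a home router's NAT table: default drop, DMZ and port
forwarding (DNAT) with connection tracking. Added example, not the page's
own code. Addresses are the page's made-up ones plus constructed
documentation addresses (203.0.113.x)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields NAT looks at; the payload is irrelevant here."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass(frozen=True)
class ForwardRule:
    """One line of the router's port-forwarding table."""
    incoming_port: int
    proto: str
    local_address: str
    local_port: int


class Router:
    def __init__(self, wan_ip: str, dmz_host: Optional[str] = None):
        self.wan_ip = wan_ip
        self.dmz_host = dmz_host            # None = no DMZ, the safe default
        self.rules: Dict[Tuple[str, int], ForwardRule] = {}
        # Connection tracking, indexed from both directions.
        self._lan_to_wan: Dict[tuple, int] = {}
        self._wan_to_lan: Dict[tuple, Tuple[str, int]] = {}
        self._next_wan_port = 49152         # dynamic range, used for masqueraded LAN connections

    def add_rule(self, rule: ForwardRule) -> None:
        """Install a rule, refusing anything that is obviously wrong."""
        if rule.proto not in ("TCP", "UDP"):
            raise ValueError(f"unsupported protocol {rule.proto!r}")
        for port in (rule.incoming_port, rule.local_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range")
        # A forward target must be on the LAN, i.e. an RFC 1918 private address.
        if not ipaddress.ip_address(rule.local_address).is_private:
            raise ValueError(f"{rule.local_address} is not a private LAN address")
        self.rules[(rule.proto, rule.incoming_port)] = rule

    def _track(self, proto, lan_ip, lan_port, remote_ip, remote_port, wan_port):
        self._lan_to_wan[(proto, lan_ip, lan_port, remote_ip, remote_port)] = wan_port
        self._wan_to_lan[(proto, wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arrives from the WAN. Return it as delivered on the LAN, or None if dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        known = self._wan_to_lan.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if known is not None:
            lan_ip, lan_port = known          # reply to a connection a LAN host opened
        else:
            rule = self.rules.get((pkt.proto, pkt.dst_port))
            if rule is not None:
                lan_ip, lan_port = rule.local_address, rule.local_port
            elif self.dmz_host is not None:
                lan_ip, lan_port = self.dmz_host, pkt.dst_port   # DMZ: everything, port unchanged
            else:
                return None                   # unsolicited and no rule: dropped
            self._track(pkt.proto, lan_ip, lan_port, pkt.src_ip, pkt.src_port, pkt.dst_port)
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """A packet leaves a LAN host. Its source always becomes the WAN address."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self._lan_to_wan.get(key)
        if wan_port is None:
            wan_port = self._next_wan_port    # new outbound connection: masquerade it
            self._next_wan_port += 1
            self._track(pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, wan_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)


def iptables_equivalent(rule: ForwardRule) -> list:
    """The same table row as Linux netfilter rules: DNAT plus allowing the forwarded flow."""
    p = rule.proto.lower()
    return [
        f"iptables -t nat -A PREROUTING -p {p} --dport {rule.incoming_port} "
        f"-j DNAT --to-destination {rule.local_address}:{rule.local_port}",
        f"iptables -A FORWARD -p {p} -d {rule.local_address} --dport {rule.local_port} -j ACCEPT",
    ]


if __name__ == "__main__":
    box = Router("82.1.2.3")
    box.add_rule(ForwardRule(6000, "TCP", "192.168.0.12", 80))
    client = Packet("203.0.113.7", 51000, "82.1.2.3", 6000)   # constructed client
    print("to LAN :", box.inbound(client))
    print("dropped:", box.inbound(replace(client, dst_port=80)))
    print("\n".join(iptables_equivalent(box.rules[("TCP", 6000)])))
```

Running the file shows the forwarded packet arriving at 192.168.0.12:80, the same client hitting port 80 directly being dropped, and the two iptables lines a Linux box would need. Note that the DMZ branch forwards every port, which is exactly why the text calls it unsafe.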

And there you have it!

Questions?
Write to migrigaut at gmail point com