The previous article, "Why do all our home IP addresses start with 192.168?", mentioned that IPv4 addresses are limited: there are at most about 4.2 billion of them. To make better use of this limited pool, networks are divided into LANs and WANs, and IPs into private IPs and public IPs. Many machines in a LAN can share one public IP, which greatly increases the "number of usable IPs".

[Figure: Sending and receiving data is like sending and receiving express mail]

When we need to send a network packet, at the IP layer we fill in the source IP address and the destination IP address, which correspond to the sender's and recipient's addresses on a parcel.

[Figure: The IP header contains the sending and receiving IP addresses]

However, in our home LAN we almost always use private IP addresses such as 192.168.xx.xx. If we put that address in a packet we send, how is the other side supposed to reply? After all, thousands of households use 192.168.0.1, so how would the network know whom to send the reply to? Clearly, this 192.168.xx private IP has to be converted into a public IP somewhere. That is the question I left open at the end of the previous article: private IPs are used inside the LAN and public IPs on the public network, so if a private IP in the LAN wants to reach a public IP outside it, an IP conversion must happen. Where is this conversion done?

[Figure: Where private IP and public IP are converted]

The answer is the NAT device, NAT being short for Network Address Translation. Basically every home router supports this function. Let's talk about how it works.

How NAT works

For simplicity, let's assume you are rich and your home has been assigned the public IP address 20.20.20.20, which belongs to your home router with NAT function.
You have many devices at home that need Internet access, such as your phone and computer; they form a LAN and use private IP addresses of the form 192.168.xx.xx. You run the ifconfig command on your computer and find that its IP address is 192.168.30.5. The public IP address you want to reach is 30.30.30.30. So the picture looks like this:

[Figure: Intranet IP accessing a public IP]

When you are ready to send a packet, your computer's kernel protocol stack constructs an IP packet whose header carries source IP 192.168.30.5 and destination IP 30.30.30.30. The packet is sent to the NAT router. The NAT router modifies the source IP address in the packet, rewriting the private address 192.168.30.5 to the public address 20.20.20.20. This is called SNAT (Source Network Address Translation). The router also keeps a mapping record 192.168.30.5 -> 20.20.20.20, which will be used later. After that, the packet is forwarded by each router on the public network until it reaches the receiving end 30.30.30.30, and the sending process ends there.

[Figure: SNAT]

If the receiving end has processed the data and needs to send a response to your computer, it fills in its own address 30.30.30.30 as the source IP and your public IP 20.20.20.20 as the destination IP, and the packet travels to the NAT router. When the NAT router receives this packet from the public network, it checks the mapping information it kept earlier, finds the record 192.168.30.5 -> 20.20.20.20, and modifies the destination IP of the packet to the internal address 192.168.30.5. This is called DNAT (Destination Network Address Translation). The packet is then forwarded to your computer.
[Figure: DNAT]

During the whole process, NAT quietly changes the source and destination IP addresses of the IP packet, and the real sender and receiver are unaware of it. This is how NAT works.

Principle of NAPT

At this point, I believe everyone has a big question. There is more than one machine in the LAN, and the mapping information left by each machine under NAT would be 192.168.xx.xx -> 20.20.20.20. Sending is fine, but when a reply comes back, the router does not know whom to deliver it to.

[Figure: NAT problems]

This is a pretty serious problem, so in practice plain NAT is rarely used. What should we do then? The problem is that we cannot distinguish between the multiple network connections inside the intranet. So we can add other information to tell them apart, and the port is the natural thing to think of. However, IP packets (network layer) themselves carry no port information; ports only appear in the common transport-layer protocols, the TCP and UDP datagrams.

[Figure: The TCP header has the port number]
[Figure: The UDP header also has a port number]

So the process becomes as follows. When you are ready to send a packet, your computer's kernel protocol stack first constructs a TCP or UDP datagram header and writes the port numbers into it, for example source port 5000 and destination port 3000. On top of that it adds the IP header and fills in the source and destination IP addresses. The packet then looks like this:

[Figure: Packet composition]

Assume the source IP address is 192.168.30.5 and the destination IP address is 30.30.30.30. The packet is sent to the NAT router, which modifies the source IP address and port in the packet from 192.168.30.5:5000 to 20.20.20.20:6000 and keeps a mapping record 192.168.30.5:5000 -> 20.20.20.20:6000.
After that, the packet is forwarded by each router on the public network and reaches the receiving end 30.30.30.30:3000, and the sending process ends there.

[Figure: NAPT sends data]

When the receiving end responds, it fills in source address 30.30.30.30:3000 and destination address 20.20.20.20:6000 in the packet and sends it to the NAT router. The NAT router finds the record 192.168.30.5:5000 -> 20.20.20.20:6000 it kept earlier, modifies the destination IP address and port back to the original 192.168.30.5:5000, and forwards the packet to your computer.

[Figure: NAPT receives data]

If there are multiple devices in the LAN, they are mapped to different public ports. After all, ports go up to 65535, which is enough. In this way everyone can live in peace. This technique of translating IP and port at the same time is called NAPT (Network Address Port Translation).

Seeing this, a question arises: does that mean only network protocols that use ports can be recognized and forwarded by NAT? Then how do we explain the ping command? Ping is based on the ICMP protocol, and ICMP messages carry no port information, yet I can still ping a public network machine normally and receive the reply.

[Figure: Ping header]

In fact, NAT routers treat the ICMP protocol specially. The ping message header contains an Identifier, which in practice is the process ID of the ping command. To the NAT router, this Identifier plays the same role as a port. In addition, when we capture packets we find two identifiers, one marked BE (big endian) and the other LE (little endian). They are the same value stored with a different byte order, so they read differently, just as the number 345 read backwards becomes 543. This is for compatibility with the different endianness used by different operating systems (such as Linux and Windows).
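To make the ICMP point concrete, here is an added example (not code from the original article) that builds and parses a raw ICMP echo request header, verifies its checksum, and reads the Identifier field in both byte orders, which is exactly the field a NAT router keys its ICMP mapping on. The sample identifier and payload are constructed.

```python
# Added example (not from the original article): parse a raw ICMP echo header and read the
# Identifier that NAPT uses in place of a port, showing why packet-capture tools display it
# both big-endian (BE) and little-endian (LE). The sample packet below is constructed.
import struct


def icmp_checksum(data: bytes) -> int:
    """Standard Internet checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(identifier: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Echo request: type 8, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, identifier, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, identifier, seq) + payload


def parse_icmp_echo(packet: bytes) -> dict:
    """Return the fields a NAT would look at, with the Identifier in both byte orders."""
    icmp_type, code, csum, ident_be, seq = struct.unpack("!BBHHH", packet[:8])
    ident_le = struct.unpack("<H", packet[4:6])[0]   # same two bytes, read little-endian
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(packet) == 0,   # an intact packet sums to zero
        "identifier_be": ident_be,
        "identifier_le": ident_le,
        "sequence": seq,
    }
```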
What is intranet penetration?

By now we have probably also noticed that when NAT is used to access the Internet, the intranet machine must actively send a request to the public IP so that NAT can translate the intranet IP and port to the external IP and port. Conversely, if a machine on the public network wants to actively reach a machine on the internal network, it is blocked at the NAT router: since the router has no matching IP/port mapping record, it will not forward the data to any internal machine. For a real-life example, you start an HTTP service on your home computer at 192.168.30.5:5000, try to open it from your phone at the office, and find that you cannot reach it.

So the question is: is there a way to let external machines access internal network services? There is. You must have heard the saying, "There is no problem that cannot be solved by adding a layer in the middle; if there is, add another layer." It applies here too. In the end, because of NAT, a connection can only be initiated from the intranet; otherwise the NAT device records no mapping, and without a mapping, data cannot be forwarded. So we add a server x on the public Internet, expose an access domain name, and let the intranet service actively connect to server x, so that a corresponding mapping exists on the NAT router. Then everyone accesses server x, server x forwards the data to the intranet machine, and the response returns along the same path, so the data gets through in both directions. This is the so-called intranet penetration. You do not need to set up a server x like this yourself; there are many ready-made solutions that you just pay for, such as Huamou Shell.

[Figure: Intranet penetration]

At this point we can answer the question in the title of the article.
Why can't I access my home computer from work? Because the computer at home is in a LAN, and there is a NAT router between the LAN and the WAN. Because of the NAT router, a service on the external network cannot actively connect to a computer in the LAN.

How two chat clients in different intranets communicate

Okay, here comes the next problem. My computer is in my community's LAN, and the computer of the class beauty is in her community's LAN. Both are in LANs, and NAT only allows connections from the intranet out to the external network, so how can the QQ logged in on my computer connect to the QQ on her computer?

[Figure: Services in two LANs cannot be directly connected]

The question above contains a misunderstanding: that the two QQ clients are connected directly. In reality there is a server between the two QQ clients.

[Figure: The chat software actively establishes a connection with the public network server]

That is, when two intranet clients log in to QQ, each actively establishes a connection to the chat server on the public network, and at that moment the NAT routers on both sides record the corresponding mappings. When a message is sent from one QQ, the data first goes to the server and is then forwarded by the server to the other client; the reverse direction works the same way. In this way, two intranet machines can exchange data.

How to establish a direct connection between two intranet applications

In the situation above, the two clients communicate through a third-party server. In some scenarios, however, the third party must be left out and the two ends have to talk directly, for example in P2P downloading. What do we do then? In this case the help of a third-party server is still indispensable.
Assume again machines in two LANs, A and B; the NAT device in front of A's intranet is called NAT_A, the one in front of B's intranet NAT_B, and there is a third-party server. The process is as follows.

Steps 1 and 2: A actively connects to the server. NAT_A records the mapping between A's internal address and external address, and the server learns A's external IP address and port.

Steps 3 and 4: B does the same as A. It actively connects to the third-party server, NAT_B records the mapping between B's internal and external addresses, and the server learns B's external IP address and port.

Steps 5, 6 and 7: Here comes the key point. The server sends A a message asking A to actively send a UDP packet to B's external IP address and port. When NAT_B receives this UDP packet from A, depending on NAT_B's settings, it may forward the data straight to B, in which case A and B are connected. But it is also possible that the packet is simply dropped. Dropping it does not matter, though: the purpose of this step is to leave a mapping about B on NAT_A.

Steps 8, 9 and 10: The same familiar recipe as step 5. Now the server sends B a message asking B to actively send a UDP packet to A's external IP address and port. NAT_B likewise records a mapping between A and B. Since NAT_A already has the mapping for B from before, NAT_A accepts B's packet normally and forwards it to A. At this point A and B can communicate normally. This is the so-called NAT hole punching.

Step 11: Note that we used UDP packets above just to punch a hole in the NATs of the two LANs.
In fact, most applications use TCP connections, so we still need to actively initiate a TCP connection from A to B. With that, communication between the two ends is complete.

[Figure: NAT hole punching]

I guess everyone has a doubt here. The port has already been used by UDP; if TCP uses it again, isn't that a duplicate port (address already in use)? Actually, it is not. The port-in-use error is typically reported when two TCP connections reuse the same IP and port without SO_REUSEADDR, but it is not reported between UDP and TCP. The reason for the error is that in the Linux kernel, when network data arrives, the kernel uses the five-tuple (transport protocol, source IP, destination IP, source port, destination port) to uniquely identify the recipient. If two sockets had exactly the same five-tuple, the kernel would not know whom to deliver the data to. UDP and TCP differ in the "transport protocol" element, so their five-tuples differ and the problem above does not arise.

[Figure: Five-tuple]

There are many types of NAPT; can the hole punching scheme above succeed on all of them?

Regarding NAPT, there are indeed several types, such as full cone NAT and restricted NAT, but they are not the focus of this article, so I will skip them. The most common today is cone NAT. The hole punching scheme above works in most scenarios, including the most restrictive cone type, port-restricted cone NAT.

Summary

• IPv4 addresses are limited, but through a NAT router an entire intranet with many machines can present a single public IP address to the outside, greatly saving IP resources.
• The intranet machine actively connects to the public IP, and the NAT in between translates the intranet machine's private IP into a public IP, enabling data exchange between the intranet and the external network.
• Plain NAT only modifies the source and destination IP addresses in the packet.
When there are many intranet devices, conflicts can occur, so NAPT, which modifies the IP addresses and ports at the same time, is generally used.
• Because of NAT, a public IP cannot reach intranet services, but through intranet penetration it can. After the series of operations above, you can access your home computer from the company network.

Finally, I have a question. With NAT, IPv4 addresses, which were originally not abundant, suddenly seem more than sufficient. So why do we still need IPv6? And IPv6 is said to have so many addresses that every grain of sand could have its own; do we still need NAT then?
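The NAPT mapping table from the "Principle of NAPT" section and the hole-punching steps 1 to 10 above, as one added example (not code from the original article): a minimal port-restricted cone NAPT model, two instances of it in front of A and B, and a constructed rendezvous server at 40.40.40.40:7000. Each call returns who received the packet, so the dropped first packet and the later success are visible.

```python
# Added example (not from the original article): a minimal port-restricted cone NAPT model
# and the UDP hole-punching steps 1-10 run against two such routers. All addresses,
# ports and the server are constructed for illustration.
class ConeNapt:
    """Rewrites (private ip, port) -> (public ip, port); inbound packets are admitted only
    from an external ip:port that this mapping has already sent a packet to."""

    def __init__(self, public_ip, first_port=6000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}         # (in_ip, in_port) -> pub_port; cone: one pub_port per socket
        self.back = {}        # pub_port -> (in_ip, in_port)
        self.holes = set()    # (pub_port, ext_ip, ext_port) allowed back in

    def snat(self, src, dst):
        """LAN -> WAN: returns (public_src, dst) as seen on the Internet, opening a hole."""
        if src not in self.out:
            self.out[src], self.back[self.next_port] = self.next_port, src
            self.next_port += 1
        pub = (self.public_ip, self.out[src])
        self.holes.add((pub[1], dst[0], dst[1]))
        return pub, dst

    def dnat(self, src, dst):
        """WAN -> LAN: returns the private (ip, port) or None when no hole matches."""
        if dst[0] != self.public_ip or (dst[1], src[0], src[1]) not in self.holes:
            return None       # unsolicited packet: why home services are unreachable
        return self.back[dst[1]]


def hole_punch():
    """Steps 1-10 of the article. Returns who received each packet (None = dropped)."""
    server = ("40.40.40.40", 7000)                           # constructed rendezvous server
    nat_a, nat_b = ConeNapt("20.20.20.20"), ConeNapt("21.21.21.21")
    a, b = ("192.168.30.5", 5000), ("192.168.1.8", 5000)    # same private port, no clash
    pub_a, _ = nat_a.snat(a, server)    # steps 1-2: server learns A's public ip:port
    pub_b, _ = nat_b.snat(b, server)    # steps 3-4: server learns B's public ip:port
    # steps 5-7: A -> B's public address. NAT_B has no hole for A yet and drops it,
    # but NAT_A now has a hole for B.
    first = nat_b.dnat(*nat_a.snat(a, pub_b))
    # steps 8-10: B -> A's public address passes NAT_A's hole; NAT_B opens one for A.
    second = nat_a.dnat(*nat_b.snat(b, pub_a))
    third = nat_b.dnat(*nat_a.snat(a, pub_b))                # now A -> B works as well
    return {"a_to_b_first": first, "b_to_a": second, "a_to_b_after": third}
```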