Understand in one article how the intranet and extranet communicate?

As network developers we use TCP and UDP all the time, but usually for communication inside a single local area network. Have you ever thought about what happens when the intranet has to talk to the Internet? In other words, how do a local area network and the public network interact?


Suppose two hosts A and B sit in different LANs and both have the LAN IP 192.168.1.2. Both access a Baidu server at the same time. How does the server reply to each of them separately? Put differently, how does the server tell A from B?


The difference between public IP and private IP

Let's first understand the concepts of public IP and private IP.

Public address: managed by InterNIC (the Internet Network Information Center) and assigned to organizations that register and apply for them. A public IP is unique worldwide and can be routed directly on the Internet. Under the original classful scheme (CIDR has since replaced it, but the class boundaries are still a convenient way to read the ranges) there are five classes, A to E:

  1. Class A: the address range is 1.0.0.0 to 126.255.255.255 (networks 0 and 127 are reserved); a small number of very large networks, each with a huge number of hosts;
  2. Class B: the address range is 128.0.0.0 to 191.255.255.255, generally used by large international companies and government agencies;
  3. Class C: the address range is 192.0.0.0 to 223.255.255.255, used by small companies, campus networks, research institutions and the like;
  4. Class D: the address range is 224.0.0.0 to 239.255.255.255, reserved for multicast (not broadcast) addresses;
  5. Class E: the address range is 240.0.0.0 to 255.255.255.255, reserved for experimental use.

Private address: an address from a range that is not registered to anyone and is used only inside an organization (the RFC 1918 ranges). In plain terms, a private IP cannot be routed on the Internet. There are three blocks, one in each of classes A, B and C: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8), 172.16.0.0 to 172.31.255.255 (172.16.0.0/12) and 192.168.0.0 to 192.168.255.255 (192.168.0.0/16).

127.0.0.0 to 127.255.255.255 is the loopback range; traffic sent to these addresses never leaves the host.

We normally reach the Internet through an operator (in China mainly China Telecom, China Mobile or China Unicom broadband). Behind a home router, the host's own address is a private IP. You may wonder: if we can reach the Internet, how can our address be a private one?

In fact we do not reach the Internet with the private IP itself but with a public IP. Put simply, the operator holds public IPs, but under IPv4 they are scarce, so they cannot be handed out one per subscriber permanently; instead they are allocated dynamically, and often shared, among Internet users. The process is a bit like buying a box of pens and handing them out to the students in a class. Of course, the way an operator actually allocates public IPs is far more complicated than that.

So it is perfectly normal for A and B to have the same private IP. The Baidu server does not care what their private IPs are, and cannot see them anyway; all it knows is the public IP the packets arrive from.

Now back to the original question. Since the Baidu server is ultimately reached from a public IP, how is the translation from the private IPs of A and B to a public IP carried out? And when they access the server at the same time, how does the server distinguish A from B?


Port Mapping

Before explaining the mechanism, let us first clear up a concept: port mapping.

  • Port mapping maps a port on the router's public (WAN) IP address to the IP address and port of a host on the intranet (LAN). When an outside user connects to the mapped port on the public address, the router forwards the request to the LAN host that actually provides the service.
  • Different ports of the same public IP can be mapped to different ports on different internal hosts.
  • Port mapping can also act as a simple application proxy, for example for POP, SMTP or TELNET. In theory one public address offers 65536 port numbers, of which 1024 (0 to 1023) are the well-known ports, leaving 64512 ports that can be mapped.

The idea: since port mapping can send different ports of one public IP to different machines on the intranet, a user who connects to a given port of the public IP is automatically forwarded by the router to the corresponding LAN machine.

For example, we have a host on the intranet, but outside users cannot reach it directly. We can set up a port mapping on the router: whenever an outside user connects to port 80 of the router's WAN IP, the router forwards the traffic to port 80 of the intranet host. The router also keeps a session (connection-tracking) entry, so when the intranet host answers, the router rewrites the reply and sends it back to exactly the outside host that made the request. In this role the router behaves like a reverse proxy (strictly, it performs destination NAT): the host's private address is never exposed, only the mapped port is reachable, and everything else on the host stays unreachable from outside. Note that the mapped service itself is now exposed to the Internet, so its own security matters just as much.

Our usual path to the Internet is: host, home router, broadband line, operator, and after the operator's translation, the web server. The returned data first reaches the operator and is then passed back to the user's host.

We all know that a router has two kinds of interfaces: LAN ports and a WAN port.

WAN: connects to the outside, upstream network. It is the egress; packets arriving from the internal LAN interface are forwarded out of it.

LAN: connects to the internal network. The LAN ports are a built-in switch, so a router whose WAN port is left unplugged can be used as an ordinary switch.

Let's look at how communication actually works. To keep it simple, we treat the operator as a single NAT device (in practice this is carrier-grade NAT).


To make it easier to follow, we trace the address translation step by step in the outbound direction, from the local area network to the public network.

Host A's IP is a private address (192.168.1.2), assigned on the router's LAN side. How it was obtained, automatically by DHCP or set by hand, does not matter here.

When A accesses the Baidu server, the router's WAN port translates the packet's source IP and port: 192.168.1.2:80 -> 10.221.0.24:8080. (In reality a client uses a random ephemeral source port rather than 80; the numbers here are only illustrative.) So the source address leaving the WAN port is 10.221.0.24:8080.

Can 10.221.0.24:8080 reach the Internet? Obviously not, because it is still a private address (it lies in 10.0.0.0/8). One more step is needed: translation to a public IP.

At the operator the same thing happens again, this time as dynamic port mapping: the operator's NAT translates 10.221.0.24:8080 into a public address, say 128.0.0.1:9999, and it is with this public IP:port that the Baidu server is reached.


B goes through exactly the same process. Through this layer-by-layer port mapping, the uniqueness of the (IP + port) pair is guaranteed at every hop. Although A and B have identical LAN IPs, the (public IP + port) pairs with which they reach Baidu are different. The server replies to whichever pair a request came from; each NAT on the way looks that pair up in its translation table, undoes its own rewrite, and the reply travels back along the original path to the right host.
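The two mechanisms above, dynamic port-address translation for outbound traffic (this section) and static port mapping for a published service (the Port Mapping section), can be modelled in a few dozen lines. The following is an added example written for this article, not code from the original page: a small NAT simulator with one translation table per device, chained as home router plus operator NAT, and a separate router with a static port forward. The addresses and ports are the article's illustrative values; the server address 203.0.113.80, the client addresses in 198.51.100.0/24 and the ephemeral port 50000 are assumptions chosen from the documentation ranges.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class Napt:
    """One NAT device with a single WAN address (port-address translation)."""

    def __init__(self, wan_ip: str, first_port: int = 1024):
        self.wan_ip = wan_ip
        self._ports = count(first_port)
        # (private src, remote dst) -> port used on the WAN side
        self.sessions: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # WAN port -> (private src, remote dst), dynamic sessions only
        self.reverse: Dict[int, Tuple[Endpoint, Endpoint]] = {}
        # static port mapping: WAN port -> internal service endpoint
        self.forwards: Dict[int, Endpoint] = {}

    def add_port_forward(self, wan_port: int, internal: Endpoint) -> None:
        """Expose an internal service on a fixed WAN port (static mapping)."""
        self.forwards[wan_port] = internal

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to (wan_ip, port) and remember it."""
        key = (pkt.src, pkt.dst)
        port = self.sessions.get(key)
        if port is None:
            port = next(self._ports)
            while port in self.forwards:        # never reuse a mapped port
                port = next(self._ports)
            self.sessions[key] = port
            self.reverse[port] = key
        return Packet(src=(self.wan_ip, port), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: rewrite the destination back, or drop (return None)."""
        if pkt.dst[0] != self.wan_ip:
            return None
        port = pkt.dst[1]
        if port in self.forwards:
            # Static mapping: any remote host may reach the service. Record the
            # session so the service's reply is rewritten back to this WAN port.
            internal = self.forwards[port]
            self.sessions[(internal, pkt.src)] = port
            return Packet(src=pkt.src, dst=internal)
        if port in self.reverse:
            private_src, remote = self.reverse[port]
            if pkt.src != remote:
                return None                     # not from the peer we talked to
            return Packet(src=pkt.src, dst=private_src)
        return None                             # no session, no mapping


SERVER: Endpoint = ("203.0.113.80", 80)   # stands in for the Baidu server (assumed)


def trace_two_hosts() -> dict:
    """A and B both use 192.168.1.2 behind different home routers; both routers
    sit behind the same operator NAT. Returns what the server sees for each
    host and the private endpoint its reply reaches."""
    router_a = Napt("10.221.0.24", first_port=8080)
    router_b = Napt("10.221.0.25", first_port=8080)
    carrier = Napt("128.0.0.1", first_port=9999)
    results = {}
    for name, router in (("A", router_a), ("B", router_b)):
        on_wan = router.outbound(Packet(src=("192.168.1.2", 50000), dst=SERVER))
        on_internet = carrier.outbound(on_wan)
        # The server answers the public (ip, port) it saw; each NAT undoes its
        # own rewrite, so the reply returns along the original path.
        at_router = carrier.inbound(Packet(src=SERVER, dst=on_internet.src))
        at_host = router.inbound(at_router) if at_router else None
        results[name] = {"seen_by_server": on_internet.src,
                         "reply_reaches": at_host.dst if at_host else None}
    # A packet that is not a reply to anything is dropped at the operator NAT.
    stray = Packet(src=("198.51.100.7", 4444), dst=("128.0.0.1", 9999))
    results["stray_dropped"] = carrier.inbound(stray) is None
    return results


def trace_port_forward() -> dict:
    """Static mapping on a router with a public WAN address: port 80 is sent to
    192.168.1.10:80, and the service's reply is rewritten back."""
    router = Napt("203.0.113.1")
    router.add_port_forward(80, ("192.168.1.10", 80))
    client: Endpoint = ("198.51.100.7", 40000)
    request = router.inbound(Packet(src=client, dst=("203.0.113.1", 80)))
    response = router.outbound(Packet(src=("192.168.1.10", 80), dst=client))
    probe = router.inbound(Packet(src=client, dst=("203.0.113.1", 22)))
    return {"request_delivered_to": request.dst if request else None,
            "response_src": response.src,
            "probe_dropped": probe is None}


if __name__ == "__main__":
    print(trace_two_hosts())
    print(trace_port_forward())
```

Two points the trace makes concrete: the operator NAT hands A and B different public ports (9999 and 10000) even though their private endpoints are byte-for-byte identical, and an inbound packet that matches no session and no static mapping is simply dropped, which is the protection the article attributes to the router. The port-forward case uses a router with a public WAN address on purpose: behind carrier-grade NAT, a forward configured only on the home router is unreachable from the Internet unless the operator also maps the port.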
