What Is A NAT Router?

A router is a very specialised computer that connects two or more separate networks, and directs network traffic from one network to the other as necessary.

A normal (infrastructure) router has just one simple task - to route traffic from one network to another, simply by knowing what networks are connected to each interface on the router. This requires you to know what networks are connected, and to create and input rules defining those networks.

A Network Address Translation, or NAT, router has multiple jobs.

  • DHCP Server (Assigns and passes network settings to computers on the LAN).
  • Firewall Functionality (Protects the computers on the LAN, from computers on the Internet).
  • Internet Client (Acts like a single computer to the Internet on the WAN).
  • Internet Gateway (Provides internet service to the computers on the LAN).
  • Network Address Translation.


Basic Setup
With a NAT router, you only have to make settings regarding one network - the WAN side (which connects to the internet), to get started. You set that up according to what service your ISP provides.
  • Fixed IP address.
  • Dynamic IP address.
  • Point to Point Over Ethernet, aka PPPoE.

And, you will need to set up the addresses of the DNS servers. Your ISP should provide you with those. They are essential.

The default settings on the LAN side (where all of your computers connect) should work OK to get you started. The DHCP server on the router, by default, provides all the necessary settings to each of your computers. Connecting each computer, one at a time, to a NAT router is relatively simple:
  • Set the computer to automatically get settings (DHCP client).
  • Restart the computer.


Assuming that all your computers are simply used for browsing, or similar client initiated internet activities (which is frequently the case), a NAT router needs no further configuration.

NAT Functionality
An infrastructure router has a relatively simple task - to simply pass packets from one computer to another. Computer A sends a request to Computer B. The router simply passes packets from Computer A (on router connection A) to Computer B (on router connection B). It's possible, but not certain, that the reply from Computer B to Computer A might return thru the same router.

A NAT router has a more complicated task:
  1. Opens a port when requested by a local computer, identifying the local and remote computers.
  2. Passes a series of packets thru that port to the remote computer.
  3. Waits for the reply from that remote computer.
  4. Identifies the port by the IP address of the remote computer.
  5. Passes the reply from the remote computer, thru that port, back to the local computer.


With the infrastructure router, both Computers A and B know of each other's existence, as both computers use public (routed) IP addresses. With a NAT router, the remote computer actually sends its reply back to the router. The router performs Network Address Translation, and relays each packet back to the local computer.

The benefit here is that, even if the router does not have a firewall feature, the computers on the LAN are still protected. Only requested traffic, from known computers on the Internet, gets routed to a computer on the LAN. Any traffic originating from any unknown computer, or directed to an unrequested port, simply gets dropped. No original request = no delivery.
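The five steps above, and the "no original request = no delivery" rule, as a small simulation. This is an added example, not code from any router: the NatRouter and Packet names, the starting port 40000 and all addresses are constructed for illustration, and timeouts and protocol handling are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Toy NAT table following the five steps above (hypothetical model)."""

    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.by_wan_port = {}   # wan_port -> (local_ip, local_port, remote_ip)
        self.by_flow = {}       # (local_ip, local_port, remote_ip) -> wan_port

    def outbound(self, pkt):
        """Steps 1-2: open (or reuse) a port for this flow, rewrite the source."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_wan_port[self.next_port] = flow
            self.next_port += 1
        return Packet(self.wan_ip, self.by_flow[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Steps 3-5: deliver only a reply matching an open port, else None."""
        entry = self.by_wan_port.get(pkt.dst_port)
        if entry is None:
            return None                      # unrequested port: dropped
        local_ip, local_port, remote_ip = entry
        if pkt.src_ip != remote_ip:
            return None                      # unknown remote computer: dropped
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port)

def demo():
    # Constructed addresses; the Internet side uses documentation ranges.
    nat = NatRouter(wan_ip="203.0.113.7")
    request = Packet("192.168.0.100", 51000, "198.51.100.20", 80)
    sent = nat.outbound(request)
    reply = nat.inbound(Packet("198.51.100.20", 80, sent.src_ip, sent.src_port))
    stranger = nat.inbound(Packet("192.0.2.66", 80, sent.src_ip, sent.src_port))
    closed = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.7", 40001))
    return sent, reply, stranger, closed

if __name__ == "__main__":
    for label, result in zip(("sent", "reply", "stranger", "closed port"), demo()):
        print(f"{label:12} {result if result else 'DROPPED'}")
```

The drops here fall out of the translation table alone: a packet with no matching entry has nowhere to be delivered, and no traffic is inspected or filtered by rule.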

What A NAT Router Is Not
With all of that, let's get straight about what a NAT router is not. A NAT router, which may or may not provide firewall functionality between the WAN and the LAN, is not a firewall. And not all NAT routers provide firewall protection between the computers on a LAN. All computers connected to the LAN, on most NAT routers, are simply connected to a switch. Some WiFi NAT routers may have a feature called "Isolation Mode", which blocks all network traffic between all computers connected to the LAN.

To put it simply - a NAT router is not a firewall.

And there is a major difference in hardware too, between a NAT (Consumer grade) and Infrastructure (Business grade) router. Besides quality of design and manufacture, the design itself has a major difference.

A NAT router has 2 distinct sides to it - the WAN (where you connect the Internet service), and the LAN (where you connect all computers). The ports on the LAN are connected by a switch - there is no routing functionality. Routing is simply between the WAN port, and the switch.

With an Infrastructure router, all ports are labeled, and routed, identically. If you have 2 LAN segments, each connected to a router port, and a WAN segment connected to a third port, all traffic between any 2 of the 3 will be routed symmetrically.

Some NAT routers will, upon option, let you disable NAT. This may be called "Infrastructure" or "Router" mode. This will not give you a true Infrastructure router, as the ports connected to the LAN will still go through a switch. A NAT router will, at best, be the equivalent of a 2 port Infrastructure router. Very few Infrastructure routers contain only 2 ports.

Extended Setup
Although the default settings on a NAT router are very simple, there are plenty of additional settings to allow for specific needs of each individual local network. With the many functions that a NAT router provides to its clients, in addition to simple web surfing, they can be quite complex to set up.

Many security experts advise changing all default settings that deal with the LAN settings of a NAT network. In case a NAT related exploit ("hacking" technique) ever becomes reality (and that will happen one day), the exploit will not be quite so easy. Specifically, there are certain default LAN settings which vary by router manufacturer, but can be improved upon by the owner of the router. For a Linksys router, for instance, the LAN defaults to 192.168.0/24, with gateway 192.168.0.1. And the DHCP server defaults to issuing addresses in the range 192.168.0.100 - 192.168.0.150. All of those settings can, and should, be changed.

Other settings which are advisable:
  • Change the administrative password. Use a non-trivial (non guessable) value. Change it regularly.
  • Disable remote (WAN) management. There is no need for anybody to make changes to the router except from a computer connected to the LAN (i.e. in front of the router itself).
  • Enable the security log. Review the log regularly, know what is normal, and take action when something abnormal happens.


Other configurations that you might need to make (not available on all routers):
  • DMZ. To bypass NAT functionality for individual computers on your LAN.
  • Isolation. Blocks all network traffic between all computers connected to the LAN. Provides shared Internet service, with no security risk, for WiFi clients, as in a WiFi Hotspot.
  • Packet Filter. Block specific application traffic in and out of the LAN.
  • Port Forwarding. To provide for Internet server applications.
  • Port Triggering. To allow for Internet server applications, with special needs that can't be met by Port Forwarding.
  • Stateful Packet Inspection. Complements packet filtering, and is another function provided by a full featured firewall.
  • UPnP. Similar to port triggering, but more versatile. Allows applications on your computer to control the router.
  • VPN Endpoint or Passthru. To allow for secured communications with remote networks.

Not all of these features are available on every NAT router. Each feature requires memory and processor time; both resources may be in short supply in a typical (inexpensive) NAT router. Some NAT routers may have these features, but disable them when excessive network traffic is experienced. When an excessive volume of network traffic is experienced, and the router can't keep up, there are only two possible actions which the router can take.
  • Fail open. Stop filtering, simply pass traffic, unexamined.
  • Fail closed. Drop traffic that exceeds a certain volume.

Obviously, neither possibility is desirable. Like any physical device, NAT routers are limited in feature set, by their components and design. When you're comparing NAT routers, compare carefully.

For additional configuration information, and endless hours of discussion about what I have summarised above, visit the Usenet discussion groups alt.computer.security, or comp.security.firewalls.
