The Mysteries of Network Masquerading

One indispensable part of the Internet-savvy broadcast engineer’s toolkit nowadays is network address translation, or NAT. I introduce it in this article and show you how to use it to enable another great tool, Virtual Network Computing (VNC).

As usual, I’m going to keep this short and sweet. I’ll let the True Geeks argue about whether a particular case would more accurately be called “masquerading” or “port forwarding.” If you’re interested, do a Web search on “network address translation” and “RFC 1631” to get the inside story. You’ll see why NAT was developed in the first place (a growing shortage of available IPV4 addresses, which is also why IPV6 has been introduced) and how it has been cleverly adapted to the usage I’ll discuss here.

Also as usual, I’ll stick to standard IPV4 address (e.g. 192.168.1.100) and my favorite example, a small office network that shares Internet access with a typical DSL modem/router.

Network addressing

IP addresses can be compared to the delivery location specified for a piece of mail. The “post office” (your network, in this case) sees that address and delivers the “message” (the packet of data) to the requested computer. But there’s another number built into that message header that’s analogous to the addressee’s name, called the port number. These are 16-bit values from 0-65535.

It would be inefficient for the mailroom to open each envelope to determine who should get each letter. Likewise, your computer won’t examine the contents of each data packet to try to figure out where it should go. Instead, port numbers are used to mark and match each request to a given “recipient.”

The analogy ends here, but the cleverness appears: Port numbers are the key to network address translation!

Some port numbers are standardized. For example, suppose you’re running a typical Web server at your station. Incoming requests will be destined for your IP address, at the standard HTTP port, number 80. Your PC’s network subsystem sees that number and sends the packet to the Web server for handling.

But port numbers are used to mark outgoing data as well. In fact, port numbers routinely are used to mark data packets, as you’ll see in a moment. For example, your Web server might have several people connected at the same time, all coming from different locations. It might mark each outgoing response with a unique port number to keep up with who is doing what.

We can refer to ports and IP addresses as being either for a destination (i.e., where the data is going) or a source (i.e., who made the request). These designations are always from the sender’s point of view.

Fundamentals of Network Address Translation

You almost certainly use NAT every day without even realizing it. If my co-workers and I are all browsing the Web at the same time, the destination addressing is obvious. But how does each reply get back to the correct PC on our internal network?

Fig. 1: A simplified diagram of how packets get through a router, onto the Internet and back to the original computer. This is illustrated in Fig. 1. My PC is at 192.168.1.100; our DSL modem has an external (“Internet”) address 212.1.23.19.

1. My PC uses DNS to look up the desired website’s actual IP address, which is at 216.180.12.22.
2. My PC crafts a request with that destination IP, port 80. The source is my IP address and a self-generated port number that my PC will use to help keep track of things.
3. The DSL modem now translates this for sending. It stores my original IP and source port number in a table, and then generates its own source port number to index my values.
4. The DSL modem sends the request with its own IP address and “index” source port number to the website.
5. The website gets the request and replies to the DSL modem. The reply destination is my DSL modem’s IP address and port number.
6. The DSL modem uses the destination port number as an index to look up my original numbers in its internal table.
7. My IP address and original port number are re-inserted and the packet finally makes it back to my PC.

The key point here is that it takes more than an IP address to make a conversation. The port number is part of it too! But if you think about it for a moment, you’ll see how we could use this to “masquerade” incoming ports to different machines ourselves. All the modem needs to do is watch for certain port numbers, which it will then always send to the same internal network address.

Masquerading (port forwarding)

Since a DSL modem already does NAT routing anyway, most of them toss in the ability to do specifically-targeted port forwarding for free. This allows you to set up a server on the internal network and expose it to the Internet.

DSL modems usually include a built-in Web interface for configuration. Check your modem’s manual for details, but there should be a configuration option entitled “NAT,” “masquerading” or “port forwarding.” This is what you want.

Fig. 2 shows the port forwarding for one of our DLink units; I’ve mapped VNC to one of our internal machines.

Fig. 2: Port forwarding with a typical modem/router. Port 5900 is routed to a VNC server on the internal network. Security must get a mention here: Be careful about setting up a Web or mail server like this. High-traffic servers on standard, well-known port numbers not only require a lot of care and feeding, they really ought to be isolated from your internal network. That’s for another article.

But I’ll close with one ideal use for this: you can give yourself remote access to one of the machines on that local network with VNC (Virtual Network Computing). If you do this on your audio network, for example, you can log in remotely to insert programs, move spots and check the logs at nights and on weekends. Very handy!

Here’s how you do it:

1. Your DSL modem must have a static IP address on the Internet and it must not block ports. Contact your Internet service provider to ensure this. If you don’t currently have a static IP, you may have to pay a bit more each month for that feature.
2. Go to www.uvnc.com and download Ultr@vnc. It’s a free VNC server and client that work like a champ on Windows machines.
3. Install it on the chosen server machine. NOTE: This PC must have a static IP address on the internal network as well. The modem needs a known, unchanging IP address to forward requests to.
4. You can accept the defaults for most configuration options, but we’ll make two changes. Bring up the Server configuration box by right-clicking on the “eyeball” icon in the toolbar. First, give it a strong password, a random mix of numbers and letters. Second, change the “main” port from the default 5900 (see Fig. 3; we can leave the HTTP port to the default 5800 because we won’t use it in this example). Hackers love to target these well-known port numbers to try to gain access to your network.
5. Go into Windows’ firewall and open your chosen port number.
6. Go into your modem’s configuration page and set the forwarding for your chosen port number to go to that VNC machine’s IP address.

Fig. 3: Changing the default password and port number on a VNC server. Now install the VNC client on your PC at home (once again, the defaults will work fine). To connect, enter the IP address of your DSL modem along your special port number. You’ll need to enter the password you selected when installing VNC Server so the connection is secure. You can then operate the server remotely, almost as if you were standing at the machine instead of sitting at your PC at home or anywhere else with Internet access.

Here’s a tip: If you forget your DSL modem’s external address, go to any PC on your internal network and browse to “whatismyip.com.”

Once you’ve used it for a while, you’ll wonder how you got along without VNC … and all of this is accomplished through the magic of Network Address Translation!

Stephen M. Poole, CBRE-AMD, CBNT, is market chief engineer at Crawford Broadcasting in Birmingham, Ala.