Dynamic PAT

    This article is a part of a series on Network Address Translation (NAT). Use the navigation boxes to view the rest of the articles.


    Network Address Translation

    According to the definitions outlined in the NAT Terminology article, a Dynamic PAT implies a translation of the IP address and Port, where the post-translation attributes are selected by the router.

    Dynamic PAT is the most common of the types of address translation we will discuss in this article series. Dynamic PAT is used any time multiple internal hosts need to share a single public IP address.

    On a small scale, this is exactly what your home Wi-Fi router does. You may have 5-25 unique devices on your home network, each of them with their own private IP address. But when any of them try to speak with the Internet, they all share the single, unique public IP address assigned to your router.

    The same type of translation happens with the Wi-Fi at coffee shops, or restaurants, or airports. This was the exact same example that was provided in the “Why NAT?” article – the illustrations are examples of a Dynamic PAT.

    Of all the types of Network Address Translation, a Dynamic PAT is the most conducive to conserving IP address space. It is not uncommon to have hundreds of internal hosts sharing one public IP address.

    Dynamic PAT is often referred to as a many-to-one or one-to-many translation, implying the many hosts on the Wi-Fi network are sharing the one Public IP address on the Internet.

    Of course, the simple example referred to earlier has not shown how ports are translated, or how the Router selected the post-translation attributes. To illustrate those concepts, we will have to look at the packet flow through a Dynamic PAT in more detail.


    Packet Flow – Outbound Traffic

    The image below illustrates what is occurring at the packet level:

    [Image: Dynamic PAT - Initial Outbound Flow]

    The Router is serving as our translation device, and is configured with a Dynamic PAT which translates any IP address on the Inside network (10.6.6.0/24) to the IP address 32.8.2.66. When packets are translated, the Router makes note of the attributes of the original and translated packet in the Router’s Translation Table.

    Hosts A, B, and C each send a packet. They each use their own, unique Private IP address as the Source IP address, and they each randomly select a Source Port.

    There are approximately 60,000 port numbers that can be chosen, and it is entirely feasible for two different hosts to randomly select the same source port (as is the case with Host B and Host C above).

    Notice the configuration of the Dynamic PAT does not include specifying a port number. Even though the ports are not explicitly set in the Router’s configuration, this translation is still classified as a PAT because the port is dynamically changed by the Router.

    In our example above, upon reception of each packet, the Router translates the source IP address of each packet to 32.8.2.66 (as explicitly configured), and randomly selects a new, unique source port number for each packet (7777, 8888, and 9999). The Router translated the port (PAT) and the Router selected the new source port (Dynamic).

    Each specific mapping is recorded in the Router’s Translation Table. This translation table will be used to “un-translate” the response packets when they return from the Internet.


    Packet Flow – Response Traffic

    When the two webservers respond to the three packets illustrated in the example above, the packet flow will resemble the following:

    [Image: Dynamic PAT - Inbound Response Flow]

    The response traffic from the web servers simply reverses the source and destination from the initial packet. Each web server sends the response traffic to the destination of the shared IP address (32.8.2.66), with the destination port number which the Router had selected in the original outbound traffic.

    When the packets arrive on the Router, it matches them against the translation table to know how to “un-translate” each packet to its original attributes and deliver it to the appropriate host:

    • The response packet sent to 32.8.2.66:7777 is forwarded to Host A (10.6.6.61:2222)
    • The response packet sent to 32.8.2.66:8888 is forwarded to Host B (10.6.6.62:3333)
    • The response packet sent to 32.8.2.66:9999 is forwarded to Host C (10.6.6.63:3333)


    Why was the source port re-randomized?

    In the last section, we pointed out that the router selected a new, random source port for the outbound packet. This re-randomizing of the source port is crucial to enabling successful communication through a Dynamic PAT.

    Had the router not re-randomized the source port number, the outbound post-translation packets from Host B and Host C would have looked identical – they both would have had a Source IP of 32.8.2.66 and a Source port of 3333.

    This means the response traffic for both packets from the 28.2.4.6 server would also have looked identical – the Destination IP would have been 32.8.2.66 and the Destination port would have been 3333.

    [Image: Dynamic PAT - If the source ports were not re-randomized by the translation device]

    When the identical packets arrive, the router would have no way of distinguishing which packet should be un-translated to Host B (10.6.6.62) and which should be un-translated to Host C (10.6.6.63). The router would have no choice but to drop both packets.

    This would cause packets to drop anytime two hosts happen to pick the same source port, which happens often enough that no host would be content with the connectivity (or lack thereof) provided through a Dynamic PAT.

    For this reason, it is imperative that the Router ensures every packet sent through a Dynamic PAT uses a unique source port number. This allows the return packets to be distinguishable from one another, and allows the Router to forward the return traffic to the appropriate host.

    Some NAT devices assure unique source ports by re-randomizing the source port for all connections when doing a Dynamic PAT translation. Some NAT devices do this by re-randomizing the source port only when duplicate ports are chosen by the inside hosts.

    Regardless of the method used, so long as each connection’s packets can be identified by both unique IP Address and Port, for both Source and Destination, the response traffic can be successfully un-translated to the appropriate initial host.


    Unidirectional

    As discussed before, a Dynamic PAT allows many internal hosts to share the same public IP address. One of the side effects of multiple hosts sharing a single IP address is that the translation only works in one direction.

    In the example above, Hosts A, B, and C initiated some traffic to external hosts. When the external hosts responded, the Router had entries in its translation table which allowed it to “un-translate” the packets and send them to the appropriate hosts.

    If, however, a new connection is initiated from an external host and destined to the shared IP address, the router has no way of knowing which internal host was the intended target of the packet.

    [Image: Dynamic PAT - Unidirectional Translation]

    Not knowing to whom the packet should be delivered, the Router has no choice but to drop it. As such, a Dynamic PAT only succeeds if the internal host sends the first packet. If the external host sends the first packet, it will be dropped when it reaches the translation device.

    This is what is meant by a Dynamic PAT being a unidirectional translation – traffic will flow through a Dynamic PAT only if the internal host initiates the connection.

    This is in contrast to Static NAT and Static PAT, which are both bi-directional – traffic can be translated whether it was initiated by the external host or the internal host.

    Keep in mind, this is not a “feature” of Dynamic PAT so much as it is a “side effect” of multiple hosts sharing a single IP address. Since it is possible for hosts to pick identical source ports, the router must change the source port during the translation. This means packets arriving from the Internet can only make it back through the Dynamic PAT because of an entry in the translation table, and a packet initiated from an external network would have no such entry.

    If there is a need for certain ports to be accessible through a shared IP address, this can be achieved by using a Static PAT to selectively punch holes through the shared address of a Dynamic PAT.
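The outbound translation, the response un-translation, the re-randomization of colliding source ports, and the drop of an unsolicited inbound packet described above, modelled as one small Python simulator. This is an added example and not code from the article or from Practical Networking; it assumes the translation table is keyed by the translated source port and also records the outside peer, so a reply is only un-translated when it comes back from the peer the inside host contacted. The port iterator is a test hook, not a router feature, and Host A's server address and the unsolicited sender are constructed placeholders.

```python
import random
from typing import Dict, Iterator, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

class DynamicPat:
    """Toy model of the article's Router: table keyed by the translated source
    port, holding the original inside endpoint and the outside peer it contacted."""

    def __init__(self, public_ip: str, port_source: Optional[Iterator[int]] = None):
        self.public_ip = public_ip
        self.table: Dict[int, Tuple[Endpoint, Endpoint]] = {}
        # A real router picks ports at random; the optional iterator (a test hook,
        # not a router feature) lets us reproduce the article's 7777/8888/9999.
        self._ports = port_source or iter(lambda: random.randrange(1024, 65536), None)

    def _unique_port(self) -> int:
        # Draw until the port is unused, so Host B and Host C (both using
        # source port 3333) still get distinct translated ports.
        for port in self._ports:
            if port not in self.table:
                return port
        raise RuntimeError("public port space exhausted")

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Inside -> outside: rewrite the source and record the mapping."""
        port = self._unique_port()
        self.table[port] = (src, dst)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Outside -> inside: un-translate via the table, or None (dropped)."""
        entry = self.table.get(dst[1]) if dst[0] == self.public_ip else None
        if entry is None or entry[1] != src:  # no entry, or not the peer we contacted
            return None
        return entry[0]

def article_example() -> dict:
    """Replay the article's three packets with the router's port picks fixed."""
    router = DynamicPat("32.8.2.66", iter([7777, 8888, 9999]))
    web_a = ("203.0.113.9", 80)  # constructed placeholder for Host A's server
    web_bc = ("28.2.4.6", 80)    # the server Hosts B and C talk to on the page
    flows = [(("10.6.6.61", 2222), web_a), (("10.6.6.62", 3333), web_bc),
             (("10.6.6.63", 3333), web_bc)]
    out = [router.outbound(src, dst) for src, dst in flows]
    replies = [router.inbound(dst, t) for (_, dst), t in zip(flows, out)]
    # A connection initiated from outside has no table entry and is dropped.
    unsolicited = router.inbound(("198.51.100.7", 40000), ("32.8.2.66", 4444))
    return {"out": out, "replies": replies, "unsolicited": unsolicited}
```

With the default random allocator, `outbound` keeps drawing until it finds an unused port, which is the "re-randomize on every connection" strategy the article mentions; the exhaustion error is what a router faces once all ports behind one public address are in use.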

    23 Comments

    Great article and an easy read, always good to brush up on NAT/PAT every once and a while.

    Fantastic piece of work makes NAT very easy to understand

    This is a great article which clearly explains the differences of Dynamic PAT which is unidirectional and Static NAT or PAT which is bidirectional.

    I think that there is something wrong with the image in the “Why was the source port re-randomized” paragraph.
    Up on the right, I see 32.8.2.66:7777 as destination IP-port address where it should have been, as far as I’ve understood, 32.8.2.66:2222 as the hypothetical “wrong” example.
    Anyway, great job Ed. Thank you very much for your clear articles about a difficult subject like this, especially for beginners like I am.
    Luca

    You’re welcome Ed. Keep it up!
    Luca

    Thank you

    Very insightful

    But what if the request from the external host uses (by luck) a port that is in the translation table. The packet would be forwarded to the internal Network right?

    For example, a hacker who is randomly trying every port for my public IP may find one that is in the translation table.

    Great Stuff!!
    NAT is now becoming easy for me to understand after seeing these articles. Thank you so much

    Hello,
    I’ll speak my mind. Practical Networking videos have changed a lot in honing my networking skills. I’m losing words to express how I appreciate your precious effort in sharing your knowledge with us.
    Thanks.

    With your teaching the networking seems to be “piece of cake” to learn.
    Thank you!

    What would happen if the required number of private IPs in the network exceed the number of available ports (65536)? Would new requests be denied or can we start using another public IP (similar to what we do in case of dynamic NAT)?

    Got it. Thanks!

    “If there is a need for certain ports to be accessible through a shared IP address, this can be achieved by using a Static PAT to selectively punch holes through the shared address of a Dynamic PAT.”

    Your last paragraph refers.
    Do you mean that the Static PAT and Dynamic PAT can be combined as a single scheme in a router? Just so that the side effect of Dynamic PAT can be circumvented?