Most home routers use a special-case of NAT called PAT.
You'll also see it referred to as NAPT, or IP Masquerading. All three of the latter terms mean the same thing in general use. (The acronyms - Network Address Translation / Port Address Translation / Network Address Port Translation)
When the packet goes out from your internal machine, the source address is rewritten as you are aware. The source port is also changed, usually to a high number, and the router keeps an address translation table.
For example, let's say you have a client machine that goes to www.google.com. Your computer (e.g., 192.168.1.100) looks that address up and makes a TCP connection to 72.14.204.147 on port 80 from your internal IP address, using a random source port.
To your computer, the connection looks like this:
192.168.1.100:37641 <--> 72.14.204.147:80
Your computer sends the packet to the router, which picks a new random high port and rewrites the packet. Each outbound connection gets its own port on the router. The router then forwards the packet on to your ISP after adding it to its connection table:
PrivateIP      PrivatePort  PublicIP    PublicPort  Remote         RemotePort
-------------  -----------  ----------  ----------  -------------  ----------
192.168.1.100  37641        *10.6.23.5  59273       72.14.204.147  80
*For example purposes, I used an address starting with 10, but these aren't publicly routable. The table is also somewhat oversimplified.
To google, the connection looks like this:
10.6.23.5:59273 <--> 72.14.204.147:80
Google will send its response to 10.6.23.5 on port 59273. Your router then looks up that information in the table and forwards the packet on to 192.168.1.100:37641.
So to summarize, the Router uses port numbers to remember what from the outside the local network goes to what on the inside of the network. However, this doesn't explain how it (www.google.com) would find me if I didn't send it an initial request. In other words, messages can only reach me via the router if I initially sent a request through the router – CodyBugstein – 2014-06-26T15:15:33.710
AFAIK, NAPT and PAT and IP Masquerading are the same colloquially and technically. And they are cases of NAT. With NAT there is traditional NAT, basic NAT and NAPT (https://www.rfc-editor.org/rfc/rfc2663.txt). – barlop – 2014-06-26T16:25:05.663
@Imray google.com (or anything else on the Internet) can't find your computer if your computer didn't initiate the request. This is why having a router adds a lot of security. – Jason – 2014-07-22T18:27:47.647
@Jason That's a dangerous myth. Having a firewall adds security. The job of a typical SoHo router is just to make things work, not to stop things from working. See here for more information. – David Schwartz – 2014-07-22T18:38:29.810
@David Schwartz I read your link, the comments, and the chat. While educational, it's not really helpful in practice or in the context of this question. As you said yourself, home/SOHO routers don't purely use NAT. So again, if you have a router, the internet won't be initiating requests with your PC. – Jason – 2014-07-23T18:24:57.697
@Jason That "having a router adds a lot of security" is a dangerous myth, though it might happen to be true sometimes. And, in fact, your specific claim ("can't find your computer if your computer didn't initiate the request") is flat out false -- permissive NAT is quite common in SoHo routers because it makes a lot more things 'just work'. – David Schwartz – 2014-07-23T18:29:37.317
@Jason Better not to delete your comment, it makes what would've been a worthwhile discussion to read, not possible to read. – barlop – 2014-12-11T15:42:36.773
Nice example, but does this mean all high number ports are always open on our routers? – jiggunjer – 2015-02-15T15:15:08.037
No. Often, the NAT feature is more a function of the firewall code within the router than the regular networking functionality. The port won't be in a LISTEN state or accept new connections, but once the mapping is there, it may or may not allow other inbound packets to use that mapping; newer systems will usually only allow packets in from the actual system you initiated the connection to. A few exceptions to that rule: 1) Special handling to support FTP connections will open ports; 2) UPnP devices may request an inbound port; 3) You manually configured port forwarding for a given protocol. – Paul – 2015-02-16T22:40:57.570
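A small model of the translation table from the answer above, together with the inbound filtering Paul describes in his comment, as an added example that is not code from the original post or from any real router. It assumes a single public address (203.0.113.5, a constructed documentation address standing in for the 10.6.23.5 in the answer), a fixed pool of high ports, and a "restricted" policy that only admits inbound packets from the peer the mapping was created for.

```python
import random


class Pat:
    """Hypothetical PAT (NAPT) model: one public IP, a pool of high ports,
    and address/port-restricted filtering of inbound packets."""

    def __init__(self, public_ip, port_range=(49152, 65535), seed=0):
        self.public_ip = public_ip
        self.low, self.high = port_range
        self.rng = random.Random(seed)  # seeded so runs are repeatable
        # public_port -> (private_ip, private_port, remote_ip, remote_port)
        self.table = {}
        # reverse index so a repeated outbound packet reuses its mapping
        self.by_flow = {}

    def _new_port(self):
        free = [p for p in range(self.low, self.high + 1) if p not in self.table]
        if not free:
            raise RuntimeError("port exhaustion: no free public ports")
        return self.rng.choice(free)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet; returns the translated 4-tuple."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        pub = self.by_flow.get(flow)
        if pub is None:  # first packet of this connection: allocate a port
            pub = self._new_port()
            self.table[pub] = flow
            self.by_flow[flow] = pub
        return (self.public_ip, pub, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Look up a reply; returns the un-translated 4-tuple or None if dropped."""
        if dst_ip != self.public_ip or dst_port not in self.table:
            return None  # no mapping: unsolicited packet, dropped
        priv_ip, priv_port, rem_ip, rem_port = self.table[dst_port]
        if (src_ip, src_port) != (rem_ip, rem_port):
            return None  # mapping exists but the peer differs: dropped
        return (src_ip, src_port, priv_ip, priv_port)

    def expire(self, public_port):
        """Release a mapping (session torn down or timer expired)."""
        flow = self.table.pop(public_port)
        del self.by_flow[flow]


if __name__ == "__main__":
    nat = Pat("203.0.113.5")
    print(nat.outbound("192.168.1.100", 37641, "72.14.204.147", 80))
```

Shrinking `port_range` to a couple of ports makes the exhaustion case from the later comments reproducible on the third connection.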
Just to add to the subject: since you can't predict which public port the router will generate, you can't communicate peer to peer even if the remote (a friend) informs you of his public IP. That's why most routers have "port forwarding" configurations. It assures to keep packets sent through these configured ports unchanged, and thus, knowing the port you can have a P2P connection. Handy if you want a P2P app without needing a server for NAT punch through. – Icebone1000 – 2017-04-06T02:38:00.120
Wouldn't it be possible to have all devices given the same IP address? Anyhow the important thing is the port, right? I mean, the router knows the MAC address of the devices anyhow... – Pablito – 2017-04-17T19:32:22.003
Nice explanation. What I don't understand is: why does the router generate a new PublicPort instead of using the PrivatePort? @Paul – gedamial – 2018-05-11T18:57:14.077
@gedamial -- Technically there's no reason PublicPort and PrivatePort have to be different, as long as that port number is only needed for one internal system at a time. In practice, there's little advantage to doing so for normal traffic. And it's likely to be simpler for the NAT implementation to just pick a random unused port rather than having to address collisions (two systems with the same port number) specially when they occur. Most outbound connections behind PAT will be using random high ports (ephemeral ports) anyway, so you don't gain much in terms of predictability. – Paul – 2018-09-03T05:30:42.513
So, every request made selects a new port? Is this true, because there are only 64k ports available for use, which tells me that I can only make 64k requests from my computer – swayamraina – 2018-11-02T18:02:34.153
@swayamraina - What you are referring to is called "port exhaustion" and yes, it's possible. In practice it's only likely to be an issue if you're making unusually large numbers of outbound connections or masking large networks behind a single external IP address. Exact behaviour will be implementation-dependent, but in general as connection timers expire or TCP sessions are torn down, ports will be released and can be reused for different outbound connections. – Paul – 2018-11-26T17:17:05.190
@Paul - how would large organisations typically handle port exhaustion? I'm assuming using multiple public IPs, but can you give me some references on how it's done? Particularly dev companies, where employees working on web development might each use a large number of ports for testing (for example testing a large number of socket connections on their dev machine). – Shishir Gupta – 2019-11-11T03:39:03.840