SourceNAT
tags: learning networking
content
- NAT: modifying IP packets while forwarding
- SourceNAT: changing source ip address while forwarding ip packets
why:
-
so that a machine without a public ip address can send ip request to public internet
-
if there’s no SourceNAT, servers in the public internet wouldn’t know where to send back the response
-
SNAT can be used for both going out of a private network or coming into a private network, see below drawing
-
going into a private network is exactly tailscale subnet router, it’s also known as ip masquerading in firewall config
SourceNAT.excalidraw
⚠ Switch to EXCALIDRAW VIEW in the MORE OPTIONS menu of this document. ⚠ You can decompress Drawing data with the command palette: ‘Decompress current Excalidraw file’. For more info check in plugin settings under ‘Saving’
Excalidraw Data
Text Elements
private network
router 10.0.0.5 123.12.1.12
client 10.0.0.6 no public ip
server 156.16.12.3
source ip: 10.0.0.6
destination ip: 156.16.12.3
source ip: 123.12.1.12
destination ip: 156.16.12.3
public internet
with SNAT, the server knows where to send back the response, because 123.12.1.12 is accessible in the public internet otherwise, server be like “who tf is 10.0.0.6”
another machine with ip 10.0.0.6 in server’s private network
private network
subnet router pri ip 10.0.0.5 pub ip 123.12.1.12 tailnet ip 100.100.100.1
client private ip 10.0.0.6 tailnet ip 100.100.100.2
server pub ip 156.16.12.3 pri ip, i don’t care here tailnet ip 100.100.100.3
source ip: 156.16.12.3
destination ip: 10.0.0.6
source ip: 156.16.12.3
destination ip: 10.0.0.6
public internet
another machine with ip 10.0.0.6 in server’s private network
client’s route table says “if dest ip is not 10.0.0.0/8, send to 10.0.0.5”. that’s why the dest ip is 156.16.12.3 but client sends the ip packet to router
packets with dest IP 10.0.0.6 will be sent within tailnet first
Link to original