Back to posts.

NAT Types

When you're diving into peer-to-peer communication you'll most likely stumble upon STUN, ICE and NAT. I'm not diving into STUN and ICE in this article as they build upon some knowledge that I explain in this article. Below I'll explain on a high level how NAT works and the things you need to be aware of if you want to know more about peer-to-peer connections work. Note that I might leave out some details and simplify certain things. When you want to know more, you can have a look at some of the relevant RFCs.

What is a NAT

Before you continue, I assume you know about IP addresses and PORTs and that the PCs in your house have their own local range of IP addresses which are not share outside your router with the public Internet. A NAT is a device that is used to translate packets to and from your network with other networks. It's part of what makes the Internet the Internet.

At home you'll probably have router which functions as a NAT: Network Address Translation. Your router which also functions as a NAT will map internal addresses and ports to external ones. When a packet arrives from the Internet to your NAT, the NAT uses a table that maps the external extIP:extPORT to the intIP:intPORT of the PC in your network that requested the packet.

Types of NATs

Before diving into the different types of NATs it might give you a better understanding of NATs when you think about it like this: all these NAT types are related to how an external IP:PORT can send data to a PC behind a NAT. In most of these cases the NAT will check if the internal PC (behind the NAT) has already sent data to the external one. Based on this fact, the NAT will forward data to the internal PC where each different NAT type has different rules about how restrictive it is. E.g. some NAT types will reject incoming packets when the internal PC did not sent a packet to the external one.

There are generally four types of NAT which I'll describe in more detail below. The different types of NATs which I'll describe are:

  • Full Cone NAT
  • Address Restricted Cone NAT
  • Port Restricted Cone NAT
  • Symmetric NAT

Did the local PC already sent packets to the external one?

The above types of NATs will check if mapping has been created already to determine how to deal with packets that the NAT receives from the Internet. The image below shows a packet which is sent from a local PC from a socket with an IP address locIp and port number locPort to remote server on remIp:remPort.

Sending packets to a remote PC Image 1. The Local PC sends data to the remote PC port 5100, creating an address mapping.

Full Cone NAT

I think the Full Cone NAT is the most simple one to understand as it's similar to something you've dealt with in the past. Maybe this is something that you've done before: creating a port forwarding rule for an internal service. In your router or NAT you've configured that when someone sends a request to port 80 of your NAT/router IP address, that it will be forwarded to a local IP and PORT. When you've created such a rule, you've configured a (static) rule for a Full Cone NAT. With Full Cone NAT devices, these rules are created automatically.

Ever created a port forwarding rule?
Nice, then you already know what a Full Cone NAT is.

In the image below you can see that any external host can sent a message to the IP:PORT of your NAT and that the NAT will forward it to the local PC. As long as an port fowarding rule exists this will work and is called a Full Cone NAT.

In this particular case, the NAT device will not check if the local PC already sent a message to the remote PC. The following NAT types, Address Restricted NAT and Port Restricted NAT will check if the local PC already sent a packet to the remote PC or not.

Image 2. With Full Cone NAT, the device allows traffic from any remote host

Address Restricted Cone NAT

While the Full Cone NAT is the most basic and well known NAT type, there are other types which are often used but which are less well known. I'm sure that you've created a static port fowarding rule yourself (i.e. Full Cone NAT rule). These other types are less known because they often apply to rules that are created automatically by your NAT device. This is also the case for the type I'll explain here: Address Restricted Cone NAT.

The Address Restricted Cone NAT will allow traffic from a remote PC only when the local PC has previously sent data to this remote PC. This is demonstrated in the image below. In this case we assume that the local PC has sent data to the remIP:5100 port as shown in image 2.

Image 3. The Address Restricted Cone NAT allows traffic only when the local PC has previously sent data to the Remote PC

Port Restricted Cone NAT

Like every article on NAT types, I'll tell you the same: the Port Restricted Cone NAT is similar to the Address Restricted Cone NAT but adds another restriction. And also this NAT type also depends whether we've already sent a packet to the 1remote host as shown in image 1. This NAT type also adds a check to the PORT number that is used. When you look at image 1 again, you see that the local PC sends a packet to the remote IP on port 5100, i.e. remIp:5100. By sending this package the NAT creates an mapping from locIp:locPort to remIp:1500. With a Port Restricted rule the remote PC can only send data to the local PC when it sends them from remIp:1500.

Image 4. Port Restricted Cone Nat: the local PC can only receive data from remote IP:PORT when it previously sent a packet to remote IP:Port

Symmetric NAT

The Symmetric NAT is the most restrictive type of the NAT types described in this article. A Symmetric NAT will create a 1:1 mapping for each locIP:locPORT to remIP:remPort that is created. This means that when the local PC connects to a remote PC on port A and B, it will create two mappings. The RFC3489 describes this very well:

A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.