If several computers with local addresses (192.168.0.#) are connected to a router and each computer opens a web browser and requests a page over HTTP, when these TCP:80 packets are sent out, the router switches the local address with the static IP of the router (i.e. Provider given IP) so the server can reply to the appropriate address.
But how does the router know to which computer to forward the HTTP reply, since the TCP header does not contain the local IP address (does it?), and all computers are using port 80?
Does this have anything to do with the MAC addresses?
How exactly does this work?
Most home routers use a special-case of NAT called PAT.
You’ll also see it referred to as NAPT, or IP Masquerading. All three of the latter terms mean the same thing in general use. (The acronyms – Network Address Translation / Port Address Translation / Network Address Port Translation)
When the packet goes out from your internal machine, the source address is rewritten as you are aware. The source port is also changed, usually to a high number, and the router keeps an address translation table.
For example, let’s say you have a client machine that goes to www.google.com. Your computer (e.g., 192.168.1.100) looks that address up and makes a TCP connection to 18.104.22.168 on port 80 from your internal IP address, using a random source port.
To your computer, the connection looks like this:
192.168.1.100:37641 <--> 22.214.171.124:80
Your computer sends the packet to the router, which picks a new random high port and rewrites the packet. Each outbound connection gets its own port on the router. The router then forwards the packet on to your ISP after adding it to its connection table:
PrivateIP      PrivatePort  PublicIP     PublicPort  Remote          RemotePort
-------------  -----------  -----------  ----------  --------------  ----------
192.168.1.100  37641        *10.6.23.5   59273       126.96.36.199   80
*For example purposes, I used an address starting with 10, but these aren’t publicly routable. The table is also somewhat oversimplified.
To google, the connection looks like this:
10.6.23.5:59273 <--> 188.8.131.52:80
Google will send its response to 10.6.23.5 on port 59273. Your router then looks up that information in the table and forwards the packet on to 192.168.1.100:37641.
The routers between the local network and the rest of the internet use a technique called NAT.
Just an excerpt from TCP/IP Illustrated Volume 1 about NAPT, with a word about the shortcomings of its simple cousin, Basic NAT:
Basic NAT performs rewriting of IP addresses only. In essence, a private address is rewritten to be a public address, often from a pool or range of public addresses supplied by an ISP. This type of NAT is not the most popular because it does not help to dramatically reduce the need for IP addresses—the number of globally routable addresses must equal or exceed the number of internal hosts that wish to access the Internet simultaneously. A much more popular approach, NAPT involves using the transport-layer identifiers (i.e., ports for TCP and UDP, query identifiers for ICMP) to differentiate which host on the private side of the NAT is associated with a particular packet (see Figure 7-4). This allows a large number of internal hosts (i.e., multiple thousands) to access the Internet simultaneously using a limited number of public addresses, often only a single one. We shall ordinarily use the term NAT to include both traditional NAT and NAPT unless the distinction is important in a particular context.
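The following is an added example, not code from either answer or from TCP/IP Illustrated. It models the translation table from the first answer (outbound rewrite of source address and port, inbound lookup by public port, and the drop of an inbound packet that matches no entry) and, beside it, the Basic NAT behaviour the excerpt above describes, where a pool of public addresses runs out once more internal hosts than addresses try to go out at once. All addresses are constructed: 192.168.1.0/24 is the private side, and 203.0.113.0/24 (the RFC 5737 documentation range) stands in for the router's public address and the remote web server. Ports are handed out sequentially rather than randomly so the result is predictable.

```python
"""Toy NAPT (PAT) translator and a Basic NAT pool, side by side.

Constructed example; not a real router's implementation.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    """The four header fields a NAT cares about (IP + TCP/UDP)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """NAPT with a single public address; connections are told apart by public port."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        # Sequential instead of random, so the example is deterministic (assumption).
        self._ports = itertools.count(first_port)
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.table = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.reverse = {}

    def outbound(self, pkt):
        """Rewrite source address and port; allocate a table entry on first sight."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            pub_port = next(self._ports)
            self.table[key] = pub_port
            self.reverse[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the packet rewritten for the internal host, or None to drop it.

        Only packets matching an existing entry get through, which is why an
        unsolicited inbound connection never reaches a host behind NAPT.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        match = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if match is None:
            return None
        priv_ip, priv_port = match
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


class BasicNat:
    """Basic NAT: rewrites addresses only, one public address per internal host."""

    def __init__(self, pool):
        self.free = list(pool)
        self.binding = {}  # private_ip -> public_ip

    def outbound(self, pkt):
        """Bind the host to a public address, or return None when the pool is empty."""
        if pkt.src_ip not in self.binding:
            if not self.free:
                return None  # pool exhausted: this host cannot go out right now
            self.binding[pkt.src_ip] = self.free.pop(0)
        # Ports are left untouched; only the address changes.
        return Packet(self.binding[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)


def demo():
    """Three hosts, all using the same source port, each fetching a page on port 80."""
    web_ip, web_port = "203.0.113.80", 80  # constructed web server address
    hosts = [Packet(f"192.168.1.{100 + i}", 37641, web_ip, web_port) for i in range(3)]

    napt = Napt("203.0.113.5")  # constructed public address of the router
    napt_out = [napt.outbound(p) for p in hosts]
    # The server replies to the router's public address and the port it saw.
    reply = Packet(web_ip, web_port, napt.public_ip, napt_out[0].src_port)
    reply_in = napt.inbound(reply)
    # A packet to a public port with no table entry is dropped.
    stray_in = napt.inbound(Packet(web_ip, web_port, napt.public_ip, 12345))

    basic = BasicNat(["203.0.113.5", "203.0.113.6"])  # pool of two addresses
    basic_out = [basic.outbound(p) for p in hosts]

    return {"napt_out": napt_out, "reply_in": reply_in,
            "stray_in": stray_in, "basic_out": basic_out}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the NAPT case all three hosts leave the router as 203.0.113.5 and differ only in public port, which is exactly the field the router uses to route the reply back to 192.168.1.100:37641; in the Basic NAT case the third host gets no translation at all because the two-address pool is already bound.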