Private Network/Proxy Server routing question

Chronicator

Junior Member
Apr 13, 2013
I have been wondering something about packet routing for a while now. I believe the question can apply to both a LAN and a Proxy server, but clarification is needed.

My question is how does a router know which computer to route incoming packets to, since the public IP address (destination IP in the packet) of the network is the same for all incoming packets?
Say for example two computers are on a private network communicating through port 80. I understand these computers each have a private IP, usually 10.*.*.* or 192.168.*.*, but once the packets leave the router, they now have the same source IP address (that of the network).

The only thing I know that identifies packet source and destination are the source IP, destination IP, source port, and destination port. But both packets will be identical in these categories. So when two response packets from a website with identical information listed above reach your router, how does it know which packet goes to which host?

The same question can be asked about proxy servers. Since everyone using the proxy server will have the same public IP address, how does the proxy differentiate between identical packet header information? This applies to any number of connections, not just the 2 I gave in the example.

Is there more identifying information like a session number in packets that I am missing?

Lithium381

Lifer
May 12, 2001
It is because of NAT, typically.

When you've got a subnet of, let's say, 250 computers on a normal /24 network and you've got one WAN IP, you've got to uniquely identify each session, as you said. All 250 are trying to reach the same web server. When the packets are being prepped to leave the router's external interface, each is assigned a pseudo-random ephemeral port number for the source. The destination port will remain the same because it identifies the service you're attempting to reach (let's call it 80).
When the server you're trying to reach responds, it responds to the same public IP for each connection, but to a different destination port (from the server's perspective). The server uses port 80 as its source port. When the packet comes back, the router looks at the table and translates the packet back to its original IP information.



There is the concept of private/public, global/local IPs.

It's called either source NAT, secure NAT or PAT (port address translation) depending on what vendor you are using, but it's well documented out there. If you have more questions feel free to follow up here.

Chronicator

Junior Member
Apr 13, 2013
Great response, that makes sense now. So technically, is the number of outgoing connections limited by the number of ephemeral or dynamic/private ports? I've found this range to be 49152 through 65535, which means 16383 connections. That is obviously much more than most private networks would need, but does this limitation also apply to all WAN access points, e.g. proxy servers?

Also, beyond port address translation, are there additional pieces of information in the packet header that identify separate "sessions" on one host. Say for example, a computer is connecting to many different websites, or the same website through many tabs, possibly using different browsers, as well as using other internet services. Would each of these services use a different ephemeral port, or what uniquely identifies each connection on a specific host?

Lithium381

Lifer
May 12, 2001
Well, keep in mind that EACH connection uses a port. So if you retrieve an HTML page from one server and it references an image on another server, that's another port. They can add up pretty quickly. Typically they have timeouts that simply expire after XX seconds of inactivity, and those ports are released back into the pool for future use.

Speaking only of HTML 1.1 (not 1.0), the computer can maintain the same TCP connection to the same host for multiple requests, so that helps. I'm not sure how browsers treat different tabs. For HTTP specifically there are session IDs, cookies, and other identifying information that can be used in addition to the port number. (HTTP operates at a higher level of the OSI model.)

imagoon

Diamond Member
Feb 19, 2003
Mozilla tries to use HTTP 1.1 if it can, one session to all hosts loaded on the page. So if you loaded 100 tabs, with 10 destinations in each for, say, ads / Java, and they all fired off at once, you would open at least 1000 connections. However, the connections don't only time out: if the HTTP server tears down the TCP connection, most NAT routers immediately return that entry to the pool. Dealing with server response times and CPU time for processing the pages and the like, you may never actually hit 1000 open connections, since some are being closed as others are being opened. (Assuming one computer here.)

One of the reasons BitTorrent can be so devastating to a NAT device is because it will try to open large numbers of sessions, but the hosts on the other end may never reply, leaving the NAT entries in the table until they time out. Older / cheaper routers may simply not have enough RAM to store a table of more than a few hundred to a few thousand entries. Some are so poorly programmed they just crash when the table is full and nothing can be added, etc.
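The mechanism described in this thread, as an added worked example that is not code from any of the posters: a toy PAT (source NAT) table that translates outbound packets to a per-connection public port, maps replies back to the right private host, releases an entry immediately on connection teardown, and otherwise holds unanswered entries until an idle sweep, which is the BitTorrent failure mode discussed above. The public/private addresses, the 49152-65535 port range, the 300-second idle timeout, the `max_entries` cap and the deterministic lowest-free-port choice are assumptions for illustration; real routers randomise port selection and differ in all of these.

```python
"""Toy model of port address translation (PAT / source NAT) on a home router.

Constructed example for illustration; addresses, timeouts and table size are
assumptions, and a real router picks public ports pseudo-randomly.
"""
from dataclasses import dataclass

EPHEMERAL_RANGE = range(49152, 65536)   # assumed dynamic/ephemeral port range
IDLE_TIMEOUT = 300                       # assumed idle expiry, in seconds


@dataclass
class Entry:
    private_ip: str
    private_port: int
    remote_ip: str
    remote_port: int
    public_port: int
    last_seen: float
    replied: bool = False                # did the remote side ever answer?


class PatTable:
    def __init__(self, public_ip, max_entries=4096):
        self.public_ip = public_ip
        self.max_entries = max_entries   # models a small router's RAM budget
        self.by_public_port = {}         # public_port -> Entry (inbound lookup)
        self.by_private = {}             # (priv_ip, priv_port, rem_ip, rem_port) -> Entry
        self.free_ports = set(EPHEMERAL_RANGE)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Translate a packet leaving the LAN; returns the header the server sees."""
        key = (src_ip, src_port, dst_ip, dst_port)
        entry = self.by_private.get(key)
        if entry is None:
            if len(self.by_public_port) >= self.max_entries or not self.free_ports:
                raise RuntimeError("NAT table full: no free ephemeral port")
            public_port = min(self.free_ports)   # deterministic here for readability
            self.free_ports.remove(public_port)
            entry = Entry(src_ip, src_port, dst_ip, dst_port, public_port, now)
            self.by_private[key] = entry
            self.by_public_port[public_port] = entry
        entry.last_seen = now
        return (self.public_ip, entry.public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port, now):
        """Translate a reply arriving on the WAN side; returns the private header or None."""
        entry = self.by_public_port.get(dst_port)
        # The destination port alone selects the entry; the remote endpoint is also
        # checked so an unrelated host cannot inject into someone else's mapping.
        if entry is None or (entry.remote_ip, entry.remote_port) != (src_ip, src_port):
            return None                  # unsolicited packet: dropped
        entry.last_seen = now
        entry.replied = True
        return (src_ip, src_port, entry.private_ip, entry.private_port)

    def _drop(self, entry):
        del self.by_public_port[entry.public_port]
        del self.by_private[(entry.private_ip, entry.private_port,
                             entry.remote_ip, entry.remote_port)]
        self.free_ports.add(entry.public_port)

    def close(self, src_ip, src_port, dst_ip, dst_port):
        """Connection torn down (FIN/RST seen): release the port immediately."""
        entry = self.by_private.get((src_ip, src_port, dst_ip, dst_port))
        if entry is None:
            return False
        self._drop(entry)
        return True

    def expire(self, now, idle_timeout=IDLE_TIMEOUT):
        """Idle-timeout sweep; returns how many entries were released."""
        stale = [e for e in self.by_public_port.values() if now - e.last_seen > idle_timeout]
        for e in stale:
            self._drop(e)
        return len(stale)


def demo():
    """Two LAN hosts using the same source port toward the same server, then a burst
    of unanswered peer connections that fills a deliberately tiny table."""
    nat = PatTable("203.0.113.7", max_entries=3)
    a = nat.outbound("192.168.1.10", 40000, "198.51.100.5", 80, now=0)
    b = nat.outbound("192.168.1.11", 40000, "198.51.100.5", 80, now=0)
    # Replies differ only in destination port, and that is enough to demultiplex.
    back_a = nat.inbound("198.51.100.5", 80, a[1], now=1)
    back_b = nat.inbound("198.51.100.5", 80, b[1], now=1)
    stray = nat.inbound("198.51.100.5", 80, 49154, now=1)   # no mapping: dropped
    nat.outbound("192.168.1.12", 6881, "192.0.2.44", 51413, now=2)   # peer never replies
    try:
        nat.outbound("192.168.1.12", 6881, "192.0.2.45", 51413, now=2)
        fourth = "accepted"
    except RuntimeError:
        fourth = "table full"
    closed = nat.close("192.168.1.10", 40000, "198.51.100.5", 80)   # server sent FIN
    released_early = nat.expire(now=100)   # nothing idle long enough yet
    released_late = nat.expire(now=400)    # host B's and the dead peer's entries go
    return {"a": a, "b": b, "back_a": back_a, "back_b": back_b, "stray": stray,
            "fourth": fourth, "closed": closed, "released_early": released_early,
            "released_late": released_late, "free": len(nat.free_ports)}
```

With `max_entries=3`, the third outbound mapping to a peer that never answers is enough to make the fourth fail, which is the cheap-router scenario in miniature; raising the cap or lowering the idle timeout changes how long that condition lasts, but only a teardown seen by the router or the sweep ever returns the port.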