
Tutorial How the Internet (IPv4) works ... a simplistic overview

The Internet enables computers and devices to talk to each other across the world. To do this requires each device to be uniquely identifiable.

On the local network

Any device with a WiFi or LAN interface will have a unique MAC address that is hardcoded to each interface. The MAC address enables devices on the local network to identify each other but provides no way for devices from outside to access them.

With the Internet

The Internet Protocol (IPv4) uses IP addresses to identify each interface of a device (e.g. an iPhone can have WiFi and mobile data interfaces active). To manage communications between the local network and outside there needs to be a router device. The router holds tables that say where to send IP data packets that other devices send to it; each local device is configured to send non-local packets to the router. Therefore, the router bridges the external and internal networks.

Because the Internet is broken into lots of 'local networks', connecting successfully across the Internet requires many routers that pass traffic upwards until it reaches a router that controls access down to the destination device.

Limits of IPv4

There are two limitations on IPv4:
  1. IPv4 is limited to about 4 billion (2^32) addresses, and that supply was used up years ago.
  2. There is no built-in security to control which devices may communicate with each other.
To fix this, most end-user networks use IP addresses that have been excluded from Internet routing, see RFC 1918: 10.0.0.0 - 10.255.255.255; 192.168.0.0 - 192.168.255.255; 172.16.0.0 - 172.31.255.255.
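As an added example (not part of the original tutorial, and not Synology code), here is a small Python helper that checks whether an IPv4 address falls inside the three RFC 1918 ranges listed above, and so whether a device using it will need NAT to reach the Internet. It goes a little beyond the tutorial by also labelling loopback, link-local and other special-use addresses, because those are the cases that confuse newcomers in practice; the function names and the sample addresses in the comments are my own choices.

```python
import ipaddress

# The three RFC 1918 blocks named in the tutorial, written as CIDR prefixes.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False
    return any(ip in net for net in RFC1918_NETWORKS)


def classify(addr: str) -> str:
    """Label an address for the decision the tutorial describes: does this
    device need the router to NAT for it, or is it directly Internet routable?"""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "not IPv4"
    if is_rfc1918(addr):
        return "RFC 1918 private: needs NAT to reach the Internet"
    if ip.is_loopback:
        return "loopback (127.0.0.0/8): never leaves the device"
    if ip.is_link_local:
        return "link-local (169.254.0.0/16): local segment only, not RFC 1918"
    if ip.is_global:
        return "public: Internet routable"
    # Everything else is reserved or special-use. One common surprise here is
    # 100.64.0.0/10, the carrier-grade NAT range: it is not RFC 1918, but an ISP
    # that hands it out is doing NAT on your behalf, so inbound port forwarding
    # on your own router will not be reachable from the Internet.
    return "reserved or special-use: not routable on the Internet"


if __name__ == "__main__":
    # Constructed sample addresses covering each branch above.
    for sample in ("192.168.1.101", "172.31.255.255", "172.32.0.1",
                   "127.0.0.1", "169.254.10.20", "100.64.0.1", "8.8.8.8"):
        print(f"{sample:>16}  {classify(sample)}")
```

Note the 172.x boundary: 172.31.255.255 is private but 172.32.0.1 is not, which is why the /12 prefix matters more than the "172." at the start.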

The router will have an Internet routable IP address and will still bridge the external and internal networks. But now the router hides all the outbound traffic from local devices behind its own Internet IP address. When the reply traffic comes back, the router remembers which local device started the conversation and translates the traffic back to that device's non-routable address. This is called Network Address Translation, or NAT.

There are millions, if not billions, of devices that use these RFC 1918 addresses and rely on NAT to make them accessible to the Internet.

Add a few rules for controlling what external/internal traffic is allowed and the router becomes a firewall. Now the local devices have some protection from unwanted access.

Hosting web service using IP Ports

The IPv4 specification also defines that each IP address can listen for incoming traffic on 2^16 ports (0-65535). For example, this lets a device run a web server; the standard ports are 80 for HTTP and 443 for HTTPS. Many Internet and Web services use standard ports, but there are many other assignments too, and it is not necessary to adhere to them.

If the device running the web server has an Internet routable address then it just needs firewall rules to allow Internet devices to access it. But if the web server device has an RFC 1918 address then we need to configure the router/firewall to do NAT on the address and also the port. This means that the router cannot have any service of its own on that port and also only one local device can be Internet accessible on that port.

What does this really mean? You have two web servers (192.168.1.101 and 192.168.1.102), both listening locally on their own standard port of 80 for HTTP. You want both to be accessible from the Internet, but your firewall/router has only one IP address on the Internet. The problem is that port 80 can only be NAT'ed to web server .101 or .102, not both. You need to assign a non-standard port for one of them. So you could configure:
  • router port 80 -> web server .101 port 80
  • router port 81 -> web server .102 port 80
Provided port 81 isn't being used by the router already.
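To make two things above concrete, the NAT description (the router swapping a local source address for its own and remembering the mapping so replies find their way back) and the two-web-server port forwarding just listed, here is a small Python model of a router's NAT table. This is an added example written for this page, not Synology's code and not from the original post. The addresses are constructed documentation addresses (203.0.113.7 as the router's public address, 198.51.100.x for Internet hosts, 192.168.1.x for the LAN), and the class and method names, the starting NAT port of 40000, and the idea of listing the router's own service ports are all my own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class NatRouter:
    """Toy model of a home router with one public address:
    - outbound: source NAT, local (ip, port) becomes (public_ip, nat_port)
    - inbound: replies to known flows are translated back; explicitly
      forwarded ports go to the configured LAN device; anything else is
      dropped, which is the 'firewall' behaviour the tutorial mentions."""

    def __init__(self, public_ip: str, own_ports: Iterable[int] = (),
                 first_nat_port: int = 40000):
        self.public_ip = public_ip
        self.own_ports = set(own_ports)        # ports the router itself listens on
        self.next_port = first_nat_port        # next free port for outbound NAT
        self.snat: Dict[Tuple[int, Endpoint], Endpoint] = {}     # (nat_port, remote) -> local
        self.snat_rev: Dict[Tuple[Endpoint, Endpoint], int] = {} # (local, remote) -> nat_port
        self.forwards: Dict[int, Endpoint] = {}                  # public port -> LAN target

    def add_forward(self, public_port: int, target: Endpoint) -> None:
        """Port forwarding rule. One public port can only go to one LAN device,
        and the router cannot give away a port it uses for its own services."""
        if public_port in self.own_ports:
            raise ValueError(f"router port {public_port} is used by the router itself")
        if public_port in self.forwards:
            raise ValueError(f"router port {public_port} is already forwarded "
                             f"to {self.forwards[public_port]}")
        self.forwards[public_port] = target

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: hide the private source behind the public address."""
        key = (pkt.src, pkt.dst)
        port = self.snat_rev.get(key)
        if port is None:                       # first packet of this flow: allocate
            port = self.next_port
            self.next_port += 1
            self.snat_rev[key] = port
            self.snat[(port, pkt.dst)] = pkt.src
        return Packet(src=(self.public_ip, port), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> router: translate back, forward, or drop (None)."""
        if pkt.dst[0] != self.public_ip:
            return None
        public_port = pkt.dst[1]
        local = self.snat.get((public_port, pkt.src))
        if local is not None:                  # reply to a flow a LAN device opened
            return Packet(src=pkt.src, dst=local)
        target = self.forwards.get(public_port)
        if target is not None:                 # explicit port forward
            return Packet(src=pkt.src, dst=target)
        return None                            # unsolicited: dropped


if __name__ == "__main__":
    r = NatRouter("203.0.113.7", own_ports={5000})   # 5000: a constructed router admin port
    r.add_forward(80, ("192.168.1.101", 80))
    r.add_forward(81, ("192.168.1.102", 80))
    out = r.outbound(Packet(("192.168.1.50", 51000), ("198.51.100.20", 443)))
    print("outbound as seen on the Internet:", out)
    print("reply delivered to:", r.inbound(Packet(("198.51.100.20", 443), out.src)))
    print("visitor to port 81 reaches:", r.inbound(Packet(("198.51.100.99", 50002), ("203.0.113.7", 81))))
    print("visitor to port 22 gets:", r.inbound(Packet(("198.51.100.99", 50003), ("203.0.113.7", 22))))
```

Running it shows the same thing the tutorial says in words: the outbound packet leaves with the router's address, the reply is mapped back to 192.168.1.50:51000, port 81 lands on .102, and a packet to a port with no rule and no state is simply dropped. Trying `add_forward(80, ...)` a second time raises, which is the "only one local device per port" limit.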

This will work, but there is a potential issue for web server .102: corporate firewalls usually restrict outbound access to a few selected, known port numbers (standard HTTP and HTTPS etc.). Port 81 may not be allowed by the corporate firewall. So instead you configure:
  • router port 21 -> web server .102 port 80
Port 21 is the standard port for FTP, and may be allowed through the corporate firewall ... and you wouldn't be running an FTP server (because it's not secure!). This may work, but newer corporate firewalls can inspect traffic to make sure that it really is the right type for the port number: they will only allow FTP traffic on port 21 and can spot when the port is being used for something else.


However, using non-standard ports does serve a useful purpose. Many attacks start with scanning for open (listening) ports, and the standard ports are checked first. Using non-standard ports above 1024 adds time to these scans, so such ports are more likely to be skipped.

Given these limitations on ports, decide which services really need to be Internet accessible: do you need two web servers? Which one is more important to have on the standard ports?

There are other ways to resolve the web server ports issues, such as having the port 80/443 web server redirect web requests for specific URLs to the second web server. This is how the Synology NAS does it with its Reverse Proxy feature.
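The routing decision a reverse proxy makes is easy to show in code. Below is an added example, not Synology's Reverse Proxy implementation and not from the original post: a Python function that, given the hostname and path a visitor asked for, picks which LAN web server should answer. It matches the hostname exactly and then takes the longest matching path prefix, so one public port 80/443 can front several internal servers. The hostnames, backend addresses and rule fields are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProxyRule:
    host: str           # hostname the visitor used (the HTTP Host header)
    path_prefix: str    # URL prefix to match; "/" means everything on that host
    backend: str        # LAN server that should answer, e.g. "http://192.168.1.102:80"
    strip_prefix: bool = False  # drop the prefix before passing the path on


def _prefix_matches(prefix: str, path: str) -> bool:
    # "/photos" must match "/photos" and "/photos/x" but not "/photosx".
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def select_backend(host: str, path: str,
                   rules: List[ProxyRule]) -> Optional[Tuple[str, str]]:
    """Return (backend, path_to_send) for a request, or None if no rule matches.

    Returning None for an unknown hostname is deliberate: a proxy that falls
    back to 'the first server' exposes that server under any name a visitor
    (or a scanner) cares to send, so unmatched requests should get a 404."""
    host = host.split(":", 1)[0].lower()     # ignore any ":port" in the Host header
    best: Optional[Tuple[str, ProxyRule]] = None
    for rule in rules:
        if rule.host.lower() != host:
            continue
        prefix = rule.path_prefix.rstrip("/") or "/"
        if not _prefix_matches(prefix, path):
            continue
        if best is None or len(prefix) > len(best[0]):
            best = (prefix, rule)             # longest prefix wins
    if best is None:
        return None
    prefix, rule = best
    new_path = path
    if rule.strip_prefix and prefix != "/":
        new_path = path[len(prefix):] or "/"
    return rule.backend, new_path


# Constructed rule set: two LAN web servers behind one public address.
RULES = [
    ProxyRule("nas.example.com", "/", "http://192.168.1.101:80"),
    ProxyRule("nas.example.com", "/photos", "http://192.168.1.102:80", strip_prefix=True),
    ProxyRule("other.example.com", "/", "http://192.168.1.103:8080"),
]

if __name__ == "__main__":
    for host, path in (("nas.example.com", "/index.html"),
                       ("nas.example.com:443", "/photos/2024/a.jpg"),
                       ("nas.example.com", "/photosx"),
                       ("unknown.example.com", "/")):
        print(f"{host:<22} {path:<22} -> {select_backend(host, path, RULES)}")
```

With this in front of port 80/443, both web servers from the earlier example stay on their standard port internally, and the visitor's corporate firewall only ever sees HTTP or HTTPS on the port it expects.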


A bit more information

Internet Protocol v4 also supports a set of different communication protocols; the most common ones a new user will meet are:
  • TCP (Transmission Control Protocol): https://en.wikipedia.org/wiki/Transmission_Control_Protocol
  • UDP (User Datagram Protocol): https://en.wikipedia.org/wiki/User_Datagram_Protocol
Both TCP and UDP get 2^16 ports per IP address.
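A quick way to see that TCP and UDP really do have separate sets of 2^16 ports, and that only one listener can own a given TCP port (the limit behind the two-web-server problem earlier), is to try it on the loopback interface. This is an added example for this page, not from the original post: it binds a TCP listener to a free port, then tries a UDP socket and a second TCP socket on that same port. The function name is my own; the port is whatever the OS hands out.

```python
import errno
import socket


def port_sharing_demo() -> dict:
    """Bind a TCP listener on loopback, then try (a) a UDP socket on the same
    port and (b) a second TCP socket on the same port. Returns what happened."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tcp2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    results = {}
    try:
        tcp.bind(("127.0.0.1", 0))       # port 0: let the OS choose a free port
        tcp.listen(1)
        port = tcp.getsockname()[1]
        results["port"] = port

        # UDP has its own port space, so this bind succeeds even though a TCP
        # server is already listening on the same number.
        try:
            udp.bind(("127.0.0.1", port))
            results["udp_same_port"] = True
        except OSError as e:
            results["udp_same_port"] = False
            results["udp_error"] = errno.errorcode.get(e.errno, str(e.errno))

        # A second TCP socket on the same port is refused (EADDRINUSE): one
        # TCP port, one listener, exactly the constraint NAT port forwarding
        # runs into when two servers both want port 80.
        try:
            tcp2.bind(("127.0.0.1", port))
            results["second_tcp_same_port"] = True
        except OSError as e:
            results["second_tcp_same_port"] = False
            results["tcp_error"] = errno.errorcode.get(e.errno, str(e.errno))
    finally:
        for s in (tcp, udp, tcp2):
            s.close()
    return results


if __name__ == "__main__":
    print(port_sharing_demo())
```

Expect `udp_same_port` to be True and `second_tcp_same_port` to be False with `tcp_error` reported as `EADDRINUSE`.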



Latest reviews

Well done fredbert. Covers basic networking stuff without boring and complex words for newbies.
What a great tutorial. I'm completely new to NAS world and networking so this kind of information is very useful for newbies. Thank you, fredbert!
fredbert
Thanks. I just added a little section to the end to say about TCP and UDP with links to Wikipedia for more info.