Re: [dev] Logical abilities of routers

From: Jeremy <jer_AT_jer.cx>
Date: Sun, 30 Apr 2023 16:21:18 -0700

Hi,

For a typical at-home router, everything Mr. Fossy Dinx wrote is correct.

The router runs a DHCP server, which assigns IP addresses to hosts on
the network (laptops, printers, coffee maker (this is ok), TV, etc).

I know it's typically called a "smart-TV". Please understand that I'm
trying to be sensitive to the insecurities of everyone on this mailing
list.

The router also translates the local IP addresses (192.168.1.2, 192.168.1.3, ...)
to your public IP address (typically assigned to your router by your ISP), mapping
the connection by port, so:

1. Coffee maker (192.168.1.2:1234) makes HTTP request to nsa.gov (23.65.34.113:80)
2. HTTP Packet goes from coffee maker to router
3. Router changes the source address on the HTTP packet
        - from 192.168.1.2 to router's public address, 50.50.50.50
4. Router sends the packet to nsa.gov:
        - from 50.50.50.50:2345 to 23.65.34.113:80
5. nsa.gov sends back HTTP response to 50.50.50.50:2345
6. Router knows it sent the coffee maker's IP packet from port 2345, so:
        - router redirects nsa.gov packet to 192.168.1.2:1234 (coffee maker)

That's NAT. With that, we can drop all other packets(packets which are
NOT responses to connections that you(or your coffee maker) initiated).
This is the ONLY measure necessary to protect a network from REMOTE threats.

Port forwarding is just an (OPTIONAL) exception to NAT... or "reverse" NAT.

Say your coffee maker exposed a web interface that allowed you to start
making coffee remotely. All you need to do is tell your router to accept
requests to 50.50.50.50:80 & send them to 192.168.1.2:80.

This allows you to enter 50.50.50.50:80 into your web browser (from
anywhere) & access your coffee maker's web interface.

Nothing more to a home router than that - hope it helps.

Jeremy
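The six-step NAT walk-through and the port-forwarding exception above, as an added worked example (this is not Jeremy's code or anything from the thread). It models a toy home router in Python: outbound packets get their source rewritten to the public address and a fresh public port, replies are matched against the connection table and translated back, anything unsolicited is dropped, and a port-forward rule is the one explicit hole. The class and function names, the 8.8.8.8 "outsider" address and the ephemeral-port numbering are assumptions; the addresses 192.168.1.2, 50.50.50.50 and 23.65.34.113 are the ones used in the message.

```python
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet: just the 4-tuple plus a payload string."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class HomeRouter:
    """Toy NAT (names are hypothetical, not a real router API).

    nat_table maps the public port the router picked to the private
    host/port that opened the connection and the remote it talked to.
    forward_rules maps a public port to a private host/port and is the
    only way an inbound connection that nobody asked for gets through.
    """

    def __init__(self, public_ip, first_public_port=2345):
        self.public_ip = public_ip
        self._ports = itertools.count(first_public_port)
        self.nat_table = {}     # public_port -> (priv_ip, priv_port, dst_ip, dst_port)
        self.forward_rules = {}  # public_port -> (priv_ip, priv_port)
        self.dropped = []        # unsolicited inbound packets, kept for inspection

    def add_port_forward(self, public_port, private_ip, private_port):
        """The OPTIONAL exception: accept public_port and hand it to a LAN host."""
        self.forward_rules[public_port] = (private_ip, private_port)

    def outbound(self, pkt):
        """Steps 3-4: rewrite the source to the public address and a public port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Reuse the mapping if this LAN connection already has a public port.
        for public_port, entry in self.nat_table.items():
            if entry == key:
                break
        else:
            public_port = next(self._ports)
            self.nat_table[public_port] = key
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Steps 5-6 plus the drop rule: translate replies, forward by rule, drop the rest."""
        entry = self.nat_table.get(pkt.dst_port)
        # A reply counts only if it comes from the remote the LAN host talked to.
        if entry and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            priv_ip, priv_port, _, _ = entry
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)
        rule = self.forward_rules.get(pkt.dst_port)
        if rule:
            return Packet(pkt.src_ip, pkt.src_port, rule[0], rule[1], pkt.payload)
        # No connection state and no forwarding rule: the packet goes nowhere.
        self.dropped.append(pkt)
        return None


def coffee_maker_scenario():
    """Run the message's scenario end to end and return what each step produced."""
    router = HomeRouter("50.50.50.50")
    # Step 1-2: coffee maker sends an HTTP request to nsa.gov.
    request = Packet("192.168.1.2", 1234, "23.65.34.113", 80, "GET / HTTP/1.1")
    on_wire = router.outbound(request)
    # Step 5: nsa.gov answers the public address on the port the router picked.
    reply = Packet("23.65.34.113", 80, "50.50.50.50", on_wire.src_port, "HTTP/1.1 200 OK")
    delivered = router.inbound(reply)
    # An outsider (constructed address) probing the same public port, and port 80.
    probe_known_port = router.inbound(Packet("8.8.8.8", 4444, "50.50.50.50", on_wire.src_port, "SYN"))
    probe_port_80 = router.inbound(Packet("8.8.8.8", 4444, "50.50.50.50", 80, "GET /brew"))
    # Now open the coffee maker's web interface to the world.
    router.add_port_forward(80, "192.168.1.2", 80)
    forwarded = router.inbound(Packet("8.8.8.8", 4444, "50.50.50.50", 80, "GET /brew"))
    return {
        "on_wire": on_wire,
        "delivered": delivered,
        "probe_known_port": probe_known_port,
        "probe_port_80": probe_port_80,
        "forwarded": forwarded,
        "dropped_count": len(router.dropped),
    }


if __name__ == "__main__":
    for name, value in coffee_maker_scenario().items():
        print(f"{name}: {value}")
```

The source check in inbound() is what turns "NAT" into the drop-everything-else behaviour the message describes: a packet to a public port that is in the table but from a different remote is treated like any other unsolicited packet. Once the port-forward rule is added, that same outsider's request to port 80 is delivered to the coffee maker, which is exactly the exposure the rule is meant to create.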
Received on Mon May 01 2023 - 01:21:18 CEST