Networking
Routing and NAT¶
A switch moves traffic within a network; a router moves traffic between networks. This page explains how a router forwards packets at Layer 3 by IP address, how it chooses a path using its routing table, the difference between static and dynamic routing, and how NAT lets a whole LAN of private hosts share a single public IP to reach the internet.
Applies to
Routing and NAT are protocol-level concepts and apply to any platform. The route-table commands below are shown for both Linux (ip route) and Windows (route print); the principles are identical on dedicated routers and firewalls.
This builds directly on IP addressing and subnetting and follows on from Switching and VLANs, where traffic stayed inside one network. For naming and address assignment see DNS and DHCP.
What a router does¶
A router operates at Layer 3 (the Network layer) and forwards packets between different IP networks. Where a switch asks "which port leads to this MAC?", a router asks "which network is this destination IP on, and how do I get there?"
For every packet it receives, a router inspects the destination IP address, looks up the best matching route, and forwards the packet toward the next hop - the next router (or the final network) on the path. This repeats router by router until the packet reaches its destination network.
The default gateway¶
A host can only deliver frames directly to other hosts on its own subnet. For anything off-subnet - including the entire internet - it sends the packet to its default gateway: the router IP it was given (often by DHCP).
Same subnet? --yes--> deliver directly (ARP for the host, send frame)
--no --> send to the DEFAULT GATEWAY, let the router handle it
The host decides "same subnet or not" using the subnet mask (see IP addressing and subnetting). The gateway is the doorway out of the local network.
The routing table¶
A router - and every host - keeps a routing table: a list of known destination networks and how to reach each one. Forwarding is just a lookup in this table.
A simplified table reads like this:
Destination Next hop / interface Notes
----------------- ----------------------- -------------------------
0.0.0.0/0 via 192.168.1.1 default route (everything else)
192.168.1.0/24 dev eth0 directly connected LAN
10.20.0.0/16 via 192.168.1.254 a remote office network
Longest-prefix match¶
A packet's destination may match several entries. The router always picks the most specific one - the route with the longest prefix (the biggest /number, i.e. the most network bits that match).
Packet to 10.20.5.7 with these candidate routes:
0.0.0.0/0 -> matches everything (prefix length 0)
10.0.0.0/8 -> matches (prefix length 8)
10.20.0.0/16 -> matches (prefix length 16) <-- WINNER (longest)
The /16 is the most specific match, so the router uses that next hop.
The 0.0.0.0/0 default route has the shortest possible prefix, so it is the catch-all used only when nothing more specific matches - which is why it is the path to the internet.
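The gateway decision and the longest-prefix match above are the same lookup, and this added example (not code from the page) shows it in working form: a routing table that returns the most specific matching route and the next hop a packet is handed to. The page's sample table is reused, with a 10.0.0.0/8 entry added so the /16 has a rival; the Route and RoutingTable names, the metric tie-breaker and the extra destinations are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: IPv4Network        # destination prefix, e.g. 10.20.0.0/16
    via: Optional[str]          # next-hop router IP, or None when directly connected
    dev: str                    # egress interface
    metric: int = 0             # tie-breaker between routes of equal prefix length


class RoutingTable:
    def __init__(self, routes: List[Route]):
        # Order once: longest prefix first, lower metric first among equals.
        # The first entry that contains the destination is then the winner.
        self.routes = sorted(routes, key=lambda r: (-r.network.prefixlen, r.metric))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: the most specific route containing dst, or None."""
        addr = ip_address(dst)
        for route in self.routes:
            if addr in route.network:
                return route
        return None  # no route at all, not even a default: "Network is unreachable"

    def next_hop(self, dst: str) -> Optional[Tuple[str, str]]:
        """Where the packet is actually sent: the next-hop router for a 'via'
        route, or the destination itself (ARP for it) when directly connected."""
        route = self.lookup(dst)
        if route is None:
            return None
        return (route.via or dst, route.dev)


# The page's sample table plus a 10.0.0.0/8 entry so the /16 has a rival
# (constructed data; the next hops are the page's example addresses).
TABLE = RoutingTable([
    Route(ip_network("0.0.0.0/0"), "192.168.1.1", "eth0"),       # default route
    Route(ip_network("192.168.1.0/24"), None, "eth0"),           # directly connected LAN
    Route(ip_network("10.0.0.0/8"), "192.168.1.1", "eth0"),      # summary via the default gw
    Route(ip_network("10.20.0.0/16"), "192.168.1.254", "eth0"),  # remote office, more specific
])

if __name__ == "__main__":
    for dst in ("10.20.5.7", "10.99.0.1", "192.168.1.50", "8.8.8.8"):
        route = TABLE.lookup(dst)
        how = "via " + route.via if route.via else "directly connected"
        print(f"{dst:>14} -> {str(route.network):<16} {how:<22} "
              f"dev {route.dev}  next hop {TABLE.next_hop(dst)[0]}")
```

Running it shows 10.20.5.7 taking the /16 toward 192.168.1.254 while 10.99.0.1, which only the /8 and the default cover, goes to 192.168.1.1; 192.168.1.50 is on the connected /24, so the "next hop" is the host itself, which is exactly the host-side same-subnet decision. A host's own table is just a small instance of the same structure.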
Static vs dynamic routing¶
| | Static routing | Dynamic routing |
|---|---|---|
| How routes are learned | Entered by hand by an admin | Routers exchange routes automatically via a protocol |
| Best for | Small or stable networks | Larger networks; adapts to changes/failures |
| Effort | Manual to add and maintain | Self-updating once configured |
Common dynamic routing protocols, at a high level:
- RIP - the simplest; picks paths by hop count. Fine for small networks, largely legacy now.
- OSPF - a fast, scalable interior protocol that builds a map of the network and picks paths by link cost. Common within an organisation.
- BGP - the routing protocol of the internet itself, exchanging routes between large networks (autonomous systems).
You do not need to configure these to understand the rest of this page - just know that dynamic protocols are how big networks keep their routing tables current without manual edits.
NAT and PAT¶
There are far more devices than IPv4 public addresses, so home and office LANs use private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that are not routable on the public internet. NAT (Network Address Translation) is what lets those private hosts reach the internet through one or a few public addresses.
Source NAT (sharing one public IP)¶
When a private host sends a packet out, the router rewrites the source address from the private IP to the router's public IP, and remembers the mapping so it can rewrite the reply back. This is source NAT.
In practice almost all home/office NAT is PAT (Port Address Translation), also called NAT overload or masquerading: many private hosts share one public IP, kept distinct by also tracking the port numbers (see TCP, UDP, and ports).
Inside (private)             NAT router (rewrites source)         Outside (internet)
192.168.1.10:50000  --->     203.0.113.5:62001            --->    server:443
192.168.1.11:50000  --->     203.0.113.5:62002            --->    server:443  (sees only 203.0.113.5)
                             (the port keeps each flow distinct)
The router's NAT table maps each public-IP:port back to the right private-IP:port, so replies return to the correct host.
Port forwarding (DNAT)¶
Source NAT lets inside hosts reach out, but outside clients cannot start a connection to a private host - there is no mapping yet. Port forwarding (a form of destination NAT / DNAT) creates a static inbound rule:
Traffic arriving at the public IP on port 443 has its destination rewritten to a specific internal server (and optionally to a different port there) and is routed onto the LAN. This is how you expose a self-hosted service from behind a NAT router.
NAT is not a firewall
NAT incidentally hides inside hosts, and a stateful NAT drops unsolicited inbound packets only because no mapping exists for them. That is a side effect of address translation, not a security control: a port-forwarding rule admits connections from any source address, so a forwarded service is exposed to the whole internet unless a firewall rule restricts it. Use an actual firewall for access policy - see Linux firewalls.
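The source-NAT table from the diagram above, the port-forwarding rule, and the reason NAT is not a firewall, in one runnable model. This is an added example, not code from the page: the NatRouter and Packet classes, the public port pool starting at 62001, the 198.51.100.x server addresses and the 192.168.1.20 internal server are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


class NatRouter:
    """A toy gateway with one public IP (hypothetical class, not a real implementation)."""

    def __init__(self, public_ip: str, first_port: int = 62001, last_port: int = 65535):
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        # PAT table: (proto, public port) -> (inside endpoint, remote endpoint)
        self.snat: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = {}
        # Port-forwarding rules: (proto, public port) -> inside endpoint
        self.dnat: Dict[Tuple[str, int], Endpoint] = {}

    def add_port_forward(self, proto: str, public_port: int, inside: Endpoint) -> None:
        self.dnat[(proto, public_port)] = inside

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: rewrite the source to public_ip:<unique port> and remember it."""
        for (proto, port), (inside, remote) in self.snat.items():
            if proto == pkt.proto and inside == pkt.src and remote == pkt.dst:
                return Packet((self.public_ip, port), pkt.dst, pkt.proto)  # existing flow
        if self._next_port > self._last_port:
            raise RuntimeError("NAT port pool exhausted")  # the PAT failure mode
        port = self._next_port
        self._next_port += 1
        self.snat[(pkt.proto, port)] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> public IP: undo a known mapping, apply a forward rule, else drop."""
        key = (pkt.proto, pkt.dst[1])
        entry = self.snat.get(key)
        # Reply to a flow we opened. Only the remote endpoint we sent to may use the
        # mapping here (a restricted-style NAT; looser NAT types skip this check).
        # Either way this is a consequence of the table, not an access policy.
        if entry is not None and pkt.src == entry[1]:
            return Packet(pkt.src, entry[0], pkt.proto)
        if key in self.dnat:
            # Port forwarding admits ANY source: nothing here looks at pkt.src.
            return Packet(pkt.src, self.dnat[key], pkt.proto)
        return None  # no mapping, no rule: nowhere to deliver it


if __name__ == "__main__":
    gw = NatRouter("203.0.113.5")
    web = ("198.51.100.7", 443)  # constructed internet server
    a = gw.outbound(Packet(("192.168.1.10", 50000), web))
    b = gw.outbound(Packet(("192.168.1.11", 50000), web))
    print("outbound   :", a.src, b.src)  # same private port, distinct public ports
    print("reply      :", gw.inbound(Packet(web, b.src)).dst)  # back to 192.168.1.11:50000
    print("unsolicited:", gw.inbound(Packet(("198.51.100.9", 40000), ("203.0.113.5", 9999))))
    gw.add_port_forward("tcp", 443, ("192.168.1.20", 443))
    print("forwarded  :", gw.inbound(Packet(("198.51.100.9", 40000), ("203.0.113.5", 443))).dst)
```

Two inside hosts using the same private port come out as 62001 and 62002, the reply to 62002 lands on 192.168.1.11, and an unsolicited packet to port 9999 goes nowhere because the table has no entry for it. After the forwarding rule, a packet from any address reaches 192.168.1.20:443: the rule has no notion of permitted sources, which is the point of the callout. On a Linux gateway the same per-flow state lives in conntrack, and the "allowed sources" decision belongs in a firewall rule in front of it.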
Connecting a LAN to the internet¶
Putting it together, a typical home/office path out looks like this:
[ LAN host ]                    [ Router/gateway ]                       [ Internet ]
192.168.1.10  --default gw-->   routing table picks 0.0.0.0/0     --->   destination
(off-subnet? send to gateway)   source NAT/PAT rewrites the source
                                to the public IP                  <---   replies routed back;
                                                                         NAT undoes the rewrite
- The host sees the destination is off-subnet and sends the packet to its default gateway.
- The router's routing table matches the default route (0.0.0.0/0) via longest-prefix match.
- NAT/PAT rewrites the private source to the router's public IP.
- The reply comes back; NAT reverses the rewrite and the routing table delivers it to the original host.
That chain - gateway, routing table, NAT - is exactly what turns a private LAN, addressed and subnetted as in IP addressing and subnetting, into hosts that can browse the internet.
Verify your work¶
# Linux
ip route show # confirm a default route (0.0.0.0/0) exists
ip route get 8.8.8.8 # which route/next hop a given destination uses
traceroute 8.8.8.8 # see each router hop toward the destination
curl -s ifconfig.me # the public IP your traffic is NATed behind
:: Windows
route print :: routing table, including the default route
tracert 8.8.8.8 :: hop-by-hop path to the destination
You are done when there is a default route pointing at your gateway, ip route get resolves to a sensible next hop, a traceroute leaves your network, and your outbound traffic appears under your public (NATed) IP.
Summary¶
- A router is a Layer 3 device that forwards packets between networks based on the destination IP and a next hop.
- Hosts send off-subnet traffic to their default gateway; the decision is driven by the subnet mask.
- The routing table is consulted per packet, and longest-prefix match picks the most specific route - with 0.0.0.0/0 as the catch-all default.
- Static routing is manual; dynamic routing (RIP, OSPF, BGP) updates routes automatically, with BGP running the internet between networks.
- NAT/PAT lets many private hosts share a public IP via source NAT, while port forwarding (DNAT) exposes an internal service inbound.
- Gateway + routing table + NAT together are what connect a private LAN to the internet - but NAT is not a firewall.