Modern computer networks almost always use a private IP addressing scheme. These reserved IP address ranges can be used by everyone and are a vital part of IPv4 address space management. To allow devices on networks using private IP addresses to communicate with the publicly addressed internet, NAT is a critical feature.
NAT stands for Network Address Translation; the related PAT stands for Port Address Translation, though both are generally meant when the term NAT is used. NAT allows the network router to translate a device's private IP address and port number to the router's public address and a new port number.
The router then keeps track of this translation. When the response comes back to that specific port, the router translates the packet back to the private address of the original device and forwards it on. This process is seamless to the user in most circumstances. It is used in all LANs and in many WANs that are not themselves on the internet.
NAT really only has one functional problem: servers. What happens if a server runs on an internal, privately addressed network? With NAT in place, the router doesn't know which traffic is intended for the server and which isn't, because there is no existing translation entry. Any connection to the server would be initiated from the outside, so its packets are dropped as they can't be translated to an internal IP address and port.
The solution to this issue is called port forwarding. Port forwarding is essentially setting up a NAT entry manually for a specific service. You need to identify the IP address of the computer running the server and the port number the server is listening on. Once you have those details, you must go into your router management console.
On home routers, a web-based interface will typically be hosted on the router itself. Enterprise-grade routers may offer a web interface, but will normally need to be configured via the command line over an SSH connection or a physical console connection. The router then needs to be configured to map a known, externally facing port number to the private server IP and port.
It will generally be necessary to explicitly save the change. Once the port forwarding rule has been implemented, however, any internet device should be able to connect to the server. One thing to note is that many applications don't allow the use of custom port numbers.
In that case, the port forwarding rule has to be configured to match the default server port number. Some applications, however, allow the destination port to be specified. In that situation, there is no pressure to ensure that the server runs on its standard port.
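The behaviour described above, modelled as a small Python simulation (an added example, not code from the original article): outbound traffic creates a translation entry, a reply to the mapped port is translated back, an unsolicited inbound packet is dropped, and a manually added port-forwarding rule (here mapping external port 8080 to an internal server on port 80, as in the non-standard-port case) makes the server reachable. All addresses are constructed sample values and the class and method names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# An (ip, port) endpoint. All addresses below are constructed sample values.
Endpoint = Tuple[str, int]


@dataclass
class NatRouter:
    """Toy NAT/PAT model: outbound flows get a fresh public port, replies are
    matched on that port, and unsolicited inbound packets are dropped unless a
    static port-forwarding rule maps the public port to an internal host."""
    public_ip: str
    next_port: int = 40000
    # public port -> private (ip, port), created dynamically by outbound traffic
    translations: Dict[int, Endpoint] = field(default_factory=dict)
    # public port -> private (ip, port), configured manually (port forwarding)
    forwards: Dict[int, Endpoint] = field(default_factory=dict)

    def outbound(self, src: Endpoint) -> Endpoint:
        """Rewrite a private source to the router's public IP and a new port."""
        port = self.next_port
        self.next_port += 1
        self.translations[port] = src
        return (self.public_ip, port)

    def inbound(self, dst_port: int) -> Optional[Endpoint]:
        """Private destination for a packet arriving at dst_port, or None
        when no translation exists (the router drops the packet)."""
        return self.translations.get(dst_port) or self.forwards.get(dst_port)

    def add_port_forward(self, public_port: int, target: Endpoint) -> None:
        """Map an externally facing port to an internal server (ip, port)."""
        self.forwards[public_port] = target


def demo() -> dict:
    router = NatRouter(public_ip="203.0.113.10")  # constructed public address
    client = ("192.168.1.20", 51515)              # constructed private client
    server = ("192.168.1.50", 80)                 # constructed internal web server
    public_src = router.outbound(client)          # 1. client browses out
    reply_dst = router.inbound(public_src[1])     #    reply is translated back
    before_rule = router.inbound(8080)            # 2. unsolicited inbound: dropped
    router.add_port_forward(8080, server)         # 3. external 8080 -> server:80
    after_rule = router.inbound(8080)             #    now reaches the server
    return {"reply_dst": reply_dst, "before_rule": before_rule, "after_rule": after_rule}
```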
Note: Using a non-standard port only works for specifically invited users rather than the larger public. A specifically invited user will know to attempt to connect to a non-standard port, but members of the public will not. A non-standard port should also not be relied upon as an alternative to security measures such as a password. Hackers and bots constantly scan the whole Internet address space to find servers they can access.
UPnP, or the Universal Plug and Play protocol, offers functionality that can automatically configure port forwarding on compatible routers. The process happens seamlessly upon network connection without requiring user interaction. This functionality can be exceptionally useful for non-technical end-users, who may struggle with the process of manually setting up a port forwarding entry.
Unfortunately, UPnP has been shown to have multiple security vulnerabilities. These have, in some cases, allowed attackers from the internet to directly attack internal devices on the private network. While the protocol has been updated to resolve these issues, many devices are small IoT-type (Internet of Things) devices. In many cases, such devices will either never have an update applying the fixed UPnP version released, or never have it applied.
Note: UPnP and the devices that use it are generally intended to be used in home networks. However, the increasing prevalence of IoT devices on enterprise networks increases the potential attack surface and the potential consequences of this type of issue.
Port forwarding is the manual configuration of a router to link an externally facing port with a port on an internal device. This allows server software on privately addressed networks to be directly accessible from the internet without making the whole computer accessible. UPnP offers functionality to automatically configure port forwarding. This is typically used on small devices such as IoT devices.
UPnP has also had several security issues identified over time that could let attackers access unintended internal devices. Though these issues are officially fixed in the UPnP protocol, many devices do not have an updated version installed or, in some cases, even available. As such, disabling UPnP is generally recommended unless you specifically need it.