Routing, CIDR, NAT
What This Concept Is
Three closely linked ideas that together move packets across the Internet:
- Routing: given a destination IP, pick the next hop. Routers consult a routing table and use longest-prefix match: among all prefixes that contain the destination, pick the one with the most bits specified.
- CIDR (Classless Inter-Domain Routing): the practice of describing networks by arbitrary-length prefixes (10.0.0.0/8, 192.168.1.0/24) instead of the old class A/B/C fixed sizes. CIDR enables aggregation: many smaller networks can be summarized by one larger prefix in a routing table.
- NAT (Network Address Translation): a middlebox that rewrites IP addresses (and usually ports) so that many internal hosts behind one public IP can share it. Most home routers do this.
Together, these three are why a private laptop on 192.168.1.42 can still reach 93.184.215.14 across the public Internet.
Why It Matters Here
Every routing problem shows up as one of:
- wrong longest-prefix match (the packet took a surprising path)
- CIDR overlap (two routes claim the same address)
- NAT mapping expiring or mangling ports (the inbound packet has nowhere to go)
Understanding these three keeps network troubleshooting from becoming folklore.
Concrete Example
A routing table might contain:
Destination      Next hop      Interface
0.0.0.0/0        192.168.1.1   eth0   (default route)
192.168.1.0/24   0.0.0.0       eth0   (directly connected)
10.0.0.0/8       10.1.0.1      vpn0
10.0.24.0/20     10.1.0.5      vpn0
For destination 10.0.24.53, both 10.0.0.0/8 and 10.0.24.0/20 match. Longest-prefix wins, so the packet goes via 10.1.0.5 on vpn0.
For NAT, a home router seeing an outbound packet src=192.168.1.42:45678 dst=93.184.215.14:443 rewrites it to src=203.0.113.9:60001 dst=93.184.215.14:443 and records the mapping (203.0.113.9, 60001) <-> (192.168.1.42, 45678). When a reply comes back to 203.0.113.9:60001, the router uses the mapping to rewrite dst back to the internal address.
Common Confusion / Misconception
"NAT is a security feature." NAT is address-sharing. It accidentally hides hosts behind one address, but it is not a firewall. A real firewall has explicit allow/deny rules.
"The routing table has the answer for every address." It does not. Whatever no more specific prefix covers falls through to the default route (0.0.0.0/0); that is the whole reason it exists.
How To Use It
For any packet, mentally run:
- Look up the destination IP in the routing table.
- Pick the longest-matching prefix's next hop.
- ARP/NDP the next hop to a MAC.
- Emit the frame.
- If a NAT is in the path, record or apply the relevant 5-tuple rewrite.
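As an added example (not code from the original page), the lookup below runs steps 1 and 2 against the routing table from the Concrete Example, and a small NAT table runs step 5 for two internal hosts that reach the same external endpoint at the same time. It assumes the public address 203.0.113.9 and the first external port 60001 from the NAT example; the class and function names are my own.

```python
import ipaddress

# Routing table from the Concrete Example: (prefix, next hop, interface).
# Next hop 0.0.0.0 means "directly connected": the next hop is the destination itself.
ROUTES = [
    ("0.0.0.0/0",      "192.168.1.1", "eth0"),
    ("192.168.1.0/24", "0.0.0.0",     "eth0"),
    ("10.0.0.0/8",     "10.1.0.1",    "vpn0"),
    ("10.0.24.0/20",   "10.1.0.5",    "vpn0"),
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: of all prefixes containing dst, return the longest."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in routes:
        # strict=False: 10.0.24.0/20 as written has host bits set (the network
        # is really 10.0.16.0/20); real routers canonicalize it the same way.
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prefix, nexthop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")  # only possible without a default route
    _, prefix, nexthop, iface = best
    return (prefix, dst if nexthop == "0.0.0.0" else nexthop, iface)

class PortRestrictedNat:
    """Per-flow NAT state: one external port per internal (ip, port); replies
    are accepted only from remote endpoints that internal socket has contacted."""
    def __init__(self, public_ip, first_port=60001):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}    # (int_ip, int_port) -> external port
        self.back = {}   # external port -> (int_ip, int_port, set of contacted remotes)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port)
        if key not in self.out:                  # new flow: allocate a fresh port
            self.out[key] = self.next_port
            self.back[self.next_port] = (src_ip, src_port, set())
            self.next_port += 1
        ext_port = self.out[key]
        self.back[ext_port][2].add((dst_ip, dst_port))
        return (self.public_ip, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        entry = self.back.get(dst_port) if dst_ip == self.public_ip else None
        if entry is None or (src_ip, src_port) not in entry[2]:
            return None                          # no or expired mapping: packet is dropped
        return (src_ip, src_port, entry[0], entry[1])
```

Two internal hosts using the same source port 45678 get distinct external ports, which is what lets the return traffic be demultiplexed; a reply arriving for a port with no mapping is simply dropped.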
Check Yourself
- Why does longest-prefix match, not first-match, define the selected route?
- What does "default route" mean in CIDR terms, and why is 0.0.0.0/0 the default in IPv4?
- Why does NAT require per-flow state in the router, and what happens when that state expires mid-connection?
- Why is NAT usually harder for protocols like SIP or active-mode FTP that embed IP addresses in payloads?
- If two organizations both use 10.0.0.0/8 internally and want to merge, what options do they have?
NAT Variants Worth Recognizing
- Full-cone NAT -- one external mapping per internal host/port; any external host can reach that mapping.
- Restricted-cone NAT -- the mapping is reachable only from external hosts the internal host has contacted.
- Port-restricted cone -- as above, but also scoped by external port.
- Symmetric NAT -- a different external mapping is allocated per destination endpoint. Very hostile to peer-to-peer NAT traversal.
- Carrier-grade NAT (CGNAT) -- the ISP performs another layer of NAT above customer routers; common in mobile networks and the reason one public IP can hide thousands of users.
Most home and cloud environments are "port-restricted cone" variants. Peer-to-peer applications use STUN/TURN/ICE to work around the harder cases.
Mini Drill or Application
Given the routing table above, choose the outgoing interface and next hop for each destination:
- 192.168.1.7
- 10.0.24.100
- 10.2.0.5
- 8.8.8.8
Then design a NAT scenario: two internal hosts both want to reach 93.184.215.14:443 at the same time. What must be different in the NAT mappings so their return traffic is demultiplexed correctly?