Routers route packets from one network or subnet to another. A router must have an interface within each network and some means of directing traffic from one interface to another. The router accomplishes routing by having a set of rules and a map of the known network. The simplest method is a static route configured by the router administrator, which tells the router: if you receive packets for this network, send them out this interface.
In order for a router to receive traffic, the LAN hosts need to be configured with a local default gateway. By configuring a default gateway on hosts, packets are sent to the router and then forwarded to the destination host.
Consider the diagram above. In order for each host to communicate with the others, you need to configure the Internet router so it knows where to route packets. The simplest way to do this is via static routing.
With static routing, the administrator needs to configure the router to accept packets and direct them to the correct interface. A static route looks like this:
ip route 172.16.1.0 255.255.255.0 ethernet 1
A static route places an entry in the router’s “routing table,” which records the interface or next hop for each destination network. In this example, traffic is destined for a host on the 172.16.1.0 255.255.255.0 network. The router finds the matching static route entry in the table and sends the packet out on Ethernet port 1.
If another three static routes are configured, then every host will be able to communicate with each other and the Internet.
ip route 192.168.1.0 255.255.255.0 ethernet 2
ip route 172.16.2.0 255.255.255.0 ethernet 3
ip route 0.0.0.0 0.0.0.0 ethernet 4 (this is a default route, which matches any destination not covered by a more specific route)
By adding a default route, any packets not destined for one of the three local subnets will be sent to the Internet.
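As an added illustration (not code from the original page), the four static routes above can be loaded into a small routing table and looked up the way a router does, most specific prefix first, with the 0.0.0.0 0.0.0.0 entry catching everything else. The destination addresses used in the test runs are constructed for the example.

```python
import ipaddress

# Added example: a minimal routing table built from the page's four static
# routes. Interface names are the page's own ("ethernet 1" .. "ethernet 4").
STATIC_ROUTES = [
    ("172.16.1.0", "255.255.255.0", "ethernet 1"),
    ("192.168.1.0", "255.255.255.0", "ethernet 2"),
    ("172.16.2.0", "255.255.255.0", "ethernet 3"),
    ("0.0.0.0", "0.0.0.0", "ethernet 4"),  # default route: matches anything not matched above
]


def build_routing_table(routes):
    """Parse (network, mask, interface) entries into a longest-prefix-first table."""
    table = []
    for network, mask, interface in routes:
        net = ipaddress.IPv4Network(f"{network}/{mask}", strict=False)
        table.append((net, interface))
    # Sort most-specific first so the first hit is the longest match; the /0
    # default route therefore always ends up last.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Return the outgoing interface for a destination, or None if no route matches."""
    addr = ipaddress.IPv4Address(destination)
    for net, interface in table:
        if addr in net:
            return interface
    return None  # without a default route, unknown destinations are dropped


if __name__ == "__main__":
    rt = build_routing_table(STATIC_ROUTES)
    for dst in ("172.16.1.25", "172.16.2.5", "192.168.1.9", "8.8.8.8"):
        print(dst, "->", lookup(rt, dst))
```

Removing the default route from the list shows the failure mode: a destination outside the three local subnets then matches nothing and the lookup returns None.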
In this scenario, the router is acting as a layer 3 packet router. It accepts inbound packets and looks up each packet’s source and destination address. It then consults the IP routing table to ascertain the best route on which to forward the packet. Because these are simple statically configured routes, CPU and memory overhead are not an issue.
The router also takes IP packets with local source addresses in the private range and forwards them to the Internet. It also receives packets from the Internet addressed to its own public address and routes them back to the correct host. This process is called Network Address Translation (NAT).
NAT used to be terribly confusing because prior to ADSL, it wasn’t seen outside of corporate networks. However, with the explosive growth of the Internet and the telecom/ISP infrastructure required to support it, NAT and private IP addresses are more popular.
Computers within a private network use private IP addresses from one of three ranges:
These IP addresses have no meaning outside of the private network, because they are dropped as soon as they leave the network gateway router. These IP addresses cannot cross the Internet, and so are only of local significance to the internal network (LAN). So how do they connect to the Internet?
They connect through the router, and the router performs Network Address Translation (NAT) on the packets as they pass through its external interface. The router looks at every packet and makes a note of the source address/port and the destination address/port in a table (the NAT table). It then rewrites the packet’s source address (the private one) with the router’s own real public IP address. The packet now carries a routable source address and is capable of traversing the Internet.
When the reply returns from the Internet, the router accepts the packet and searches the NAT table for a match on the IP addresses and port numbers. It then rewrites the private address back into the packet and sends it on its way to the private computer on the LAN.
The router only really has to do the lookups and calculations once. Once the router has recorded the source address, port number and destination, subsequent packets matching that address/port pair are forwarded as part of the same TCP stream, which makes NAT much more efficient.
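The NAT table described above, as an added Python simulation that is not code from the original page. The public address 203.0.113.5, the remote server address and the port numbers are constructed; the example also translates the source port (as most home and office routers do) so that several LAN hosts can share the single public address, and it discards inbound packets that match no table entry.

```python
import ipaddress

# Added example: a simplified source-NAT table with port translation.
# A packet is modelled as (src_ip, src_port, dst_ip, dst_port).
# The three blocks are the RFC 1918 private ranges.
PRIVATE_RANGES = [ipaddress.IPv4Network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class NatRouter:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.reverse = {}  # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, packet):
        """Rewrite a LAN packet's private source so it can cross the Internet."""
        src_ip, src_port, dst_ip, dst_port = packet
        if not any(ipaddress.IPv4Address(src_ip) in net for net in PRIVATE_RANGES):
            return packet  # already a public source: nothing to translate
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:  # first packet of the stream: allocate a mapping
            self.table[key] = self.next_port
            self.reverse[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        # Later packets of the same stream hit the existing entry: no new work.
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, packet):
        """Map a reply back to the LAN host; return None to drop it."""
        src_ip, src_port, dst_ip, dst_port = packet
        if dst_ip != self.public_ip:
            return None
        mapping = self.reverse.get((dst_port, src_ip, src_port))
        if mapping is None:
            return None  # unsolicited traffic: no entry, so the router discards it
        priv_ip, priv_port = mapping
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = NatRouter("203.0.113.5")
    out = nat.outbound(("172.16.2.5", 51000, "198.51.100.10", 80))
    print("outbound rewritten to", out)
    print("reply mapped to", nat.inbound(("198.51.100.10", 80, "203.0.113.5", out[1])))
    print("unsolicited:", nat.inbound(("198.51.100.10", 80, "203.0.113.5", 40999)))
```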
The router also protects hosts from the Internet and protects hosts on different subnets from each other. It protects the hosts from each other by breaking up the layer-2 LAN broadcast domains on which they reside. Hosts on an Ethernet LAN do not use IP to talk to one another directly. They use Ethernet interface MAC addresses. This is a globally unique address that computers use to communicate. IP is a software protocol. This means that when a computer needs to deliver a packet to, for example, 172.16.2.5, it does not yet know which machine that is. It sends out a broadcast at layer-2 from its MAC address asking which host has the address 172.16.2.5.
The host that has 172.16.2.5 will respond with its MAC address. If there are more than approximately 100 machines on a LAN segment, this traffic becomes problematic and degrades performance. A router blocks those layer-2 broadcasts from crossing over to other networks. A router limits the scope of broadcast domains and provides protection against broadcast storms.
Access control is the last but not least reason for having routers. A router is a border gateway for each sub-network, and the administrator can use an access list in both the incoming and outgoing directions. This provides for security at the IP layer.