Understanding Network Address Translation (NAT)

network address translation

At one point in my life, I hated databases. I don’t know why but databases were just something that didn’t excite me at all. I loved programming but programming a database seemed irrelevant. I was an embedded programmer working on bare metal applications, and databases weren’t something I could use.

IT stuff was something else that didn’t excite me. In those pre-Ethernet days, that stuff was the province of the data processing department and before that, the people in the “IBM room.” Those guys worried about putting terminals on everyone’s desk, paying the company’s bills and doing payroll. It seemed boring to me. I always worked directly with the important part of the business – the manufacturing machines that were turning out products day in and day out.

I’ve come to realize how shortsighted I was since Ethernet arrived on the factory floor. How a router works, layer 2 and 3 communications, HTTPS, VLANS, and a thousand other things have become more and more important to us over the last ten years. Now knowing what I do about Modbus TCP, OPC UA, EtherNet/IP and all the rest isn’t enough – I have found that I really need to understand the basics of Ethernet technology and all the other technologies associated with the IT world.

NAT is one of those technologies. If you’re like me, you’ve probably heard one of your IT guys throw that word around and really didn’t understand it. I sure didn’t when I first heard it, but it’s really not that difficult a concept. NAT is simply “Network Address Translation.” It’s about how devices inside a facility can access devices outside a facility.

Think about it like this. A device on your manufacturing network has a private TCP/IP address like 192.168.0.100. That address is private, not public, so it can’t be used on the internet. Only public addresses can. But that device has energy data it needs to send to your corporate office or somewhere else offsite. When a device sends a message, it puts its TCP/IP address in the source field of the message. Since a private ID address can’t be used to talk over the internet, how does that message travel over the internet?

Someplace in your network, usually in your router, that private TCP/IP address gets translated to a public IP address. Since the router has a public TCP/IP address, it changes the TCP/IP address in the outgoing message from the internal private address to the public address of the router. Now, the message can be sent through the internet to a destination like your corporate office. The reverse happens if the application at the corporate office responds to your device. When the message is received at the router, the destination IP Address (your router) is changed to the private TCP/IP destination address of your device (192.168.0.100). That reply is then sent through your company network to your device. This process of changing internal, private IP addresses to external, public IP addresses is called Network Address Translation or NAT for short.

This stuff isn’t directly applicable to our automation protocols like EtherNet/IP, Modbus TCP, PROFINET IO, and OPC UA because those devices don’t normally communicate with devices outside the local network. For the most part, an EtherNet/IP motor controller talks with a PLC like a ControlLogix. But newer devices are starting to have the capabilities to talk to remote servers. For example, an EtherNet/IP motor controller could have energy data and in addition to the I/O, it sends to the PLC. It might also want to send that energy data to a database at corporate or in the cloud. When that happens, there’s some NAT device that’s doing that routing behind the scenes and making those remote connections work.

One of the benefits to the above scenario is that if you have a bunch of EtherNet/IP devices or a bunch of IoT devices, they can all send data to an internet destination using just one public IP address. That saves IPV4 addresses. There just aren’t that many IPV4 addresses available and using the router’s public IP address to support a bunch of devices is a way around that address limitation.

PS: I actually don’t hate IT stuff anymore. I find things like NAT kind of interesting.