
Mastering NAT, NAPT, Intranet Penetration & Proxy Techniques Explained

This article explains the role of NAT and NAPT tables in routing packets between private subnets and the public internet, details how internal network traversal and hole punching work, compares forward and reverse proxy mechanisms, and outlines practical scenarios and differences between these networking techniques.

Open Source Linux

Introduction

This piece completes the discussion on network fundamentals by focusing on how packets travel from the public internet back to private subnets, a process that relies on NAT, NAPT tables, and various proxy techniques.

NAPT Table Overview

Routers maintain both a routing table and a NAPT (Network Address and Port Translation) table, which maps internal IP/port pairs to public IP/port pairs. The NAPT table enables return traffic from the internet to reach the correct internal host.

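Internal IP | Internal Port | Public IP   | Public Port | Protocol | State
------------|---------------|-------------|-------------|----------|------------
192.168.1.2 | 50000         | 203.0.113.5 | 61000       | TCP      | ESTABLISHED
192.168.1.3 | 50001         | 203.0.113.5 | 61001       | TCP      | ESTABLISHED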

When a packet arrives from the internet, each router consults its NAPT table to locate the corresponding internal address and forwards the packet accordingly.

Intranet Penetration (NAT Traversal)

Intranet penetration uses a public relay IP to mediate communication between two private hosts that cannot directly see each other's IP and port. The relay forwards traffic, allowing both hosts to discover each other's endpoints.

Tools such as frp can implement this mechanism.

Comparison of Normal Forwarding vs. Intranet Penetration

Aspect               | Normal Forwarding                              | Intranet Penetration
---------------------|------------------------------------------------|------------------------------------------
Applicable Scope     | Network devices with public IP & port mapping  | No public IP, cannot configure router
Connection Direction | Passive request reception                      | Active connection initiation (bypass NAT)
Common Scenarios     | Enterprise/server environments                 | Home/office networks, cloud instances

Intranet Hole Punching

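Hole punching creates a P2P channel by having both hosts simultaneously send packets to each other's public IP and port. Each outbound packet creates a NAPT entry on the sender's own NAT device, so the peer's packet arriving from that same address and port is treated as return traffic and forwarded, which opens a direct path.

This technique depends heavily on the type of NAT and may fail with symmetric NATs or strict firewalls. A symmetric NAT assigns a different public port for each destination, so the port the peer learned in advance is not the one its traffic actually arrives from.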
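A minimal simulation of the NAPT table lookup and the hole-punching exchange described above, added here as an illustration (it is not code from the original article). It assumes port-restricted filtering; the host addresses, the rendezvous server and the `Nat`/`punch` names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy NAPT device with port-restricted filtering (constructed model)."""
    public_ip: str
    symmetric: bool = False      # True: a new public port per destination
    next_port: int = 61000
    ports: dict = field(default_factory=dict)    # mapping key -> public port
    entries: dict = field(default_factory=dict)  # public port -> (internal, peers)

    def outbound(self, src, dst):
        """Translate internal (ip, port) to a public endpoint, creating the entry."""
        key = (src, dst) if self.symmetric else src
        if key not in self.ports:
            self.ports[key] = self.next_port
            self.entries[self.next_port] = (src, set())
            self.next_port += 1
        port = self.ports[key]
        self.entries[port][1].add(dst)   # only contacted peers may reply
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Return the internal endpoint for permitted traffic, else None (drop)."""
        internal, peers = self.entries.get(public_port, (None, ()))
        return internal if remote in peers else None

A, B = ("192.168.1.2", 50000), ("10.0.0.7", 50001)   # private hosts (constructed)
SERVER = ("198.51.100.9", 3478)                      # rendezvous server (constructed)

def punch(nat_a, nat_b, rounds=2):
    """Both peers register with SERVER, then send to each other's reported endpoint."""
    a_pub = nat_a.outbound(A, SERVER)
    b_pub = nat_b.outbound(B, SERVER)
    delivered = []
    for _ in range(rounds):
        src = nat_a.outbound(A, b_pub)                        # A -> B
        delivered.append(nat_b.inbound(src, b_pub[1]) == B)
        src = nat_b.outbound(B, a_pub)                        # B -> A
        delivered.append(nat_a.inbound(src, a_pub[1]) == A)
    return delivered

def demo():
    cone = punch(Nat("203.0.113.5"), Nat("203.0.113.77"))
    sym = punch(Nat("203.0.113.5"), Nat("203.0.113.77", symmetric=True))
    return cone, sym

if __name__ == "__main__":
    print(demo())
```

With two endpoint-independent NATs only the first packet is dropped and every later one is delivered. When one side is symmetric, its traffic to the peer leaves from a different public port than the one the server reported, so nothing gets through in either direction.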

Hole Punching vs. NAT Traversal

Aspect             | Hole Punching (P2P)                   | NAT Traversal (Relay)
-------------------|---------------------------------------|-------------------------------------
Goal               | Direct client-to-client communication | Access internal services via server
Server Dependency  | Only during punch phase               | Continuous server relay
Communication Path | Client ↔ Client                       | Client ↔ Server ↔ Client
Latency            | Lower (direct)                        | Higher (extra hop)
Failure Scenarios  | Symmetric NAT, strict firewall        | Rare (mostly slower)

Forward and Reverse Proxy

A proxy acts as an intermediary server that forwards client requests to target servers. It can hide the client’s IP (forward proxy) or hide the server’s details (reverse proxy).

Hide Real IP: Protects user privacy (forward).

Bypass Restrictions: Access blocked sites (forward).

Cache & Accelerate: Reduces repeated requests (forward).

Audit & Filter: Record and control network behavior (forward).

Enable Intranet Penetration: Access internal services via public proxy (reverse).

Forward vs. Reverse Proxy Comparison

Dimension            | Forward Proxy                                | Reverse Proxy
---------------------|----------------------------------------------|-------------------------------------------------------
Acts on Behalf Of    | Client                                       | Server (target)
Request Initiator    | Client explicitly configures proxy           | Client unaware of proxy
Primary Use          | Client accesses restricted/external services | Client reaches a unified entry point; server is hidden
Hidden Object        | Client identity & address                    | Server structure & address
Client Config Needed | Yes                                          | No

Understanding these concepts helps network engineers design solutions for remote access, secure communications, and efficient traffic handling.

Thank you for reading!
