Using a Private Network to Access the Internet

This article does not deal with IPv6 but rather specifically the difficulties around the lack of scope in IPv4. IPv6 is a while off yet so these IPv4 woes and their solutions are still very current.

The Internet is an INTERlinked NETwork. In general terms, there are no computers in the Internet. It is made of network stuff - routers and switches. The computers and servers all live around the edges - and so do private networks. The Internet serves to connect them together.

So they can find each other across a network, each network connected device (computers and network gear) uses an "Internet Protocol (IP) address". This works in the same way as your house address but looks very different and is not human friendly. In the most commonly used form (IP version 4) there is a limit of about four and a quarter billion possible addresses. This might sound like a lot but with seven billion people on the planet and many more computing devices (including network components etc) it isn't that many. The clever chaps who designed IPv4 all those years ago realised there wouldn't be enough addresses to go round and so they made three groups of IP addresses (actually a few more than this but they are special purpose) that don't work across the Internet - these are called "Private Addresses" - nearly everything else is called a "Public Address" (ignore stuff like loopbacks etc...)

Most end-point users and systems access the Internet from a private network. Between the private network and the Internet is a "Gateway". This will be a firewall, proxy or router (or a combination of these) with a public IP address as well as a private address in your LAN, which relays traffic back and forth between the Internet and the private network. This process allows many computers to access the Internet without each needing a public address and provides a good first defence against attack (worms and the like), because when properly configured it is not possible to target the machines on the network behind the gateway, or even to discover its topology (a map of it). The replies will come back to the gateway (since it made the request for you), but it will recognise the traffic and pass it to the original requester in the private LAN. If everything is working properly, you shouldn't even be aware of the gateway's existence.

The following image shows how private networks communicate with each other across the internet using gateways. Networks are usually shown as clouds in such diagrams - now you understand why "cloud computing" :o)

The three address ranges that can be used for private networks are:

  • Addresses starting 10.x.x.x - "Private Class A" giving 16 million addresses, intended for very large organisations and data centres.
  • Addresses starting 172.16.x.x through 172.31.x.x - "Private Class B" giving a million addresses, intended for medium-to-large organisations and data centres.
  • Addresses starting 192.168.x.x - "Private Class C" giving 65 thousand addresses, often broken up as 256 networks of 256 addresses each. Intended for home or small-to-medium organisations.

(Generally you can ignore the legacy concept of "classes" of address; they have been superseded by the much more compact and flexible CIDR notation, but many people still refer to them as a quick way of indicating the size of a network.)
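To make the two ideas above concrete (the three private ranges, and a gateway that hides a whole LAN behind one public address and steers replies back to the right machine), here is a small added example; it is not code from the original article, and the gateway is a deliberately minimal NAT table keyed only on the port the Internet sees.

```python
# Added example (not from the original article). Assumes the three RFC 1918
# ranges listed above and models the gateway's "relay and remember" behaviour.
import ipaddress

PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # "Private Class A"
    ipaddress.ip_network("172.16.0.0/12"),   # "Private Class B"
    ipaddress.ip_network("192.168.0.0/16"),  # "Private Class C"
]

def is_private(addr: str) -> bool:
    """True for the three private ranges (loopback etc. ignored, as above)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)

class Gateway:
    """Relays LAN traffic to the Internet from one public address and maps
    replies back to the original requester (a minimal NAT table)."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000          # first public-side port to hand out
        self.table = {}                 # public port -> (private ip, private port)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str):
        """LAN host sends to the Internet; returns (ip, port) the Internet sees."""
        if not is_private(src_ip) or is_private(dst_ip):
            return None                 # not LAN-to-Internet traffic: don't relay
        for pub_port, inner in self.table.items():
            if inner == (src_ip, src_port):
                return (self.public_ip, pub_port)   # existing mapping reused
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port)
        return (self.public_ip, pub_port)

    def inbound(self, dst_port: int):
        """Reply arrives from the Internet; look up who asked for it.
        Unsolicited traffic has no entry and is dropped, so the LAN stays hidden."""
        return self.table.get(dst_port)
```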

Private addresses don't work across the Internet and so they can be used over and over again to form private networks - factories, offices, your house etc. If you try to get to a private address via the Internet, every network router you hit on your way should do two things:

  1. It should send back a "Destination Unreachable" message then immediately...
  2. It should send back a "Source Quench" message.

You only need one router (usually the first off your network) to do this to form a ring-fence around your private network. What that router is effectively saying is

"You can't get to that address through me. Don't send me any more traffic like this."

This is a convention - there is no technological reason private addresses wouldn't work over the Internet; indeed some of the very same devices used to build the Internet are also used to form private networks... it is just how they are configured. For this reason, every router along the way should respond the same way, so that if the one before was badly configured and allowed the traffic through, the next should stop it.

Another method employed is to bounce un-routeable data packets back and forth between a pair of routers. So router A sends the packet to router B, which then sends the packet to router A, which then sends the packet to router B... Every packet has a TTL (Time To Live) counter which is decremented (subtract 1) each time it passes through any networked device. If the TTL gets to zero, the packet is returned to the sender as "Expired in Transit". TTLs usually start out at about 32 or so. This means every packet you send has to get to its destination in 32 or fewer hops or it will die along the way and be returned.

Although more intensive and time-consuming, this method is used as a last resort on master gateways because some things are a bit stupid and won't behave properly when the router does steps 1 and 2 above (there is some discussion as to whether routers should even send a source quench, because it may increase network traffic if the recipient doesn't act on it) - but everything responds to a TTL death. A recent hack on certain vulnerable routers caused them to forward every packet with a TTL of 1, which meant that you couldn't reach any network other than your own LAN: the moment you stepped out of your network, the packet expired and was sent back - nasty, and a real so-and-so to find.
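The router conduct described in the last few paragraphs, as an added simulation that is not part of the original article: each router on a path is either correctly configured (refuses private destinations with the "unreachable, stop sending" response) or leaky (forwards them), and a loop between two leaky routers is ended only by the TTL running out. The router names and the `routers` table layout are assumptions made for the example.

```python
# Added example (not from the original article). Routers are described as
# name -> (well_configured, next_hop_name or None); the topology is made up.
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)

def send(dst: str, routers: dict, first: str, ttl: int = 32) -> dict:
    """Walk the packet from router `first` and report its fate and the hops taken."""
    hops = []
    cur = first
    while cur is not None:
        ttl -= 1                       # every device on the way subtracts 1
        hops.append(cur)
        if ttl == 0:                   # TTL death: nothing can ignore this
            return {"result": "expired in transit", "by": cur, "hops": hops}
        well_configured, nxt = routers[cur]
        if is_private(dst) and well_configured:
            # Steps 1 and 2 above: refuse, and tell the sender to stop
            return {"result": "destination unreachable + source quench",
                    "by": cur, "hops": hops}
        cur = nxt                      # leaky router, or public destination: forward
    return {"result": "delivered", "by": hops[-1], "hops": hops}

# Constructed topologies: a chain where the first router leaks but the second
# ring-fences, and a pair of leaky routers that bounce the packet between them.
CHAIN = {"A": (False, "B"), "B": (True, "C"), "C": (True, None)}
BOUNCE = {"A": (False, "B"), "B": (False, "A")}
```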

You can see from this that private networks (even if they use identical addresses) can't see each other across the Internet, because they are "hiding" behind the public address of their respective gateways, so nothing gets confused. Public addresses must be unique on the Internet. This means they get used up quite quickly (we are almost out of IPv4 addresses), and this only serves to underline the far-sighted thinking of the original IPv4 designers. Millions of computers can occupy private networks and consume just a few hundred precious public addresses, and everything works - it really is a brilliant piece of engineering design.

Sometimes it is useful or even necessary to know with what address you appear to the Internet (your Gateway address), maybe to configure a firewall rule on a remote system or to NAT some inbound traffic (which otherwise couldn't reach you because of your private address), which is why we provide this service.