Today we will look at organizing shared Internet access and automatic network configuration on the Windows platform. Although this is a more expensive solution, its use is justified when close integration with a network infrastructure built on Windows Server is required.
As a working platform we used Windows Server 2008 R2, the most current platform today; however, everything said here also applies, with minor amendments, to the previous versions, Windows Server 2003 / 2008.
First, you need to configure the network interfaces. In our case, the interface facing the provider’s network receives its settings via DHCP; we renamed it EXT. The internal interface (LAN) has a static IP address of 10.0.0.1 and a mask of 255.255.255.0.
The easiest way to organize shared Internet access is to enable the corresponding option in the network connection settings. However, despite its simplicity, this method is extremely inflexible and is acceptable only if no other routing tasks are assigned to the server. It is better to take a route that looks more complicated at first glance but gives you a very powerful and flexible tool that can solve much more complex network problems.
Let's start, as expected, by adding a new server role: Network Policy and Access Services.
In the role services we select Routing and Remote Access Services; everything else doesn’t interest us now. After the role has been installed successfully, you can proceed to the routing settings.
In Roles we find the routing service and, through the Actions menu, choose Configure and Enable Routing and Remote Access. The setup is done by a wizard that guides us through it step by step. As the configuration we select Network Address Translation (NAT); any other features can be configured manually later.
Here you need to specify the interface with which our server is connected to the Internet; if necessary, you can create it (for example, when using PPPoE or VPN connections).
We leave the remaining settings at their defaults. After you click the Finish button, the Routing and Remote Access service starts and our server is ready to serve clients from the internal network. You can check that it works by giving a client machine an IP address from the internal network range and specifying our server's address as the gateway and DNS server.
To configure network parameters on client machines automatically, without having to run from place to place registering IP addresses by hand, you should add the DHCP Server role.
For this we choose Add Roles in Server Manager and mark the option we need.
Now we have to answer a number of simple questions. In particular, select the internal networks for which DHCP should be used; if necessary, you can configure different parameters for different networks. Then specify the parameters of the DNS and WINS servers in turn. The latter may be left unspecified if there is none. If your network has no old workstations running anything other than Windows NT 5 and higher (2000 / XP / Vista / Seven), there is no need for a WINS server.
Adding a DHCP scope must be done with extreme care; an error here can make the entire network inoperable. There is nothing complicated about it: we just carefully enter all the necessary network parameters, making sure that the allocated IP range does not overlap ranges already allocated to other devices, and do not forget to specify the mask and gateway correctly.
Pay separate attention to the address lease duration. After half the lease period has expired, the client sends a request to the server to extend the lease. If the server is unavailable, the request is repeated after half the remaining time. In wired networks, where computers do not move within the network, you can set a fairly long lease period. If there are a large number of mobile users (for example, a public Wi-Fi hotspot in a cafe), the lease period can be limited to a few hours; otherwise the leased addresses will not be released in a timely manner and the pool may run out of free addresses.
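The effect of the lease duration can be checked with a small model. This is an added example, not part of the original article; the pool size, the arrival rate and the 60-second floor on retry intervals are constructed assumptions.

```python
# Added example: DHCP lease timing as described above. All numbers are constructed.

def renewal_attempts(lease_s, min_wait_s=60):
    """Seconds after lease start at which the client asks to extend the lease
    when the server never answers: first at half the lease, then after half of
    whatever time remains. min_wait_s is an assumed floor that ends the halving."""
    attempts, t = [], lease_s / 2
    while lease_s - t >= min_wait_s:
        attempts.append(t)
        t += (lease_s - t) / 2
    return attempts


def refused_clients(pool_size, lease_h, arrivals_per_h, hours):
    """Hotspot model: every hour `arrivals_per_h` new devices take an address and
    walk away without releasing it, so an address only returns to the pool when
    its lease expires. Returns how many devices found the pool empty."""
    expiry = []      # hour at which each active lease ends
    refused = 0
    for hour in range(hours):
        expiry = [e for e in expiry if e > hour]   # expired leases are freed
        for _ in range(arrivals_per_h):
            if len(expiry) < pool_size:
                expiry.append(hour + lease_h)
            else:
                refused += 1
    return refused


if __name__ == "__main__":
    print("renewal attempts for a 1 h lease:", renewal_attempts(3600))
    for lease_h in (192, 2):                       # 8 days compared with 2 hours
        n = refused_clients(pool_size=100, lease_h=lease_h,
                            arrivals_per_h=20, hours=12)
        print(f"lease {lease_h:>3} h: {n} devices refused during a 12 h day")
```

With the long lease the pool is empty after five hours and stays empty for the rest of the day; with the two-hour lease no device is refused.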
The next step is to decline IPv6 support. After the DHCP role is installed, the server is ready to work without any additional settings. You can check that the client machines work.
The issued IP addresses can be viewed under Address Leases for the scope of interest. Here you can also configure the reservation of a specific address for a certain client (binding it by name or MAC address); if necessary, you can add or change scope parameters. Filters allow you to create allow or deny rules based on client MAC addresses. A more complete consideration of all the features of the Windows Server 2008 R2 DHCP server is beyond the scope of this article, and we will most likely devote separate material to them.
Network Address Translation (NAT) is an IETF (Internet Engineering Task Force, the working group that develops Internet technologies) standard with which several computers on a private network (with private addresses from ranges such as 10.0.x.x, 192.168.x.x, 172.x.x.x) can share a single IPv4 address that provides access to the global network. The main reason for the growing popularity of NAT is the increasingly acute shortage of IPv4 addresses. Many Internet gateways also actively use NAT, especially to connect to broadband networks, for example via DSL or cable modems.
In order to act as a router, the server must have 2 network interfaces: one for the Internet and one for the network that is to be connected to the Internet. In my setup the network connections are called LAN_1 (Internet) and LAN_2 (local area network).
I’ll say right away that the Windows Firewall/Internet Sharing (ICS) service must be disabled.
So, let's start the installation:
So, we have installed the network interfaces, now let’s configure them.
First of all, let's configure External interface (LAN_1):
192.168.0.2 - IP address of the user who will access the network through our server
10.7.40.154 - external IP address of the server
When accessing the Internet using this technology, you will have an IP address of 10.7.40.154. There are different configuration methods; you can reserve addresses for each machine separately. In a reservation you can specify more than one address range or none at all, in which case any IP address on the local network will be able to reach the Internet through the server.
Open the Properties of the local network adapter, then TCP/IP Properties. Enter the client’s IP address and mask, and in Default gateway enter the server IP address. In the DNS fields you must enter the IP addresses of the provider's DNS servers or of the installed local DNS server.
That's all! This completes the installation and configuration.
Network Address Translation (NAT) is a method of remapping one address space into another by modifying the address information in packet headers while the packets are in transit through a traffic routing device. The method was originally used to redirect traffic on IP networks easily, without renumbering each host. It has become a popular and important tool for conserving and distributing global address space in the face of the shortage of IPv4 addresses.
The original use of network address translation is to map each address in one address space to a corresponding address in another space. For example, this is necessary if the Internet service provider has changed and the user is unable to publicly advertise the new route to the network. With the foreseeable global depletion of IP address space, NAT has been used increasingly since the late 1990s in combination with IP masquerading (a method of hiding multiple IP addresses behind a single one). This mechanism is implemented in a routing device that uses stateful translation tables to map the "hidden" addresses into a single IP address and rewrites outgoing IP packets on egress, so that they appear to originate from the routing device. In the reverse direction, responses are mapped back to the originating IP address using the rules stored in the translation tables. The translation table rules, in turn, are cleared after a short period if new traffic does not refresh their state. This is the basic mechanism of NAT. What does this mean?
This method allows communication through the router only when the connection originates in the masqueraded network, since that is what creates the translation table entries. For example, a web browser inside such a network can view a site outside it, but a browser outside cannot open a resource hosted within it. However, most NAT devices today allow translation table entries to be configured for persistent use. This feature is often referred to as static NAT or port forwarding, and it allows traffic originating on the "external" network to reach designated hosts on the masqueraded network.
Because of the popularity of this method of conserving IPv4 address space, the term NAT (what it actually is was stated above) has become almost synonymous with IP masquerading.
Because Network Address Translation changes the address information of IP packets, it has serious consequences for the quality of your Internet connection and requires careful attention to the details of its implementation.
NAT applications differ from each other in their specific behavior in different cases regarding the impact on network traffic.
The simplest type of Network Address Translation (NAT) provides one-to-one translation of IP addresses. RFC 2663 refers to this type of translation as basic NAT. In this type, only the IP addresses and the IP header checksum are changed. Basic NAT can be used to connect two IP networks that have incompatible addressing.
Most flavors of NAT can map multiple private hosts to a single publicly exposed IP address. In a typical configuration, the LAN uses one of the designated "private" IP address subnets (RFC 1918). A router on this network has a private address in this space.
The router also connects to the Internet using a “public” address assigned by the ISP. As traffic passes from the local network to the Internet, the source address of each packet is translated on the fly from a private address to a public one. The router keeps track of basic information about each active connection (specifically, the destination address and port). When a response returns, it uses the connection data stored during the outbound phase to determine the private address on the internal network to which the response should be forwarded.
One of the benefits of this functionality is that it serves as a practical solution to the impending exhaustion of the IPv4 address space. Even large networks can be connected to the Internet using a single IP address.
All datagram packets on IP networks have 2 IP addresses: source and destination. Typically, packets traveling from a private network to a public network have their source address changed, while packets traveling from the public network back to the private network have their destination address changed. More complex configurations are also possible.
Setting up NAT has some peculiarities. To avoid ambiguity in how returned packets are translated, further modifications are required. The vast majority of Internet traffic travels over TCP and UDP, and their port numbers are modified so that the combination of IP address and port number on the returned data can be matched unambiguously to the original connection.
Protocols not based on TCP and UDP require other translation methods. Internet Control Message Protocol (ICMP) messages typically relate to an existing connection. This means that they must be mapped using the same IP address and port number originally set up for that connection.
Configuring NAT on a router does not give it end-to-end connectivity. Therefore, such routers cannot participate in some Internet protocols. Services that require TCP connections to be initiated from the external network, or that use stateless protocols, may not be available. If a NAT router does not make special efforts to support such protocols, incoming packets may not reach their destination. Some protocols can accommodate a single translation between participating hosts ("passive mode" FTP, for example), sometimes with the help of an application layer gateway, but the connection will not be established when both systems are separated from the Internet by NAT. The use of Network Address Translation also complicates "tunnel" protocols such as IPsec, because it changes header values that are covered by integrity checks.
End-to-end connectivity has been a core principle of the Internet since its inception. The current state of the network shows that NAT violates this principle. Experts have serious concerns about the widespread use of network address translation in IPv6, and about how to address it effectively.
Because the translation state tables in NAT routers are short-lived, devices on the internal network lose IP connectivity, usually within a very short period of time, unless they keep the mapping alive with periodic traffic. When talking about what NAT is in a router, we must not forget this circumstance. It seriously reduces the operating time of compact battery-powered devices.
Additionally, when NAT tracks only ports, they can be depleted quickly by internal applications that use multiple simultaneous connections (for example, HTTP requests for web pages with a large number of embedded objects). This problem can be mitigated by tracking the destination IP address in addition to the port (so that one local port is shared by a large number of remote hosts).
Since all internal addresses are masqueraded as a single public address, it becomes impossible for external hosts to initiate a connection to a specific internal host without special configuration on the firewall (which must forward connections to a specific port). Applications such as IP telephony, video conferencing and similar services must use NAT traversal techniques to function properly.
Reverse Address and Port Translation (RAPT) allows a host whose real IP address changes from time to time to remain reachable as a server through a fixed home-network IP address. In principle, this should allow servers set up this way to maintain connectivity. Although this is not a perfect solution to the problem, it may be another useful tool in the arsenal of a network administrator when solving the problem of how to configure NAT on a router.
Cisco's implementation of RAPT is Port Address Translation (PAT), which maps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each one is tracked using a port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. These numbers are 16-bit integers. The total number of internal addresses that can be translated to one external address can theoretically reach 65536. The actual number of ports to which a single IP address can be assigned is about 4000. Typically, PAT tries to preserve the original source port. If it is already in use, Port Address Translation assigns the first available port number starting from the beginning of the corresponding group: 0-511, 512-1023, or 1024-65535. When there are no more ports available and there is more than one external IP address, PAT moves on to the next one and tries to allocate the original port again. This process continues until no more ports or external addresses are available.
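The port selection order described above, as an added example (not Cisco's code). The class name PatAllocator, the 203.0.113.x external addresses and the separate TCP and UDP port spaces are assumptions made for illustration.

```python
# Added example: PAT port selection. Addresses are constructed; the external
# ones come from the RFC 5737 documentation range.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def group_of(port):
    """Return the (low, high) bounds of the group a source port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"not a valid port: {port}")


class PatAllocator:
    def __init__(self, external_ips):
        # Per external address: the (protocol, port) pairs already handed out.
        # Keeping TCP and UDP in separate port spaces is an assumption here.
        self.used = {ip: set() for ip in external_ips}
        self.outbound = {}   # (proto, inside_ip, inside_port) to (ext_ip, ext_port)
        self.inbound = {}    # (proto, ext_ip, ext_port) to (inside_ip, inside_port)

    def allocate(self, proto, inside_ip, inside_port):
        """Map an inside endpoint to an external one; None when all is exhausted."""
        key = (proto, inside_ip, inside_port)
        if key in self.outbound:                 # an existing translation is reused
            return self.outbound[key]
        low, high = group_of(inside_port)
        for ext_ip, used in self.used.items():   # external addresses in configured order
            port = self._pick(used, proto, inside_port, low, high)
            if port is not None:
                used.add((proto, port))
                self.outbound[key] = (ext_ip, port)
                self.inbound[(proto, ext_ip, port)] = (inside_ip, inside_port)
                return ext_ip, port
        return None

    @staticmethod
    def _pick(used, proto, wanted, low, high):
        if (proto, wanted) not in used:          # 1. try to preserve the original port
            return wanted
        # 2. otherwise the first free port from the start of the same group
        #    (port 0 is skipped because it cannot be used on the wire)
        for port in range(max(low, 1), high + 1):
            if (proto, port) not in used:
                return port
        return None                              # 3. group is full on this address

    def release(self, proto, inside_ip, inside_port):
        """Drop a translation, for example when its table entry times out."""
        ext = self.outbound.pop((proto, inside_ip, inside_port), None)
        if ext:
            self.used[ext[0]].discard((proto, ext[1]))
            del self.inbound[(proto, ext[0], ext[1])]


if __name__ == "__main__":
    pat = PatAllocator(["203.0.113.1", "203.0.113.2"])
    for host in ("192.168.0.2", "192.168.0.3", "192.168.0.4"):
        print(host, "port 40000 maps to", pat.allocate("tcp", host, 40000))
```

Three inside hosts that all use source port 40000 end up on 40000, 1024 and 1025 of the first external address; the second address is only touched once a whole group is full.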
Address and port mapping is performed by a Cisco service that combines port address translation with tunneling of IPv4 packets over an internal IPv6 network. Essentially, it is an unofficial alternative to carrier-grade NAT and DS-Lite that supports IP address/port translation (and therefore supports NAT configuration). Thus it avoids problems in establishing and maintaining connections and also provides a transition mechanism for IPv6 deployment.
There are several ways to implement network address and port translation. In some application protocols that use IP address information, the application running on the masqueraded network needs to determine the external address of the NAT (the one seen at the other end of the connection) and, in addition, often needs to examine and classify the type of translation in use. This is usually done because it is desirable to create a direct communication channel between two clients that are both behind separate NATs (either to keep data flowing through the server uninterrupted, or to improve performance).
For this purpose a special protocol, Simple Traversal of UDP Through NATs (RFC 3489), was developed in 2003. Today it is obsolete, since its methods are insufficient to assess the behaviour of many of today's devices correctly. The new methods were standardized in RFC 5389, which was developed in October 2008. This specification is now called Session Traversal Utilities for NAT.
Each TCP and UDP packet contains the source IP address and port number as well as the destination IP address and port number.
To reach public services such as a mail server, the port number is important. For example, port 80 connects to the web server software, and port 25 to the SMTP mail server. The IP address of a public server is also significant, much like a postal address or telephone number. Both of these parameters must be reliably known to all nodes that intend to establish a connection.
Private IP addresses have meaning only on the local networks where they are used. Ports are unique communication endpoints on a host, so communication across NAT is maintained using a combined mapping of port and IP address.
PAT (Port Address Translation) resolves the conflicts that arise when two different hosts use the same source port number to establish unique connections at the same time.
/05.07.2004 20:43/ In recent years, the fashion for FireWall and NAT. Eserv users have known my attitude towards these technologies since the mid-90s, but newcomers sometimes ask such questions about FireWall / NAT, and we have to repeat ourselves. That is why I wrote a separate article about FireWall about a year ago, and today it is NAT's turn.
The simplest solution to this problem, replacing the return address at the border between networks, lay on the surface and was published immediately: in May 1994, i.e. two months after the “network division”, the NAT specification was proposed: http://www.ietf.org/rfc/rfc1631.txt, The Network Address Translator (NAT), May 1994. The authors announced it as a "short-term solution", i.e. a temporary solution to this problem, a kind of “hack” until normal solutions became widespread. But, as we know, nothing is as permanent as the temporary. IPv6, contrary to expectations, did not take root quickly, and over the past 10 years we have witnessed more and more new battles on the borders between the LAN and the Internet. NAT became widespread because there was no other acceptable solution to this problem in those years: FTP clients and HTTP clients (browsers) had not had time to adapt to the changed picture of the world and could not work from the LAN with external resources, so to make the border transparent for them they were simply “deceived” in software using NAT. All IP packets addressed from the LAN to the outside underwent the simplest processing at the border: the return IP address was replaced with the real address of the “edge” computer, and the reverse replacement was made in incoming packets. In addition, the source port number was usually replaced as well, because packets can come from different machines on the LAN with the same port numbers. That is, not only IP addresses are translated but also port numbers (port translators are sometimes given a separate abbreviation, PAT). In the conventional classification, NAT is divided into “static, dynamic and masquerading”, but in practice the third type is mainly used; it allows thousands of connections from the LAN to be served (ideally) through one real address, and port translation is always used.
On a NAT computer or router+NAT, a range of ports is allocated for translation, for example those with numbers greater than 60000 (to quickly distinguish these ports from those allocated for the computer’s own needs), along with a dynamic table of current sessions/address mappings. Each passing packet is checked against this table by port and the appropriate substitutions are made. The technology is so simple that it is now increasingly rare to find a router or cable modem without built-in NAT (and a FireWall that is just as primitive as the NAT), and NAT can already be found even in hubs with prices starting from $40. Not to mention the “free” NAT that is part of the several latest versions of Windows under the name "connection sharing". It is accessibility, ease of understanding and use, and undemanding requirements for client software that have made NAT deservedly popular.
Therefore, the “NAT problem” in the FTP protocol has to be worked around in a special way, either in FTP clients or in another intermediate specialized FTP proxy. In the FTP client you need to switch to the so-called "passive mode", using the PASV command instead of the PORT command. PASV asks the FTP server to open an additional port on itself and inform the client of its IP:port. The client then connects to the specified address (NAT deceives it again and translates the connection) and the session succeeds. Besides requiring PASV support in the FTP client (the standard ftp.exe does not have it), this also takes some effort on the part of the FTP server administrator, especially if the server is itself partially blocked by firewalls and NATs (as developers of an FTP server for Eserv, we know these problems firsthand). In general, NAT here does not help to connect but hinders.
Now about reconstructing the protocol inside NAT to work around the problem “transparently” for the client. The few NATs that can do this (although in practice they declare it more than they actually manage it) in effect rise one network level up: instead of simply forwarding packets with address translation in the header, they begin to do what the TCP stack does, reassembling the TCP stream from packets. Thus they turn from an overdeveloped router into an underdeveloped application-level TCP proxy, in this case an FTP proxy or FTP gate. Underdeveloped because the client does not know about this proxy, and the NAT, in turn, continues to guess at the protocol and to take on a task that is inconvenient to solve at its level (the level of IP packets).
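Why translating the IP header is not enough for active FTP, and what a protocol-aware NAT has to rewrite, shown as an added example that is not part of the original article or of Eserv. The control-channel lines, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Added example. The control-channel lines used with it are constructed samples.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def is_rfc1918(ip):
    """True for the private ranges that only have meaning inside a LAN."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def decode_hostport(line):
    """Extract (ip, port) from the h1,h2,h3,h4,p1,p2 field of PORT or a 227 reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no host-port field in: %r" % line)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in: %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def inspect_control_line(line, sender_ip_on_wire):
    """What the far side of a NAT can tell from one control-channel line."""
    ip, port = decode_hostport(line)
    active = line.upper().startswith("PORT ")
    return {
        "mode": "active" if active else "passive",
        "data_connection": "server to client" if active else "client to server",
        "endpoint": (ip, port),
        # A private address, or one that differs from the packet's source, means a
        # NAT rewrote the IP header but not the address carried in the payload.
        "unroutable": is_rfc1918(ip),
        "matches_sender": ip == sender_ip_on_wire,
    }


def alg_rewrite_port(line, mapped_ip, mapped_port):
    """What a protocol-aware NAT has to do to a PORT command. Returns the new line
    and the change in length; a non-zero change shifts every later TCP sequence
    number on the flow, which is why the NAT ends up tracking the TCP stream."""
    if not line.upper().startswith("PORT "):
        return line, 0
    decode_hostport(line)                        # reject malformed commands
    new = "PORT " + encode_hostport(mapped_ip, mapped_port) + "\r\n"
    return new, len(new) - len(line)


if __name__ == "__main__":
    cmd = "PORT 192,168,0,2,195,80\r\n"          # sent by a client behind NAT
    print(inspect_control_line(cmd, "203.0.113.10"))
    print(alg_rewrite_port(cmd, "203.0.113.10", 60001))
```

The same inspection applied to a 227 reply shows the server-side variant of the problem: a server behind its own NAT that announces a private address in passive mode is just as unreachable.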
This problem is solved much more easily if, instead of NAT or in addition to it, you use a specialized proxy (FTP gate) right away, or a universal TCP proxy such as Socks or, in extreme cases, HTTPS (even this extreme case will work better than NAT). They work natively at the TCP level and do not trick the FTP client but cooperate with it. Three layers of problems disappear at once: the FTP client can use any mode, active or passive (with HTTPS only passive, as with NAT), and there is no need to guess the protocol or to assemble TCP twice. In addition, the administrator has more opportunities to influence the process (more on this later).
If the client program cannot work through a special proxy (there are practically none left, but we will talk about the worst cases), then with a Socks proxy the client’s work can also be made transparent using the SocksCapture program or the domestic FreeCap. Transparency of the border is always a deception, but SocksCapture and FreeCap intercept not IP packets but the program's calls to the OS, so they always know exactly, rather than infer from the packet flow, what action the program wants to perform, and redirect these actions through the Socks proxy accordingly.
Socks has overcome all the limitations of NAT, plus added at least three convenient tools that allow you not only to “proxy” almost any TCP and UDP protocol, but also to improve control over the use of the Internet from the LAN:
The same is true of any other application protocol for which specialized proxies exist: they are always an order of magnitude more manageable than universal low-level ones. For example, many POP3 proxies, such as PopFile, let you filter spam (although it is much more correct to filter spam on the SMTP server than on the proxy). For Socks and NAT this would require special skills in understanding the transmitted protocol, i.e. in effect “emulating” a POP3 proxy using not very convenient means.
Therefore, using Socks or NAT for those protocols for which there are specialized proxies (HTTP, HTTPS, FTP, SMTP, POP3, IMAP) or a generally accepted architecture of intermediate servers (SMTP, POP3, IMAP, DNS) can be considered a forced, suboptimal solution. Forced either by the impossibility of using the required type of proxy for organizational reasons (there is nowhere to put it, or the type of connection does not provide a single real IP address, as with Internet access via GPRS or home-network options; in these cases NAT or a "forced HTTP proxy" is already on the provider’s side), or by insufficient awareness on the part of those responsible, including admins. I don’t take financial restrictions into account, because there are many free or very cheap proxies for all these protocols.
In some cases the use of Socks5 is quite justified, for example for ICQ and other instant messengers. Special proxies are simply not developed for these protocols, because they are almost invisible against the general background of network use. If there is no mail server or pop3/smtp proxy on the LAN, the next candidate will also be Socks5, although not all mail clients support it, and in some it has non-obvious quirks (see Mozilla Thunderbird).
When going through the options, NAT will be the “last resort”: for when nothing better was found, or when NAT was installed by the provider in the first place, in a cable modem, router or mobile connection (it is NAT that is built into these pieces of hardware, and not a special proxy for popular protocols, because of the extreme simplicity of its basic implementation: the source code of a similar NAT device, the UDPMAP plugin in Eproxy, is only 4Kb in size). Some protocols will not work, and it will be difficult to manage the work. But in such extreme cases it is better to work at least somehow than not to work at all.
That is the detailed explanation of my position, well known for the last 8 years: “Eserv will never have NAT.” In the vast majority of cases, you either don’t need NAT, or you already have it as a punishment for your choice of provider. And to get acquainted with NAT, you can use the connection sharing built into Windows; it works exactly like NAT.
See also the "crutch" for NAT on the Microsoft website: NAT traversal, i.e. overcoming NAT by adapting applications, and NAT/Firewall configuration via UPnP. If you are hearing the phrase NAT traversal for the first time, it is because developers prefer Socks5 to crutches and patches, and this initiative has not received “code support”. But the article is good for its pictures (unlike mine). There is also another independent description of NAT problems.
In Windows XP, NAT/ICS is enabled in the Internet connection properties.
If you receive the message "Unable to enable sharing. Error: 1722: The RPC server is unavailable." (“Cannot enable shared access. Error: 1722: The RPC server is not available.”), then most likely your DHCP client service is stopped or disabled; you need to start it before enabling ICS.
Quote: If we compare working through NAT with the real thing, then so far I have only had problems with NAT with voice, video and file transfer in programs like MSN Messenger. Perhaps in some NAT implementations there are also problems with active ftp, connection to external VPN servers, etc., but when working through NAT in Linux (with appropriate settings) there are no problems with this. The advantage of NAT in this case is saving IP addresses and a firewall.
If we compare NAT with a proxy (as a way to access the Internet, i.e. redirecting requests, without considering the functions of caching, URL analysis, etc.), then more applications and protocols work through NAT (all); NAT does not require special settings from the user; a proxy is more demanding on equipment. Proxies usually do not provide Destination NAT (DNAT) functionality, although in Eserv you can achieve partial similarity of DNAT using tcp/udp mapping. End of quote.
This quote shows that providers also have very different requirements from enterprise administrators.
Besides SNAT, i.e. giving users of a local network with internal addresses access to the Internet, Destination NAT is also often used: requests from outside are translated by the firewall to a server on the local network that has an internal address and is therefore not directly accessible from the external network (without NAT).
The figures below show an example of the operation of the NAT mechanism.
Fig. 7.1.
A user of the corporate network sends a request to the Internet, which arrives at the internal interface of the router, access server or firewall (the NAT device).
The NAT device receives the packet and makes an entry in the connection tracking table, which controls address translation.
It then replaces the source address of the packet with its own external public IP address and sends the packet to its destination on the Internet.
The destination host receives the packet and sends a response back to the NAT device.
The NAT device, in turn, having received this packet, looks up the sender of the original packet in the connection tracking table, replaces the destination IP address with the corresponding private IP address and forwards the packet to the source computer. Because the NAT device sends packets on behalf of all internal computers, it changes the original network port, and this information is stored in the connection tracking table.
There are 3 basic concepts for address translation:
Static NAT maps local IP addresses to specific public addresses on a one-to-one basis. Used when the local host must be accessible from outside using fixed addresses.
Dynamic NAT maps a set of private addresses to a set of public IP addresses. If the number of local hosts does not exceed the number of public addresses available, each local address will be guaranteed to correspond to a public address. Otherwise, the number of hosts that can simultaneously access external networks will be limited by the number of public addresses.
Masquerade NAT (NAPT, NAT Overload, PAT, masquerading) is a form of dynamic NAT that maps multiple private addresses to a single public IP address using different ports. Also known as PAT (Port Address Translation).
There can be several mechanisms for interaction between an internal local network and an external public network; which one applies depends on the specific task of providing access to the external network and back, and is prescribed by certain rules. There are 4 types of network address translation defined:
In the first three types of NAT, the same external port is used to communicate between different IP addresses on the external network and addresses from the local network. The fourth type - symmetrical - uses a separate external port for each address and port.
With Full Cone NAT, the external port of the device (router, access server, firewall) is open to requests coming from any address. If a user on the Internet needs to send a packet to a client located behind the NAT, he only needs to know the external port of the device through which the connection is established. For example, a computer behind NAT with the IP address 192.168.0.4 sends and receives packets on port 8000, which is mapped to the external IP address and port 10.1.1.1:12345. Packets from the external network arrive at the device at IP address:port 10.1.1.1:12345 and are then sent to the client computer 192.168.0.4:8000.
In incoming packets, only the transport protocol is checked; the destination address and port and the source address and port do not matter.
With NAT of the Restricted Cone type, the external port of the device (router, access server, firewall) is open to any packet sent from the client computer, in our example 192.168.0.4:8000. A packet coming from the external network (for example, from computer 172.16.0.5:4000) to the device at address:port 10.1.1.1:12345 will be sent to computer 192.168.0.4:8000 only if 192.168.0.4:8000 previously sent a request to the IP address of the external host (in our case, to computer 172.16.0.5:4000). That is, the router will translate incoming packets only from a specific source address (in our case, computer 172.16.0.5:4000), but the source port number can be anything. Otherwise, NAT blocks packets coming from hosts to which 192.168.0.4:8000 did not send a request.
The Port Restricted Cone NAT mechanism is almost the same as the Restricted Cone mechanism. Only in this case, NAT blocks all packets coming from hosts to which the client computer 192.168.0.4:8000 did not send a request to any IP address and port. The router pays attention to the matching source port number and does not pay attention to the source address. In our example, the router will translate incoming packets with any source address, but the source port must be 4000. If the client sent requests to the external network to several IP addresses and ports, then they will be able to send packets to the client at IP address:port 10.1.1.1:12345.
Symmetric NAT differs significantly from the first three mechanisms in the way it maps the internal IP address:port to the external address:port. This mapping depends on the IP address:port of the computer for which the request is intended. For example, if client computer 192.168.0.4:8000 sends a request to computer #1 (172.16.0.5:4000), it may be mapped to 10.1.1.1:12345, while if it sends from the same port (192.168.0.4:8000) to a different IP address, it is mapped differently (10.1.1.1:12346).
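The translation steps listed earlier (table entry on the way out, lookup on the way back) and the four behaviours above, as an added example that is not from the original text. It uses the article's addresses; the class and function names are hypothetical, Port Restricted Cone follows the RFC 3489 definition, in which both the remote address and the remote port must match an earlier destination (stricter than a check on the source port alone), and classify() goes one step further by probing the NAT the way a traversal client does.

```python
# Added example: the four NAT behaviours, using the addresses from the text above.
KINDS = ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")


class Nat:
    def __init__(self, kind, external_ip="10.1.1.1", first_port=12345):
        if kind not in KINDS:
            raise ValueError(kind)
        self.kind, self.external_ip, self.next_port = kind, external_ip, first_port
        self.out = {}    # mapping key to external port
        self.back = {}   # external port to (inside endpoint, remote endpoints contacted)

    def outbound(self, inside, remote):
        """Outgoing packet: create or reuse the table entry and return the
        external address:port that replaces the private source."""
        # Symmetric NAT keys the mapping on the destination as well.
        key = (inside, remote) if self.kind == "symmetric" else inside
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = (inside, set())
            self.next_port += 1
        port = self.out[key]
        self.back[port][1].add(remote)
        return self.external_ip, port

    def inbound(self, remote, external):
        """Incoming packet: look it up in the table and return the inside
        endpoint it is forwarded to, or None when it is dropped."""
        ip, port = external
        if ip != self.external_ip or port not in self.back:
            return None
        inside, contacted = self.back[port]
        if self.kind == "full_cone":
            allowed = True
        elif self.kind == "restricted_cone":
            allowed = remote[0] in {addr for addr, _ in contacted}
        else:   # port-restricted cone and symmetric: exact remote ip:port
            allowed = remote in contacted
        return inside if allowed else None


def classify(nat, inside=("192.168.0.4", 8000)):
    """Probe an unknown NAT and name its behaviour from what gets through."""
    host_a, host_a_other_port = ("172.16.0.5", 4000), ("172.16.0.5", 4001)
    host_b, stranger = ("172.16.0.6", 4000), ("172.16.0.7", 4000)
    ext = nat.outbound(inside, host_a)
    if nat.outbound(inside, host_b) != ext:
        return "symmetric"                # the mapping depends on the destination
    if nat.inbound(stranger, ext):
        return "full_cone"                # anyone may use the mapping
    if nat.inbound(host_a_other_port, ext):
        return "restricted_cone"          # known address, any port
    return "port_restricted_cone"         # known address and port only


if __name__ == "__main__":
    for kind in KINDS:
        print(kind, "is detected as", classify(Nat(kind)))
```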
However, it is worth mentioning the disadvantages of this technology: