Background technology
With the rapid development of Internet technology, Internet Protocol (IP) addresses have become increasingly scarce, and Network Address Translation (NAT) emerged to address this problem. NAT translates the IP address in the header of an IP datagram into another IP address, so that a small number of public network IP addresses can stand in for a larger number of private network IP addresses, which slows the exhaustion of the available IP address space.
Fig. 1 is a schematic diagram of the process of an existing NAT processing mode. As shown in Fig. 1, to realize mutual access between a host (Host) in the private network and a File Transfer Protocol server (FTP server) in the public network, a mapping from the private network address 192.168.0.10 to the public network address 50.10.10.10 needs to be configured on the NAT device. The specific processing procedure comprises the following steps:
Step 101: A control connection is successfully established between the private network Host and the public network FTP server through a Transmission Control Protocol (TCP) three-way handshake.
Step 102: The Host sends a Port message (the FTP PORT command) to the FTP server. The payload of the Port message carries the destination address and port that the Host designates for the data connection, and notifies the FTP server to use this address and port when establishing the data connection with the Host.
Step 103: When the Port message passes through the NAT device, the private network address and port in the message payload are translated into the corresponding public network address and port; that is, the NAT device translates the private network address 192.168.0.10 in the payload of the received Port message into the public network address 50.10.10.10, and translates port 1024 into port 5000.
It should be noted that in this step, only when the NAT device has the Application Layer Gateway (ALG) function can it translate the address and port in the payload of the received Port message, so that the interaction between the private network and the public network can be completed.
Step 104: After the FTP server in the public network receives the Port message, it parses its content and initiates a data connection to the Host; the destination address of this data connection is 50.10.10.10 and the destination port is 5000.
Step 105: When the packets of this data connection pass through the NAT device, the public network address and port they carry are translated into the corresponding private network address and port; that is, the NAT device translates the public network address 50.10.10.10 into the private network address 192.168.0.10, and translates port 5000 into port 1024.
As in step 103, this step also requires the NAT device to have the ALG function; only then can the NAT device perform this translation and complete the interaction between the private network and the public network.
Step 106: After the address and port translation is completed, the data connection from the FTP server to the Host is established.
At this point, the entire working process of the existing NAT processing mode is complete. Once the data connection has been set up, the Host and the FTP server can transfer data over the established data connection.
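As an added illustration of the ALG behaviour in steps 103 and 105 (example code written for this page, not part of the original document or of any vendor's implementation), the following Python snippet rewrites an FTP PORT command on the control connection and records the reverse mapping that the returning data connection needs. The addresses and ports are the ones from Fig. 1; the class name FtpAlg, the public port allocation starting at 5000 and the seq_delta bookkeeping are assumptions of the example.

```python
import re

# Addresses from the Fig. 1 description: private 192.168.0.10:1024 is
# presented to the public network as 50.10.10.10:5000.
PRIVATE_ADDR, PRIVATE_PORT = "192.168.0.10", 1024
PUBLIC_ADDR, PUBLIC_PORT = "50.10.10.10", 5000

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(cmd: bytes):
    """Parse an FTP PORT command into (ip, port); reject malformed input."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a well-formed PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port(ip: str, port: int) -> bytes:
    """Encode (ip, port) as an FTP PORT command line."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)).encode()


class FtpAlg:
    """Hypothetical minimal ALG for the active-mode FTP exchange of Fig. 1.

    outbound_control() rewrites the PORT payload (step 103) and records the
    reverse mapping; inbound_data_syn() is the lookup the NAT device needs in
    step 105 to translate the server's data-connection destination back to
    the private address.  Rewriting changes the payload length, so the
    cumulative TCP sequence offset is tracked in seq_delta.
    """

    def __init__(self, private_addr: str, public_addr: str, first_public_port: int = 5000):
        self.private_addr = private_addr
        self.public_addr = public_addr
        self.next_public_port = first_public_port     # assumed port pool start
        self.reverse = {}        # (public_addr, public_port) -> (private_addr, private_port)
        self.seq_delta = 0       # bytes added to the client->server stream so far

    def outbound_control(self, payload: bytes) -> bytes:
        """Step 103: rewrite a PORT command in a client->server control segment."""
        if not payload.startswith(b"PORT "):
            return payload
        ip, port = parse_port(payload)
        if ip != self.private_addr:
            # Only the connection's own host may be mapped; a PORT naming a
            # third party (the FTP bounce pattern) is passed through unmapped.
            return payload
        public_port = self.next_public_port
        self.next_public_port += 1
        self.reverse[(self.public_addr, public_port)] = (ip, port)
        rewritten = build_port(self.public_addr, public_port)
        self.seq_delta += len(rewritten) - len(payload)
        return rewritten

    def inbound_data_syn(self, dst_addr: str, dst_port: int):
        """Step 105: private (addr, port) for the server's data SYN, or None."""
        return self.reverse.get((dst_addr, dst_port))
```

Two points a practitioner would check in a real ALG: the rewritten command is two bytes longer than the original, so the NAT device must also adjust the TCP sequence and acknowledgement numbers on the control connection by seq_delta or the session stalls; and the ALG only creates a mapping for PORT commands that name the connection's own private address, so a client cannot use the ALG to open a pinhole towards another host.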
Fig. 2 is a schematic topology diagram of an existing home intranet. As shown in Fig. 2, when the web camera (IPC), personal computer A (PC-A) or PC-B in the local area network (LAN) interacts with a server in the public network using the same public network IP address, this is normally realized through a virtual server (also called port mapping) or through a demilitarized zone (DMZ). These two modes are introduced below.
Virtual server mode: in essence, a mapping relationship is established between the public network IP address and port number (external port) and the IP address and port number (internal port) of a server in the LAN; all accesses to that service port on the public network interface are redirected to the corresponding internal port of the corresponding server in the LAN.
DMZ mode: the DMZ host is in fact a default virtual server. When a connection request from the external network is received, the virtual server list is searched first; if a matching entry exists, the request message is sent to the corresponding virtual server. If no matching entry is found, the destination IP of the message is rewritten directly to the IP address of the preconfigured DMZ host, and the message is then forwarded to the DMZ host.
From the above analysis it can be seen that both the virtual server mode and the DMZ mode adopted in existing home intranets essentially rely on NAT translation, that is, one IP address is translated into another IP address, and when NAT is used the NAT device must have the ALG function. For some proprietary protocols, or for protocols for which no ALG is available yet, the NAT device cannot be traversed, and the device in the LAN therefore cannot interact with the server in the public network. Further, a particular device in the LAN may need to interact frequently with a server in the public network, and the existing processing mode has to perform address translation processing on that traffic, which delays the interaction.
Summary of the invention
In view of this, the present invention provides a method for communication between an intranet device and an extranet device, which enables one device in the LAN to interact with the public network directly using the public network IP address while the other devices interact with the public network through NAT translation, and whose implementation is flexible.
The present invention also provides a NAT device, which enables one device in the LAN to interact with the public network directly using the public network IP address while the other devices interact with the public network through NAT translation, and whose implementation is flexible.
To achieve the above object, the technical solution proposed by the present invention is as follows:
A method for communication between an intranet device and an extranet device, the method comprising:
A network address translation (NAT) device assigns the interface through which it connects to a first intranet device and its own public network interface to the same virtual LAN (VLAN), and assigns the interface through which it connects to a second intranet device to another VLAN; on a virtual interface enabled on itself it configures the public network IP address and gateway address allocated to the first intranet device, and sets the Address Resolution Protocol (ARP) state of that IP address to silent;
When the first intranet device communicates with an extranet device, the NAT device receives a message sent by the first intranet device to the extranet, the destination media access control (MAC) address of which is the MAC address of the gateway; the NAT device forwards this message at Layer 2, out of the public network interface that lies in the same VLAN as the interface on which the message arrived;
When the second intranet device communicates with an extranet device, the NAT device receives a message sent by the second intranet device to the extranet and performs network address port translation (NAPT) on it, the source IP address after translation being the public network IP address allocated to the first intranet device; the NAT device records a NAT forwarding entry locally and forwards the translated message out of the public network interface;
When a message sent by an extranet device arrives at the NAT device, the NAT device matches its destination IP address and port number against the NAT forwarding table; if an entry matches, the NAT device performs NAPT on the message according to the content recorded in that entry and sends the translated message to the second intranet device; if no entry matches, the NAT device forwards the message directly to the first intranet device.
Configuring, on the virtual interface enabled on the NAT device, the public network IP address and gateway address allocated to the first intranet device comprises:
When the first intranet device obtains its public network IP address through the Dynamic Host Configuration Protocol (DHCP), the NAT device snoops the DHCP messages exchanged between the first intranet device and the DHCP server, and configures on the virtual interface the client IP address and gateway address carried in the snooped DHCP ACK message;
When the first intranet device obtains its IP address through Point-to-Point Protocol over Ethernet (PPPoE), the NAT device snoops the messages of the PPPoE exchange and configures on the virtual interface the IP address allocated to the first intranet device by the PPPoE server;
When the first intranet device uses a statically configured public network IP address and gateway address, the NAT device statically configures that public network IP address and gateway address on its virtual interface.
The method further comprises:
When the first intranet device communicates with the second intranet device, the NAT device performs Layer 3 forwarding according to the destination IP address of the received message.
A network address translation (NAT) device, comprising a division unit, a configuration unit and a processing unit, wherein:
the division unit is configured to assign the interface connected to the first intranet device and the public network interface to the same virtual LAN (VLAN), and to assign the interface connected to the second intranet device to another VLAN;
the configuration unit is configured to configure, on an enabled virtual interface, the public network Internet Protocol (IP) address and gateway address allocated to the first intranet device, and to set the ARP state of that IP address to silent;
the processing unit is configured to: when the first intranet device communicates with an extranet device, receive the message sent by the first intranet device to the extranet, the destination media access control (MAC) address of which is the MAC address of the gateway, forward this message at Layer 2, and send it out of the public network interface that lies in the same VLAN as the interface on which the message arrived;
when the second intranet device communicates with an extranet device, receive the message sent by the second intranet device to the extranet, perform network address port translation (NAPT) on it with the source IP address after translation being the public network IP address allocated to the first intranet device, record a NAT forwarding entry locally, and forward the translated message out of the public network interface;
when a message sent by an extranet device arrives at the NAT device, match its destination IP address and port number against the NAT forwarding table; if an entry matches, perform NAPT on the message according to the content recorded in that entry and send the translated message to the second intranet device; if no entry matches, forward the message directly to the first intranet device.
The configuration unit is further configured to: when the first intranet device obtains its public network IP address through DHCP, snoop the DHCP messages exchanged between the first intranet device and the DHCP server and configure on the virtual interface the client IP address and gateway address carried in the snooped DHCP ACK message;
when the first intranet device obtains its IP address through PPPoE, snoop the messages of the PPPoE exchange and configure on the virtual interface the IP address allocated to the first intranet device by the PPPoE server;
when the first intranet device uses a statically configured public network IP address and gateway address, statically configure that public network IP address and gateway address on the virtual interface.
The processing unit is further configured to, when the first intranet device communicates with the second intranet device, perform Layer 3 forwarding according to the destination IP address of the received message.
In summary, the method for communication between an intranet device and an extranet device and the NAT device adopted by the present invention assign the interface connected to the first intranet device and the public network interface of the NAT device to the same VLAN, assign the interface connected to the second intranet device to another VLAN, and configure on a virtual interface enabled on the NAT device the public network IP address and gateway address allocated to the first intranet device. As a result, when the first intranet device communicates with the extranet, no NAT translation is needed and the message is forwarded directly out of the public network interface that lies in the same VLAN as the incoming interface; when the second intranet device communicates with an extranet device, NAT translation is performed; and when a message sent by an extranet device arrives, the NAT device determines whether to forward it to the first intranet device or to the second intranet device according to whether it matches the NAT forwarding table. Therefore, the first intranet device can interact with the public network directly through the public network IP address without NAT translation, the second intranet device interacts with the public network through NAT translation, and the public network IP address that the first and second intranet devices present to the extranet is one and the same.
Embodiment
To solve the problems in the prior art, the present invention proposes a new method for communication between an intranet device and an extranet device, whose specific implementation comprises:
The NAT device assigns the interface through which it connects to the first intranet device and its own public network interface to the same VLAN, assigns the interface through which it connects to the second intranet device to another VLAN, configures on a virtual interface enabled on itself the public network IP address and gateway address allocated to the first intranet device, and sets the ARP state of that IP address to silent;
When the first intranet device communicates with an extranet device, the NAT device receives the message sent by the first intranet device to the extranet, the destination MAC address of which is the MAC address of the gateway; the NAT device forwards this message at Layer 2, out of the public network interface that lies in the same VLAN as the interface on which the message arrived;
When the second intranet device communicates with an extranet device, the NAT device receives the message sent by the second intranet device to the extranet and performs NAPT on it, the source IP address after translation being the public network IP address allocated to the first intranet device; the NAT device records a NAT forwarding entry locally and forwards the translated message out of the public network interface;
When a message sent by an extranet device arrives at the NAT device, the NAT device matches its destination IP address and port number against the NAT forwarding table; if an entry matches, the NAT device performs NAPT on the message according to the content recorded in that entry and sends the translated message to the second intranet device; if no entry matches, the NAT device forwards the message directly to the first intranet device.
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 3 is a workflow diagram of the method for communication between an intranet device and an extranet device of the present invention. As shown in Fig. 3, the flow comprises two processes, presetting and message processing; presetting corresponds to steps 301-302 and message processing to steps 303-309. The two processes are described in detail below.
Step 301: The NAT device assigns the interface connected to the first intranet device and its own public network interface to the same VLAN, and assigns the interface connected to the second intranet device to another VLAN.
It should be noted that in this step, because the first intranet device needs to communicate with the extranet device directly using the public network IP address, the first intranet device first sends its messages directly to its own gateway, the destination MAC address of the encapsulated message being the MAC address of the gateway; the NAT device then forwards the message at Layer 2 and sends it out of the public network interface. Therefore, the interface of the NAT device connected to the first intranet device and the public network interface of the NAT device itself must be assigned to the same VLAN.
Step 302: The NAT device configures, on a virtual interface enabled on itself, the public network IP address and gateway address allocated to the first intranet device, and sets the ARP state of that IP address to silent.
It should be noted that in this step, the first intranet device can obtain its public network IP address in the following three ways:
1. Point-to-Point Protocol over Ethernet (PPPoE): the device that needs fast interaction with the public network obtains its public network IP address through PPPoE, and the NAT device snoops the messages of that device's PPPoE exchange; during the IP Control Protocol (IPCP) phase it snoops the address acknowledgement (Configure-Ack) message with which the PPPoE server answers the PPPoE client, and records the IP address the server assigned to the PPPoE client; this IP address is the public network IP address;
2. Dynamic Host Configuration Protocol (DHCP): the NAT device snoops the DHCP acknowledgement (ACK) message and records the client IP address (the "your IP address" field, yiaddr) and the gateway information (the router option) it carries; this IP address is the public network IP address;
3. Static configuration: in this mode the public network IP address, gateway and related information are configured manually on the NAT device.
In practice, other ways of obtaining the public network IP address and public network gateway information can also be used, provided that the realization of the embodiments of the present invention is not affected.
It should also be explained that after snooping the public network IP address and gateway address, the NAT device needs to enable a virtual interface and configure the snooped public network IP address and gateway address on it, so that it can interact with the public network using the public network IP address, and so that when an intranet device other than the first intranet device goes to the extranet, the NAT device can use the address on this virtual interface to create NAT forwarding entries. At the same time, the NAT device needs to set the ARP state of the snooped public network IP address to silent, that is, it neither sends gratuitous ARP for this address nor answers ARP requests for it, so as to avoid address conflicts.
Since in this step the first intranet device needs to communicate with the extranet device using the public network IP address, the NAT device is configured to neither send gratuitous ARP packets for the public network IP address nor answer ARP request messages for it, so that no IP address conflict is detected between the NAT device and the first intranet device.
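As an added example of the DHCP case of step 302 (written for this page; not the patent's or any product's code), the following Python snippet parses a DHCP ACK and extracts the client address and router option that the NAT device would place on its virtual interface. The packet is constructed by build_dhcp_reply for the example; the MAC address, transaction id and addresses are made up, and the snoop_ack function and the checks it performs are assumptions of the example rather than a description of the patent's implementation.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 options magic cookie
BOOTREPLY = 2
DHCP_OFFER, DHCP_ACK = 2, 5
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_END = 0, 3, 53, 255


def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP message into its fixed fields and a {code: value} option map."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds chaddr field")
    ciaddr, yiaddr, siaddr, giaddr = (
        socket.inet_ntoa(payload[i:i + 4]) for i in (12, 16, 20, 24))
    chaddr = payload[28:28 + hlen]
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "ciaddr": ciaddr, "yiaddr": yiaddr,
            "siaddr": siaddr, "giaddr": giaddr, "chaddr": chaddr, "options": options}


def snoop_ack(payload: bytes, client_mac: bytes, client_xid: int):
    """Return (public_ip, gateway) from a DHCP ACK addressed to the first intranet
    device, or None for any other DHCP message.  client_mac/client_xid are taken
    from the client's own DISCOVER/REQUEST seen earlier on the same interface."""
    msg = parse_dhcp(payload)
    if msg["op"] != BOOTREPLY or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCP_ACK]):
        return None
    if msg["chaddr"] != client_mac or msg["xid"] != client_xid:
        return None          # a lease for some other client, or an unsolicited reply
    router = msg["options"].get(OPT_ROUTER)
    if router is None or len(router) < 4:
        return None          # no usable gateway, nothing to put on the virtual interface
    return msg["yiaddr"], socket.inet_ntoa(router[:4])


def build_dhcp_reply(client_mac: bytes, xid: int, yiaddr: str, router: str,
                     msg_type: int = DHCP_ACK) -> bytes:
    """Construct a server reply for the example (sample data, not a captured packet)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, len(client_mac), 0, xid, 0, 0)
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)
    hdr += socket.inet_aton("0.0.0.0") * 2            # siaddr, giaddr
    hdr += client_mac.ljust(16, b"\x00")              # chaddr
    hdr += b"\x00" * 192                              # sname + file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_ROUTER, 4])
    opts += socket.inet_aton(router) + bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts
```

The example only accepts an ACK whose chaddr and xid match the first intranet device's own request. Without that check, an ACK meant for any other DHCP client on the segment, or one injected by a rogue DHCP server, would end up as the NAT device's public address and gateway, and because that address is then ARP-silent the resulting conflict would not be noticed through ARP.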
After the above settings are completed, communication between the intranet devices and the extranet device can take place. In this embodiment, the specific processing is introduced taking three kinds of messages as examples: messages from the intranet to the extranet, messages from the extranet to the intranet, and messages exchanged between the first intranet device and the second intranet device.
For a message from the intranet to the extranet:
Step 303: The NAT device judges whether the interface on which the received intranet-to-extranet message arrived and the public network interface belong to the same VLAN; if so, step 304 is executed; otherwise, step 305 is executed.
Step 304: The NAT device forwards the message at Layer 2, out of the public network interface that lies in the same VLAN as the interface on which the message arrived.
Step 305: The NAT device processes the received intranet-to-extranet message in the existing manner, and the processing ends.
When the NAT device judges that the incoming interface of the received intranet-to-extranet message and the public network interface do not belong to the same VLAN, the device that sent the message is not the device that interacts with the public network directly, that is, it is the second intranet device, and the message is processed according to the existing NAT forwarding entries, i.e. according to the existing procedure; how the existing procedure processes such a message can be seen from Fig. 1 and is not repeated here.
It should be noted that an existing NAT forwarding entry may look like the one in Table 1 below.
Table 1
Protocol | GlobalAddr | GlobalPort | InsideAddr   | Port | DestAddr       | Port
TCP      | 200.0.0.28 | 12288      | 192.168.0.10 | 512  | 162.105.26.246 | 512
At this point, the processing of a message from the intranet to the extranet is complete.
For a message from the extranet to the intranet:
Step 306: The NAT device matches the received extranet-to-intranet message against the NAT forwarding entries; if a corresponding NAT forwarding entry matches, step 307 is executed; otherwise, step 308 is executed.
Step 307: The NAT device processes the received extranet-to-intranet message in the existing manner, and the processing ends.
Step 308: The NAT device sends the message out of the interface that lies in the same VLAN as the interface on which the message arrived, that is, directly to the first intranet device.
It should be noted that when a message sent by an extranet device arrives at the NAT device, the NAT device matches its destination IP address and port number against the NAT forwarding table; if an entry matches, the NAT device performs NAPT on the message according to the content recorded in that entry and sends the translated message to the second intranet device; if no entry matches, the NAT device forwards the message directly to the first intranet device.
At this point, the processing of a message from the extranet to the intranet is complete.
For a message exchanged between the first intranet device and the second intranet device:
Step 309: The NAT device looks up the routing table according to the destination IP address of the received message and performs Layer 3 forwarding directly.
When the device that interacts with the public network directly communicates with another device in the intranet that is not on the same network segment, and the message reaches the NAT device, the NAT device detects that the two devices are not on the same network segment and that Layer 3 forwarding is required: it looks up the routing table, finds that the next hop is a directly connected subnet, looks up the ARP table, encapsulates the corresponding MAC address, and sends the message out of the outgoing interface corresponding to that MAC address.
At this point, the processing of a message exchanged between the first intranet device and the second intranet device is complete.
After the processing of the above three kinds of messages, the entire workflow of the method for communication between an intranet device and an extranet device of the present invention is complete.
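To make the forwarding decisions of steps 303 to 308 concrete, the following Python model is an added example (written for this page, not the patent's or any vendor's code) of what the NAT device does with each packet, together with the ARP-silent behaviour of step 302. The interface names eth1, eth2 and wan, the VLAN numbers 10 and 20, the device's own MAC and the NAPT port pool starting at 12288 are assumptions of the example; the addresses and ports reuse those of Table 1. Layer 3 forwarding between the two intranet devices (step 309) is not modelled, since the page gives no routing table.

```python
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "200.0.0.28"                              # shared public address, as in Table 1
OWN_MAC = "02:00:00:00:00:01"                         # assumed MAC of the NAT device
VLAN_OF_IFACE = {"eth1": 10, "eth2": 20, "wan": 10}   # assumed interface/VLAN layout
FIRST_IFACE, SECOND_IFACE, PUBLIC_IFACE = "eth1", "eth2", "wan"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class NatDevice:
    """Hypothetical model of the per-packet decision of the NAT device in Fig. 3."""

    def __init__(self, public_ip, own_mac, vlan_of_iface, first_iface, second_iface, public_iface,
                 first_global_port=12288):
        self.public_ip = public_ip
        self.own_mac = own_mac
        self.vlan = vlan_of_iface
        self.first_iface, self.second_iface, self.public_iface = first_iface, second_iface, public_iface
        self.arp_silent = {public_ip}          # step 302: no gratuitous ARP, no ARP replies
        self.next_global_port = first_global_port
        # NAT forwarding table in the shape of Table 1:
        #   (Protocol, GlobalAddr, GlobalPort) -> (InsideAddr, InsidePort)
        self.table = {}
        self.by_inside = {}                    # (Protocol, InsideAddr, InsidePort) -> GlobalPort

    def answer_arp(self, target_ip: str) -> Optional[str]:
        """MAC to answer an ARP request with, or None when the address is ARP-silent."""
        return None if target_ip in self.arp_silent else self.own_mac

    def outbound(self, pkt: Packet):
        """Steps 303-305: a packet from an intranet interface towards the extranet.
        Returns (action, out_iface, packet_as_sent)."""
        if self.vlan[pkt.in_iface] == self.vlan[self.public_iface]:
            # Step 304: same VLAN as the public interface -> Layer 2, headers untouched.
            return "l2", self.public_iface, pkt
        # Step 305: other VLAN -> NAPT, source rewritten to the shared public address.
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        gport = self.by_inside.get(key)
        if gport is None:
            gport = self.next_global_port
            self.next_global_port += 1
            self.by_inside[key] = gport
            self.table[(pkt.proto, self.public_ip, gport)] = (pkt.src_ip, pkt.src_port)
        return "napt", self.public_iface, replace(pkt, src_ip=self.public_ip, src_port=gport)

    def inbound(self, pkt: Packet):
        """Steps 306-308: a packet arriving on the public interface."""
        entry = self.table.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if entry is not None:
            # Step 307: reverse NAPT according to the matched entry, towards the second device.
            inside_ip, inside_port = entry
            return "napt", self.second_iface, replace(pkt, dst_ip=inside_ip, dst_port=inside_port)
        # Step 308: no entry -> Layer 2 to the first device, untouched.
        return "l2", self.first_iface, pkt
```

Two consequences of the design are visible in the model. Every inbound packet that matches no NAT entry is handed to the first intranet device unchanged, so port scans and unsolicited connections to the shared public address all land on it, exactly as on a DMZ host, and that device has to carry its own host firewall. And because the first device's interface and the public interface share a VLAN, the NAT device gives it no Layer 2 isolation from the public segment; the ARP-silent setting only avoids address conflicts and filters nothing.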
Based on the above method, Fig. 4 is a schematic structural diagram of the NAT device adopted by the present invention. As shown in Fig. 4, the NAT device comprises a division unit 41, a configuration unit 42 and a processing unit 43, wherein:
the division unit 41 is configured to assign the interface connected to the first intranet device and the public network interface to the same VLAN, and to assign the interface connected to the second intranet device to another VLAN.
Because the first intranet device needs to communicate with the extranet device directly using the public network IP address, the first intranet device first sends its messages directly to its own gateway, the destination MAC address of the encapsulated message being the MAC address of the gateway; the message then needs to be forwarded at Layer 2 and sent out of the public network interface. Therefore, the interface connected to the first intranet device and the public network interface must be assigned to the same VLAN.
The configuration unit 42 is configured to configure, on the enabled virtual interface, the public network IP address and gateway address allocated to the first intranet device, and to set the ARP state of that IP address to silent.
Further, the configuration unit 42 is also configured to: when the first intranet device obtains its public network IP address through DHCP, snoop the DHCP messages exchanged between the first intranet device and the DHCP server and configure on the virtual interface the client IP address and gateway address carried in the snooped DHCP ACK message;
when the first intranet device obtains its IP address through PPPoE, snoop the messages of the PPPoE exchange and configure on the virtual interface the IP address allocated to the first intranet device by the PPPoE server;
when the first intranet device uses a statically configured public network IP address and gateway address, statically configure that public network IP address and gateway address on the virtual interface.
The processing unit 43 is configured to: when the first intranet device communicates with an extranet device, receive the message sent by the first intranet device to the extranet, the destination MAC address of which is the MAC address of the gateway, forward this message at Layer 2, and send it out of the public network interface that lies in the same VLAN as the interface on which the message arrived;
when the second intranet device communicates with an extranet device, receive the message sent by the second intranet device to the extranet, perform NAPT on it with the source IP address after translation being the public network IP address allocated to the first intranet device, record a NAT forwarding entry locally, and forward the translated message out of the public network interface;
when a message sent by an extranet device arrives at the NAT device, match its destination IP address and port number against the NAT forwarding table; if an entry matches, perform NAPT on the message according to the content recorded in that entry and send the translated message to the second intranet device; if no entry matches, forward the message directly to the first intranet device.
Further, the processing unit 43 is also configured to, when the first intranet device communicates with the second intranet device, perform Layer 3 forwarding according to the destination IP address of the received message.
At this point, the NAT device adopted by the present invention has been obtained.
For the specific workflow of the NAT device of Fig. 4, reference is made to the corresponding description of the method embodiment shown in Fig. 3, which is not repeated here.
In short, the method for communication between an intranet device and an extranet device and the NAT device adopted by the present invention assign the interface connected to the first intranet device and the public network interface of the NAT device to the same VLAN, assign the interface connected to the second intranet device to another VLAN, and configure on a virtual interface enabled on the NAT device the public network IP address and gateway address allocated to the first intranet device. As a result, when the first intranet device communicates with the extranet, no NAT translation is needed and the message is forwarded directly out of the public network interface that lies in the same VLAN as the incoming interface; when the second intranet device communicates with an extranet device, NAT translation is performed; and when a message sent by an extranet device arrives, the NAT device determines whether to forward it to the first intranet device or to the second intranet device according to whether it matches the NAT forwarding table. Therefore, the first intranet device can interact with the public network directly through the public network IP address without NAT translation, the second intranet device interacts with the public network through NAT translation, and the public network IP address that the first and second intranet devices present to the extranet is one and the same.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.