
So say you are a user behind a NAT/router on an internal network. You begin sending UDP data to an internet-facing server. The packet hits your router, which inserts an entry to allow returning packets from that server on a specific port to be forwarded to your local machine when received.

However, UDP is connectionless. How does the router know when to remove this rule when the client no longer wishes to send or receive data with this server?

James Dean

1 Answer


A NAT router doesn't know when to remove a UDP mapping - it guesses.

The router simply ages (or times) out the entry when it hasn't been used for a period of time (usually between 5 and 60 minutes).

With TCP, there's also a similar aging/timeout to make sure that forgotten or lost sessions don't pile up, but it's much longer. Of course, normal TCP connections are properly closed, which means the NAT router can forget about it.

UDP or TCP aging is a trade-off between router resources (fast aging) and compatibility with slow low-bandwidth sessions (slow aging). Sometimes the default settings require tweaking for your workload.

Zac67

  • And many cheap routers have too little RAM and/or sloppy firmware, leading to the RAM filling up with state information for connections that are no longer needed, but don't get cleaned up. This leads to the fairly common ritual of having to reboot the router every couple of days/weeks. – Tonny Mar 16 '18 at 12:19
  • @Tonny, remember that such devices are off-topic here. – Ron Maupin Mar 16 '18 at 12:52
  • @RonMaupin Off topic? How come? Even though the phenomenon is quite common in consumer equipment, I've also seen enough low-end "business grade" equipment guilty of it. E.g. Cisco and Siemens DSL modem/routers used to be notorious for this sort of thing. – Tonny Mar 16 '18 at 13:46
  • @Tonny, enterprises will not stand for needing to reboot a router every few days. If you have something like a Cisco or Juniper router that requires that, then it gets fixed. We have many, many (thousands) Cisco routers, and some have been up for years. If one needs to be rebooted, even once, for something like that, it gets replaced. – Ron Maupin Mar 16 '18 at 13:52
  • @RonMaupin Serious enterprise equipment of course not. But there is this entire world of "small enterprise/business" equipment that sits somewhere between consumer stuff and big enterprise stuff. Last time I looked at the FAQ this "in-between" category was still on-topic for this site. – Tonny Mar 16 '18 at 14:05
  • @Tonny, the manufacturer must offer optional, paid support for a device to be on-topic here. From the [help/on-topic]: "_hardware that has a paid support option (enterprise/provider class products, some small business class devices)_" – Ron Maupin Mar 16 '18 at 14:10
  • To offer some support for @Tonny: we had professional routers a few years back with only 16 MB RAM and they used to fill up *very* quickly with DNS scans and such. – Zac67 Mar 16 '18 at 18:26
  • @Zac67 Exactly, and to get support you have to get a paid-for support contract. Or the router was ISP provided and support was part of the mandatory services fee included in the ISP contract. I have been forced to be network admin for both categories. Some admins will never encounter this in the wild (I wish I was that lucky), but there are parts of the world where this sort of thing is quite common. I'm still convinced it is on-topic. – Tonny Mar 17 '18 at 11:24
  • Well, the ISP router is off-topic here because it's not (totally) under your control... ;-) – Zac67 Mar 17 '18 at 12:38
  • @Zac67 Where I'm from it is normal to get a DSL router together with the DSL line from the ISP. But you have full control of the router (that is mandated by law). Of course, the first thing their over-expensive technical support does, when you do call them, is instruct you to reset it to their initial defaults, because they assume you have messed up the thing yourself. (I had that happen when I called them because the power supply of the router burned out. How I was supposed to reset the settings without a working power supply is still a mystery to me...) – Tonny Mar 18 '18 at 19:43
  • @Tonny "Have you tried turning it off and on again?" - [IT Crowd](https://www.youtube.com/watch?v=nn2FB1P_Mn8) – Zac67 Sep 21 '20 at 20:22
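The aging behaviour the answer describes, written out as a toy NAT translation table so the trade-offs are visible. This is an added example, not code from the answer or from any router firmware: the timeouts (30 s for UDP, 1 h for TCP), the client/server endpoints, the external port range and the table size are all constructed values chosen to keep the simulation short. Real routers age UDP entries in minutes (RFC 4787 requires a UDP mapping to live at least 2 minutes and recommends 5), so an application that relies on inbound UDP should send keepalives comfortably inside whatever the most conservative router on the path uses.

```python
# Toy NAT translation table with idle-based aging (added example; not from the answer).
# Timeouts, endpoints and table size are constructed values for illustration only.

UDP_TIMEOUT = 30.0      # seconds; toy value, real routers use minutes
TCP_TIMEOUT = 3600.0    # TCP entries age much more slowly, as the answer says

CLIENT = ("10.0.0.5", 51000)     # constructed internal endpoint
SERVER = ("203.0.113.10", 53)    # constructed external endpoint (documentation range)


class NatTable:
    """Source-NAT state: one entry per (proto, internal endpoint, remote endpoint)."""

    def __init__(self, udp_timeout=UDP_TIMEOUT, tcp_timeout=TCP_TIMEOUT,
                 max_entries=64, first_port=40000):
        self.timeouts = {"udp": udp_timeout, "tcp": tcp_timeout}
        self.max_entries = max_entries       # stands in for the router's RAM budget
        self.next_port = first_port
        self.by_internal = {}   # (proto, internal, remote) -> entry
        self.by_external = {}   # (proto, ext_port, remote) -> the same entry

    def _expire(self, now):
        """Drop every entry idle longer than its protocol's timeout; return how many."""
        stale = [k for k, e in self.by_internal.items()
                 if now - e["last_used"] > self.timeouts[e["proto"]]]
        for k in stale:
            e = self.by_internal.pop(k)
            del self.by_external[(e["proto"], e["ext_port"], e["remote"])]
        return len(stale)

    def outbound(self, proto, internal, remote, now):
        """Inside-to-outside packet: create or refresh a mapping, return the external port."""
        self._expire(now)
        key = (proto, internal, remote)
        entry = self.by_internal.get(key)
        if entry is None:
            if len(self.by_internal) >= self.max_entries:
                return None          # table full: the new flow cannot be translated
            entry = {"proto": proto, "internal": internal, "remote": remote,
                     "ext_port": self.next_port, "last_used": now}
            self.next_port += 1
            self.by_internal[key] = entry
            self.by_external[(proto, entry["ext_port"], remote)] = entry
        entry["last_used"] = now     # any traffic in either direction refreshes the timer
        return entry["ext_port"]

    def inbound(self, proto, remote, ext_port, now):
        """Outside-to-inside packet: forward only if a live mapping matches, else drop."""
        self._expire(now)
        entry = self.by_external.get((proto, ext_port, remote))
        if entry is None:
            return None              # unsolicited, or the mapping already aged out
        entry["last_used"] = now
        return entry["internal"]

    def close(self, proto, internal, remote):
        """TCP teardown (FIN/FIN-ACK or RST) seen: free the entry immediately."""
        entry = self.by_internal.pop((proto, internal, remote), None)
        if entry is not None:
            del self.by_external[(proto, entry["ext_port"], remote)]
        return entry is not None

    def size(self):
        return len(self.by_internal)


def reply_after_idle(idle_seconds, udp_timeout=UDP_TIMEOUT):
    """One UDP request at t=0; does a reply arriving idle_seconds later reach the client?"""
    nat = NatTable(udp_timeout=udp_timeout)
    ext_port = nat.outbound("udp", CLIENT, SERVER, now=0.0)
    return nat.inbound("udp", SERVER, ext_port, now=idle_seconds) is not None


def keepalive_survives(interval, reply_at, udp_timeout=UDP_TIMEOUT):
    """Client sends at t=0 and every `interval` s; the server answers at `reply_at` to the
    external port it first saw. Keepalives slower than the timeout let the entry age out,
    the router then allocates a fresh port, and the reply to the old port is dropped."""
    nat = NatTable(udp_timeout=udp_timeout)
    first_port = nat.outbound("udp", CLIENT, SERVER, now=0.0)
    t = interval
    while t < reply_at:
        nat.outbound("udp", CLIENT, SERVER, now=t)
        t += interval
    return nat.inbound("udp", SERVER, first_port, now=reply_at) is not None


def tcp_close_frees_slot():
    """A properly closed TCP session is forgotten at once instead of waiting to age out."""
    nat = NatTable(max_entries=1)
    nat.outbound("tcp", CLIENT, SERVER, now=0.0)
    blocked = nat.outbound("udp", CLIENT, SERVER, now=1.0) is None   # table full
    nat.close("tcp", CLIENT, SERVER)
    freed = nat.outbound("udp", CLIENT, SERVER, now=2.0) is not None
    return blocked and freed


def entries_left(num_flows, check_at, udp_timeout):
    """Burst of num_flows one-shot UDP queries (think DNS) at t=0 from distinct client
    ports: how many entries still occupy the table at check_at? Fast aging frees memory
    sooner; slow aging tolerates long-idle sessions but holds the state longer."""
    nat = NatTable(udp_timeout=udp_timeout, max_entries=10_000)
    for i in range(num_flows):
        nat.outbound("udp", (CLIENT[0], 50000 + i), SERVER, now=0.0)
    nat._expire(check_at)
    return nat.size()


if __name__ == "__main__":
    print("reply after 20 s idle delivered:", reply_after_idle(20))            # True
    print("reply after 45 s idle delivered:", reply_after_idle(45))            # False
    print("keepalive every 25 s keeps mapping:", keepalive_survives(25, 100))  # True
    print("keepalive every 45 s keeps mapping:", keepalive_survives(45, 100))  # False
    print("TCP close frees the slot at once:", tcp_close_frees_slot())         # True
    print("100 DNS flows, 60 s later, 30 s aging:", entries_left(100, 60, 30)) # 0
    print("100 DNS flows, 60 s later, 300 s aging:", entries_left(100, 60, 300)) # 100
```

The `keepalive_survives` case is the one that bites in practice: when the keepalive interval exceeds the router's UDP timeout the mapping does not merely lapse, it is re-created on a different external port, so a peer that cached the old address (a VPN concentrator, a STUN-learned endpoint) keeps talking to a port that no longer maps to anything. `entries_left` is the memory side of the same knob that the comments argue about: the same burst of short queries occupies the table for the full aging period, which is why low-RAM devices with slow aging fill up under scanning or heavy DNS traffic.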