File transfer over internet


On a home private network, the router would have a private IP address something like this 192.168.0.1. On the home network there are 5 computers. Each has a local IP address 192.168.0.xx e.g. 192.168.0.2 – 192.168.0.6. But the computers themselves do not have a public IP, only the router does. So would it be possible for someone from an outside network to send a file to one specific computer in my home network? Like if they know the MAC address of the device.

And how is it that emails can reach e.g. the Outlook application installed on one computer with one IP address, but still be accessed from another computer with a completely different IP address?


*So would it be possible for someone from an outside network to send a file to one specific computer in my home network?*

No. Not unless you’ve configured your router ahead of time to allow this to happen. Depending on your router, your ISP, and some other details, it is possible to allow it to happen, but it is not the default.

*And how is it that emails can reach e.g. the Outlook application installed on one computer with one IP address, but still be accessed from another computer with a completely different IP address?*

Very generally speaking, email isn’t being pushed from the internet onto your laptop. Outlook (and most email clients) work by constantly pulling any new email from the server. Outlook, running on your laptop, is constantly reaching out to the internet to your mail server, which has a public IP address. The data for that email is on the server, so many different computers, with different IP addresses, can access it.

Your router is using something called Network Address Translation (NAT). NAT allows the router to hide your personal network (private) IP addresses and dynamically creates tables of which device IPs requested certain services, like a Google request (port 443) or an FTP request (port 21). When they exit the router to the internet, your router appends its public IP address instead of the internal network IP address. When information inbound to the router comes from the internet, it strips the public address, looks up the port number it assigned and combines it with the corresponding internal IP address.

*Edit:* And no, unless your router has some severe and malicious security flaw, it is not possible for an external host to communicate directly with the private IP in your network.

Your router uses NAT to “share” its external IP among all the internal computers.
It’s possible to do reverse NAT, from the internet to your internal computers, but it’s risky and demands knowledge about TCP/IP ports and firewalls.

So in general, you’re right. The rest of the internet can only “see” your router and send traffic to it. That means if some rando wants to push a file transfer directly to your computer, they simply can’t. You might even be running something like an FTP server on the computer. But when the router gets their “Hi, I want to connect to the FTP server” message, it responds, “I do not run an FTP server, sorry.”

But how does traffic get back to your computer when you ask for a web page? Well, that’s the router’s job. Your computer has to tell the router, “Ask Reddit to send me this page.” The router nods and sends the request to Reddit. Reddit thinks it’s the router asking for the page, so it sends the page to the router. The router remembers that your computer ASKED for that data, so the router happily redirects it to your computer.

That’s how Outlook works. It ASKS servers outside of itself for data. The router always assumes that if you ASK for data then it’s OK to “forward” the response to you. But this only works for one “connection”. If for some reason, after that is over, Reddit decides to send more stuff to you, the router’s liable to ignore it or respond, “I didn’t ask for this.”

That’s why there’s a feature called “port forwarding”. Sometimes you want to run a program that EXPECTS people from the outside to ask it the questions, like when you host a video game server. To make that work, usually the program tells you “I use this port”. Think of ports like “channels” your computer can use, each network connection has about 65,000 of them and a program is free to use any of them above 1024. (The first 1024 are reserved for a lot of core internet services, this gets a little complex.) So your video game server might tell you it’s going to use port 54678. You have to go tell your router, “If you get someone asking to connect to port 54678, please send that to the computer with this IP address inside your network even if I haven’t asked for it first.”

So when the person tries to send data to your router, the router says, “Ah, port 54678, I’m supposed to pass this along,” and it does. That person still doesn’t know your ‘inside’ IP address. You’ve just kind of poked a hole in your router to let people get through. Obviously, if two different computers “inside” the network want to use the same port, one of them has to change. (There are some things you can do to deal with this, but let’s keep it simple.)

There are also some tools that seem to “magically” get around this, but it’s really not any more complicated. Tools like LogMeIn Hamachi can help people connect to your computer even when you can’t mess with your router’s port forwarding.

What that does is set up a “Virtual Private Network” or “VPN”. You’ve probably heard some YouTubers shill for one. It’s a fancy name to say your computer connects to some other computer that agrees, “Let’s pretend I’m your router.” Since YOU started this connection to that computer, your real router doesn’t get in the way. So in that situation the way it works is:

1. Your computer asks to open a connection to your VPN service.
2. Your router sees this outgoing request and passes it on.
3. When the VPN service responds your router remembers you asked for this and passes it back to you.
4. You tell someone else the IP address *of the VPN computer*, which is now acting like a second router.
5. They try to connect to the VPN’s IP address and port number.
6. The VPN sends that data to your router.
7. Your router passes it along because you opened this connection yourself.
8. You get the data, and the other person only knows about your VPN’s computer’s IP address.

VPNs can do a lot of other things, like encrypt the traffic so your router can’t snoop on what you’re doing. But for this question what’s important is the way they work is sort of like having a 2nd router “on the other side” of your current router, and that can let you do things your router might not normally let you do.

And to summarize, generally the rule is:

* If you ask an external site for some data, your router will let that data get back to your computer.
* If you did NOT initiate a connection with the external site, your router will block it UNLESS you have used a feature like “port forwarding” to tell the router to let that data through.

There is NOT a standard, easy way for someone to just randomly upload a file to your computer. There are hard, malicious ways to do it, but they *usually* require you to do something silly like install a program that pokes a hole they can slip data through. A long time ago some OSes had VERY very insecure file sharing setups that people could trick into accepting files, and that was also a time when fewer people used routers. So that’s when the scariest stories come from and that’s also part of why it takes a lot of steps to enable public file sharing *and* we still tend to configure routers to prevent it from happening.
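The NAT table and port-forwarding behaviour described in the answers above, as an added toy simulation that is not part of any post in the thread. The router, LAN and remote addresses are constructed for the example; a reply is delivered only if it matches a connection the LAN host opened, or an explicit port-forward rule.

```python
"""Toy model of a home router's NAT state table plus port-forwarding rules.

Added example, not from the thread. All IPs and ports are constructed
(TEST-NET documentation ranges for the public side).
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"  # the router's single public (WAN) address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000  # public ports the router hands out for outbound flows
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        # (proto, public_port) -> (lan_ip, lan_port): the "poked hole"
        self.forwards = {}

    def add_port_forward(self, proto, public_port, lan_ip, lan_port):
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> internet: remember who asked, rewrite source to the public IP."""
        public_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN: deliver a reply we asked for or a forwarded port; drop the rest."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        entry = self.table.get(key)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):  # same remote peer we contacted
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.proto)
        fwd = self.forwards.get(key)
        if fwd:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None  # unsolicited: "I didn't ask for this"
```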

Other good answers here, but I’ll add more detail and something I’m not seeing mentioned elsewhere.

Network communication operates in several distinct layers (See: [The OSI Model](https://s7280.pcdn.co/wp-content/uploads/2018/06/osi-model-7-layers-1.png)) – Your router is basically just concerned with the Physical (physical cabling), data link (Raw network protocol, almost always Ethernet), Network (IP data packets and routing), and Transport (TCP, UDP packets) layers. It exists to route packets on a local network consisting of any number of devices to and from where they want to go, and gatekeep anything that shouldn’t be happening with a firewall.

In order to actually download something or otherwise interact with you in a meaningful way, your computer is also handling things (in addition to the above layers) on the Session (OS-side Sockets/port sessions), Presentation (OS-level usage of specific protocols such as IMAP for mail), and Application (Application-specific usage of Presentation layers).

Normally when you download mail to, say, Outlook: Outlook the application reaches out at the application and presentation layers, the OS gets that request and opens up a network socket on the Session layer, the IMAP packet (for example) will be wrapped in a TCP packet on the transport layer and sent out through an Ethernet frame on the data link layer, then out the physical cable on the physical layer to your router, which then needs to route it out to your modem and to the mail server. The mail server then responds with whatever you ask for, including a file download. The mail server isn’t so much pushing a file to you as you’re asking for a file and it’s sending it to you.

In order for someone to send a file to you from an outside network, highly specific conditions would be required on both your router and computer across all layers. The router would need to accept unsolicited inbound requests, allow them to be routed to a specific computer (i.e. know where to route them), and on the specific port being used. The computer would then also need to be accepting those same requests and ports, allow that to be passed to a specific application or service on the local computer, and that specific application or service would need to accept that unsolicited file.