Beware of the ‘NAT’

Advances in video compression and the availability of high speed Internet have made remote video monitoring more practical and in high demand from end-users. The typical application for small business owners involves using a PC to access live and recorded video from a DVR, NVR or network camera. To remotely access the video device, the network messages from the PC’s video management software must penetrate the business’s network router. This can be problematic for a video management system.

A common network router for small business or home use will provide a feature called Network Address Translation (NAT). NAT provides the link between the IP addresses on the installation’s private LAN and the public addresses on the Internet. An NAT allows multiple devices on the private network to use a single public IP address to access the Internet.

During the 1990s, as the number of devices with IP addresses grew exponentially, it was widely assumed that the world would soon run out of publicly available Internet addresses. Thanks to NAT, the rate of exhaustion has decreased, although it remains a long-term problem until Internet service providers fully implement IPv6. IPv6 increases the Internet address space to 3.4 x 1038 unique addresses from the 4.2 x 109 addresses supported by the IPv4 standard in widespread use today.

NATs introduce complications in the communication between devices on either side of the NAT.  For example, all network traffic originating from the private LAN (see above) appears to the remote PC as if it originated from the NATs single IP address.

How can the PC differentiate and communicate to the multiple devices that sit behind the NAT in our example? To address this problem, the router can be configured for “port forwarding.” With port forwarding, the router can forward traffic to specific IP addresses on the LAN side of the router based on the TCP/UDP port that is specified. In other words, although all of the network traffic from the PC to the router is bound for the router’s public IP address, the router will route traffic to specific devices, based on the port number received in each message.

The port forwarding works fine as long as the video devices and video management software are built to support NAT. The number of DVRs and video management software products that fail this requirement is quite surprising!
So what is the problem? In our example, many security devices will attempt to stream video back to the originating PC’s private LAN address and not the public address exposed to the Internet.  This happens when the video management software publishes its private address to the video device, rather than relying on the NATs to modify the standard source and destination IP address in the IP packet header. This leads to communication failures.
Another problem is that some video management software products will not permit multiple cameras to share the same IP address with unique port numbers for each device.

The bottom line: if your system requires Internet access to video or other security devices, be sure to find out if the system is NAT compatible. The specific questions to ask:
Can the components (IP cameras, DVRs, video management software) be configured to use different ports for video streaming and device control?
Will the video device stream correctly navigate the NAT to reach the destination address on the public Internet (versus the LAN address)?
Can the video management software manage multiple cameras behind a NAT with a common IP address?

Tom Galvin of NetVideo Consulting is a network video specialist. His Web site is