🌐 Network Layer: IPv4 & NAT

IPv4 Overview

The network layer (Layer 3) handles logical addressing and routing. IPv4 addresses are 32‑bit numbers, usually written in dotted‑decimal format (e.g., 192.168.1.10). The address is split into four 8‑bit groups (octets), so each group can range from 00000000 to 11111111 in binary, which corresponds to 0 to 255 in decimal. This is why every octet must be between 0 and 255 – an address like 384.785.854.412 is invalid because those numbers exceed 255 and cannot be represented in 8 bits.

IPv4 Address Structure

An IPv4 address consists of a network part and a host part. The division is defined by the subnet mask (e.g., /24 or 255.255.255.0).

Example: 192.168.1.34 with mask 255.255.255.0
Network = 192.168.1.0, Host = 0.0.0.34

Binary representation helps understand the split:

192.168.1.34  → 11000000.10101000.00000001.00100010
Mask 255.255.255.0 → 11111111.11111111.11111111.00000000
Network bits (first 24) = 11000000.10101000.00000001
Host bits (last 8)      = 00100010

Binary ↔ Decimal Conversion

Each octet is 8 bits. To convert, remember the value of each bit position (from most significant to least):

Bit position	7	6	5	4	3	2	1	0
Value	128	64	32	16	8	4	2	1

Example 1: Binary to Decimal

Convert binary 10101100 to decimal.

1   0   1   0   1   1   0   0
128 64  32  16  8   4   2   1
↓   ↓   ↓   ↓   ↓   ↓   ↓   ↓
128+0 +32 +0  +8  +4  +0  +0 = 172

Result: 10101100₂ = 172₁₀

Example 2: Decimal to Binary (Subtraction Method)

Convert decimal 86 to binary. Start with the largest bit value (128) and work downwards:

86
Can 128 be subtracted? No  → bit 7 = 0
Can 64 be subtracted?  Yes → bit 6 = 1, remainder = 86 - 64 = 22
Can 32 be subtracted from 22? No  → bit 5 = 0
Can 16 be subtracted from 22? Yes → bit 4 = 1, remainder = 22 - 16 = 6
Can 8 be subtracted from 6?  No  → bit 3 = 0
Can 4 be subtracted from 6?  Yes → bit 2 = 1, remainder = 6 - 4 = 2
Can 2 be subtracted from 2?  Yes → bit 1 = 1, remainder = 2 - 2 = 0
Can 1 be subtracted from 0?  No  → bit 0 = 0

Reading the bits from position 7 down to 0 gives: 01010110 (often written without the leading zero as 1010110, but for 8 bits we keep the full byte).

Result: 86₁₀ = 01010110₂

Using Spreadsheet Formulas

In Microsoft Excel or LibreOffice Calc, you can use built‑in functions for quick conversion:

DEC2BIN – converts a decimal number to binary.
Example: =DEC2BIN(86; 8) returns 01010110 (to show the leading zero, we place that "8" positions in the formula).
Note: The result is text; you can use it in further calculations if needed.
BIN2DEC – converts a binary number (as text or number) to decimal.
Example: =BIN2DEC("1010110") returns 86.

These functions are especially handy when you need to convert many addresses or verify your manual calculations.

Address Types

Unicast: One‑to‑one communication (most device traffic).
Broadcast: One‑to‑all on the local network (e.g., ARP requests). Address: all host bits = 1 (e.g., 192.168.1.255).
Multicast: One‑to‑many subscribed devices (used for streaming video to multiple OR monitors). Address range 224.0.0.0/4.

Special IPv4 Addresses

Some addresses have special meanings and should not be used as normal host addresses:

0.0.0.0/8 – “This network.” Used as a source address when a device does not yet know its own IP (e.g., during DHCP discovery). Also used in routing tables to denote a default route.
127.0.0.0/8 – Loopback addresses. 127.0.0.1 is the standard loopback – it points to the local machine. Packets sent to this address never leave the device.
255.255.255.255 – Limited broadcast. Used to send a message to every host on the local network. Routers normally do not forward this.
169.254.0.0/16 – Link‑local addresses (APIPA). Assigned automatically when no DHCP server is available (e.g., a misconfigured medical device).

NAT – Network Address Translation

NAT allows multiple devices on a private network to share a single public IP address. It modifies IP addresses in packets crossing the router.

        ┌────────────┐      ┌──────────────────┐      ┌────────────┐
        │  PC1       │      │     Router       │      │  Internet  │
        │ 192.168.1.2├──────┤ 192.168.1.1 (LAN)├──────┤            │
        └────────────┘      │ 203.0.113.5 (WAN)│      └────────────┘
        ┌────────────┐      │   (with NAT)     │
        │  PC2       │      │                  │
        │ 192.168.1.3├──────┘                  │
        └────────────┘      └──────────────────┘
      

How it works: The router keeps a translation table mapping (private IP:port) to (public IP:port). When a response comes back, it forwards it to the correct internal device.

Private Address Ranges (RFC 1918)

These addresses are reserved for use inside private networks and are not routable on the public internet. They are the foundation of NAT.

Network	CIDR	Address Range
10.0.0.0 – 10.255.255.255	10.0.0.0/8	16,777,216 addresses
172.16.0.0 – 172.31.255.255	172.16.0.0/12	1,048,576 addresses
192.168.0.0 – 192.168.255.255	192.168.0.0/16	65,536 addresses

Port Forwarding

If a device on the internet wants to reach a specific server inside your private network (e.g., a PACS server or a remote monitoring station), it must connect to your public IP address. The router then needs a rule – called port forwarding – that tells it: “when a packet arrives on this public port, forward it to this private IP and port.” Without port forwarding, the router does not know which internal device should receive the incoming traffic.

Manual vs. Automatic IP Assignment

IP addresses can be assigned in two ways:

Manual (static) configuration: You enter the IP address, subnet mask, and default gateway yourself on each device. This is common for servers, network printers, and critical medical equipment so that their addresses never change.
Dynamic Host Configuration Protocol (DHCP): A DHCP server automatically assigns an IP address, subnet mask, gateway, and DNS servers to devices when they connect. This is typical for workstations, laptops, and mobile devices, making network management easier.

Carrier‑Grade NAT (CG‑NAT)

Because public IPv4 addresses are scarce, Internet Service Providers often use CG‑NAT (also called NAT444). They assign you a private IP from the range 100.64.0.0/10 (100.64.0.0 – 100.127.255.255) and then translate that to a public IP at their own router. This means multiple customers share one public IP. For medical devices that need to be reachable from the outside (e.g., remote patient monitoring), CG‑NAT can be problematic – you may need a public IP or a VPN.

Implications for Medical Devices

Devices behind NAT cannot be directly accessed from the internet unless port forwarding is configured – important for remote monitoring or tele‑radiology.
Some legacy medical protocols may embed IP addresses in payloads, breaking NAT (use NAT‑aware devices or gateways).
For device management, consider VPNs instead of exposing ports.
When choosing private IP ranges, ensure you have enough space for current and future devices (e.g., use /16 or /8 for large hospitals).

Practical Tips for Medical Engineers

Assign static IPs to critical devices (PACS servers, modalities) to avoid changes after reboot.
Use DHCP for workstations and mobile equipment, but reserve addresses based on MAC for consistency.
Document IP subnets, VLANs, and NAT rules for the entire clinical network.
When connecting devices across different sites, ensure NAT does not interfere with DICOM or HL7 traffic; consider site‑to‑site VPNs.
Binary math is rarely needed manually, but understanding it helps troubleshoot subnet mismatches.

⬅ Previous: Transport Layer Next: Index ➔