Zuba U · Free training

Networking Foundations

A short, plain-English walk through how the internet actually gets your data where it's going — addresses, NAT, CGNAT, ports, and why being reachable is trickier than it sounds. No jargon assumed; every idea is anchored to something you've already felt — a page that won't load, “server not found,” a video that keeps buffering.

The one rule that makes it stick: when a lesson asks you to try something, answer it in your own words before you open “Check your answer.” Recalling it yourself is what turns reading into real understanding.

Three parts: 1 · Getting where you're going  ·  2 · How addresses run out  ·  3 · Being reachable. Take them straight through, or dip in.

Brought to you by Zuba Broadband — connecting Rwanda.

ZUBA · DISPATCH DOCKETADDRESSING / v8

Getting where you're going

Read three short lessons. Tell us exactly where you paused.

Lesson 01

How data finds a destination

Open WhatsApp and send a message. Open YouTube and start a video. Search something on Google. The information just appears — as if "the internet" were one place your device reaches into.

It isn't one place, and it isn't one computer. Here is what actually happens.

Your laptop is a device — a computer. So is your phone. The app or website you open runs on another device: a computer in a building somewhere, maybe in another country, always on, waiting to answer requests. (That always-on kind of device is a server — a computer that mostly just sits there storing, computing, and answering whoever asks, with almost no one touching it. More on it in the next lesson.)

So the two ends are not the same: one is the device in front of you, which asks; the other is a server, which answers.

Keep one more pair separate. The devices are those two ends. The data is what travels between them: a message, a video, a piece of a page. A device sends or receives; data is the thing that gets sent.

So "the internet" is not a place or a single computer. It is millions of devices — phones, laptops, and these always-on servers — passing data to each other, all day long. (That is what your "mobile data" gets spent on: real information moving back and forth.)

Here is the one idea the rest of these lessons build on: a piece of data can't be delivered unless it knows where it is going. Picture each piece of data as a parcel handed to a courier. A parcel with no address goes nowhere. Data is the same — every piece carries a destination, or it goes nowhere.

You have seen what a failed delivery looks like. "This site can't be reached." A page that spins and never loads. Underneath, the plain reason is often exactly this: the data didn't reach the right place, or nothing came back. The rest of this topic is about making that delivery work — and understanding it when it doesn't.


When you open YouTube, two devices are talking to each other — what are they, and what is the thing that travels between them?

Check your answer
A good answer covers: device vs data kept apart, and that the two ends are different (one asks, one answers — not two of the same).
Lesson 02

What an address is

Every piece of data names its destination. So what is that destination, exactly?

It is an address — and to keep it apart from a street address, its real name is an IP address. It is a unique label for one specific device. Unique is the key word: no two devices online share the same IP address at the same moment, just as no two houses on one street share a number. If two did, your data wouldn't know which one you meant.

What does it look like? Usually a number, like this:

142.250.1.100

For now, treat it as a unique number that every device online has. (Why it is written in that four-part shape, and why the world is starting to run short of these numbers, comes a little later — there is a real reason.)

(Wondering why you type "youtube.com" and not a number like that? Good question. A separate system turns the name you type into the number underneath. It is DNS — the Domain Name System, and it is the next lesson.)

Now the part that's easy to miss: both ends need an IP address — not only the website, but your own device too. It makes sense once you see it is a two-way delivery:

→ Your device needs the server's IP address, so it can send its request to the right place.
→ The server needs your device's IP address, so it can send the reply — the actual page or video — back to the right place. Without your address, the reply is ready with nowhere to go.

So is the website's computer just like your laptop? Almost. Your laptop and a server are both computers — the difference is the job. Your laptop is yours: you carry it, and you use it to ask. A server is nobody's personal machine — it sits in a data center and does one thing, all day: wait for requests and answer them. Same kind of device, different role.

(Two questions naturally come up, both answered soon: where your device's own IP address comes from — it is given to your device when it connects — and whether that address ever changes. Hold them.)


A friend says: "Sure, Google's computer has an address — but why would my phone need one?" Answer them in a sentence or two.

Check your answer
A good answer covers: whether "both ends need an IP address" clicks, and whether the server-vs-your-laptop role difference lands (not both ends are servers).
Lesson 03

How a name becomes a number

A device's address is a number, like 142.250.1.100. But you type "youtube.com", not a number. So how does the name reach the number?

The internet keeps a directory — a phonebook — that does one job: you give it a name, it gives back the number. Name in, number out. It translates the name you remember into the number your data needs.

DNS · HOW A NAME BECOMES A NUMBER 1 You type a name youtube.com (a name, not a number) data can only travel to a number 2 DNS — the internet's phonebook looks up the name, hands back the number 142.250.1.100 It looks up only — it never delivers. 3 Your device sends your request to that number your device does the sending — not the phonebook 4 The server answers the page or video comes back "Server not found" = step 2 came back with no number.

The phonebook's real name is DNS — the Domain Name System. You have probably heard the term. That is all it is: the lookup that turns the name you type into the number your data then travels to.

You have felt it fail. "Server not found" usually means the phonebook couldn't match the name to any number — so there is no address to deliver to, and nothing loads.

Go deeper / another way (optional)
Step by step: your device has a name but data can only travel to a number — so it asks the phonebook, which looks the name up and hands the number back (it looks up only; it never delivers your data), then your device sends the request to that number and the server answers. Keep straight: the phonebook is not your address — your IP is your device's own number; the phonebook is the separate thing that finds a number from a name. And it isn't one book: it's a chain of DNS servers — your lookup goes to a nearby one, which asks others until one knows; "Server not found" is the end of that chain with no match. A later lesson walks the whole path.

You type "google.com" and press go, but data can only travel to a number. What turns the name into a number — and after that, what sends your request to it?

Check your answer
A good answer covers: whether the diagram + "your device sends" makes the handoff clear (what acts after the lookup), and whether "DNS isn't your address" holds.
Lesson 04

Where the address lives: the label on the envelope

You now know what an address is, and that both ends have one. But here's the question that's easy to skate past: where does that address actually go? It can't just float alongside your data — something has to carry it.

Here's the answer, and it's the same parcel from the first lesson, up close. Every piece of data is wrapped like an envelope: your actual message sits inside, and the addresses are written on the outside, as a label — a TO (the destination) and a FROM (your own address, so the reply knows where to come back).

FROM 41.207.12.9 ZUBA POST TO 142.250.1.100 the HEADER the address label, on the outside — read by every router the DATA your message, inside On the wire, all of it — label and data alike — is just 1s and 0s. 01001110 01000101 01010100 01000110 01001001 01001100 01000101 (even the letter “N” travels as 01001110)

That address label on the outside has a name: the header.

And the envelope as a whole — the header on the front, your data inside — has a name too: it's a packet. A packet is just the envelope you've been picturing; "packet" is simply the technical word for it.

Two things fall out of this that matter later:

The network reads only the label, never the contents. Each router along the way glances at the TO address, sends the packet one hop closer, and passes it on — without ever opening it. That's how data crosses the whole world without anyone in the middle needing to understand what's inside.

The FROM address is why replies work. Because your own address rides on the front, the far end knows exactly where to send the answer back — the two-way delivery from the last lesson, made concrete.

Go deeper (optional)
Because the address rides on the outside and your message sits inside, the network can carry a packet without ever opening it. That same separation is what lets you later seal the message itself: put your letter in a locked envelope before it goes inside the addressed one, so only the far end holds the key. The outside still gets it delivered; the inside stays private. That's encryption — a thread for later.

Spot the blunder. Our courier [name — team's pick] grabs your parcel, squints at the TO address, and races off to deliver it — proud of himself. In his hurry, he never noted who it's from. The parcel arrives fine — so what goes wrong next?

what he got wrong — open after you've answered
Nothing can come back. He skipped the FROM — the return address — so the far end has nowhere to send the reply. Your message got there; the answer never will, which is exactly why both addresses ride on every label. (We've all sent a message no one could reply to — now you won't do it on a packet.)

Across all four

Last two questions, then send.

Next → How addresses run out

ZUBA · DISPATCH DOCKETF2 · PART 1 of 2

How addresses run out

Six short lessons. Tell us exactly where you paused.

Two of these lessons ask you to try something on your own phone — do it; that’s the best part.

Lesson 05 · two labels

Two labels on every device

You already know a device needs an address to be reached. Here's something that trips people up: a device actually carries two different labels, and they do different jobs.

The first is burned into the device at the factory and never changes. It identifies the device itself. Its name is the MAC address (Media Access Control) — think of it like a national ID number: it says who this device is, permanently, wherever it goes.

The second is the IP address from before — but here's the new part. A device is not born with an IP address. It's given one when it joins a network, the way you're given a room number when you check into a hotel. Join your home Wi-Fi, you get one IP. Join a café's Wi-Fi, a different one. The IP says where the device can be reached right now.

MACwho the device is. Permanent. Set at the factory.
IPwhere it's reachable. Assigned when it joins. Changes as it moves.

In the parcel-delivery analogy: your MAC is your national ID — it's you, and never changes. Your IP is your current mailing address — where post reaches you now, different when you move house.

One thing worth settling before we move on: the MAC is permanent and unique to each device — but it's not the address the internet delivers to. Data travels to the IP, the where. And unlike the factory-set MAC, an IP is handed out and reused, never owned. Hold onto that "handed out, not owned" idea — it's about to explain almost everything.


A laptop connects to your home Wi-Fi, then later to a café's Wi-Fi. One of its two addresses changes and one stays the same — which is which, and why?

Check your answer
A good answer covers: that MAC = permanent identity, IP = assigned/changeable location.
Lesson 06 · the big cause

Why addresses are scarce

This is the one fact that explains almost everything else about addressing. If you remember nothing else, remember this.

When IP addresses were designed, each was a number of a fixed size — and "fixed size" has a consequence: there are only so many of them. About 4.3 billion, total. In the 1980s, with a few thousand computers, that felt endless.

It wasn't. Count the phones, laptops, servers, routers, TVs, and cameras online today and you're far past 4.3 billion — many times over. The world ran out of addresses.

That's the cause. Everything that follows — private addresses, the sharing tricks, the reason your address keeps changing — exists for one reason: there aren't enough public addresses to give every device its own. Each new idea coming up is just another way to cope with that shortage. Keep that sentence in your pocket.

In the parcel-delivery analogy: imagine the postal system only ever printed about 4.3 billion possible street addresses for the whole planet, and the world outgrew them. You'd have to get clever about sharing — which is exactly what happened.


In one sentence: why did the world have to invent tricks like sharing addresses at all?

Check your answer
A good answer covers: that scarcity (running out) is the single root cause they can name.
Lesson 07 · reuse, because scarce

Private addresses: reuse, because scarce

So the world is short on addresses. Here's the first trick for coping — and you can see it on your own device right now.

Open your Wi-Fi settings and look at your device's address. It very likely starts with 192.168. or 10. — and yet a website never sees that number. That's because it's a private address: one of a special set of ranges set aside to be reused.

Instead of spending a scarce, globally-unique address on every device, networks reuse the same private addresses inside themselves. The address 192.168.1.5 exists inside millions of homes at once — fine, because a private address only has to be unique inside its own network, not across the whole internet.

The parcel-delivery analogy shifts here, from the open road to inside an apartment building. Picture a large apartment building with one street address on the front. Inside, the apartments are numbered 1, 2, 3… Every building has an "Apartment 3", and nobody's confused, because "Apartment 3" only means something inside that building. Private addresses are apartment numbers: reused in every network, meaningful only inside.

Trace it back to the cause: pure scarcity-coping — reuse the same internal numbers everywhere instead of burning a scarce global address on every device.

But notice where the picture strains: an apartment number alone can't receive a letter from outside the building — and neither can a private address. So how does your device reach the internet at all? That's the next lesson.


Your phone shows 192.168.1.7, and your friend's phone in their house also shows 192.168.1.7. How can both exist at once with no conflict?

Check your answer
A good answer covers: that "unique only inside its own network" clicks.
Lesson 08 · the translator

How a private network reaches out (NAT)

A private address can't be reached from the public internet. So how does your private-addressed laptop load a website?

Through a translator at the edge of your network: your router. It has two faces — one public address facing the internet (the building's street address), and your private devices facing inward.

When your laptop sends a request, the router swaps the laptop's private "from" address for its own public one, sends it out, and writes a line in its logbook — this reply belongs to your laptop. When the answer returns to the public address, the router checks its logbook and hands it to the right device inside.

That swap-and-track is called NAT (Network Address Translation).

In the parcel-delivery analogy, the router is the building's front desk. Outgoing mail leaves under the building's single street address; replies arrive at the desk, which checks its logbook — "this one's for Apartment 5" — and walks it over. One street address out front; many apartments behind it, sharing it.

Trace it back to the cause: NAT is the second scarcity trick. One public address now serves a whole network, instead of being spent on just one.

The internet — the street outside — 203.0.113.7 the building's one public street address Front desk = your router (NAT) translates the address — and logs each conversation so a reply can find its way home THE LOGBOOK · one line per conversation apartment is talking to (outside) Apt 5 youtube.com Apt 18 wikipedia.org Apt 42 a video app ↳ a reply from one of those names → goes back to that apartment Your building — private network 192.168.1.0/24 apartment № = private address (reused everywhere) Apt 5 laptop 192.168.1.5 Apt 18 phone 192.168.1.18 Apt 42 smart TV 192.168.1.42 One public address out front; many apartments behind it. That's NAT. you send out — desk swaps to the public address & writes the line reply returns — desk reads who it's from, finds the line, swaps back * two apartments on the same site? one finer detail — a port — keeps them apart (a later lesson).
Try it now. Open your phone or laptop's Wi-Fi settings and find this network's IP address — on iPhone, tap the ⓘ beside the network; on Android or Windows, open the network's details. It probably starts 192.168. or 10.: that's your private address. Now search the web for what is my IP. That number is different — it's the public address your whole network shares. You're seeing both sides of NAT on your own screen.

When your laptop (private address) loads a website, what address does the website actually see as the sender — and why isn't it your laptop's?

Check your answer
A good answer covers: the website sees the router's public address; the router tracks who to return the reply to.
Lesson 09 · the target idea

When the provider shares too (CGNAT)

Here's the honest thing about CGNAT (Carrier-Grade NAT — your provider running NAT a second time, on top of yours): day to day, you'll never notice it — everything you do dials out, so it just works. It only bites the day something needs to reach you directly from outside: hosting a server, linking two offices, reaching equipment at a remote site. That's almost always a business need — exactly the problem you'll solve for clients. (You may also have spotted the smaller sign: your address keeps changing and isn't really "yours".)

NAT let one building share one public address. But there still aren't enough to give every building its own. So your internet provider — your home-internet company or your mobile network; to the data, they're the same thing — does the very same trick one level up.

It's the same translation, stacked twice — that's the "double" in double NAT: your router turns your private 192.168. apartment numbers into the one address your provider gave it; your provider's gateway turns that into the single real public address the internet sees.

The address your provider hands your router is itself shared — and you can spot it, because it starts 100.64.. So you can read the layer straight off the number: 192.168. = inside your building; 100.64. = the shared rung between you and your provider; a normal public number = the real street address out front.

That second, provider-level translation is CGNAT (Carrier-Grade NAT — "carrier" just means your internet provider). Two translators stacked is double NAT.

Go deeper (optional) — why a separate 100.64. range?

So the two translators never collide. Your home already uses 192.168. inside, so if your provider used it for the shared rung too, the numbers would clash. A distinct block was reserved just for that carrier layer. Which numbers got picked is fairly arbitrary — what matters is each block is reserved and separate, so every layer stays recognisable.

The apartment picture, one level out: even building street addresses are now scarce, so a whole gated complex of apartment buildings shares one street address, with a central gatehouse routing mail. Two gatekeepers between you and outside: the complex gatehouse (your internet provider) and your building's front desk (your router).

Your mobile data has worked this way for years — which is exactly why your mobile network counts as an internet provider here too.

Trace it back one last time: same scarcity, one level higher — the provider shares one public address across many customers.

Now the consequence that matters, and it's a split: sending out still worksyou start the conversation, so the gatehouse and front desk each log a line, and the reply finds its way back. But being reached from outside breaks — something outside arrives at a street address shared by hundreds, with nothing in any logbook saying which building, let alone which apartment, so the gatehouse can't place it. That outbound-works / inbound-breaks split is the whole reason behind the customer question we tackle in Part 2.

out ↑ you dial out The internet — the street The gated complex = your provider (CGNAT) Gatehouse — your provider translates again 203.0.113.7 one real public address — shared by every building ↕ shared rung 100.64.x.x — looks public to your router, but isn't Building A your whole building — apartments + front desk, from the last diagram 192.168.1.x inside front desk translates 192.168 → 100.64 Building B same idea 192.168.1.x hands up 100.64.0.6 Follow your data upward and out: through the front desk , then the gatehouse . That second translation is the only new thing. That's CGNAT.
Spot it yourself (optional). On a router you can log into, check its WAN address. If it sits in 100.64.x.x and differs from the public address a what is my IP check returns, you're looking straight at CGNAT's two layers — your router's shared 100.64 address inside, the carrier's real public one outside.

CGNAT means many customers share one public address. Using "who started the conversation": why does browsing still work, but being reached directly from outside does not?

Check your answer
A good answer covers: the outbound-works / inbound-breaks split, tied to "who started it." (We dig into the precise version in Part 2.)
Lesson 10 · leased, not owned

Addresses are leased, not owned (DHCP)

Right at the start we said an IP address is handed to a device when it joins, not built into it. Here's how that happens — and why your address quietly changes.

Because addresses are scarce, nobody gets to keep one they aren't using. Addresses are leased. When your phone joins a network, something hands it a free address from a pool, for a while. When it leaves, that address drops back into the pool for the next device. Join again tomorrow and you might get a different one.

The thing handing them out has a name: DHCP (Dynamic Host Configuration Protocol). It runs quietly inside your router — but you've felt it every time your address changed.

Dynamic — the normal kind. You get whatever's free, and it can change. Nearly every phone and laptop.
Static — a fixed address, set deliberately so it doesn't change. You arrange one for something that must always be found at the same place: a server the business runs, or the office gateway that branch sites and remote staff connect back to.

In the parcel-delivery analogy, a dynamic address is a hotel room number — assigned at check-in, handed back at check-out, given to the next guest. A static address is your own place — your name permanently on the door, the number always yours.

Trace it back once more: leasing exists because addresses are scarce. You can't permanently hold one you're not using — so dynamic is the default, and "fixed and yours" is the special case you have to arrange.

Try it now — watch DHCP work. Note your device's current IP (Wi-Fi settings). Now make it rejoin the network — many phones have a Renew Lease button in the network details; otherwise toggle Wi-Fi off and on. Check again: the address was handed to you fresh, sometimes the same, sometimes different. That hand-out is DHCP doing its one job.

Your phone gets one address on your home Wi-Fi and a different one at work. What's happening — and what's the name of the system handing those addresses out?

Check your answer
A good answer covers: "assigned/leased, not owned," and the word DHCP.

Across Part 1

Three quick ones, then send.

Next → Being reachable

ZUBA · DISPATCH DOCKETF2 · PART 2 of 2

Being reachable

Five lessons, then the payoff: the real client problem, solved.

This is the second half — it builds on Part 1 (how addresses run out). The last section is the payoff: a real customer problem you’ll be able to explain — the “ahh, that’s why we learned all that” moment.

Lesson 11 · the asymmetry

Two directions: reaching out vs being reached

A client calls: "I can browse fine, but I can't reach my office camera from home." Before you can fix it — and before you give the wrong answer that sounds right — you need the one idea underneath it: who starts the conversation.

Outbound — you start it. When you open a website, you send the first request. On the way out, your router and your provider each write a line in its own logbook: "a reply is coming back for this customer." So when the answer returns to the shared public address, there's a trail leading it home. This is the everyday direction — which is exactly why nobody notices CGNAT.

Inbound — someone outside starts it. Now something outside tries to reach you first — and "outside" includes people you want: head office reaching a branch, your own laptop dialling in from a café. Its request lands on that one public address — shared by hundreds of customers — with no logbook entry, because nothing started from inside. The provider's equipment has no way to know which customer it's for, so it's dropped — welcome or not.

In the parcel-delivery analogy: outbound is mailing a letter with your return address — the front desk logs it, the reply comes straight back. Inbound is a letter posted to "the complex's shared street address, for… someone in there" — the gatehouse can't tell which building, let alone which apartment, so it can't deliver. A courier you were expecting and a stranger off the street fare exactly the same: nothing on file, no delivery.

The internet — the street outside — 203.0.113.7 the building's one public address ① out ② reply a stranger, uninvited Front desk = your router (NAT) for anything arriving, it checks the logbook: is there a line for this? THE LOGBOOK · a line for each conversation you started apartment is talking to (outside) Apt 5 youtube.com reply from youtube.com → matches Apt 5's line · stranger → no line, nothing matches ✓ matched → delivered ✗ dropped Apt 5 laptop 192.168.1.5 Outbound writes a line, so the reply gets home. Unsolicited inbound has no line — so it's dropped. The logbook is the whole difference. you send out — the desk writes the line reply matches a line — delivered home uninvited inbound — no line — dropped * under CGNAT the same check happens again at the carrier's gatehouse — and you can't write in that logbook (next lessons).

Now the part that keeps you honest — because here the easy answer is wrong. This does not mean you're unreachable. Almost everything that feels like being reached actually works, because something on your side dialled out first. That office camera the client is worried about? It very likely works remotely — because the camera holds an outbound connection up to its vendor's cloud, and the phone reaches the same cloud; both dialled out, each has a logbook entry, so they meet in the middle.

What truly breaks is being a direct, unsolicited destination: something outside connecting straight to a service at your address, with no middleman. And for a Zuba client, that's where real money is on the line: linking two branch offices, reaching equipment at a remote site without a vendor's cloud, hosting their own server in-country — often the very function they bought a solution for. Every one of those needs the same thing — to be reachable directly, at an address that's theirs and stays put: a stable, directly-reachable endpoint. That's the target everything from here builds toward — and the next three ideas (ports, how a conversation opens, and port forwarding) are how you get there.


A friend can't connect to a game server on your home PC, yet your phone streams video fine — explain the difference using "who started the conversation." Then the harder half: why does your office camera app still work from across town?

Check your answer
A good answer covers: outbound has a logbook entry, inbound doesn't; and that "not unreachable" lands — the camera works because it dialled out to a cloud.
Lesson 12 · address + port

One address, many services (ports)

These two show up the moment you touch a firewall rule or set up remote access — "open port 443," "forward port 3389." Here's what a port actually is, because you can't diagnose a connection without one.

An address gets data to the right device. But one device runs many services at once — a laptop loading a web page, on a video call, and syncing files all in the same moment. So how does incoming data reach the right service? A second number: a port.

A port is a number that labels a service. The full destination is always address + port, written with a colon: 203.0.113.7:443. Common services have standard numbers — 443 secure web, 22 remote terminal, 3389 remote desktop. The address gets data to the device; the port says which service on it. And note who does the work: the port decides nothing — it's just the label. The receiving device reads that number and hands the data to the matching service.

Handy reference — the ports you'll meet most:

PortService
443HTTPS — secure web
80HTTP — plain web
22SSH — remote terminal
3389RDP — remote desktop
53DNS — name lookups

Where a port actually lives: each service is a separate program on the device, each listening on a claimed number — the web-server program on 443, remote desktop on 3389. ("Virtual" just means it's a software convention, not a socket you can point at — but there's always a real program on the other end.) And keep one thing separate: a port says which service, nothing about how the conversation runs — TCP vs UDP (next) is a separate choice, and the same number 443 exists as a TCP port and, independently, a UDP port. A port isn't "a UDP port" by nature; it's just a label.

In the parcel-delivery analogy: the address gets the parcel to the right device. Zoom in, and that device runs several services the way a business runs departments. The port is the "Attention:" line on the parcel — [address], Attention: Legal Department. Same street address; it just names which desk handles it. Notice it's a different kind of sub-address than a street or apartment number — not another one of those, but a marker for which function inside.

This also sharpens the logbook entry from Reaching out vs being reached: the line your router logs on the way out isn't just your address — it's your address and a port. Every conversation is pinned to one service, so the replies to your web page never get mixed up with the replies to your call.

Here's exactly when this lands on your desk. A client wants head-office staff to reach a server — or the CCTV recorder, or the phone system — at a branch, from outside. The standard action is one line on the branch router: forward the port that service runs on, so outside requests reach the right machine inside. You'll set that up or explain why it isn't working. It's also the language your firewall work is written in — a rule is allow this port, block that one. So ports aren't trivia; they're the unit the job is expressed in. (And the hook for what's coming: try that same port-forward on a CGNAT line and it won't connect — exactly the problem the next lessons solve.)


Your laptop is one device with one address, yet it's loading a web page and on a video call at the same time, and the two never get tangled. What keeps them apart?

Check your answer
A good answer covers: port labels the service; the device reads it and routes; address+port together.
Lesson 13 · the handshake

How a conversation opens (TCP and UDP)

You'll set up VPNs and you'll troubleshoot "why won't this connect / why does it keep dropping." The difference between guessing and knowing is understanding how a conversation starts. There are two styles.

TCP opens with a handshake — a quick "can we talk?" / "yes, go ahead" / "thanks" before any real data moves. That handshake is exactly the moment your router and your provider each write a line in its own logbook. So a TCP conversation has a clear, trackable beginning. (Web, email, file transfer, remote desktop.)

UDP skips the handshake — it just fires data off and hopes (it's connectionless). With no clear "start" to latch onto, the NAT can't tie a clean logbook entry to an opening; instead it keeps a tentative entry alive on a timer and erases it after a stretch of quiet. (Voice and video calls, gaming, DNS — and, importantly, most VPNs run over UDP.)

In the parcel-delivery analogy: TCP is a signed-for delivery — both sides agree before anything ships. UDP is a postcard dropped in the slot — no confirmation, just sent.

Why two styles exist at all — it's a trade between getting everything and getting it now. TCP guarantees the whole message arrives, in order, re-sending anything lost — right for a web page, a file, an email, where one missing piece corrupts the result. UDP gives that up on purpose: in a live voice or video call you can't stop to re-send a lost packet — by the time it arrived it'd be a slice of video from a second ago, useless, and it would only jam up the live picture. So for real-time, "send it and move on" beats "send it and be sure."

Here's why it earns its place (and we stop here — how TCP guarantees delivery is a later lesson): the VPN you deploy for a client almost certainly rides UDP, and UDP behind CGNAT lives on that timer. So when a client's tunnel "works, then quietly dies after it's been idle," this is often the reason — the logbook entry timed out and was erased.

The one-line takeaway: TCP's handshake gives the NAT a solid, tracked connection to hold onto; UDP gives it only a timer — so an idle UDP tunnel quietly drops, while a TCP session stays put.


A client's VPN tunnel works, then silently drops after a few idle minutes on a CGNAT line. Given how UDP is handled at the NAT, why might that happen — and how is it different from a TCP web session that stays put?

Check your answer
A good answer covers: handshake = the logbook entry; UDP = timer, so idle tunnels can lapse.
Lesson 14 · the fix that fails

Letting the outside in, on purpose — and why CGNAT won't let you

This is the first fix any technician reaches for — and the exact moment you'll realise a CGNAT client is stuck. Both halves matter.

Normally, unsolicited inbound is dropped (no logbook entry). But you can write a permanent logbook entry yourself, in advance. You tell your router: "any request that arrives on port 3389 — send it straight to the server at 192.168.1.42." That's port forwarding: a standing line in your front desk's logbook, one you write yourself — always send this port's inbound traffic to this one machine. On an ordinary connection — one where you have your own public address — this is how you host a server or reach a device from outside. Standard fix.

Now the catch, and it's the whole point. Port forwarding only writes in your router's own logbook — translation ① from the double-NAT picture. Under CGNAT there's a second one — the carrier's logbook, kept at the gatehouse — translation ② — and you can't write in it, can't configure it, and it sits on an address that isn't even yours. So you can fill your router's logbook with standing instructions and outsiders still can't get past the gatehouse: the carrier's logbook has no line for you, and it's not yours to add one.

That's the payoff in a client call: the instant port-forwarding "doesn't work" on a CGNAT line, you stop fiddling and recognise the diagnosis — "you're behind CGNAT; no router setting fixes this; you need a stable, directly-reachable endpoint by another route." Naming that correctly in thirty seconds beats an hour of config — and it's where what Zuba actually sells begins.


A client wants head office to reach a server at a branch that's behind CGNAT. You forward the port on the branch router and it still won't connect. In a sentence or two: why — and what does that failure tell you the client really needs?

Check your answer
A good answer covers: wrote in ① (their own logbook) but ② is the carrier's logbook they can't write in; the client needs a stable, directly-reachable endpoint another way.
Lesson 15 · the need, named

What you actually need: a stable, directly-reachable endpoint

Now you can name, precisely, what a CGNAT client is missing — and it's narrower and sharper than "they can't be reached."

Remember: they're not unreachable in general — anything relayed through a cloud they dialled out to works fine. What they lack is a stable, directly-reachable endpoint.

The word, pinned down — and located. An endpoint (more precisely a connection endpoint) is a place a connection can be made to — concretely, a service running on a machine, reachable at an address + port (from One address, many services: the address reaches the machine, the port the service on it). It's a real program on a real computer sitting somewhere — not an abstraction, and not the whole device: one machine can offer several endpoints, one per service. So picture an actual machine with its own public address, out on the open internet where any outsider can reach it — a small server the client rents or runs, sitting outside the CGNAT. (The hunch that it's "a paid-for service on a server outside my CGNAT" is exactly right.) For it to do its job, three things must be true at once — and "the client" is who each one is about:

The address is the client's alone, not shared — so an inbound request lands on that client's endpoint, not on one address split across hundreds of customers. (CGNAT removes this.)
The address is stable, not changing — so whoever is connecting can still find the endpoint next week. (Dynamic leasing removes this.)
The endpoint can accept unsolicited inbound — so an outside-started connection isn't dropped. (NAT drops it by default; under CGNAT, port forwarding can't restore it.)

On a shared, dynamic connection a client has none of the three — and for streaming video that's fine, because they only ever start conversations outward. But the moment they need to be a direct destination — two offices linked, a server hosted in-country, equipment reached at a remote site without a vendor's cloud — they need that endpoint, and an ordinary CGNAT line can't give it.

In the parcel-delivery analogy: think of a rented PO box at the post office — a fixed, public address that's the client's alone, that the post office always delivers to, and that accepts mail from anyone. It isn't the client's home (behind the complex gatehouse, unreachable from outside); it's a separate, reachable point the client rents because home can't be reached directly — not a shared complex address, not a hotel room that changes next week, not a building that only ever sends mail out.

Trace it home: addresses are scarce → so they're shared (NAT, CGNAT) and leased (dynamic) → so by default a client is neither uniquely addressed, nor stable, nor inbound-capable → so when they genuinely need to be reached directly, it has to be arranged on purpose. How you arrange it is the last section.


Name the three properties an address needs for an outsider to reach a client directly — and say which one CGNAT removes, which one dynamic addressing removes, and which one port forwarding can't restore under CGNAT.

Check your answer
A good answer covers: all three properties named and matched to what removes each.
THE PAYOFF · why we learned all of this

"Make our sites reachable" — solving it for a client

A client runs a head office and two branch sites, each on Starlink. They want three ordinary things: the branches to talk to head office over a secure site-to-site VPN; head office to reach the cameras/NVR and a server at each branch directly (not via a vendor cloud); and to keep that traffic in-country. Their last IT person spent a day forwarding ports and got nowhere. You can now solve this in minutes.

1 · Recognise it (10 seconds)

Check the branch router's WAN address. If it's in 100.64.x.x and a public-IP checker shows a different address, the site is behind CGNAT. That single fact closes the case on the day of port-forwarding: the inner translation (your router's, ①) was never the problem — the outer one is the carrier's (Starlink's CGNAT, ②), which the client doesn't control.

2 · Name the need

The client needs a stable, directly-reachable endpoint — three properties at once: yours (CGNAT removes this), stable (dynamic leasing removes this), and inbound-capable (port forwarding can't restore this under CGNAT).

3 · What CGNAT actually breaks

All one root — the site can't be an unsolicited inbound destination. Site-to-site VPN is the headline: a tunnel needs at least one reachable end, so if both branches are on CGNAT, neither can reach the other and the direct tunnel never forms. Then: reaching on-site cameras/servers without a vendor cloud; self-hosting in-country; on-site VoIP; and shared-IP collateral (one public IP shared by hundreds, so geolocation is wrong and one bad neighbour can get it blocklisted for all). Starlink also blocks outbound mail (TCP/25) and Windows file-sharing (TCP/445) for everyone.

4 · The Starlink reality (current)

Default is CGNAT, inbound blocked. A public IP is an optional toggle on Priority plans — but it's public, not truly static (it can change), and the stock Starlink router can't even port-forward without a third-party router. So the best Starlink-native answer is a wobbly public address on one link — and nothing for two CGNAT sites that both need reaching.

5 · The Zuba answer — and why it works

Stop trying to receive at the CGNAT address. Flip it into something CGNAT can't block: dial out. Zuba puts a Peplink device at each site running SpeedFusion — an encrypted tunnel from the site outbound to a FusionHub, a reachable endpoint Zuba hosts in a datacentre with a real, static public IP (and, for sovereignty, in-country). Because the site starts that tunnel, it's an outbound conversation — so it always has a logbook entry and always works through CGNAT. The hub becomes the site's stable, directly-reachable endpoint.

In the parcel-delivery analogy, every piece named: your shared complex address is your CGNAT line, where you can't receive mail — so you rent a PO box at an always-open downtown depot, and that PO box is the FusionHub (yours, fixed, reachable). You run your own courier — the SpeedFusion tunnel — between your site and the box. Because you send the courier out, it sails through the gatehouse (CGNAT). Now anyone can address mail to your box and your courier brings it home — and two branches running couriers to the same depot exchange mail directly. That's the site-to-site VPN, neither branch ever reachable at its own address. And because it's Peplink, the same move adds bonding (Starlink + fibre + cellular as one) and failover.

6 · Why this is the business

Every one of the client's three asks is now the same move: site-to-site (couriers to a shared depot), reaching equipment (mail to the box), in-country (hub placed locally). Competitors sell the dish, the SIM, the pipe; the thing that turns a CGNAT-crippled satellite link into a reachable, bonded, sovereign business network is exactly this. The whole chain existed so you can walk into that room, diagnose it in two minutes, and explain why the fix works.


Be honest: did it make you go "ahh, THAT's why we learned all that"? Or did it lose you somewhere?

A client has two shops, both on Starlink Residential, and wants them linked by VPN. What's the one fact that tells you a standard tunnel between them is impossible — and why doesn't upgrading one shop to a Starlink "public IP" fully fix it?

Explain, using "who started the conversation," why a tunnel out to a hub reaches the site reliably even though nothing can reach that site's Starlink address directly.

Check your answer
A good answer covers: the whole arc converging — CGNAT recognised, the need named, and "dial out = always has a logbook entry" as the reason the fix works.

Across the whole chain

Last few — these matter most. Then send.