NAT woes

Member
Posts: 142
Joined: 2002.11
Post: #1
So I have this quaint network tic-tac-toe game written for command line, using BSD sockets. The problem is that if the host is behind a router (NAT device) then the client cannot connect through the host's external IP address ... since this doesn't really correspond to the host. It works if I set up port forwarding on Airport, for example, but I cannot expect a normal user to do this just to play a simple game!

What is the easiest way to get around this?

Suppose instead I were to use SDL_Net rather than BSD sockets (which I plan on using in future projects). Then what technique might I use to get around the NAT problem? In the SDL case I would want to make sure that the code remains cross platform.
Luminary
Posts: 5,143
Joined: 2002.04
Post: #2
There is no way around the fact that the client needs to connect to an open port on the server. This is a fundamental rule of networking!

You have a few options:
* Require the server to have the port open. This is the most common solution!
* Send all your network traffic through a central server if neither host has the port open. This is probably fine for Tic-Tac-Toe, but it doesn't scale well.
* Attempt to use UPnP's IGD to configure the router's port forwarding, if neither host has the port open.
* I believe there are also some "fancy tricks" involving making outbound connections that can be used to convince certain routers to accept incoming traffic on a port.
Member
Posts: 142
Joined: 2002.11
Post: #3
OneSadCookie Wrote:There is no way around the fact that the client needs to connect to an open port on the server. This is a fundamental rule of networking!

You have a few options:
* Require the server to have the port open. This is the most common solution!
* Send all your network traffic through a central server if neither host has the port open. This is probably fine for Tic-Tac-Toe, but it doesn't scale well.
* Attempt to use UPnP's IGD to configure the router's port forwarding, if neither host has the port open.
* I believe there are also some "fancy tricks" involving making outbound connections that can be used to convince certain routers to accept incoming traffic on a port.

Is there some sort of UPnP SDK I should know about specifically?
Luminary
Posts: 5,143
Joined: 2002.04
Post: #4
I'm no expert, sorry; I didn't even know this existed until a couple of weeks ago :)

Note that even if you do get it working, not all routers support UPnP, and many that do support it don't have it enabled by default. You'll also likely need to set up the connection through a central server, otherwise the two hosts won't have any way to tell each other what they're doing...
Member
Posts: 142
Joined: 2002.11
Post: #5
OneSadCookie Wrote:I'm no expert, sorry; I didn't even know this existed until a couple of weeks ago :)

Note that even if you do get it working, not all routers support UPnP, and many that do support it don't have it enabled by default. You'll also likely need to set up the connection through a central server, otherwise the two hosts won't have any way to tell each other what they're doing...

Apparently Apple has its own competitor to UPnP called PMP. I've been reading some specifications on it, and it doesn't sound too difficult to get a router supporting PMP to port forward. Though I really doubt many routers other than Airport base stations support PMP :(

If UPnP isn't too different, then I shouldn't have much trouble with it.

Edit: Even on Apple Airport base stations PMP is OFF by default. It must be turned on in the Airport Admin Utility. Basically it's almost as demanding as making a user port forward manually.

Edit: UPnP is not supported on Airport :(
Member
Posts: 370
Joined: 2002.04
Post: #6
I've heard rumors that applications like Skype work by "tricking" the router by sending forged UDP packets around. Heavy magic, not guaranteed to work (in fact probably guaranteed to break eventually :-p ), and probably not worth the effort... Require port forwarding or use a central server are your two main options :/

Did you ever wonder why we had to run for shelter when the promise of a brave new world unfurled beneath the clear blue sky?
Member
Posts: 283
Joined: 2006.05
Post: #7
Security Now episode 42 ( http://www.twit.tv/sn42 ) is all about NAT traversal. You might be interested.

The idea of having an intermediate server sounds pretty reasonable. You only need it once, at the start of each session - not all the traffic has to go through it.

I'd think that the effort of supporting UPnP wouldn't be worth it... I certainly have it turned off in my router.
Luminary
Posts: 5,143
Joined: 2002.04
Post: #8
maximile Wrote:The idea of having an intermediate server sounds pretty reasonable. You only need it once, at the start of each session - not all the traffic has to go through it.

Unless you can trick the router, or negotiate a port-forwarding with it, all the traffic would need to go through the server...
Member
Posts: 283
Joined: 2006.05
Post: #9
Here's what I was basing it on (transcript from that Security Now episode).

Quote:...both people send packets to this liaison, or this rendezvous server. It sees what port those packets came from on each NAT router, and it exchanges that information, sending it back to each other, that is, to the other person. And then they subsequently send their data to each other using the proper port number because they’ve sent data outbound to the other IP, and they’ve aimed it at the port that now they know, thanks to the third party’s intervention, brief intervention, now they know what port the other person’s data is coming from. Their packets are regarded as solicited, even though they technically aren’t the returning traffic. To each other they look like the returning traffic, and it works.

Does that make sense at all? NAT is a bit of a mystery to me, but that looks reasonable.
Nibbie
Posts: 3
Joined: 2008.04
Post: #10
It makes sense as far as I know...
As far as I know, the NAT works because the router will remember that your computer sent a packet to someone with a request for the next packet.
The system in itself only works if the host has a public IP; however, if you try something more like a P2P connection where both hosts send an initiating packet that the other router will discard, you've allowed a "safe-travel" for the next packet.

Something in the style of this:
PC 1 -> Packet requesting packet #2 -> Router 2 will discard the packet, though now PC 2 will be free to send a packet with the number #2 to PC 1 (Router 1)
PC 2 -> Packet with number #2 -> Router 1, which expects this packet -> PC 1

Quote:...both people send packets to this liaison, or this rendezvous server.
How you're supposed to prevent the router from changing the port number when you change the IP address in the packet, I've no clue whatsoever.
Member
Posts: 370
Joined: 2002.04
Post: #11
Also, watch out - it will probably still fail for double NATs.

Did you ever wonder why we had to run for shelter when the promise of a brave new world unfurled beneath the clear blue sky?
Luminary
Posts: 5,143
Joined: 2002.04
Post: #12
maximile Wrote:Here's what I was basing it on (transcript from that Security Now episode).

*snip*

Does that make sense at all? NAT is a bit of a mystery to me, but that looks reasonable.

I wouldn't necessarily expect the router to accept the packet from the other host, since its IP address doesn't match the one you sent the outbound packet to...

It also seems likely that this would only work for UDP; presumably when a TCP connection is dropped the router closes the port mapping immediately...
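The rendezvous exchange quoted from the transcript, and the worry above that a router may drop a packet whose source does not match the outbound destination, simulated as an added example (this is not code from any poster; the NAT model uses RFC 4787 behaviour names, the Nat class and hole_punch function are mine, and all addresses are constructed):

```python
from dataclasses import dataclass, field
from itertools import count

# NAT behaviours in RFC 4787 terms; this is a simulation, not any router's actual logic.
FULL_CONE, ADDR_RESTRICTED, SYMMETRIC = "full-cone", "address-restricted", "symmetric"


@dataclass
class Nat:
    kind: str
    public_ip: str
    ports: count = field(default_factory=lambda: count(40000))
    table: dict = field(default_factory=dict)  # key -> (public port, set of destinations sent to)

    def outbound(self, private_ep, dst):
        # A symmetric NAT allocates a new public port per destination; the others reuse one mapping.
        key = (private_ep, dst) if self.kind == SYMMETRIC else private_ep
        if key not in self.table:
            self.table[key] = (next(self.ports), set())
        pub_port, allowed = self.table[key]
        allowed.add(dst)
        return (self.public_ip, pub_port)

    def inbound(self, src, pub_port):
        # Return the private endpoint the router forwards to, or None if it drops the packet.
        for key, (port, allowed) in self.table.items():
            if port != pub_port:
                continue
            if self.kind == FULL_CONE:
                return key
            if self.kind == ADDR_RESTRICTED and any(d[0] == src[0] for d in allowed):
                return key
            if self.kind == SYMMETRIC and src in allowed:
                return key[0]
        return None


def hole_punch(kind_a, kind_b):
    """Run the rendezvous exchange for two peers behind NATs of the given kinds."""
    server = ("203.0.113.9", 9000)  # rendezvous server (constructed address)
    a_priv, b_priv = ("10.0.0.2", 5000), ("192.168.1.2", 5000)
    nat_a, nat_b = Nat(kind_a, "198.51.100.1"), Nat(kind_b, "198.51.100.2")
    # 1. Both peers send to the server, which records the public endpoint each packet arrived from.
    a_pub, b_pub = nat_a.outbound(a_priv, server), nat_b.outbound(b_priv, server)
    # 2. The server hands each peer the other's public endpoint and each sends a packet straight to it.
    #    That outbound packet is what makes the router treat the peer's traffic as "solicited".
    a_sent_from, b_sent_from = nat_a.outbound(a_priv, b_pub), nat_b.outbound(b_priv, a_pub)
    # 3. Each router now sees the other peer's packet arrive: forwarded, or dropped?
    a_ok = nat_a.inbound(b_sent_from, a_pub[1]) == a_priv
    b_ok = nat_b.inbound(a_sent_from, b_pub[1]) == b_priv
    return a_ok and b_ok
```

Two cone NATs succeed because the outbound packet in step 2 opens the mapping to the other peer's address; a symmetric NAT on either side fails because it answered the server from one public port and the peer from another, so the port the server handed out is never the one the peer's packet is allowed on.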
Member
Posts: 49
Joined: 2002.05
Post: #13
http://www.codewhore.com/

That site has information regarding NAT detection and coping strategies.
Member
Posts: 144
Joined: 2004.07
Post: #14
Oh man, I love networking...it's so much fun to debug and make it work all nicely.
Member
Posts: 142
Joined: 2002.11
Post: #15
lightbringer Wrote:Oh man, I love networking...it's so much fun to debug and make it work all nicely.

I'm not having any trouble other than getting through NAT...

Personally I'm finding this really fun. Since I've never done a networked project before, I can program something fairly simple, but that still captures my interest.