Connect through a firewall without forwarding ports - ACE
Is there any way to connect to someone behind a firewall without manually forwarding packets on the known port? I'm using ACE if it matters any. [edited by - Vulcan on April 10, 2004 1:13:19 AM]

Using UDP and an introducer (matchmaker) you can make this work, assuming the other end wants to be connected to. Google for "UDP introducer NAT" perhaps?

Something that article at Intel doesn't point out about NAT is that some NATs timeout the port based on idle timeout, or even an arbitrary timeout. There are a couple of scenarios where packets are dropped, particularly with UDP. One such scenario follows:
The NAT port is timed out at some arbitrary time interval (or even if it's an idle timeout). This results in incoming packets being dropped until the next outgoing packet is sent which opens up another (possibly arbitrary!) port in the NAT. At this point your virtual connection is broken, with no route to host - you'll see ICMP errors if you are checking for them in your recv code.

Thx for the article, that's pretty nice... explained nice and simple (maybe even too simple). I wasn't aware of how NAT tables work, now I do :D

It doesn't really explain at the end how the two computers are then instructed to connect directly to each other... I doubt that you want all the game data to pass through the master server. But I think I can see how it works.

You likely want a heartbeat between each directly connected peer every few seconds.

Note that a name server may take several seconds to answer a name lookup (named runs as UDP on port 53, typically), so the time-out on those firewalls will be at least bigger than that.

If you didn't google, then you probably missed this link, btw. (it has links to other references, too)

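The introducer exchange from the earlier reply and the idle-timeout/heartbeat point above, as an added simulation that is not part of any post in this thread: a toy cone NAT (mapping keyed by the inside endpoint, not per destination; an assumption, since real NATs vary) with constructed addresses and a simulated clock shows that a mapping left idle past the timeout drops inbound packets and, on the next outbound send, moves to a different public port that the other peer does not know about.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy cone NAT: maps a private (ip, port) to a public port and drops
    anything arriving on a mapping that has been idle longer than idle_timeout."""
    public_ip: str
    idle_timeout: float
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (priv_ip, priv_port) -> [pub_port, last_seen]

    def outbound(self, priv, now):
        """Packet from an inside host: refresh its mapping, or allocate a new one."""
        entry = self.table.get(priv)
        if entry is None or now - entry[1] > self.idle_timeout:
            self.next_port += 1                    # expired: a *different* public port
            entry = self.table[priv] = [self.next_port, now]
        entry[1] = now
        return (self.public_ip, entry[0])

    def inbound(self, pub_port, now):
        """Packet from outside: deliver only if a live mapping owns pub_port."""
        for priv, (port, last_seen) in self.table.items():
            if port == pub_port and now - last_seen <= self.idle_timeout:
                return priv
        return None                                # dropped; sender may see ICMP unreachable

PEER_A = ("10.0.0.2", 5000)       # constructed private endpoints
PEER_B = ("192.168.1.7", 5000)

def simulate(idle_timeout, heartbeat, total):
    """Return True if a packet A sends to B at time `total` is delivered.
    heartbeat=0 means the peers stay silent after the introducer exchange."""
    nat_a = Nat("203.0.113.5", idle_timeout)   # constructed public addresses
    nat_b = Nat("198.51.100.9", idle_timeout)
    # t=0: both peers send to the introducer, which learns and swaps their public endpoints
    nat_a.outbound(PEER_A, 0.0)
    pub_b = nat_b.outbound(PEER_B, 0.0)
    t = 0.0
    while heartbeat and t + heartbeat < total:
        t += heartbeat
        nat_a.outbound(PEER_A, t)                  # each heartbeat refreshes the sender's
        nat_b.outbound(PEER_B, t)                  # own mapping on its own NAT
    nat_a.outbound(PEER_A, total)                  # A's game packet leaves NAT A ...
    return nat_b.inbound(pub_b[1], total) == PEER_B  # ... and must hit a live mapping on NAT B

if __name__ == "__main__":
    # 5 s heartbeat vs 30 s timeout works; silence, or a 60 s heartbeat, does not
    print(simulate(30, 5, 120), simulate(30, 0, 120), simulate(30, 60, 120))
```

A heartbeat interval shorter than the smallest NAT timeout on either side keeps both mappings alive; one longer than the timeout is as bad as none, because each side's public port has already changed by the time it sends.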
So this is a lil confusing to me: If anyone behind a NAT has ever used AIM to try to send someone a file, it OFTEN fails, especially if it is being sent to someone that is also behind a NAT. Now does AIM often fail because the developers of it happened to miss these articles or are there just situations that exist where a peer-to-peer connection simply isn't possible?

[edited by - tieTYT on April 15, 2004 2:23:06 AM]

I just read this and I think I found a biiig mistake in it.

This is the slide: http://www.intel.com/cd/ids/developer/asmo-na/eng/79524.htm?page=5

It says that the NAT table for bob has bob's private ip address but joe's public ip address. And it says that joe's NAT table has joe's private ip address but bob's public ip address. Shouldn't the public ip address of the NAT table be the same as the public ip address of the router?

No, why should the address of the router show up in the router's NAT table?

edit: let me expand that some. The NAT table works by taking the source address of the incoming packet and mucking with the destination according to the entries in the table. There should be no need for the router to store its own public address in the table, because it already knows the address of the relevant interface.

[edited by - SiCrane on April 15, 2004 6:28:49 PM]

quote:
Original post by SiCrane
No, why should the address of the router show up in the router's NAT table?

edit: let me expand that some. The NAT table works by taking the source address of the incoming packet and mucking with the destination according to the entries in the table. There should be no need for the router to store its own public address in the table, because it already knows the address of the relevant interface.

[edited by - SiCrane on April 15, 2004 6:28:49 PM]


Ok, that makes sense to me, but right on the page before that

http://www.intel.com/cd/ids/developer/asmo-na/eng/79524.htm?page=4

it says joe gets a packet and it shows Joe's router's NAT table and that NAT table has joe's router in it. So does this mean that Page 4 is the one that's wrong?

Page 5 is a third party negotiated connection. Page 4 is an attempt at direct connection. So in the third party negotiated connection the tables get built differently than when the two clients try to hit each other directly. That's the entire point of page 5's existence, that there is a difference in the NAT tables.

AIM file transfer may use TCP connections. TCP through two-way NAT is... not really feasible. (There are people who try, but it's all a bunch of guesswork that often doesn't work)

AIM uses TCP because that's less likely to be blocked by corporate firewalls. It tries first on its own port, and then on a bunch of known ports (80, 53, 443, etc) to see if it can get through to the greater net somehow. UDP is usually blocked by corporate IT staff, because it's mostly used for games.

tieTYT is right, it's not consistent..

on page 3 it says:

"NAT keeps the original source address and adds it to an in-memory table (the NAT table), along with the new source-address information."

Which it sticks to until page 5 where they made the mistake...

The public IP address in the NAT table should indeed be the IP of the router... Although it does seem a bit pointless because that information is not really needed, the NAT already knows its own IP address.
