I am making a game in Libgdx where a user(client) will be a host of the server himself
and only one other client can connect to him and play with him(likewise there might be multiple independent servers and pair of clients playing with each other like miniclip games)
but how will the other client locate host-client (or servers) IP?
I am using kryonet
Some guy suggested me to do NAT punching and stuff but I am totally confused.
Please help
(I am complete beginner to networking)
If you want your clients to discover servers just in LAN, you can do broadcasting on the servers and sniffing on the clients. As they are in the same LAN, there should be no need for NAT.
Otherwise, you have to set up managers(servers for managing) on the Internet. Servers have to register themselves to a manager, clients ask a manager for servers information. As managers know both servers and clients public IP addresses, NAT should be easy once you think your managers as STUN servers.
The most simple manager can be just a simple wraper over database/Redis with a server name/server ip/server metadata table. Details about how to implement it relies on your skill stack. To enable STUN, there are open source STUN server and client you can just pick up, e.g. coturn. No matter you put the STUN server into your manager or not, both your managers and STUN servers have to be published on the Internet (sure include AWS) where they have their own public IP.
Or you can let the managers to relay messages for servers and clients. But this way may be too complicated compares to previous. I would not recommend.
Related
Could anyone please explain if by default (firewall application) all users can access DMZ? Or only inside users? Also, if the users will be added to the access control list?
The most common form of a DMZ is a kind of "proxy" network between your intranet (LAN) where all your clients are connected to and the WAN. Imagine you have a network with some web servers, PCs like laptops or workstations, and some other servers or services with databases or similar. In front of your LAN, there´s a firewall creating the gateway to the WAN.
If everything is inside the same network you'll have security issues since, if one machine gets compromised, basically everything will be possible.
As long as you're communicating in the same subnet, let´s say a class C network of 192.168.0.0 (IP-Range from 192.168.0.1 - 192.168.0.254) the traffic will not be routed to your gateway which is usually your firewall. Meaning that every request you do from 192.168.0.2 to 192.168.0.3 will not be monitored and/or restricted by your firewall. This is an issue.
Web servers for instance have to be accessible from the outside. If an attacker gets access to the server he could mess with anything in your network.
Now you introduce a DMZ, basically a proxy network between your LAN and the WAN (at least in most cases). Since it's an own subnet the traffic will be routed through your gateway (firewall) so your rules apply. Also, to get into the intranet the data has to pass two firewalls (or twice the same firewall). You can now create firewall rules that will allow or disallow the communication from servers or clients and vice versa in the DMZ to your actual LAN. This way you can define that every communication into your LAN is denied by default and then you start adding rules to allow communication, for instance, if some service has to connect to a database in your LAN or similar.
Many networks only filter inbound traffic that way but in my opinion, you should also deny all outbound traffic until approved by a firewall rule.
Also, depending on the situation, often the clients are in the DMZ as well-meaning only critical infrastructure is in your actual intranet. In this case, commonly only administrative users will have "full" access to the intranet itself. Generally, it's a good idea to put the clients in a separate, restricted network since you'll often get to points where the clients are the biggest vulnerability for your network (Like users who like to open word documents clearly being some kind of fraud and similar)
I am trying to create a small academic project in the area of home automation. I explored various protocols and standards in IOT domain and find COAP close to my requirements.
The intent is pretty simple: To have a peripheral at home (like bulb, temperature sensor etc) which act as COAP server and expose certain resources and services. Since COAP uses an addressing scheme similar to web, any client having the address of this server shall be able to talk to this COAP server (i.e. peripheral) and control its attributes.
I have certain doubts about how a client not present in the same LAN as the server, can discover this server and the resources exposed by it. I understand that COAP facilitates resource discovery using CoRE link format but it seems that it primarily uses multicast which can only work within a LAN. I don't want to put a resource directory server at home and various COAP servers registering with it and then this directory server talking to a server sitting in the cloud. I want to have the ability to just install a peripheral at the home which can communicate to a remote client (like COPPER) using wifi home network. But how to discover the COAP server sitting at home from a remote location and then talk to it considering that COAP server will be on a private IP address.
Is this really possible using just COAP?
As you're sitting behind a NAT, that will allow neither direct discovery nor connections; CoAP will not try to magically pierce that.
Popular ways out are:
Use IPv6 (obliviating the use of a NAT) and (at least selectively) disable the firewall. You will still only be able to do discovery locally, but once discovered, you can connect to your devices from anywhere.
Use a VPN to make your mobile device act as if it were in the NAT.
Run a CoAP proxy at the router with a port open to the outside, and tell your mobile device to connect through that proxy. This does not give you local discovery either.
For the proxy and IPv6 cases, you can then still run a resource directory in your local network. That does neither need to connect to nor accept registrations from any cloud service, but it can help you do the very discovery that you'd like to do with multicast but can't because your mobile device is too far away. Both the resource directory and the proxy should be configurable to not talk to devices outside the local network unless they are authenticated.
Make your router accept HTTP requests , and run a HTTP to CoAP proxy in your system, access your CoAP devices via your IP thought HTTP-CoAP proxy.
I have been looking for an answer to this problem, but I cannot find what I am looking for. I think, perhaps, it is because I lack the knowledge to ask the question in meaningful way.
I have been learning a lot about remote access to devices at home. I know that ISP's change public IP addresses regularly (dynamic IP address). I know that to get around this, one could use a service like "no-ip", etc. Or one could get a static IP address.
What I do not understand is how some of the latest home automation devices are able to be controlled remotely without use of a static IP, or a service like "no-ip". For example, a wifi enabled thermostat, or lighting system.
If the device had a built in server, or client, then I assume that the device could connect to an outside server in a remote location. The user could then also log into that server and send commands to the device. What I don't understand is how commands sent to the device from a cell phone, for example, can reach the home device. Presumably the off site location of the server would have to know the public IP address where the devise is located, and then port-forwarding would have to be set up to allow access to the device.
What am I missing here? Is it possible to create a homemade wifi enabled thermostat, webcam, or other device without using port-forwarding, no-ip, or a static IP?
Well, there are several ways to bypass the inbound connection constraint of NAT protocol. Such as:
A virtual adapter on the device configured to a VPN server that has an inbound port open ready to transfer data. Various open source solutions such as openVPN are considered as great examples for this service over IOT boards like Raspberry Pi, Beagle Bone, etc. These are used as gateways often. Further, they communicate with the microcontrollers over popular IOT protocols such as MQTT, COAP, etc.
Another solution is to create a port forwarding tunnel, since the router won't block the outbound connection. There are various tunneling services that are availble such as localtunnel, ngrok, etc. You could also use a cloud server that has a public IP such as AWS, DigitalOcean, etc. Again as above mentioned point, they can be implemented in the gateways.
Some devices "phone home" to a server so that there are ports open between them and the servers, and the mobile apps just contact the servers. This is the same way your web browser can receive web pages from a web server. If you have a NAT router, the router must open a port from the inside device to the outside server. This is maintained in a NAT table with expiration timers for UDP and session monitoring for TCP.
A broad question.
We have a client application that currently talks to a web service to exchange data between two clients. The first client stores data on the service and other clients poll the service to collect it at some later time.
We are looking to change this infrastructure a little in that clients will Connect() to the service supplying the IP and Port that they will 'speak' on. When client A wishes to send data to client B it will look up client B's IP and port on the service and then send the data directly to that IP and port.
In the situation where several clients exist behind a common firewall (and NAT), my gut instinct is that I would need to configure port forwarding for each client so that inbound messages at the public IP (ie public side of firewall) can be routed to the appropriate client. As our application is designed to shield 'techy' details we'd like to avoid this it all possible. One caveat is that we are quite happy for the client to have to open a port on the firewall, but to avoid the extra step of setting up port forwarding.
Hope this makes sense, and please feel free to ask for any clarification.
-- Edit --
We are aware of UPnP but it is a non-starter for us due to the fact that it is either not available on some routers and the fact that some corporate environments don't allow it.
Thanks,
Simon
Most home routers provide a UPnP interface to allow applications to set up port forwarding without requiring the user to do anything. Depending on the router model, they may need to enable it on the router, usually a checkbox in some buried config screen.
I was wondering that how application like skype ( a popular chat client ) works in local network with one router, How it can listen on particular port?
for example:=
In one network A and B are two machines running skype , gateway of both is G1,
now how A and B will have same IP on internet that is of G1, but how can they ensure that they are listening on different ports? How can they ask to router G1 for unique port.
I want to make a simple text chat server on linux. How can I have connections between two different computers in two different networks?
Solution to your problem is to have a forwarding server somewhere in the net.
Different programs use different means to connect to each other. But every chat server, including Skype, has a server, which forwards data or information about subnet IP/port availability.
There are two types of clients: "listening" clients and "passive" ones. Listening clients have direct access to Internet via router port forwarding, and "passive" ones have to use additional tricks to get their hands on external data, line external servers or additional ports to listen.
The point is, not clients connect to each other, but they connect to a server, which then connects back to them to verify they are available, and, if at least one of them is not firewalled, direct another on to connect to the first one, excludint itself from further communication. And if both are firewalled, then is has to forward their messages through itself.
Host Discovery
Manual discovery, client A knowns who client B is
Discovery through broadcast UDP which is used by lot of games for LAN play. A client sends out a packet to the broadcast address for their subnet. The peers can choose to pick up this broadcast and respond. The downside is that this is limited to the current subnet. The more general INADDR_BROADCAST (255.255.255.255) works for all subnets on the local-link, but it cannot be routed, so won't work over internet (this is what DHCP auto-configuration uses).
Discovery through a central (Rendezvous) server. Each individual client knows the address of the server, and the latter informs them about each other. This technique is used by IRC, Voip, IMs and by most 'peer-to-peer' networks.
Communication
After the initial discovery is done you want to be able to talk to eachother. On the internet this can get tricky. Most people nowadays have their own router and sit behind a NAT, so direct connections are impossible.
Using a Rendezvous server, you can possibly talk to each other using the server itself. client A tells the server what to say, and it in turn tells client B, since both clients have an outbound connection to the server.
It is possible for the clients to talk to each other without the server proxying. This requires either DMZ, port forwarding or UPnP. DMZ will basically forward all incoming connections on all the ports to a given local IP. Port forwarding only forwards certain ports to local IPs. UPnP is a bit more advanced, the client requests that the router temporarily forwards a port to it, and you tell the other client via the rendezvous server where to connect.
Chatting app implementation
The easiest solution to your problem is most likely to use a central server, which is known by all the clients, that proxies host discovery and possibly the communication between the clients. If you want the clients to communicate directly, you can just proxy host discovery, and then let either DMz, manual port forwarding or UPnP do the rest.
Another solution would be to just have direct communication through NAT traversal techniques discussed above, and do manual host discovery.
Yet another solution would be to use a public webserver and 'abuse' its ability to insert content to chat with each other.
You need a central UDP Rendezvous Server.
After the initial connection from the client to the server the UDP clients can be redirected to talk to eachother directly even if firewalled.
The trick is to open an UDP connection from the inside.
Check out Real-Time Media Flow Protocol and how they use it.
Check out UDP Hole Punching
alt text http://labs.adobe.com/technologies/stratus/images/p2pvideo_250x215.jpg
Traditional NAT servers replace the source address and port with the address and a random port number of the external interface of the NAT server. This works well for simple protocols such as HTTP and SMTP, but it can create problems for more complex protocols that require multiple response ports on the external interface of the NAT server. NAT servers also aren’t aware of information stored in the data portion of the application layer header without the help of NAT editors and similar software fixes.
Windows XP’s answer to these problems is NAT Traversal, which can automatically allow the UPnP-enabled NAT client application to communicate with a UPnP NAT device. NAT Traversal provides methods to allow the UPnP client to learn the public IP address of the NAT server and to negotiate dynamically assigned port mappings for UPnP NAT client applications.
NAT Traversal features can be built into any hardware device or software application. Applications that commonly cause troubles for NAT devices but work well when UPnP-enabled include the following:
Multiplayer Internet games
Audio and video communications
Terminal Services clients and servers
Peer-to-peer file sharing applications
When these applications are UPnP-enabled, access through the Windows XP ICS allows them to work seamlessly.
Unless A and B are actually "listening" to the responses to outgoing requests, your router will need to be cofigured to forward the relevant port numbers to the relevant hosts. This isn't something that you can request in the code, it's something you need to configure on the router itself.