How does port forwarding work in big video games with a lot of traffic? - networking

Please consider the following scenario.
Let's suppose there are two roommates having the same game installed. For the sake of this question let's assume that the game is DoTA2.
Both roommates are connected to the same router and thus essentially have the same public IP (the router's IP).
Now, let's assume that someone else on the outside, i.e. on the public internet outside of the router, wants to connect to roommate1; then the router will have a simple port forwarding rule within the NAT that may go as follows:
If the request comes from outside on port ABC (the game's port), forward it to roommate1.
Now, if we assume that roommate2 is also online in the game and another public computer wants to connect to them, then how would the port forwarding work?
How will the router know which private computer (roommate) the connection request should be forwarded to?
Please do not give answers like "DoTA has multiple ports allotted" or any game-specific answer; the use of DoTA is just an example.
You can even consider a scenario where there are two private computers running a simple HTTP server on port number 80; how would an outside computer know which one to connect to?
I have googled DMZ, and port forwarding but do not clearly understand the solution.

It's kinda rude to tell us what kind of answers we can give, especially when you have asked an off-topic question yourself.
Getting to the answer to your question: port forwarding is done based on the combination of private IP and port. roommate1 and roommate2 have different private IP addresses but are using the same port, and on your router (assuming it's a generic one) only one forwarding rule can be used at any point.
A possible solution is to use a proxy server like HAProxy after your router on the private network side and use a TCP association based policy to forward packets to the roommates.

In short, NO, it is not possible. You can only NAT from 1 public address to an internal IP on X port.
In long, companies do this, but they have 2 or 3 public addresses; then you can map to a different internal IP.
Public IP 1 > Internal IP:port
Public IP 2 > Internal IP:port
You can map from an external IP to multiple internal IP addresses, but since you are using the same service (game) they probably use the same port or ports.

Does NAPT include port forwarding?

I've got difficulties in understanding NAT, NAPT, and port forwarding.
I got what NAT does. But when I try to describe port forwarding, NAT's concept becomes too vague.
I found NAPT and there is only a vague assumption that port forwarding is related to this.
Is port forwarding related to NAPT? If not, what is the difference?
NAPT stands for Network Address Port Translation and it specifically refers to being able to have many private IP addresses (i.e. inside your building) all able to share a single public IP address (that would be assigned to your router from your ISP).
Think of it like this ... your public IP Address which is visible to the entire Internet exists on the ethernet port that you have connected to your Internet service.
Then, the other ports on your router / firewall / WiFi are all on a different network entirely - that's called your PRIVATE network.
In order to get all of those IP addresses on the inside private network to be able to have autonomous access to the Internet, your router/firewall does what we traditionally call NATting - Network Address Translation. So let's say that you and three other people access the same web site from inside your house. Your firewall will see those requests to access that web site on your three different private IP addresses and it will assign to that browsing session a unique session ID for that datastream; it will then go out and contact that web server, but that unique session ID rides with that datastream so that when packets come back from the web site the router knows which private IP address to send them to. It acts as a facilitator for the internet packets going to and from the private IP addresses inside your building.
And a private IP address can be assigned to computers, tablets, cell phones, printers etc. etc.
PORT ADDRESS TRANSLATION is the exact same thing, only in reverse.
You do NOT want anyone on the Internet to be able to access any of the devices on your private network, so by default, your router/firewall denies any requests coming from somewhere on the internet that might be trying to access your public IP address.
But there are times when you have something running on one of your private IP devices, like a gaming console, or maybe a remote desktop session that you need someone to access from the Internet. What we typically do is go into the router's configuration settings, and we create a PAT rule that says, "Allow any attempts to access my public IP address ON this specific port number and send those requests back to this specific private IP address." - in a nutshell.
NATting is when traffic is generated from the inside of your private network and it is going out to the Internet, whereas PATting is for traffic coming FROM the Internet into your private network.
Hope that helps clarify things a little ...
Edit: I should point out that these days, when a device or some software running on your computer needs to allow traffic from the Internet to reach it, there is a feature in most home routers called UPnP (Universal Plug And Play) that, when enabled, lets devices like XBOX and other software create - on the fly and without you having to give it any thought at all - PAT rules inside your firewall. UPnP was created because most home users don't remotely understand how network traffic works, so trying to teach the non-tech person how to create PAT rules was becoming an issue, so UPnP was invented... it has its issues, but for the most part it's fairly reliable and nothing to worry about.

Mikrotik - Add second WAN IP and route specific traffic

After 20 pages of SO results about Mikrotik and some more Google results, I've come here, down on my knees, to request some enlightenment.
I have a network with a static IP and some public IPs (248 mask).
So far I've configured the network to use one of those public IPs and use it for 2 subnets (192.168.85.X and 192.168.5.X) which are isolated from each other and both can access the internet.
What I'm trying to achieve is to add a second WAN IP to the router, and route traffic to a specific server to use that IP.
What I mean is:
Any PC from 192.168.85.X should use WAN IP1 and use internet with it.
Any PC from 192.168.85.X trying to access www.facebook.com should use WAN IP2 to browse and navigate to that website (while all the rest of the traffic goes through WAN IP1).
The device that gives me the WAN link only has 1 "out" port, so there is no way to put 2 cables from the "modem" to the Mikrotik; right now there is 1 cable going from the modem to the Mikrotik device. I've seen some forum posts where the first part can be solved by just connecting 2 cables and then assigning a different IP to each interface.
As you may notice, I'm really raw in networking and routing, so any GUI/Winbox instructions are appreciated, but CLI commands would be just fine.
This info is for reference for anyone who may want to do this in the future:
1.- If you assign the IP to the WAN interface using the same notation X.X.X.X/29, the router will know that you want to use all the IPs but set the default route to use the given IP as the preferred one. This can be looked up in IP > Routes.
2.- If you want to use different IPs for different traffic, you have to a) mark that traffic and b) force that traffic to go out via a specific IP. You do this in IP > Firewall > Mangle to mark the traffic and IP > Routes to add the new route for that traffic. There is contradictory info about whether or not you need to add NAT (IP > Firewall > NAT) rules for the traffic and I'm really lost about it (it doesn't work with or without, but sometimes does work).
This is all I can contribute to this; I'll keep trying to find an answer on serverfault as #SergGr suggested.
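The three threads above (the two roommates on one public IP, the NAPT answer, and the Mikrotik second-WAN-IP question) all come down to what a router's translation tables look like. The following is an added example, not code from any of the posts or from RouterOS: a toy router model with an outbound NAPT table, a static port-forward (DNAT) table keyed on (public IP, protocol, public port), and a policy hook that picks which public IP a flow leaves on, which is what a mangle mark plus a route does on a Mikrotik. All addresses, ports and the `Router`/`Packet` names are constructed for the example.

```python
"""Toy model of a home router: NAPT table, static port forwards, per-flow WAN selection.

Added example (not from the original posts). All addresses and ports are constructed.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Router:
    def __init__(self, public_ips, policy=None):
        self.public_ips = list(public_ips)
        # policy(pkt) -> public IP to use for a new outbound flow; default: first WAN IP
        self.policy = policy or (lambda pkt: self.public_ips[0])
        self.forwards = {}   # (public_ip, proto, public_port) -> (private_ip, private_port)
        self.flows = {}      # private 5-tuple -> (public_ip, public_port)
        self.sessions = {}   # (proto, public_ip, public_port) -> private 5-tuple
        self._ports = itertools.count(40000)  # NAPT source-port pool

    def add_forward(self, public_ip, proto, public_port, private_ip, private_port):
        """Static DNAT rule. One public (ip, proto, port) can point at only one host."""
        key = (public_ip, proto, public_port)
        if key in self.forwards:
            raise ValueError(f"{key} already forwarded to {self.forwards[key]}")
        if public_ip not in self.public_ips:
            raise ValueError(f"{public_ip} is not one of this router's WAN addresses")
        self.forwards[key] = (private_ip, private_port)

    def outbound(self, pkt):
        """Translate a LAN->WAN packet; allocate a NAPT entry on first sight of the flow."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.flows:
            public_ip = self.policy(pkt)          # routing decision (mark + route)
            public_port = next(self._ports)       # unique per flow, so replies are separable
            self.flows[key] = (public_ip, public_port)
            self.sessions[(pkt.proto, public_ip, public_port)] = key
        public_ip, public_port = self.flows[key]
        return Packet(pkt.proto, public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a WAN->LAN packet, or return None if the router drops it."""
        flow = self.sessions.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if flow and (pkt.src_ip, pkt.src_port) == (flow[3], flow[4]):
            # reply to a flow a private host opened: the NAPT entry says where it goes
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, flow[1], flow[2])
        target = self.forwards.get((pkt.dst_ip, pkt.proto, pkt.dst_port))
        if target:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, *target)
        return None  # unsolicited and no forward rule: dropped


def prefer_second_wan_for(dst_prefix, wan1, wan2):
    """Policy: flows to dst_prefix leave on wan2, everything else on wan1."""
    return lambda pkt: wan2 if pkt.dst_ip.startswith(dst_prefix) else wan1


def demo():
    """Run the three scenarios and return what happened, keyed by scenario."""
    out = {}
    # --- one public IP, two roommates both wanting inbound game port 27015 ---
    r = Router(["203.0.113.10"])
    r.add_forward("203.0.113.10", "udp", 27015, "192.168.1.10", 27015)
    try:
        r.add_forward("203.0.113.10", "udp", 27015, "192.168.1.11", 27015)
        out["second_forward_accepted"] = True
    except ValueError:
        out["second_forward_accepted"] = False
    hit = r.inbound(Packet("udp", "198.51.100.7", 5000, "203.0.113.10", 27015))
    out["unsolicited_goes_to"] = hit.dst_ip
    # both roommates open outbound flows from the same source port: NAPT keeps them apart
    a = r.outbound(Packet("udp", "192.168.1.10", 27015, "198.51.100.7", 27015))
    b = r.outbound(Packet("udp", "192.168.1.11", 27015, "198.51.100.7", 27015))
    out["public_ports_differ"] = a.src_port != b.src_port
    reply = r.inbound(Packet("udp", "198.51.100.7", 27015, "203.0.113.10", b.src_port))
    out["reply_reaches"] = reply.dst_ip
    # --- two public IPs: one forward per public address, plus a per-destination policy ---
    r2 = Router(["203.0.113.10", "203.0.113.11"],
                policy=prefer_second_wan_for("198.51.100.", "203.0.113.10", "203.0.113.11"))
    r2.add_forward("203.0.113.10", "udp", 27015, "192.168.1.10", 27015)
    r2.add_forward("203.0.113.11", "udp", 27015, "192.168.1.11", 27015)
    out["second_ip_goes_to"] = r2.inbound(Packet("udp", "198.51.100.7", 5000, "203.0.113.11", 27015)).dst_ip
    marked = r2.outbound(Packet("tcp", "192.168.85.20", 51000, "198.51.100.50", 443))
    other = r2.outbound(Packet("tcp", "192.168.85.20", 51001, "192.0.2.9", 443))
    out["marked_wan_ip"], out["default_wan_ip"] = marked.src_ip, other.src_ip
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the two halves of the answers visible: outbound flows never collide because the router owns the public port it hands out, while an inbound forward is a static lookup on the public port alone, so a second host on the same port needs a second public address (the `r2` case). The policy hook is the simplest stand-in for "mark this traffic, route it via the other WAN IP"; on a real router the reply path also depends on the source NAT using that same address, which is the part the Mikrotik answer was unsure about.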

Is it possible to redirect TCP connections

Given the following scenario:
Computer A connects to a public server from behind a firewall.
Computer B connects to the same public server from behind a firewall.
Now, is there any way for Computer A to talk directly to Computer B using those outbound connections without sending all data through the server?
Can the server link those connections somehow?
Two peers, talking to each other, using outbound connections instead of dealing with inbound firewall issues.
Possible, yes. Easy, no.
At least one of the firewalls needs to be updated to forward a port on the external IP to a port on the machine behind it. The other machine can then connect to that port to open a bidirectional TCP/IP connection.
To accomplish this, you can make use of UPnP on the firewall to accomplish "hole punching" or "NAT traversal".
Once the firewall port is open, you forward that port number over the public server and pass it along with the public IP address already known to the server along to the other machine. It can now create the connection.
I don't think that it can be achieved, mate. Unless you have access to the public server's network and create a route to direct incoming A directly to B and vice versa.

TURN server XOR-RELAYED-ADDRESS IP different from its own public IP

Suppose I am running a TURN server bound to a public IP (say 100.0.0.1). When the server creates a relay port for a create allocation request, is it ever the case that the server would send back an IP address that is different from whatever it is bound to (100.0.0.1 in this case) in the XOR-RELAYED-ADDRESS attribute? I'm not familiar enough with networking to know all possible scenarios, and the RFC 5766 doesn't really say anything specific (as far as I can tell).
Phrased another way, is the IP address in the XOR-RELAYED-ADDRESS redundant? In all cases I have considered, the client only needs to know the port allocated, and could completely ignore the IP of XOR-RELAYED-ADDRESS. As long as the client knows the relay port, it can always send relay data to the TURN server public IP (it already knows the IP since it had to connect initially...) at the relay port.
Any comments?
If your server is not behind a NAT (on the public internet with a public IP address assigned to it), then the IP address returned in XOR-RELAYED-ADDRESS will be the same. (It will always be the same as the IP address assigned to its NIC).
I assume the reason you are considering ignoring XOR-RELAYED-ADDRESS is related to your other question suggesting the TURN server will actually be behind a NAT/firewall. I think you'll find that the IP address is predictable. But the firewall/NAT your server sits behind has the possibility of messing up the port allocations. Make sure you understand how the TURN server does port assignments, and that your firewall does port forwarding correctly.
One bit of nomenclature clarification. Your server isn't "bound" to a public or a private IP. Your server socket binds to an interface that has an IP address assigned and associated to it.
Actually, you guys both overlooked a situation where the relay IP address is different from the listening IP address on the TURN server. The TURN server may be listening on, say, address 1.2.3.4, but it may be allocating the relayed endpoint on two other public addresses - like 2.3.4.5 and 3.4.5.6. The real relayed IP address is returned in XOR-RELAYED-ADDRESS and it may be very different from the listening address.
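The last answer is the practical reason a client must decode the address half of XOR-RELAYED-ADDRESS rather than reuse the address it connected to. The block below is an added example, not code from the thread or from any TURN implementation: it builds a minimal Allocate success response the way a server would (STUN header and XOR address encoding per RFC 5389, XOR-RELAYED-ADDRESS per RFC 5766) and parses it back the way a client should. The listening address 1.2.3.4 and relay address 2.3.4.5 follow the answer above; the transaction ID and the mapped address are constructed.

```python
"""Encode and decode XOR-RELAYED-ADDRESS in a TURN Allocate success response.

Added example, not from the original thread. Addresses and transaction IDs are constructed.
"""
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_SUCCESS = 0x0103      # method 0x003 (Allocate), class = success response
XOR_MAPPED_ADDRESS = 0x0020
XOR_RELAYED_ADDRESS = 0x0016


def _xor_key_v6(transaction_id):
    # IPv6 addresses are XORed with magic cookie || transaction ID (128 bits)
    return int.from_bytes(struct.pack("!I", MAGIC_COOKIE) + transaction_id, "big")


def encode_xor_address(ip, port, transaction_id):
    """Attribute value: reserved(1) family(1) X-Port(2) X-Address(4 or 16)."""
    addr = ipaddress.ip_address(ip)
    x_port = port ^ (MAGIC_COOKIE >> 16)
    if addr.version == 4:
        return struct.pack("!BBH", 0, 0x01, x_port) + (int(addr) ^ MAGIC_COOKIE).to_bytes(4, "big")
    x_addr = int(addr) ^ _xor_key_v6(transaction_id)
    return struct.pack("!BBH", 0, 0x02, x_port) + x_addr.to_bytes(16, "big")


def decode_xor_address(value, transaction_id):
    """Inverse of encode_xor_address; returns (ip_string, port)."""
    _, family, x_port = struct.unpack("!BBH", value[:4])
    port = x_port ^ (MAGIC_COOKIE >> 16)
    if family == 0x01:
        ip = ipaddress.IPv4Address(int.from_bytes(value[4:8], "big") ^ MAGIC_COOKIE)
    elif family == 0x02:
        ip = ipaddress.IPv6Address(int.from_bytes(value[4:20], "big") ^ _xor_key_v6(transaction_id))
    else:
        raise ValueError(f"unknown address family {family:#x}")
    return str(ip), port


def build_allocate_success(transaction_id, relayed, mapped):
    """Minimal success response carrying XOR-RELAYED-ADDRESS and XOR-MAPPED-ADDRESS."""
    body = b""
    for attr_type, (ip, port) in ((XOR_RELAYED_ADDRESS, relayed), (XOR_MAPPED_ADDRESS, mapped)):
        value = encode_xor_address(ip, port, transaction_id)
        body += struct.pack("!HH", attr_type, len(value)) + value
        body += b"\x00" * (-len(value) % 4)   # attribute values are padded to 4 bytes
    return struct.pack("!HHI", ALLOCATE_SUCCESS, len(body), MAGIC_COOKIE) + transaction_id + body


def parse_message(msg):
    """Return (message_type, transaction_id, {attr_type: raw_value}); raise on a bad header."""
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) < 20 + length:
        raise ValueError("not a STUN message")
    transaction_id = msg[8:20]
    attrs, off = {}, 20
    while off + 4 <= 20 + length:
        attr_type, attr_len = struct.unpack("!HH", msg[off:off + 4])
        attrs[attr_type] = msg[off + 4:off + 4 + attr_len]
        off += 4 + attr_len + (-attr_len % 4)
    return msg_type, transaction_id, attrs


def relayed_endpoint(msg):
    """The (ip, port) a client should hand to peers: taken from the attribute, not assumed."""
    msg_type, transaction_id, attrs = parse_message(msg)
    if msg_type != ALLOCATE_SUCCESS or XOR_RELAYED_ADDRESS not in attrs:
        raise ValueError("not an Allocate success response with a relayed address")
    return decode_xor_address(attrs[XOR_RELAYED_ADDRESS], transaction_id)


if __name__ == "__main__":
    tid = bytes(range(12))   # constructed transaction ID
    # server listens on 1.2.3.4 (as in the answer above) but relays on 2.3.4.5
    response = build_allocate_success(tid, relayed=("2.3.4.5", 49152), mapped=("203.0.113.9", 61000))
    print("listening on 1.2.3.4, relayed endpoint is", relayed_endpoint(response))
```

Note that the IPv6 branch needs the transaction ID from the message header, which is why `relayed_endpoint` parses the whole message rather than the attribute alone; a client that caches only the port also loses the family byte, so it cannot even tell whether the relay is v4 or v6.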

how to redirect connections to IPs behind the NAT to NATted (public ) IPs at the source?

I have an application that relies on IP addresses for communication (domain names simply do not work. :(... )
Its function is to connect to its peer on the other machine and send data over after establishing trust. During the "trust establishing" phase they both exchange their IPs for future communication. They are both behind two different firewalls and are NATted. One is in our NATted office network and the other is in the cloud, NATted behind their firewall. The applications know their respective private IPs and exchange them (the 10.x.xxx.xxx range); when they try to connect back to each other (using the private IPs in the 10.x.xxx.xxx range) for transferring data they fail. The connection is TCP and the port range is pretty varied.
I am curious if there is any way I can hard code (for this one time) a rule (maybe at the firewall level or some place outside my application) that says: if there is a connection being initiated for IP address 10.x.xxx.xxx then redirect it to 205.x.xxx.xxx?
Private IP address ranges like 10.x.y.z are, by their very nature, private.
You can't do any meaningful resolution unless each node in between the endpoints has rules in place to translate these.
Translation is tricky, all the main tools you would use cater for static translation (port forwarding, e.g. where a particular port is forwarded to a particular IP). This is one avenue, but it is a hacky one (it requires you to open lots of ports, procedurally update your router and probably have some sort of broker server to maintain mappings).
Alternatively, you could run the isolated networks over a VPN, which would give your endpoints mutual private IPs which you can use to connect to each other. It would simply be a case of binding to this new address and communicating across the VPN. This would also potentially encrypt your communication over the internet.
Other possibilities are to use NAT/TCP punchthrough techniques which can allow traversal, but these are really a patch to a broken network topology (Read up on IPv6 to see how this can be alleviated).
Alternatively, you could route all the connections over a proxy, but this will complicate matters compared to a VPN.
To answer the question about hardcoding a rule, port forwarding is the solution here. It will obviously depend on your router configuration for the peer accepting the connection, but this client should have the target port forwarded to the machine. This will obviously not scale very well and is really shifting to a server/client architecture for one connection!
Depending on your hardware, you may be able to forward a range of ports (if a single port cannot be established) and limit the port forwarding to certain incoming connections (the external IPs).
Information on port forwarding can be found at http://portforward.com/
This sounds a lot like what you'd want out of a VPN. Is there any way that you could set one up? Basically the site-to-site VPN between you and the cloud would say 'oh hey, here is an IP located on the remote network, go ahead and connect through the link'. Would this kind of solution work in your case?
Something along these lines: http://i.msdn.microsoft.com/dynimg/IC589512.jpg
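The root of the problem in this question is that each side advertises the address it sees on its own interface, which is a 10.x address the other side cannot route to. The block below is an added example and is not code from the question or from either answer: it applies the one-time rewrite rule the asker described at the client side (a hypothetical `REWRITES` table, with constructed 10.x and 205.x sample values) and, where no rule matches, decides whether a self-reported address is usable at all, preferring the public source address actually observed during the trust exchange, which is the only address a port forward on the peer's NAT could be reached through.

```python
"""Pick a reachable peer address when peers exchange self-reported IPs across NATs.

Added example, not from the original posts. The rewrite table and all addresses are constructed.
"""
import ipaddress

# The "hard-coded rule for this one time" from the question, held at the client instead of
# the firewall: reported private address -> NAT public address (constructed sample values).
REWRITES = {
    "10.20.30.40": "205.1.2.3",
}


def choose_peer_address(self_reported, observed_source, rewrites=REWRITES):
    """Return (address_to_dial, reason).

    self_reported   -- the IP the peer sent us during the trust-establishment phase
    observed_source -- the source IP the peer's packets actually arrived from
    """
    if self_reported in rewrites:
        return rewrites[self_reported], "static rewrite rule"
    reported = ipaddress.ip_address(self_reported)
    observed = ipaddress.ip_address(observed_source)
    if not reported.is_private:
        # a public address can be dialled as given
        return self_reported, "reported address is public"
    if observed.is_private:
        # both ends already talk over private space (same LAN or a site-to-site VPN),
        # so the reported address is on a network we can reach directly
        return self_reported, "both ends on private address space"
    # reported 10.x address sits behind the peer's NAT; only the NAT's public address
    # is reachable from here, and only if that NAT forwards the port to the peer
    return observed_source, "reported address is private; using observed NAT address"


def check_exchange(pairs):
    """Apply the decision to a batch of (reported, observed) pairs; returns dialled addresses."""
    return [choose_peer_address(reported, observed)[0] for reported, observed in pairs]


if __name__ == "__main__":
    # constructed exchange: office peer reports 10.20.30.40, cloud peer reports 10.99.0.7
    for reported, observed in (("10.20.30.40", "205.1.2.3"), ("10.99.0.7", "205.4.5.6")):
        print(reported, "->", choose_peer_address(reported, observed))
```

The ordering matters: an explicit rewrite wins because the operator knows the topology, and the private/public check is only a fallback for peers not in the table. The same three-way classification is what a site-to-site VPN removes, since both ends then land in the "both private" branch and the reported address works unchanged.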
