TCP spoofing with a trusted IP - tcp

I am facing a very strange problem. I have a task to establish a TCP connection to a server that has a trusted IP, and I have to run the code on a host with a private IP address. The trusted IP is 10.10.10.15, which is also a private IP. The problem that arises is that the IP address of my host and the trusted IP are not on the same network. To be specific, my IP address is 10.0.35.1/24. Please let me know if there is any solution to this problem.

Presumably these subnets, i.e. 10.10.10.0/24 (?) and 10.0.35.0/24, are part of your local network. You will need a Layer 3 device to perform inter-VLAN routing.
This will be a router with Layer 3 VLAN interfaces (in the Cisco world they would be SVIs) that would be acting as the default gateway of the subnets in your network. What happens is that all traffic that needs to go between two hosts on different networks has to go through their default gateway, and it will be routed to the destination network/VLAN.
As long as the network devices between the two clients are able to route packets between these networks, the hosts will be able to reach each other. In your code, you simply need to specify that these packets need to go to the private IP address of the other host.

Related

What is a Dynamic Host Configuration Protocol (DHCP) server?

What is a Dynamic Host Configuration Protocol (DHCP) server, and what is the difference between a DHCP server and a Domain Name Server (DNS) server?
DHCP (Dynamic Host Configuration Protocol) is for assigning IP addresses (or other network parameters) to devices so they can communicate with each other.
If you, for example, want to establish a wireless connection, then you need, amongst other things, to request a DHCP server that assigns your device an IP address so you can communicate with other nodes.
DNS (Domain Name System) is a hierarchical decentralised service which associates information with domain names.
If you, for example, want to request google.com, you first need to figure out what the corresponding IP address is. Therefore you request a DNS server.
DHCP is a layer 2 network protocol that will offer an IP address from its pool to a device that is not connected to the network but wants to be. It's used in LAN networks.
DNS is like a dictionary. Consider you are trying to go to stackoverflow.com: your device isn't able to know what the IP address of stackoverflow.com is. It will ask the DNS server to find the IP address for it.
DHCP = IP dynamic allocation
DNS = IP retrieval of an existing and registered device

Find internal and external IP and port, NAT, ISP

How do I get the internal IP address and port of the local machine in a cross-platform way? Not internal within the LAN, but the ISP, so that other users of the ISP can connect? Is connecting to a VPS with a public IP enough to get the external IP and port outside the ISP? How to get the ISP subnet mask to know when another internal IP is within the NAT?
Edit: Probably don't need this. NAT punch-through is enough. Am I right that routers don't have the same traversal rules as ISPs?
A NAT's public IP address is its external IP address. I don't understand what you mean by internal IP address. By internal address usually is meant a device's local address.
All the users of an ISP are in a local LAN if the ISP has only one NAT under which all the private IP addresses are assigned. Some ISPs have nested NATs. In that case users under different NATs are in different networks.
You can get your NAT's external IP:port by sending a STUN request to a STUN server. From the server's reply you can get your NAT's external/public IP:port. If the users of an ISP are not in a local LAN but under different NATs, then they can communicate using their external IP:port.

ASP.NET Request.ServerVariables["REMOTE_ADDR"] <<< gives the "physical" connection IP?

Ignoring other possibilities such as Request.ServerVariables["HTTP_X_FORWARDED_FOR"], does Request.ServerVariables["REMOTE_ADDR"] give me the "principal" IP of the client?
I'm talking about the IP that made the actual TCP connection.
Will ServerVariables["REMOTE_ADDR"] always be the "real" IP address of the remote endpoint?
Just to clarify: Even if it's a proxy that made the real TCP connection, I'd like to have its IP, and not a forwarded one.
Yes, except if it's been through a NAT firewall. A NAT firewalled address would be masquerading many 192.168.x.x or any other private subnet addresses behind a public IP address. So you'd be looking at the IP address of the NAT firewall (i.e. a Linksys router or what have you).
Be warned that many cell phone carriers have HUGE NAT networks so they always look like they are coming from one or two public IP addresses.
The REMOTE_ADDR variable will be the IP of the system that directly connected to your web server to request the URL; so it would be the forward-most proxy server, if there is a proxy server.
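The distinction drawn in this thread, as an added example that is not part of the original posts and is written in Python rather than ASP.NET: the TCP peer address (what REMOTE_ADDR reports) is the only value the client cannot choose, so a forwarded header is consulted only when that peer is one of your own proxies. The function name, the proxy range and the sample addresses are assumptions.

```python
import ipaddress

# Hypothetical: the address range of reverse proxies you operate yourself.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(remote_addr, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Pick the address to attribute a request to.

    remote_addr      -- peer of the TCP connection (REMOTE_ADDR)
    x_forwarded_for  -- raw X-Forwarded-For header value, or None
    """
    current = ipaddress.ip_address(remote_addr)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Walk the header right to left: each trusted proxy vouches only for the
    # entry it appended itself. Stop at the first address that is not ours.
    while hops and any(current in net for net in trusted):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break   # malformed entry: keep the last address we could verify
    return str(current)


if __name__ == "__main__":
    # Direct connection: the header is client-supplied and is ignored.
    print(client_ip("203.0.113.7", "1.2.3.4"))
    # Connection from our proxy: only the entry the proxy appended is used,
    # the leftmost entry came from the client and is not believed.
    print(client_ip("10.0.0.5", "6.6.6.6, 198.51.100.9"))
```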

How do two computers connect to same external address through NAT?

If I have two internal computers connecting to the same external IP address through a NAT router, how is the router able to get the traffic to the correct internal computer? It is my understanding that NAT forwards incoming packets to the computer that recently sent outgoing packets to the [incoming packet's] sender's IP address. Since both computers are sending to the same address, does the router forward the packet to both? If that is the case, is it the responsibility of the client software to determine which packets are relevant?
Is it possible if both computers are attempting to connect to the same port?
When you open a socket, you need to address a port of the destination system and open a conjugate listening port on your own system to receive any response. You have to send the destination system your listening port.
Having more than one system using the same modem
When you start a web browser, and go to www.google.com:80, your browser obtains/searches for a free non-system conjugate port from the system for listening. Let us say, the conjugate port is 10000. The listener port is for receiving the http stream back from google.
Then your kid sitting next to you incidentally also browses www.google.com:80 and his/her google session of the play station or xbox-whatever also incidentally is assigned conjugate port 10000.
Both of you are sitting behind a cable modem, and behind the cable modem is your wireless router. And both of your systems are behind the wireless router - All sitting in that sequence, network topology-wise.
To prevent port address collision on the router/modem
Let us say that your cable company DHCP assigns your modem the IPv4 address 72.72.72.72. But your wireless router DHCP assigns 192.168.0.10 to your system and 192.168.0.11 to your kid's system.
When the frame carrying the information of your listener ports passes through your NAT router, it would translate either one or both listening ports. Let's say port 15000 for your page and port 16000 for your kid's page.
Your wireless router then sends your requests to the google server as coming from 72.72.72.72:15000 and 72.72.72.72:16000.
The google server then responds individually to 72.72.72.72:15000 and 72.72.72.72:16000, and when your wireless router encounters the response, it reaches into the mapping that it has stored and translates 72.72.72.72:15000 to 192.168.0.10:10000 to reach your system but translates 72.72.72.72:16000 to 192.168.0.11:10000 to reach your kid's system.
Running web/game/ftp/etc servers
But what if you have a web server or an ftp server running on your system. What if you have two systems and both have a web server and both web servers are listening on port 80?
Let us say the local ip addresses registered/assigned with your wireless router of your first web server system is 192.168.0.30 and your second web server system is 192.168.0.40.
The wireless router would have a configuration web page, usually by default 192.168.0.1:80, unless you changed it. There would be a tab on the page where you could define/reserve application port mappings.
You could register with your wireless router to reserve the mappings
192.168.0.30:80 => outgoing port 8080
192.168.0.40:80 => outgoing port 8088
so that you have to phone your friends to say your web/game servers are addressable through
72.72.72.72:8080 and 72.72.72.72:8088 respectively,
where the wireless router would preclude its ports 8080 and 8088 from its own dynamic NAT usage.
Of course, 72.72.72.72 is only good until your ISP DHCP decides to renew the IPv4 address of your modem to, say, 72.72.90.200. After which you would have to phone/email your friends and say
"Hey, the servers' addresses have changed to 72.72.90.200:8080 and 72.72.90.200:8088 respectively." Or you could subscribe to a dynamic DNS (DDNS) service to use a named domain, where the DDNS service will need you to install a simple heartbeat utility on your system to help them monitor the address variation. DDNS translation is a separate issue/strategy.
NAT modems
Newer ISP contracts supply you with a modem that has NAT. If so, you have to switch off either the one on your modem or the one on your wireless router. You should not use both - what's the point in translating twice, because NAT is simply to prevent address collision. When you switch off NAT on your wireless router, it can operate as a hub switch and not a router anymore, so that you could connect it to the modem using one of its LAN sockets instead of through its WAN socket.
The router manages "source" ports that are separate for each computer. While you may be connecting to port 80 on the "destination" the router may assign the source port to some high number port.
Wikipedia sums it up as:
"Network address translation involves re-writing the source and/or destination IP addresses and usually also the TCP/UDP port numbers of IP packets as they pass through the NAT. Checksums (both IP and TCP/UDP) must also be rewritten to take account of the changes."
Already good answers are provided, but here is another example:
      HOST A addr          HOST B addr
      10.1.0.2:4040        10.1.0.3:4040
-----------------------------------------------
NAT   200.50.50.28:4040    200.50.50.28:4041   (what external host sees)
200.50.50.28 is router's global (internet) IP.
Every port number is unique in the NAT table. And of course the router does all the dirty job of modifying the source and destination addresses transparently.
It uses different ports for incoming external traffic, and the NAT then routes the packets on one port to one internal IP address, and the packets from the other port to the other internal IP address... The initial request from each internal computer, when it goes through the NAT on the way out, establishes which port will be used for the incoming traffic from the external IP address, and it tells the external server what port to send its traffic back on for that connection.
RFC 3022 provides a lot of information on how this works.
Since public facing or external IP Address that was given by Internet Service Provider (ISP) has been discussed, I would like to add on this.
You can ask your ISP to have your public IP Address not change. It will become static, so that you do not have to inform your friends to change the IP Address if they want to access your server inside your Network Address Translator (NAT).
As of this writing, a static IP address costs around 100 bucks. Most ISPs call it a business account.
You can determine your public facing IP Address by googling "what is my ip address".
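The translation table described in the answers above, as an added Python sketch that is not part of the original thread. It reuses the addresses and ports from the first answer; the class and method names are hypothetical, the port allocator is arranged to hand out 15000 and 16000 to match the text, and dropping inbound packets from a remote endpoint that was never contacted is one common NAT behaviour assumed here.

```python
import itertools


class NatRouter:
    def __init__(self, public_ip, first_port=15000, step=1000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port, step)
        self.reserved = {}  # public port -> (inside ip, port): static forwards
        self.out = {}       # (inside ip, inside port, remote) -> public port
        self.back = {}      # (public port, remote) -> (inside ip, inside port)

    def forward(self, public_port, inside_ip, inside_port):
        """Reserve a static mapping, e.g. for a web server behind the router."""
        self.reserved[public_port] = (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port, remote):
        """Rewrite the source of an outgoing packet, reusing a live mapping."""
        key = (inside_ip, inside_port, remote)
        if key not in self.out:
            # Reserved ports are excluded from dynamic allocation.
            port = next(p for p in self._ports if p not in self.reserved)
            self.out[key] = port
            self.back[(port, remote)] = (inside_ip, inside_port)
        return (self.public_ip, self.out[key])

    def inbound(self, public_port, remote):
        """Rewrite the destination of an incoming packet; None means drop."""
        if public_port in self.reserved:
            return self.reserved[public_port]
        return self.back.get((public_port, remote))


def demo():
    nat = NatRouter("72.72.72.72")
    nat.forward(8080, "192.168.0.30", 80)
    nat.forward(8088, "192.168.0.40", 80)
    google = ("www.google.com", 80)
    # Both inside hosts picked the same local port 10000.
    you = nat.outbound("192.168.0.10", 10000, google)
    kid = nat.outbound("192.168.0.11", 10000, google)
    return nat, you, kid, google


if __name__ == "__main__":
    nat, you, kid, google = demo()
    print(you, "->", nat.inbound(you[1], google))
    print(kid, "->", nat.inbound(kid[1], google))
```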

What is the necessity of IP-in-IP?

There is even a standard for IP in IP encapsulation. What is the use case here? I can understand stuff like TCP over DNS, where IP might be unavailable, but if you can do IP in IP, couldn't you simply do regular IP?
Obvious example: Your gateway drops packets to host A, but you can send packets to host B, and host B can send to host A. So you tunnel to B, which then forwards to A. IP in IP simply allows you to tunnel in an application-independent manner, unlike application-level proxies, and you preserve TTL.
It's a case of tunnelling. You can have two remote offices connected through a link terminating on a gateway at each end. These gateways only allow traffic from the peer gateway. A host sitting on the LAN behind the gateway cannot directly reach another host in the remote office. It needs its gateway to encapsulate the packet specifying its own IP as source, so that the peer gateway will accept it, de-capsulate it and send it to the remote host on the LAN. As Moocha said, the journey from one gateway to another would then be just considered one hop.
