I am trying to achieve double NAT working with UPNP. My PC connection is as follows:
Internet -> Router 1 -> Router 2-> PC
I have successfully done port forwarding on the Router 2, but not able to do on router 1. Due to which packets from the server(which is on Internet) are not able to reach PC.
Gone through few document how to tackle but mostly found manual way like bridge the network or put the lan wire.
I am rather looking for the some recursive solution using UPNP protocol to do the port forward on both routers. I guess torrent, skype does the same.
How to get the network interface related to router 1 and then port forward on that Network ?
Any help would be highly appreciated.
Thanks,
Pawan
There is an IGD-PCP IWF specification that tries to solve similar problem, although it assumes PCP support on your "Router 1", not UPnP. So let's try to approach this issue from a pure theoretical point of view with two plain UPnP routers/NAT devices.
There are several distinct steps of UPnP communication as per UPnP Device Architecture version 2.0:
addressing
discovery
description
control
eventing
presentation
Addressing is of little interest for us, let's assume proper DHCP everywhere and be done with it. Eventing and presentation are also almost useless in our case. So the main things to be concerned about are discovery, description and control.
Discovery works via SSDP message exchange. SSDP uses UDP for its transport with port number 1900 (by default) and well-known multicast address.
Description starts with URL provided by the device at discovery phase, the control point (that is PC in our case) needs to issue an HTTP GET request on this URL and that means it uses TCP as a transport protocol with devices IP address (unicast).
Control starts with URL provided by the device in its description, and it uses SOAP on top of HTTP on top of TCP which in turn also means unicast IP for us.
So, what all of that means for double NAT is that in description and control steps of UPnP interaction we have zero problems communicating from PC to Router 1 as all of that is just standard TCP with unicast IP addresses. But to get to the description step we need to have a URL of Router 1, so let's take a closer look at how this URL is acquired the normal way.
There are two main mechanisms for discovery — advertising (when the device periodically multicasts some information about it) and search (when the control point sends multicast search message and the device answers to that with unicast response). Obviously, by default our PC behind the Router 2 can't get multicast advertisements from Router 1 and the Router 1 can't get multicast search messages from PC, so we have a problem here and the question now is whether there is a possibility for communication without multicast.
Luckily, the same architecture document says:
In addition, a control point is allowed to unicast a discovery message to a specific IP address on port 1900 or on the port specified by the optional SEARCHPORT.UPNP.ORG header field (which supersedes port 1900 for this use), searching for a UPnP device or service at that specific IP address.
...
All devices shall listen to incoming unicast search messages on port 1900 or, if provided, the port number specified in the SEARCHPORT.UPNP.ORG header field and shall respond if any of their root devices, embedded devices or services matches the search criteria in the discovery message.
And this means that if you know the Router 1 IP address (from Router 2 side, of course), you can (and most importantly, allowed by specification to) communicate with it with unicast UDP messages and that is also NAT-friendly, so not an issue to be done from PC behind the Router 2.
The only thing left is getting Router 1 IP address. Unfortunately, there is no easy standard way to do that, but you have at least two options: tracerouting (in whatever fashion you want) and brute force IP scanning (most probably, the potential set of IPs for Router 1 is limited).
Now you can communicate with the Router 1, but there is still one minor thing you should always remember while communicating with it — in any internal UPnP messages you should use Router 2 IP address (as seen from Router 1 side) and its ports. Like in NewInternalClient parameter of AddPortMapping action on Router 1 you should use Router 2 IP. This, BTW, raises a question of Router 2 IP, but you can get that via Router 2 UPnP ExternalIPAddress variable of WANIPConnection service (this service is required for IGDs to implement).
So, to summarize:
this technically can be done, although I doubt that any standard library would do that for you
two things you need are:
Router 2 "external" IP and you get that via ExternalIPAddress variable of WANIPConnection UPnP service
Router 1 "internal" IP (from Router 2 side), that requires tracerouting or scanning
given Router 1 IP you just need to use unicast messaging at discovery step instead of multicast
everything else should just work, with only caveat of using Router 2 "external" IP instead of PCs IP in the UPnP messages
With the upnpc cli tool I've been able to get Double NAT port forwarding working.
For my example, let's say I want port 6667 to be forwarded to my machine, 192.168.50.123, behind a double NAT. The first layer of NAT has the IP range 192.168.1.1-255, and then 2nd layer has IP range 192.168.50.1-255.
On a machine inside the 2nd layer of NAT, just setup port forwarding with upnpc like normal.
$ upnpc -a 192.168.50.123 6667 6667 tcp
...
$ upnpc -l # this will confirm the rule is in place
...
Now for the slightly tricky part. I now issue UPNP requests to the outer layer NAT. Since the usual SSDP discovery won't work, I have to specify the XML root description URL manually. It's often something standard like http://192.168.1.1:5000/rootDesc.xml, though on some hardware the port number is randomized. I find just port scanning the gateway address will eventually reveal it.
Now that I have the rootDesc url, http://192.168.1.1:5000/rootDesc.xml, I then issue UPNP command to the outer layer NAT:
$ upnpc -u "http://192.168.1.1:5000/rootDesc.xml" -a 192.168.1.XX 6667 6667 tcp
...
$ upnpc -u "http://192.168.1.1:5000/rootDesc.xml" -l # this will confirm the rule is in place
...
With the -u option instead of discoverying the rootDesc, it just uses the URL provided.
The address 192.168.1.XX should be the 2nd layer network's IP address on as seen by the 1st network. When running the first set of UPNP commands this will be shown since it's the "external" address from that NAT's perspective.
With that now setup, traffic will go like this:
<INTERNET> --> MY_PUBLIC_IP -> 192.168.1.XX -> 192.168.50.123
Related
I am a student learning computer network.
Here's how my network look like:
Router(NAT)
/ \
My PC My iPad
I have looked up my computer's routing table, and it shows the following:
$ netstat -r
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 172.22.128.1 UGScg en0
127.0.0.1 127.0.0.1 UH lo0
172.22.128.1 0:74:9c:96:72:55 UHLWIir en0 1200
172.22.161.13 ba:2e:b1:6f:69:39 UHLWI en0 740
I confirmed that the ip 172.22.161.13's gateway ba:2e:b1:6f:69:39 is the MAC address of my iPad.
I have a few doubts:
Shouldn't the routing table records ip address of next hop? how can it store a MAC address?
If the command netstat -r also lookups the arp table, how should it send packets to my iPad without going through the router?
The issue here is understanding the functionality of layer 2 and layer 3 in a network.
There is a difference between forwarding packets to the device located on the same subnet and on the device located on the different subnet.
I don't think there is a better definition of subnet, than devices that can communicate via a layer 2 protocol with each other. Routers are used to forward packets between devices in different subnets, that is, two devices in the same subnet do not communicate over the router, at least not over the "router" part of the router.
Devices that are located in the same subnet should be assigned the same IP prefix (i.e., the bits covered by network mask are the same). "Should" means that if it is not the case, then your network is configured wrong and may not work properly. This way your PC and your IPad can determine that they are on the same subnet and do not need to go over their default gateway.
Since your PC and your IPad are on the same subnet, they will talk to each other using layer 2. I am not sure from your configuration how many interfaces are actually wireless. If both interfaces are wireless, they may actually be capable of talking directly (i am not sure if wifi protocol in AP mode allows it, i think it does). If your PC is connected over Ethernet, then your Router also acts as a switch/bridge (which is layer 2 device) and forwards packets according to ethernet specification. You can learn about it by googling MAC learning.
This should answer the second question, now to the first one.
Actually, I wonder why the table is storing IP addresses. IP address of the next hop is not used in forwarding. First, note, that communication between devices which are two hops from layer 3 (i.e., routers) standpoint happens using layer 2. When a device makes routing decision, in takes the destination address from the IP header and looks up next hop, where what the device needs is a) outgoing interface b) how to reach next hop using layer 2 protocol of the interface. Then the device constructs an appropriate layer 2 header and sends the packet to the next hop device, which more or less does the same. So, actually your PC needs mac address of your router's interface to which it is connected to send the packet somewhere outside of the subnet.
I have a Client issuing a request to server S. Assume UDP/TCP request. HOP1 is a load balancer switch and assume it has detected that path HOP4->HOP5 is better to route the packet to ServerS. My Question is , After HOP1 has received the pkt generated by client, how can it force the packet to take the best path as calculated to reach S i.e. via HOP4 only.
CL -------HOP1---------HOP2-------HOP3--------ServerS
| |
|-----------HOP4-----HOP5-----------|
I was thinking, that HOP1 should set the field SA,DA, MAC-SA, MAC-DA fields of the pkt as follows :
SA : HOP1
DA : ServerS
SMAC - HOP1MAC
DMAC - HOP4MAC
Would that work ? Is there any better approach ?
My Other doubt is that, for Server S, HOP4 would appear as CLient since it forwarded the client request impersonating as client to Server S. So, HOP4 would receive the reply from Server S. How HOP4 can determine that the reply it has received is actually for the CLient CL and not for itself ? Does NAT comes into picture ? Can somebody shed some light ?
IP has a source routing option, but no network engineer worth his pay configures routers to allow source routing. Network routing needs to be deterministic, and the routing protocols will determine which direction packets should go. Allowing an end-device or application to do that breaks this.
MAC addresses are layer-2 addresses, and the layer-2 frames are stripped off the layer-3 packets and discarded at each hop. A new layer-2 frame is created for each hop in the path, and it is stripped off and discarded at the net hop. MAC addresses are only local to a LAN, and they do not survive across a router hop. Using a destination MAC address that is not local to the source LAN will guarantee failure. In fact, not all layer-2 protocols use MAC addresses, and you have no way to know if any of the links between the hops do are don't use MAC addresses. Of the layer-2 protocols that do use MAC addresses, some use 48-bit MAC addresses, and some use 64-bit MAC addresses.
There really is no way an application or host can guarantee the path that packets will take. That is a job for the routers.
I think after gaining some more wisdom in the field of networking, I got the answer to this Question.
Source packet routing (SPRING) is the new buzz in networking to achieve it.
Other techniques is Tunneling - Ip in IP encapsulation, GRE tunnels etc.
I know that ipchicken.com will tell you your router's ip address and the port it is using for your connection. But can this information be obtained "locally"? (Without relying on a website).
What I want it for is establishing a connection between two random hosts...without a "dedicated server" in the middle. My problem is to reach through the NAT. I think the best bet is a kind of TCP hole punching, where both hosts connect somewhere and then just tell each other (it can be by phone or chat or similar) the current ip address and the port number their routers are using. It should trick the routers into forwarding the packets to the hosts, albeit coming from a different source than they originally connected to.
Is it possible to find the port number your router is using to patch you through in a more local manner than ipchicken.com?
Are there any ideas on other possible approaches to this problem?
EDIT: Setting port forwarding on the router is not an option in this case, as many people (including me) do not have admin powers over their routers and I do not want to impose such a task on the "users" of my application
The router would use a different source port for every outgoing connection, so checking based on an outgoing connection will not work for your use case.
For an incoming connection, i.e., if you want to reach a specific machine behind a NAT device (like a home router), you'll have to explicitly open up some ports on the router and set up forwarding rules. The router would then listen for incoming connections on that port and forward it to a machine:port based on the configured rule.
How you do this would depend on the specific router make/model. Search the web or logon to the admin interface and look around, it should be easy to find. However make sure you understand the security implications of opening up a port on your router!
UPDATE based on edited question:
Without port-forwarding and if both devices are behind NAT, your only solution is to have an intermediary server! If only one of them is behind NAT, you can have that machine initiate the connection.
You could use a Stun server as the external globally reachable server.
What I am asking is if two computers listen to the same port and a packet of information enters the router through the WAN Ip and the same port. Would the packet go to both computers? Neither? One or the other?
IE
computer 1 -(internal IP)-> 192.168.1.3 -(listens to port)-> 4444
computer 2 -(internal IP)-> 192.168.1.2 -(listens to port)-> 4444
computer 3 -(connects and sends)-> 24.157.358.45:4444
packet -> computer 1 AND computer 2
The code in VB6 is:
LAN.LocalPort = 4444
LAN.Protocol = sckTCPProtocol
LAN.Listen
I am using a WinSock object in the Microsoft WinSock Control 6.0 in VB6 Professional
If there is something that needs to be clarified I would be more than happy to.
The router won't send an inbound packet to either machine unless communication has already been established.
If 192.168.1.3 calls out to some other machine (e.g. 4.5.6.7) from its port 4444, the router will assign an arbitrary port on its external address (say 24.157.358.45 [sic] :5555) and pass the packets on to 4.5.6.7. 4.5.6.7 will send reply packets to 24.157.358.45:5555 -- because that's the only address it knows about -- and the router will relay those to 192.168.1.3:4444.
That's the normal course of things, but there are a lot of additional details to this scheme that make it possible to establish communication with a machine behind a router via trickery.
The system of having machines with private IP addresses behind a router with a public address is called network address translation (NAT); it's a pretty deep topic.
From my knowledge of routers, unless port forwarding is setup, the router will discard any packets sent on that port.
If port forwarding is setup, only one of the computers could be setup to receive the packets.
If the packet is an inbound request to establish a new TCP connection with a server that is running behind the router, the router must have an explicit port-forwarding rule configured, either statically in the router's configuration or dynamically via uPNP or SNMP, that tells the router where to route inbound packets on 24.157.358.45:4444 to, either to 192.168.1.2:4444 or to 192.168.1.3:4444, otherwise the packet will be discarded. So no, both of your listening servers will not see the same packet.
Once a TCP connection is established, the router knows which specific LAN machines are associated with which connections and will route incoming packets belonging to those connections accordingly.
The previous answers are correct, you need to enable port forwarding. If it is not enabled port 4444 will be closed on the router.
It sounds like you have multiple servers and want to forward to whatever server is turned on at the moment. This is not possible (*), the router does not care whether or not PC1 or PC2 are listening on port 4444, it will simply forward everything to the address configured in the port forwarding.
(*): Ok it is possible but it takes some extra work.
Solution 1: Trick the router into thinking there is only one server. Give PC1 and PC2 a virtual network interface with the same IP address and forward to that address. Make sure only one of these interfaces is enabled, having duplicate IP addresses in your network can have unintentional behaviour.
Solution 2: Make the router care about which server is on. You will need to write a program to run on the router (or on another server) that can detect which server is on and forward the packets accordingly. If you are using Linux the program iptables can be worth looking at.
we have little network devices which are shipped with IP address 0.0.0.1 to ensure that they never collide with any other device in their new environment (thus none of the 10.x.x.x, 172.16.x.x or 192.168.x.x ranges) until configuration. DHCP is no solution since there might be no DHCP server in the field.
The devices would listen to UDP broadcasts and answer with broadcasts until they are given their new IP address this way.
This worked fine with Windows XP - but sucks with Windows 7: the config program does not receive the answer packets from the devices which still have 0.0.0.1. Wireshark sees the packets, then they are dumped by the system.
Question: Is there any reason (RFC?) that actually prohibits using this address in a local environment? Or is it just MS that was overcautious? Where can I read why they treat this address "invalid"? Which ranges are really "invalid" now, too?
Any idea of a workaround on the PC side (Win 7)?
I know that it is not recommended to use 0.xxx addresses for work places, but for this very reason - having a not-used address - it works perfectly.
Edit: there is a device out there called "Netburner" which might have faced the similar issue, according to their forum. See: http://forum.embeddedethernet.com/viewtopic.php?f=5&t=612&p=2198 Does - by coincidence - anybody know some background information?
It sounds as if your configuration application is listening for broadcast packets on all network interfaces and expecting to receive packets from foreign subnets.
That should not work - the OS should only pass-on broadcast packets from the subnets each network interface is on, not from all subnets on the same physical (e.g. Ethernet) segment. I am reasonably certain that doing otherwise is broken behaviour WRT the IP protocol.
The are two ways to deal with this:
Make sure that your network interface has an IP address in the target subnet. You can have more than one IP addresses for each network card, so that should not interfere with normal network operations.
Configure or modify you application to use raw sockets, like Wireshark. Keep in mind, however, that this overrides all normal checks and balances and should be avoided, since it can cause behaviour that is almost impossible to diagnose - which is why it is frowned upon by meny network administrators.
Can you you add new routing table entries to Windows machines easily? Windows has to know which interface to use when routing a broadcast packet to the 0.0.0.x network.
The Unix machines I'm familiar with have a routing table that maps network/netmask entries to either gateways or interfaces (if the network is a local network). The local network (192.168.0.0/16 for my home network) gets sent to interface eth0. Everything else 0.0.0.0/0 gets sent to a specific gateway machine 192.168.0.1.
If my machine sent a UDP broadcast message to network 0.0.0.0/24 (in other words, UDP broadcast sent to 0.0.0.255, then my machine would forward the packet to the gateway machine (which it can look up via arp). The switches in the middle wouldn't propagate the packet to other network devices, because the MAC address is set.
If my machine had another routing entry for 0.0.0.0/24 to the local interface, then my machine would send the packet on the wire using an ethernet broadcast group, and the switches would forward the packet to all connections. (Yay! Just like hubs in the 90s! :)
So I figure you need to add a routing entry for 0.0.0.0/24 to your client machines, so that they can properly address the broadcast packet.