Client to client through firewall - networking

A broad question.
We have a client application that currently talks to a web service to exchange data between two clients. The first client stores data on the service and other clients poll the service to collect it at some later time.
We are looking to change this infrastructure a little in that clients will Connect() to the service supplying the IP and Port that they will 'speak' on. When client A wishes to send data to client B it will look up client B's IP and port on the service and then send the data directly to that IP and port.
In the situation where several clients exist behind a common firewall (and NAT), my gut instinct is that I would need to configure port forwarding for each client so that inbound messages at the public IP (ie public side of firewall) can be routed to the appropriate client. As our application is designed to shield 'techy' details we'd like to avoid this it all possible. One caveat is that we are quite happy for the client to have to open a port on the firewall, but to avoid the extra step of setting up port forwarding.
Hope this makes sense, and please feel free to ask for any clarification.
-- Edit --
We are aware of UPnP but it is a non-starter for us due to the fact that it is either not available on some routers and the fact that some corporate environments don't allow it.
Thanks,
Simon

Most home routers provide a UPnP interface to allow applications to set up port forwarding without requiring the user to do anything. Depending on the router model, they may need to enable it on the router, usually a checkbox in some buried config screen.

Related

How do you downstream data from Cloud to Thread?

I am new to openthread I have some interrogations about Thread device connectivity to cloud server.
Cloud server <------------> local internet <-----> Thread network
ipv4 Router(firewall) ipv4 OTBR ipv6
Our products (Thread network) will be built in clients networks which have various internet routeur/firewall and network configurations.
Using UDP(DTLS) to PUT/GET/POST... (CoAP) data on cloud server did you experience any issues with UDP timeout parameters ? Will I need to do hole punching to ensure cloud server can contact end device ?
As i understand it, from cloud server point of view, he can only Rest method on the Border Router CoAP server, as he don't know end device ipv6 and i don't plan to do port forwarding ?
Would allowing cloud server to contact specific thread end device require ipv6 tunnel ?
To finish, if im spouting nonsense, please enlight me about how you build your connection with cloud server :) !
Thank you for reading this post, I hope I was clear.
Best,
Let me try to sort some things.
There are two general approaches:
the clients from your local network starts the communication and the cloud-server answer. The router acts as NAT. In that scenario there are usually timeouts on which the "NAT" rules expires and the traffic from the cloud-server will not be forwarded to a client in the local network.
the cloud server starts the communication. That traffic is sent to your router, and the router and forwards the message to a local network node. This approach requires usually configuration of the router (there are some protocols to do that from your client devices, but even that requires to enable that function). You configure a port on the router to forward the traffic to a specific address+port of your clients. Though this requires either configuration of a lot of ports (for each client one port) or one coap-node, which acts as coap-proxy and configuration for that.
The first approach will end up in a lot of traffic just to keep the NAT open.
The seconds requires either a lot of configuration or a "coap-proxy", where I'm not sure, if you can find a proper implementation.
(By the way, the router may have only a temporary fixed ip-address, e.g. one change peer day. So the second approach requires rare updates of the router's address in your cloud server. And sure, there are some Internet provider, which doesn't offer that your router is reachable, because they add a extra NAT.)

Locating servers IP address

I am making a game in Libgdx where a user(client) will be a host of the server himself
and only one other client can connect to him and play with him(likewise there might be multiple independent servers and pair of clients playing with each other like miniclip games)
but how will the other client locate host-client (or servers) IP?
I am using kryonet
Some guy suggested me to do NAT punching and stuff but I am totally confused.
Please help
(I am complete beginner to networking)
If you want your clients to discover servers just in LAN, you can do broadcasting on the servers and sniffing on the clients. As they are in the same LAN, there should be no need for NAT.
Otherwise, you have to set up managers(servers for managing) on the Internet. Servers have to register themselves to a manager, clients ask a manager for servers information. As managers know both servers and clients public IP addresses, NAT should be easy once you think your managers as STUN servers.
The most simple manager can be just a simple wraper over database/Redis with a server name/server ip/server metadata table. Details about how to implement it relies on your skill stack. To enable STUN, there are open source STUN server and client you can just pick up, e.g. coturn. No matter you put the STUN server into your manager or not, both your managers and STUN servers have to be published on the Internet (sure include AWS) where they have their own public IP.
Or you can let the managers to relay messages for servers and clients. But this way may be too complicated compares to previous. I would not recommend.

How to initiate direct connection between clients connected to a server

Suppose that I have a server and the clients are connected to the server. The server is accessible through a public ip.
I would like to "forward" the connection so that the clients would be directly connected to each other withouth the server in the middle.
I do not know if this is possible at all and I myself couldn't find a way to do it.
Other assumptions:
neither client has a public IP, both clients are behind a NAT
there can be more connections initiated if necessary
I am looking for a strictly software solution, without the need to reconfigure router, open ports, etc. etc.
The reason I would like to achieve this is to reduce the load on server. Once a two clients are associated together there is no real need (except technical one) to continue using the server as a, sort of, proxy. Direct client connection would also reduce the latency of the connection.
Take a look at http://en.wikipedia.org/wiki/UDP_hole_punching. If neither machine has a public IP, and you can't open ports, and you don't want all data to pass through the server, this is probably the only other potential option. If this wouldn't work for you, you're likely stuck with all data going through the server. If you can set up port forwarding, that would make for a better solution, then just use the server to exchange IP and port information (as it exists at the time the connection is established).
A short answer is: it is not possible.
One of the main problems is that router do not know where to redirect the request from the server (or other client). Just a case : You have a router which has multiple devices(computer, cell phone...) behind it. It gets a request and do not know, who wants to get the request.
There is a workaround for that but it is not reliable (Does not work always.) Some Companies use it if it is possible, but they have always an alternative to that (like communication over server) if it fails. It is called nat punching. More details here: http://en.wikipedia.org/wiki/TCP_hole_punching
I do not know for which reason do you need. If you need it for client server connection you can use something like long polling, call back....
Otherwise you need to set the router, or take the route over the server.
You can do two things one is hole punching http://en.wikipedia.org/wiki/TCP_hole_punching
so this will allow you to respond to your client who are behind NAT (you can configure your client to send their private ip and port number used by NAT to reply to them).
Other thing you can do is to make a peer-to-peer network as done by skype and make one of the client as relay network and keep track of active relay's and update them periodically. (see http://en.wikipedia.org/wiki/Skype_protocol )
So now your server has to just act as proxy and as an admin which kind of manage all connection but least amount of info pass through it.
I hope this help.
Some home routers support upnp and can be instructed to open a certain port and forward it to a certain client on the LAN.
You can use upnpc on GNU/Linux to open ports on the router. It also has a library to do it from C code (but it's not very well documented).
However this method might not work on all home devices, so in that case see the other answers.

What's a way for a client to automatically resolve the ip address of a server?

The project I am working on is a client/server architecture. In a LAN environment, I want the client's to be able to automatically determine the server's address. I want to avoid having to manually configure each client with the ip address of the server. What is the best way to do this? Some alternatives I have thought about doing are:
The server could listen for
broadcast packets from the clients.
The message from the client would be
a request for the IP address of the
server. The server would respond with its address.
The machine running my project's server could also have a
bind server running. The LAN's router could
be configured to use it as one of its
DNS servers.
I think I saw that
there is a bind library. Does that
mean I can build the bind service
into my server so that bind doesn't
have to be installed on the server?
Any other ideas? What have you done in the past? What are the pros/cons of these approaches and others that might be suggested?
Thanks for your help!
I like number one, that seems shortest and simplest to me. Might get tricky if the "LAN" actually involves switches that you can't broadcast through. Multicasting should help, then.
You can also use DNS, as in Zeroconf. See Bonjour for information about an implementation.
You can use WCF 4.0's new Discovery feature. Two things are possible:
The server can announce to the network that he has gone up or down, and clients can connect to it or look elsewhere, respectively.
The client broadcast an inquiry for a service and all matching services on the network will reply. The client can then pick the service he wishes to use.
You can use either or both, and it's all handled by WCF, so there's little work to actually use it. You can even set up WCF proxies if you have a restrictive network topology (such as NAT or other routing issues). The proxies can cross/convert protocols and even have custom load-balancing or other routing logic.
http://msdn.microsoft.com/en-us/library/dd456782.aspx

How to tamper with source IP address on Windows

We meet a testing scenario which needs to tamper with source IP address of a Http request to simulate clients coming from different countries. Do you know any tool help on this?
Last but not least, our web site is built with ASP.NET.
Thanks.
In a test environment it usually isn't difficult. First read this SO question about virtual network interfaces.
If the server and client are on the same machine, all you have to do is figure out how to get your client software to bind to your virtual interface.
wget for instance has the --bind-address option to specify which local address to bind to. Web browsers are a bit more difficult to do this with; you may need to just run it in a VM.
If your server and client are on the same LAN, you just need to configure your router with some static routes to your client machine. In this case you probably don't need a virtual network interface, just set a static IP for your client machine; as long as the gateway is set up correctly it should be able to send packets to the server, and as long as the route is set up correctly the replies should find their way back to the client.
If the client and server are separated by an internet, it's rather more difficult. One option is to set up a network tunnel endpoint on the server and tunnel it to the client machine, which "knows" that it has the virtual network interface.
As noted in answers to the ServerFault question "Are IP addresses trivial to forge", you cannot easily forge source addresses in a protocol that required two way communication (e.g. TCP). Note that this "two way communication" is required at the packet level. You cannot just say "no problem, I want to send requests and ignore HTTP responses." To establish a TCP session, you need to receive data. Your best bet is to use a proxy server.
I am unsure if the IP standard allows for this, but if you are working in a Lab environment, where you don't need internet connectivity during the test, I can see it working under following circumstances:
Basically, I would set the server's network interface to use netmask 0.0.0.0 and flush the rest of the routing table.
Then you could configure a client machine to take on any IP address as long as you use netmask 0.0.0.0. And two-way communication should be possible.
Server[1.2.3.4/0] <---> Client[x.x.x.x/0]
But please bear with me. I haven't tested this, so I could be wrong :-)
If you have access to your infrastructure, you can add an interface off the router and then place a static route on the router to that network.
Server-----Router----Internet
/
Test_PC----/
Alternatively you can look into PBR (Policy Based Routing) and on the routers you can flag source packets and change the source on the fly, so your server will think they are coming from where you'd like them to come from.
Server-------------Router_with_PBR-------------Internet----- PC
SCR:4.2.2.2 Change SCR:6.6.6.6 to 4.2.2.2 6.6.6.6
But you have to ask yourself why do you want to see when packets come from different countries. Some countries have massive proxy servers that filter access ( "Great Firewall of China"), so the above tests will not prove much.
Your best bet then is using proxy servers or if your looking for a long term solution then setup a server (virtual is great for this) and use RDP for testing. I'm sure you can rent a virtual server somewhere for a month or two.
That's not possible. Because when you forge the ip address, the response is never going to come back, which is required for http.
The best way is to use proxies. See also this question on serverfault.
If you change your source IP address, that means no traffic from your web server will be able to reach back to the client.
You might be able to use some kind of proxy and/or address translation filter to do the remapping while still allowing two-way communication.

Resources