[erlang-questions] Simple NAT traversal

Kaiduan Xie kaiduanx@REDACTED
Wed Feb 1 15:53:52 CET 2012


First, NAT/firewall traversal is not simple :)

UPnP will not work when there are multiple layers of NATs, and it
definitely does not work in an enterprise network.

Based on the following assumptions,

1) Your server is TCP based,
2) Your server is behind NAT,
3) Your corporate NAT/Firewall only allows outbound connections to
certain ports, for example, HTTP port 80 and HTTPS port 443

then you need a TURN-TCP server (defined in RFC 6062) and a
back-to-back TURN client/TCP client.

The TURN-TCP server resides on the public Internet, and the back-to-back
TURN client/TCP client sits in front of your TCP server behind the NAT,
as illustrated below:

TURN-TCP server
          |
          |
          |
Public Internet
          |
          |
Corporate NAT/Firewall
          |
          |
back-to-back TURN client/TCP client
          |
          |
Your TCP server

First, the back-to-back TURN client/TCP client asks the TURN-TCP server,
on behalf of your TCP server, to allocate a port on the TURN-TCP server,
for example port 55478; the TURN-TCP server then starts listening on
port 55478.

Whenever a client makes a TCP connection to port 55478 on the TURN-TCP
server, the TURN-TCP server notifies the back-to-back TURN client/TCP
client of the pending connection; the TURN client/TCP client then makes
another outbound TCP connection to the TURN-TCP server, and makes a TCP
connection to your TCP server. The traffic is relayed by the TURN-TCP
server and the TURN client/TCP client.

With this solution, you do not need any changes on your TCP server,
and this works on ANY firewall/NAT.

I have built the TURN-TCP server and back-to-back TURN client/TCP
client in Erlang. For more information, please contact me offline.

Thanks,

/Kaiduan
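
The allocate / ConnectionAttempt / ConnectionBind exchange described above, as an added example (this is not the poster's Erlang implementation, which is not on this page): an Erlang module that builds and parses the RFC 6062 control messages in RFC 5389 STUN framing, which is what the relay and the back-to-back client would exchange on the control connection. It assumes IPv4 peers, and it omits the authentication attributes (MESSAGE-INTEGRITY with long-term credentials) and the Allocate success response, which a real TURN exchange has; the transaction ID, connection ID and peer address in selfcheck/0 are constructed test values.

```erlang
%% turn_tcp_msgs.erl
%% Added example: encode/decode the RFC 6062 control messages behind the
%% Allocate -> ConnectionAttempt -> ConnectionBind flow. Not the poster's code.
%% Build and self-check:
%%   erlc turn_tcp_msgs.erl && erl -noshell -eval 'ok = turn_tcp_msgs:selfcheck(), halt().'
-module(turn_tcp_msgs).
-export([allocate_tcp/1, connection_attempt/3, connection_bind/2,
         decode/1, selfcheck/0]).

-define(MAGIC, 16#2112A442).              %% STUN magic cookie (RFC 5389)
-define(M_ALLOCATE,            16#003).   %% RFC 5766
-define(M_CONNECTION_BIND,     16#00b).   %% RFC 6062
-define(M_CONNECTION_ATTEMPT,  16#00c).   %% RFC 6062
-define(A_XOR_PEER_ADDRESS,    16#0012).
-define(A_REQUESTED_TRANSPORT, 16#0019).
-define(A_CONNECTION_ID,       16#002a).  %% RFC 6062
-define(C_REQUEST,    0).
-define(C_INDICATION, 1).

%% RFC 5389 s6: the 14-bit message type interleaves method and class bits.
msg_type(Method, Class) ->
    ((Method band 16#F80) bsl 2) bor ((Class band 2) bsl 7) bor
    ((Method band 16#070) bsl 1) bor ((Class band 1) bsl 4) bor
    (Method band 16#00F).

method_class(Type) ->
    {((Type band 16#3E00) bsr 2) bor ((Type band 16#00E0) bsr 1) bor (Type band 16#000F),
     ((Type band 16#0100) bsr 7) bor ((Type band 16#0010) bsr 4)}.

%% TLV attribute; the value is padded to 4 bytes, Length excludes the padding.
attr(Type, Value) ->
    Len = byte_size(Value),
    Pad = (4 - (Len rem 4)) rem 4,
    <<Type:16, Len:16, Value/binary, 0:(Pad * 8)>>.

%% XOR-PEER-ADDRESS, IPv4 only: port and address are XORed with the cookie.
xor_peer_address({A, B, C, D}, Port) ->
    XPort = Port bxor (?MAGIC bsr 16),
    XAddr = ((A bsl 24) bor (B bsl 16) bor (C bsl 8) bor D) bxor ?MAGIC,
    attr(?A_XOR_PEER_ADDRESS, <<0:8, 1:8, XPort:16, XAddr:32>>).

encode(Method, Class, TxId, Attrs) when byte_size(TxId) =:= 12 ->
    Body = iolist_to_binary(Attrs),
    <<(msg_type(Method, Class)):16, (byte_size(Body)):16, ?MAGIC:32,
      TxId/binary, Body/binary>>.

%% Step 1: the agent behind the NAT asks the relay for a TCP allocation.
allocate_tcp(TxId) ->
    encode(?M_ALLOCATE, ?C_REQUEST, TxId,
           [attr(?A_REQUESTED_TRANSPORT, <<6:8, 0:24>>)]).   %% 6 = TCP

%% Step 2: the relay reports a pending peer connection on the allocated port.
connection_attempt(TxId, ConnId, {PeerIp, PeerPort}) ->
    encode(?M_CONNECTION_ATTEMPT, ?C_INDICATION, TxId,
           [attr(?A_CONNECTION_ID, <<ConnId:32>>),
            xor_peer_address(PeerIp, PeerPort)]).

%% Step 3: on a fresh outbound data connection, the agent binds it to that ID;
%% after the success response, bytes on that connection are relayed to the peer.
connection_bind(TxId, ConnId) ->
    encode(?M_CONNECTION_BIND, ?C_REQUEST, TxId,
           [attr(?A_CONNECTION_ID, <<ConnId:32>>)]).

%% Parse the 20-byte header (top two bits zero, cookie present), then attributes.
decode(<<0:2, Type:14, Len:16, ?MAGIC:32, TxId:12/binary, Body:Len/binary, _/binary>>) ->
    {Method, Class} = method_class(Type),
    {ok, #{method => Method, class => Class, txid => TxId, attrs => attrs(Body)}};
decode(_) ->
    {error, not_stun}.

attrs(<<>>) -> [];
attrs(<<T:16, L:16, Rest/binary>>) ->
    Pad = (4 - (L rem 4)) rem 4,
    <<V:L/binary, _:Pad/binary, Tail/binary>> = Rest,
    [decode_attr(T, V) | attrs(Tail)].

decode_attr(?A_CONNECTION_ID, <<Id:32>>) -> {connection_id, Id};
decode_attr(?A_REQUESTED_TRANSPORT, <<Proto:8, _:24>>) -> {requested_transport, Proto};
decode_attr(?A_XOR_PEER_ADDRESS, <<_:8, 1:8, XPort:16, XAddr:32>>) ->
    Addr = XAddr bxor ?MAGIC,
    {xor_peer_address, {{Addr bsr 24, (Addr bsr 16) band 255, (Addr bsr 8) band 255, Addr band 255},
                        XPort bxor (?MAGIC bsr 16)}};
decode_attr(T, V) -> {unknown, T, V}.

%% Round-trip the three messages with constructed IDs (real ones must be random).
selfcheck() ->
    TxId = <<"txid-1234567">>,
    ConnId = 16#0ABCDEF0,
    Peer = {{203, 0, 113, 7}, 55478},
    {ok, #{method := ?M_ALLOCATE, class := ?C_REQUEST,
           attrs := [{requested_transport, 6}]}} = decode(allocate_tcp(TxId)),
    {ok, #{method := ?M_CONNECTION_ATTEMPT, class := ?C_INDICATION, txid := TxId,
           attrs := [{connection_id, ConnId}, {xor_peer_address, Peer}]}} =
        decode(connection_attempt(TxId, ConnId, Peer)),
    {ok, #{method := ?M_CONNECTION_BIND,
           attrs := [{connection_id, ConnId}]}} = decode(connection_bind(TxId, ConnId)),
    {error, not_stun} = decode(<<"GET / HTTP/1.1\r\n">>),
    ok.
```

Two caveats for anyone deploying this pattern: the relay must authenticate Allocate requests (long-term credentials, left out above) or it becomes an open TCP relay that anyone on the Internet can point at any host, and because both TCP legs terminate on the relay, it sees the traffic in the clear unless your application speaks TLS end to end over the relayed connection.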

On Wed, Feb 1, 2012 at 8:54 AM, eigenfunction <emeka_1978@REDACTED> wrote:
> @Edward
> You are right and thank you again for your help
>
> @Michael
> I am in a corporate intranet, so I do not have access to the outside
> world and there are a couple of NATs between the networks.
>
> On 1 Feb., 14:37, Edward Wang <edward.yu.w...@REDACTED> wrote:
>> A TCP server itself is simple enough, but that's another piece of
>> software running on a separate machine. That's a big disadvantage. On
>> the other hand, a UPnP control point is something you can integrate
>> into your own application, given your NAT device speaks UPnP and you
>> want to deal with the protocol.
>>
>> -Edward
>>
>> On Wed, Feb 1, 2012 at 9:19 PM, eigenfunction <emeka_1...@REDACTED> wrote:
>> > Thank you for the response. But before I wade into that territory,
>> > do you think it will be easier than just writing a TCP server?
>> > Anyway, I am going to check that out.
>>
>> > On 1 Feb., 10:50, Edward Wang <edward.yu.w...@REDACTED> wrote:
>> >> If your NAT device supports UPnP, you can ask for its external address
>> >> using UPnP protocol. But there's nothing simple in it. UPnP is a
>> >> horrible protocol.
>>
>> >> That said, if you do want to try this, you can check out UPnP
>> >> implementation in etorrent. I did that about one year ago for opening
>> >> port mapping. The related source files are
>> >> (https://github.com/edwardw/etorrent/tree/master/apps/etorrent/src):
>>
>> >>     etorrent_upnp_sup.erl
>> >>     etorrent_upnp_proto.erl
>> >>     etorrent_upnp_net.erl
>> >>     etorrent_upnp_handler.erl
>> >>     etorrent_upnp_entity.erl
>>
>> >> They are a quite standalone and complete UPnP implementation. Take a
>> >> look at how add_port_mapping is implemented:
>> >>    https://github.com/jlouis/etorrent/blob/master/apps/etorrent/src/etor...
>> >> It should be easy enough to add your own get_external_address
>> >> function, which is defined in the following specification:
>> >>    http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v1-Service.pdf
>>
>> >> Regards,
>> >> Edward
>>
>> >> On Wed, Feb 1, 2012 at 4:25 PM, eigenfunction <emeka_1...@REDACTED> wrote:
>> >> > Hi everybody,
>> >> > I have an Erlang application running behind a NAT. Now I have come to
>> >> > a point where I need to know my public IP. I was thinking about
>> >> > running a tiny TCP server behind the NAT whose sole purpose would be
>> >> > to send me my public IP. My question is this: isn't there a
>> >> > simpler alternative? Heck, even if I could determine the public IP of
>> >> > the NAT device without doing a "backflip" it will be enough for my
>> >> > case.
>> >> > Any idea?
>> >> > _______________________________________________
>> >> > erlang-questions mailing list
>> >> > erlang-questi...@REDACTED
>> >> >http://erlang.org/mailman/listinfo/erlang-questions


