
Security IT/NAT

From Wikibooks, open books for an open world

NAT was created as a response to the shrinking pool of IPv4 addresses. In short, we get one variable (dynamic) public IP address from an ISP, assigned for a specific APN; traffic passes through the router, which directs it to a specific computer on our own network behind it, where private addresses are used.

Bypassing NAT restrictions


A few words of explanation for each type of NAT follow.

Full-cone NAT


Usually nothing needs to be done here; sometimes port forwarding must be used.

(Address)-restricted-cone NAT

  1. Run UPnP/NAT-PMP/UPnP-IGD/PCP.
  2. Set a static private IP; optionally configure DDNS.
  3. If that doesn't work, use port forwarding.
  4. If that doesn't work, use port triggering.
  5. If that doesn't work, use DMZ.
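Step 1 above depends on the router offering an automatic port-mapping protocol. To make that step concrete, the following is an added Python example (not code from the Wikibooks page or from any router vendor) that builds and parses NAT-PMP messages using only the wire format defined in RFC 6886. The gateway address, the sample response bytes and the simple "gateway rebooted" rule are constructed for the example.

```python
"""NAT-PMP (RFC 6886) port-mapping request builder and response parser.

Added example for the NAT-PMP step above; not code from the Wikibooks page
or from any router vendor. Only the RFC 6886 wire format is implemented;
the sample response bytes and the gateway address are constructed.
"""
import socket
import struct

NATPMP_PORT = 5351          # the gateway listens here (RFC 6886, section 3)
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULT_CODES = {
    0: "success",
    1: "unsupported version",
    2: "not authorized / refused",   # gateway policy forbids mappings
    3: "network failure",
    4: "out of resources",
    5: "unsupported opcode",
}


def build_map_request(internal_port, suggested_external=0, lifetime=7200, proto="udp"):
    """Request bytes (section 3.3): version 0, opcode, 2 reserved bytes,
    internal port, suggested external port, requested lifetime in seconds."""
    op = OP_MAP_UDP if proto == "udp" else OP_MAP_TCP
    return struct.pack("!BBHHHI", 0, op, 0, internal_port, suggested_external, lifetime)


def build_unmap_request(internal_port, proto="udp"):
    """Lifetime 0 together with external port 0 asks the gateway to delete the
    mapping (section 3.4). Send this when the service stops, instead of
    leaving the hole open until the lifetime runs out."""
    return build_map_request(internal_port, 0, 0, proto)


def parse_map_response(data):
    """Parse a 16-byte mapping response (section 3.3) into a dict."""
    if len(data) < 16:
        raise ValueError("NAT-PMP mapping response must be 16 bytes")
    version, op, result, epoch, internal, external, lifetime = struct.unpack(
        "!BBHIHHI", data[:16])
    if version != 0 or op not in (128 + OP_MAP_UDP, 128 + OP_MAP_TCP):
        raise ValueError(f"not a NAT-PMP mapping response (version={version}, opcode={op})")
    return {
        "ok": result == 0,
        "result": RESULT_CODES.get(result, f"unknown ({result})"),
        "proto": "udp" if op == 128 + OP_MAP_UDP else "tcp",
        "seconds_since_epoch": epoch,  # counter restarts when the gateway reboots
        "internal_port": internal,
        "external_port": external,     # may differ from what we suggested
        "lifetime": lifetime,          # gateway may shorten what we asked for
    }


def gateway_rebooted(previous_epoch, current_epoch):
    """Simplified section 3.6 check (assumption: no clock tolerance): if the
    epoch counter went backwards, the gateway restarted and every mapping is
    gone, so the client must request its mappings again."""
    return current_epoch < previous_epoch


def request_mapping(gateway_ip, internal_port, proto="udp", lifetime=7200, timeout=2.0):
    """Send one request to the gateway and parse the reply. This does real
    network I/O and is not exercised by the offline checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_map_request(internal_port, internal_port, lifetime, proto),
                 (gateway_ip, NATPMP_PORT))
        data, _ = s.recvfrom(64)
    return parse_map_response(data)


# Constructed sample reply: success, epoch 12345, internal 5000 -> external 40001, 7200 s
SAMPLE_RESPONSE = struct.pack("!BBHIHHI", 0, 128 + OP_MAP_UDP, 0, 12345, 5000, 40001, 7200)

if __name__ == "__main__":
    print(build_map_request(5000, 5000, 3600, "tcp").hex())
    print(parse_map_response(SAMPLE_RESPONSE))
```

Two things worth checking when relying on this step: the gateway may return a different external port or a shorter lifetime than requested, so read the response rather than assuming; and because any program on the LAN can ask for a mapping the same way, it pays to review the mappings the router currently holds and to delete them when the service goes away.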

Port-restricted cone NAT

  1. Use UDP hole punching.
  2. If that doesn't work, try TCP hole punching.
  3. Optionally, try ICMP hole punching.
  4. UDP multi-hole punching (mirror).

Symmetric NAT

  1. Sequential hole punching.
  2. Use a supernode.
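The four NAT types above differ only in which inbound packets the router lets through, and that is what decides which of the listed techniques works. The following is an added Python example (not code from the Wikibooks page, and not a real NAT implementation) that models the four types from the RFC 3489 terminology and runs the UDP hole-punching exchange through them, including the sequential (port-prediction) variant listed for symmetric NAT. The private and public addresses, the ports and the rendezvous server are constructed values, and the model assumes a NAT that hands out external ports in order.

```python
"""Simulation of the four classic NAT types and why hole punching works or fails.

Added example for the NAT types listed above; not code from the Wikibooks page
or from any real NAT. The `Nat` class is a deliberately simplified model; all
addresses, ports and the rendezvous server are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Nat:
    kind: str                       # "full", "address", "port" or "symmetric"
    public_ip: str
    next_port: int = 40000          # assumption: external ports are handed out sequentially
    mappings: dict = field(default_factory=dict)   # mapping key -> external port
    allowed: dict = field(default_factory=dict)    # external port -> {remote endpoints contacted}

    def _key(self, src, dst):
        # Cone NATs reuse one external port per internal (ip, port).
        # A symmetric NAT allocates a new external port per destination.
        return (src, dst) if self.kind == "symmetric" else src

    def outbound(self, src, dst):
        """Private host `src` sends to `dst`; return the public (ip, port) the packet leaves with."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.allowed.setdefault(ext_port, set()).add(dst)
        return (self.public_ip, ext_port)

    def inbound(self, remote, ext_port):
        """Packet from `remote` arrives at our public `ext_port`; True if it is forwarded."""
        contacted = self.allowed.get(ext_port)
        if contacted is None:
            return False            # no mapping on that port at all
        if self.kind == "full":
            return True             # anyone may use an existing mapping
        if self.kind == "address":
            return any(ip == remote[0] for ip, _ in contacted)
        return remote in contacted  # port-restricted and symmetric: exact endpoint only


RENDEZVOUS = ("203.0.113.1", 3478)   # constructed STUN-like rendezvous server
PRIV_A, PRIV_B = ("192.168.1.10", 5000), ("10.0.0.10", 5000)


def reachable_after_stun(nat, third_party=("198.51.100.77", 9999)):
    """After the host has only talked to the rendezvous server, can an unrelated
    third party reach it? Only a full-cone NAT allows this, which is why the
    full-cone case above usually needs no extra work."""
    pub = nat.outbound(PRIV_A, RENDEZVOUS)
    return nat.inbound(third_party, pub[1])


def hole_punch(nat_a, nat_b, probe_ports=1):
    """Run the UDP hole-punching exchange through the two modelled NATs.

    1. Each peer sends to the rendezvous server, which learns the public
       endpoint the NAT assigned (what STUN reports back).
    2. The server tells each peer the other's public endpoint.
    3. Both peers send to each other at the same time; each outgoing packet
       opens or extends a mapping so the peer's packet is let in.
    With probe_ports > 1, B also sends to the next few ports above A's
    reported one: sequential hole punching for a symmetric NAT that hands
    out ports in order. Returns True when packets pass in both directions.
    """
    pub_a = nat_a.outbound(PRIV_A, RENDEZVOUS)
    pub_b = nat_b.outbound(PRIV_B, RENDEZVOUS)

    punch_a = nat_a.outbound(PRIV_A, pub_b)
    punches_b = [nat_b.outbound(PRIV_B, (pub_a[0], pub_a[1] + k))
                 for k in range(probe_ports)]

    a_to_b = nat_b.inbound(punch_a, pub_b[1])
    b_to_a = any(nat_a.inbound(src, pub_a[1] + k) for k, src in enumerate(punches_b))
    return a_to_b and b_to_a


if __name__ == "__main__":
    for kind_a, kind_b in [("full", "full"), ("port", "port"),
                           ("symmetric", "port"), ("symmetric", "symmetric")]:
        plain = hole_punch(Nat(kind_a, "198.51.100.1"), Nat(kind_b, "198.51.100.2"))
        seq = hole_punch(Nat(kind_a, "198.51.100.1"), Nat(kind_b, "198.51.100.2"), 3)
        print(f"{kind_a:9} <-> {kind_b:9}: plain punch {plain}, sequential punch {seq}")
```

Running the model reproduces the ordering of the sections above: plain hole punching passes through any pair of cone NATs; a symmetric NAT on one side breaks it, because the port the rendezvous server reported is not the port the NAT uses toward the peer, and only the sequential variant recovers; with symmetric NATs on both sides even that fails, which is the case where a supernode (relay) is the remaining option.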

CGNAT


Investigation

  • The only reliable solution that I've found so far has been to use IPsec VPNs initiated from behind the NAT.
  • ZeroTier can traverse CGNAT. If you follow the recommendations (it mainly boils down to opening the port in the firewall), it is probable that the status value becomes
"tcpFallbackActive": false

For all types of NAT (probably)
