
Thread: NAT vs NAPT

  1. #1
    Registered User
    Join Date
    Oct 2004
    Posts
    9

    NAT vs NAPT

    I've recently moved house and ISP which has resulted in a new router (Speedtouch 780). By default the admin console for this box sets up game sharing using NAPT instead of NAT and while it's possible to modify this by hand using the CLI, it's right on the limit of my abilities and I can't work out how to get the settings to persist after a reboot of the box.

    So, my questions, what exactly is the problem with AC and NAPT? Can I expect to see support for NAPT coming soon? Why did my old router (Netgear DG834G) have no issues at all and didn't even require any kind of port-forwarding or config (UPNP seemed to handle it all)? Will Turbine produce guidelines for stable configuration of the Speedtouch 780?

    Thanks,
    Gatt.

  2. #2
    Registered User Xanius's Avatar
    Join Date
    Mar 2006
    Posts
    581

    Re: NAT vs NAPT

    The difference between nat and napt is that NAT is based on IP and NAPT is based on port.

    In NAT you tell the router this port goes to this computer all the time, with NAPT it can change which computer each port goes to and AC just doesn't like it.

    Port based forwarding causes problems in ac because as far as I know it wasn't possible to do NAPT at the time the game was made. I don't think AC can be made to work with NAPT without a big rewrite of the code.

    The reason UPNP worked is because it's basically auto-NAT it maps the ports to the computer and stays that way for a while.

    As for the speedtouch not staying on NAT instead of NAPT, I'm not sure. I've never used one, but what I'm used to seeing is, you change it, save and reboot the router and it works, are you sure you're rebooting it the right way and not resetting it?

  3. #3
    Registered User Yula_the_Mighty's Avatar
    Join Date
    Jul 2004
    Location
    South Florida
    Posts
    5,840

    Re: NAT vs NAPT

    I've hit the wrong key on my PC twice now and blown away an incomplete response. Now that I am seriously annoyed, you get the short version.

    Like NAPT, NAT and AC are all from the same era. At the time the AC networking code was written there was no cable or DSL, no routers, no home networks and NAPT was not used by ISPs. Everybody had either internal or external modems and used dial up. You found NAPT inside companies but it was not very common.

    The networking code in AC does not support NAPT. The router an end user has may:
    1) work out of the box
    2) require configuration
    3) require a firmware update and configuration
    4) not work at all

    Turbine has known about this issue with their networking code for years. IMHO - It is never going to get changed. If it was going to get changed it would have been changed as part of the Throne of Destiny expansion last year.

    Turbine does not produce any guidelines for routers or modems. I do not blame them. There are hundreds of different home routers in service in people homes in the USA. That does not even cover the regional routers that you might find in Europe or Asia.

    There is a site with thousands of pages of configuration help for various routers and games:
    http://www.portforward.com
    but even with all the pages on that site, they are nowhere near complete. For example they have 27 entries for Thomson-Alcatel routers but I do not see your model on that list.

    Yula the Mighty - HG
    Last edited by Yula_the_Mighty; 07-22-2006 at 03:38 PM.

  4. #4
    Registered User
    Join Date
    Oct 2004
    Posts
    9

    Re: NAT vs NAPT

    Thanks both for your replies, good info.

    I think what's still confusing me (and why I'm after some fairly technical specifics) is that my old router (DG834G) supported UPnP and required no explicit configuration at all. My new router (Speedtouch 780) also supports UPnP but doesn't work out-of-the-box. There must be a relationship between the UPnP implementation and the use of NAT, PAT, NAPT that I'm not aware of. My suspicion is that a very simple change to the config of the 780 would allow the UPnP to work without specific port configuration, but I need more info. I guess I just need to do a lot of reading.

    In the meantime I've done a bit more work on the Thomson / Alcatel Speedtouch 780 and reduced the config changes to the bare minimum needed to get AC working without opening my whole PC via NAT, so if anyone ever picks up this post as a result of the search then send me a PM for details on the changes needed and I'll post them up.

    Gatt

  5. #5
    Registered User
    Join Date
    Oct 2004
    Posts
    9

    Re: NAT vs NAPT

    Further to my previous post, section 5 of this RFC: http://www.ietf.org/rfc/rfc3489.txt talks about variations of UDP over NAT. I can modify which configuration my router uses and if I knew which one AC required then I'd be happy!

  6. #6
    Registered User Xanius's Avatar
    Join Date
    Mar 2006
    Posts
    581

    Re: NAT vs NAPT

    Quote Originally Posted by Le Gatt
    In the meantime I've done a bit more work on the Thomson / Alcatel Speedtouch 780 and reduced the config changes to the bare minimum needed to get AC working without opening my whole PC via NAT

    Gatt
    There's no difference in how open your computer is to the internet when using NAPT and NAT; both of them are network address translation. NAPT is a better form because there are so many people using the internet now that we are going to run out of IPs eventually, and with NAPT you can have 1 IP and a near infinite number of ports to use.

    But glad you got it working.

  7. #7
    Registered User
    Join Date
    Oct 2004
    Posts
    9

    Re: NAT vs NAPT

    Correct me if I'm wrong but via NAPT I can redirect port 9000-9050 to a specific machine on my LAN. Via NAT I effectively redirect all ports to that machine. That's what I meant by opening my whole machine, quite an important difference given how exploitable an unpatched Windows box can be. Have I misunderstood something?

  8. #8
    Registered User Yula_the_Mighty's Avatar
    Join Date
    Jul 2004
    Location
    South Florida
    Posts
    5,840

    Re: NAT vs NAPT

    NAPT was designed to split an IP address based on port numbers. ISPs pay for every public IP address. In order to reduce their costs and make more money, they give their end users private IP addresses. The ISP then assigns one public address to perhaps 10 customers and then uses NAPT to forward the ports.

    NAT and NAPT were developed to deal with the shortage of IP addresses that occurred in IP version 4. IP version 4 is at least 20 years old. It is not a big surprise that it had to be updated.

    Since that time IP version 6 has become available. IPV6 is about 10 years old. In order to solve the limited number of addresses available in IPV4, the address field is increased to 128 bits giving us:
    340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.
    Hopefully, this number will last us a while...

    In answer to your question of NAPT and NAT and opening up your PC. Firewalls and port forwarding and filters on a router all work together. In order for a PC to be attacked over the internet, you need to use one of two different methods:

    1) You need to send packets to a program (listener on a port) and get some sort of reaction in the form of a remote program execution.
    2) You send them something that the owner has to open, execute or is automatically executed.

    Almost all vulnerabilities in Microsoft PCs fall into category 2. No amount of port forwarding, filtering or anything is going to help. These attacks look like a normal email message, AIM packet or web server response. If you have an unpatched Microsoft box and you send or receive email or browse the internet you are screwed. If you have a good antivirus program, it will reduce the problem some.

    Yula the Mighty - HG
    Last edited by Yula_the_Mighty; 07-23-2006 at 11:14 AM.

  9. #9
    Registered User Xanius's Avatar
    Join Date
    Mar 2006
    Posts
    581

    Re: NAT vs NAPT

    NAT is just a set of specified ports. You can open it to every port but if I put in the router that I want port 67 to my computer only things on that port will get through as NEW connections.

    Routing has 3 states NEW, related and outgoing I think. Can't remember exactly. But if it's an outgoing connection IE webpages and such there's no interruption. With related you have to enable those which means that if I connect to a game on port 700 and a new connection is made on 750 FROM the server the router will just pass it along because it's related to the port 700 connection. And NEW connections are incoming connections, those are blocked by the router unless you forward a port.

    NAPT is something that doesn't affect the home user.

    The way both of them work is you have IP A which is your public address, and B & C which are on your network.

    If something on the internet sends a packet directed at A:9000 and IP B is the one the router has 9000 forwarded to it knows that packet goes to computer B.

    That's how NAT works.

    With NAPT it's a bit different. Computer B connects to something outside the LAN and the router assigns a port to that connection, so instead of having A:9000 being a static port to the inside computer it becomes A:4587 and after a while of not being used it will be deleted and the same connection would become A:6879. That's why it doesn't work with AC because it requires port 9000-9013 to be to the computer, and NAPT can't lock in ports like that.
    Last edited by Xanius; 07-23-2006 at 11:16 AM.

  10. #10
    Registered User
    Join Date
    Oct 2004
    Posts
    9

    Re: NAT vs NAPT

    Thanks again to both of you. I've actually solved the problem using the router's CLI as mentioned so everything else is just good chat.

    Quote Originally Posted by Xanius
    NAT is just a set of specified ports. You can open it to every port but if I put in the router that I want port 67 to my computer only things on that port will get through as NEW connections.
    Now that's a key bit of info for me, because how I've used my router's CLI to configure NAT is not constrained to particular ports - it's for the entire range. I think NAT has to be used in conjunction with the router's firewall functionality in order to make it port specific (maybe). Back to the instruction book for me then.


    Quote Originally Posted by Xanius
    NAPT is something that doesn't affect the home user.
    I still think we're talking about different things here. I know that my ISP doesn't do NAPT at the RADIUS server (or equiv level) but my router does. I wonder whether in this case PAT (Port Address Translation) and NAPT (Network Address and Port Translation) have a subtly different meaning here.

    Here's the default output of a "nat tmpllist" command after I've added the AC port-forwarding using the webconsole:

    Code:
    Idx Type Interface       Ifgroup  Outside Address                Inside Address                 Use
     17 NAPT any             wan      0.0.0.1:[9000-9050]            192.168.1.64:[9000-9050]       1
    This doesn't work with AC. However if I add an equivalent NAT entry using the CLI I get:
    Code:
    Idx Type Interface       Ifgroup  Outside Address                Inside Address                 Use
     19 NAT  RoutedEthoA     any      0.0.0.1                        192.168.1.64                   1
    This works. However, this implies to me that this NAT mapping is enabled for any port, not just 9000-9050, which is the reason for my concern. I need to track down the equivalent CLI commands to ensure that the ports are restricted. I also need to check this by bringing up a service on my PC and attempting to connect to it externally.

    Quote Originally Posted by Yula_the_mighty
    1) You need to send packets to a program (listener on a port) and get some sort of reaction in the form of a remote program execution.
    This is the one I'm worried about, using a tool like nmap to port-scan a typical Windows machine there's a load of ports open for which exploits are a couple of google searches away. Fortunately my PC is well patched and has Windows Firewall open, plus an nmap of my public ip from a remote server I own only appears to reveal ports open on the router. So clearly I don't fully understand the router CLI yet.

    Quote Originally Posted by Yula_the_mighty
    Almost all vulnerabilities in Microsoft PCs fall into category 2.
    Not sure I agree with that, in my experience if you install a pre-SP2 version of XP onto a PC that's connected to the internet via a fairly well-known ISP, then there's a good chance that you'll get hit by an exploit on an open port vulnerability within minutes due to all the script-kiddies running scans on certain IP address-ranges. Perhaps I've just been unlucky.

    Oh well, it's all just a matter of reading and learning now. Or perhaps just buying a router that I can actually understand how to maintain. Thanks again for the info and chat.

  11. #11
    Registered User Yula_the_Mighty's Avatar
    Join Date
    Jul 2004
    Location
    South Florida
    Posts
    5,840

    Re: NAT vs NAPT

    Quote Originally Posted by Le Gatt
    Not sure I agree with that, in my experience if you install a pre-SP2 version of XP onto a PC that's connected to the internet via a fairly well-known ISP, then there's a good chance that you'll get hit by an exploit on an open port vulnerability within minutes due to all the script-kiddies running scans on certain IP address-ranges. Perhaps I've just been unlucky.
    There are not many issues like this in XP. Problem is that XP is old. Five years? There are still a lot of folks with bootleg copies and people who do not update their PCs. This means fertile ground for script kiddies.

    One of my daughters just started college last year. Her roommate had a brand new laptop that had never been connected to the internet - original XP - pre SP1. It did not last long enough to even install the required software to access the internet from the college. It got crushed in less than 15 minutes. I ended up formatting her laptop and installing XP SP2 from the CDs that I had with me. Then there was an hour's hassle with Microsoft to get the OS registered because her key would not work with my CD.

    If you look at the hundreds of vulnerabilities to XP, most of them are not something that a router can stop. There are exploits to Office, IE or another app. Generally, people are not trying to make the PC fail. The big deal today is to jam ads down your throat because the trouble maker gets paid for it. Or it is to try and steal useful information.

    When you use an unpatched version of XP these days and connect to the internet, you are going to get something you did not want very quickly.

    Yula the Mighty - HG

  12. #12
    Registered User Xanius's Avatar
    Join Date
    Mar 2006
    Posts
    581

    Re: NAT vs NAPT

    Le Gatt, I think the easiest way for you to set it up would be to use the web interface instead of CLI, the way it works makes forwarding ports a lot easier and it doesn't force all ports to open.

  13. #13
    Registered User
    Join Date
    Oct 2004
    Posts
    9

    Re: NAT vs NAPT

    Quote Originally Posted by Xanius
    Le Gatt, I think the easiest way for you to set it up would be to use the web interface instead of CLI, the way it works makes forwarding ports a lot easier and it doesn't force all ports to open.
    Xanius, as I said at the beginning, this doesn't work on my router, which is why I had to go the pure NAT route via the CLI.

    Fundamentally, unless someone from Turbine is prepared to tell me exactly what it is that AC requires then I'm stuck with what I've got (e.g. method by which it uses UDP over NAT - full cone, restricted cone, etc - see Wikipedia).

    Anyway, my brain is hurting now so that's it from me.

    Gatt.

  14. #14
    Registered User Yula_the_Mighty's Avatar
    Join Date
    Jul 2004
    Location
    South Florida
    Posts
    5,840

    Re: NAT vs NAPT

    If I read Wikipedia correctly AC does not use full cone NAT, restricted cone NAT, port restricted cone NAT or symmetric NAT. AC uses what is called asymmetrical UDP.

    Let's say your PC is IP address 191.168.1.10. Your public IP on your router is 116.17.93.45. You are communicating with a single machine in the AC world server cluster with the IP address of 165.43.31.131.

    What the AC client does is send a UDP packet out with the following header information: to 165.43.31.131 - port 9003 --> please respond to 192.168.1.10 port 9006.

    The router has to change this to 165.43.31.131 - port 9003 --> please respond to 116.17.93.45 - port 9006 and remember that a packet from 9006 is coming back in.

    Later on the router will get a packet to 116.17.93.45 - port 9006 from 165.43.31.131 - port 9003 (note: this does not have to be 9003; it could be any port number that the server wants the client to respond on) and now the router has to change the destination IP address and forward the packet to the correct PC.

    Some routers have a hard time with asymmetrical UDP. Many routers require that you use symmetric UDP. The router looks at the outgoing packet. The router sees the packet being sent from 9003, stores 9003 in its table. When the server sends a packet to 9006, the router goes - rogue unknown packet into the trash with you.

    Yula crosses his fingers and hopes he did not make a typo in the ports or IP addresses.

    Yula the Mighty - HG
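The asymmetric exchange described in the post above, together with the static-versus-dynamic port mapping Xanius describes in #9, modelled as an added Python toy router that is not from the thread or from any real router firmware. The HomeRouter class, its port-range forward list and the 40000 starting public port are assumptions; the PC, router and server addresses are the post's own constructed ones.

```python
from dataclasses import dataclass
import itertools

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class HomeRouter:
    """Toy consumer router. forwards: list of (low_port, high_port, inside_ip) static
    mappings, in the spirit of the Speedtouch 'nat tmpllist' entries quoted in the thread."""
    def __init__(self, public_ip, forwards=()):
        self.public_ip = public_ip
        self.forwards = list(forwards)
        self.conntrack = {}             # public port -> (inside_ip, inside_port, remote_ip)
        self._free_ports = itertools.count(40000)   # assumed NAPT port pool

    def _static_target(self, port):
        for lo, hi, inside_ip in self.forwards:
            if lo <= port <= hi:
                return inside_ip
        return None

    def outbound(self, pkt):
        """LAN -> WAN. Inside a forwarded range the source port is kept; otherwise the
        NAPT behaviour from the thread applies and the router picks a fresh public port."""
        pub_port = pkt.src_port if self._static_target(pkt.src_port) else next(self._free_ports)
        self.conntrack[pub_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN. Returns the translated packet, or None when the router drops it."""
        flow = self.conntrack.get(pkt.dst_port)
        if flow and flow[2] == pkt.src_ip:           # a reply on a port we actually sent from
            return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
        target = self._static_target(pkt.dst_port)   # otherwise only a static forward lets it in
        if target:
            return Packet(pkt.src_ip, pkt.src_port, target, pkt.dst_port)
        return None                                  # "rogue unknown packet, into the trash"

PC, SERVER = "192.168.1.10", "165.43.31.131"         # constructed addresses from the post

def ac_reply_reaches_pc(router):
    """The post's exchange: client sends from 9003, server answers to a different port, 9006."""
    router.outbound(Packet(PC, 9003, SERVER, 9003))
    delivered = router.inbound(Packet(SERVER, 9003, router.public_ip, 9006))
    return delivered is not None and delivered.dst_ip == PC and delivered.dst_port == 9006

def unsolicited_reaches_pc(router, port):
    """A packet nobody on the LAN asked for: shows what a given forward rule exposes."""
    return router.inbound(Packet("203.0.113.7", 4444, router.public_ip, port)) is not None
```

With no forwards the 9006 reply is dropped; a 9000-9013 range forward lets it through while still rejecting unsolicited traffic on other ports, and an all-ports forward (the CLI "NAT" template from #10) lets both through.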

  15. #15
    Registered User
    Join Date
    Jul 2006
    Posts
    35

    Re: NAT vs NAPT

    Bump.

    Some good information here.
