Stupid UDP NAT argument (was: OpenVPN TCP vs UDP)

Ben Scott dragonhawk at gmail.com
Thu Jul 12 18:10:15 EDT 2007


On 7/12/07, Thomas Charron <twaffle at gmail.com> wrote:
> And there is no reliably standard way to provide full UDP nat
> traversal, which is why companies like Skype roll their own solution.

  VoIP uses dynamic port numbers for connections, which is why you
need stateful, application-layer packet inspection.  It has nothing to
do with the use of UDP.  You have the same problem with FTP over TCP
-- the data channel uses an ephemeral port, so it has to examine the
TCP payload to find out what port it has to forward.

>   Linksys was the first NAT manufacturer to my knowledge to
> AUTOMATICALLY assume that a return UDP packet to the same port should
> be forwarded to the original internal machine without requiring an
> explicit rule to allow this to occur.

  Every dynamic NAT implementation I've ever used, ever, did this.
Heck, Linux 2.0 could do it, so long as you didn't want a firewall,
too.  Can you find me any dynamic NAT implementation which *doesn't*
handle UDP?

>   By your own statement, explain then why NAT routers need to do
> 'funny things' with very basic UDP based services, like DNS.

  They don't.  I have never had to do application-layer inspection
with DNS.  Nor NTP.  Fire up Wireshark and look at the packets if you
don't believe me.

> With UDP, there is a massive assumption which is
> made which may be false.

  Sure, it *could* be false.  But in practice, it almost always works.

>   If I have two computers, for instance, internal to a NAT which uses
> these rules, both trying to bittorrent a file using, say, BitComet on
> the same port, it simply will not work.

  BitTorrent uses TCP.

  http://btfaq.com/serve/cache/25.html

>   Or, a better example, If I'm at work, and my housemate is at work,
> and we both try to use OpenVPN over UDP while traversing our pfSense
> firewall at home, using an OpenVPN server internal to the
> Firewall/NAT, it simply won't work right.

  I'm not sure what you mean here (the distinction between what is
where), but OpenVPN over UDP works just fine over NAT boundaries.  We
use it that way all the time.  Maybe your firewall is mis-configured.

-- Ben
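As an added illustration (not part of the thread), a small Python model of the stateful UDP mapping described above: a return packet is forwarded to whichever internal host created the mapping, and the naive port-preserving variant shows the collision that the two-hosts-on-one-port scenario worries about. The addresses and the port-allocation policy are constructed assumptions, not any particular router's behaviour.

```python
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class UdpNat:
    """Stateful UDP NAT: an outbound packet creates a mapping; an inbound
    packet is forwarded only if a mapping for its destination port exists."""

    EXTERNAL_IP = "203.0.113.1"  # constructed public address

    def __init__(self, preserve_ports=False):
        # preserve_ports=True models a naive box that keeps the internal
        # source port unchanged; False allocates a fresh external port.
        self.preserve_ports = preserve_ports
        self.next_port = itertools.count(40000)
        self.by_internal = {}  # (int_ip, int_port) -> external port
        self.by_external = {}  # external port -> (int_ip, int_port)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.by_internal:
            ext = pkt.sport if self.preserve_ports else next(self.next_port)
            self.by_internal[key] = ext
            self.by_external[ext] = key  # the naive box silently overwrites here
        return Packet(self.EXTERNAL_IP, self.by_internal[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Forward a return packet to the host owning the external port, or
        drop it (None) when no state exists: this is the 'stateful' part."""
        owner = self.by_external.get(pkt.dport)
        if owner is None or pkt.dst != self.EXTERNAL_IP:
            return None
        return Packet(pkt.src, pkt.sport, owner[0], owner[1])


def two_hosts_same_port(preserve_ports):
    """Two internal hosts both use source port 1194 to one OpenVPN server.
    Returns which internal host each server reply is delivered to."""
    nat = UdpNat(preserve_ports)
    server = "198.51.100.10"  # constructed
    hosts = ["192.168.1.10", "192.168.1.11"]
    out = [nat.outbound(Packet(h, 1194, server, 1194)) for h in hosts]
    replies = [nat.inbound(Packet(server, 1194, nat.EXTERNAL_IP, p.sport)) for p in out]
    return [r.dst if r else None for r in replies]
```

With fresh port allocation each host's replies come back to it; with port preservation the second host's mapping overwrites the first, so both servers' replies land on one host.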