Receiving data with Sockets when behind a Router
Alex Tweedly
alex at tweedly.net
Fri Feb 2 20:09:58 EST 2007
Stephen Barncard wrote:
> Look at IP tunnelling. This allows a computer on a LAN to get a port
> or range of ports of various protocols through a router from the
> outside world.
>
> All routers will have this.
>
> http://www.linuxvirtualserver.org/VS-IPTunneling.html
>
Unfortunately, the scheme described here uses IP Tunnelling *direct* to
the real server - and hence requires that the real server be directly
addressable from the external Internet - which is not the case in the
scenario of the original question.
There are also other problems that the article skates over ....
1. This scheme has the real server send its reply direct to the client.
This raises (or rather, doesn't raise :-) the question of what the form
of these reply packets will be. There are two choices for the Source IP
address
- the real server's own IP address (the obvious choice). This can
(will) result in the packets being dropped if the client is behind a
secure NAT/firewall, because the src-ip of the packets will not match
the dest-ip address of the established connection.
- the Virtual IP address. This can (though only rarely will) result
in the packets being dropped because they have spoofed IP addresses, and
any ISP using Reverse Path Filtering will drop them for security reasons.
Sadly, not enough ISPs run RPF (if they did, spam and other attacks
would drop significantly), so you might get away with this.
2. The tunnelling is all the way to the server - so you need IP
tunnelling support on the server, not on the router. Most users (i.e.
Windows and Macs) will either not have this support, or will need
privileged access to configure it.
3. MTU issues - probably not as serious now as they were a few years
ago, since many people are configured with slightly smaller MTUs to
allow use over VPN, but still might catch out some users.
> then one can use dynDNS or other service to get the IP when it
> inevitably will change.
>
But knowing the new IP address on the server still leaves you vulnerable
to the problem of changing the port forwarding on the router (and
related issues, which Jim's email covers better than I could).
Note you could run this IP tunnelling via the router - having the router
decapsulate the packet and forward to the relevant local machine (but
that's no easier than configuring port forwarding, and not all routers
will support GRE with configured output ports).
>
>> I'm in need of some guidance. How do you resolve an IP address when
>> it's behind a router or a firewall?
>>
>> I'm trying to build a simple communications device in Revolution, and
>> I have been looking at some of the demo stacks that are out there.
>> They all work wonderfully, but I occasionally run into the problem of
>> being behind a Wireless Router.
>>
>> My IP address when connected through the router is 192.168.0.7, while
>> the outside world see my IP as 69.179.91.117. Attempting to connect
>> to the public IP address results in nothing.
>>
>> I mean I'm figuring with all the Instant Messengers and P2P programs
>> out there that there's a way to do this. Help!
>>
Don't be confused by the term "P2P". Many of these (e.g. BitTorrent)
will function OK with only outbound connections, and the majority of
users work this way. Those users who need (or want) higher speed access
must either not be behind a NAT, or else use port forwarding to allow
inbound connections.
One other hurdle to watch out for - even if you have port forwarding on
the router, you also need to check for a software firewall on the "server"
machine; if the user is running one of these, it will need to have the
relevant port opened up.
--
Alex Tweedly mailto:alex at tweedly.net www.tweedly.net
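A small simulation of the two ways a directly-sent reply can be dropped, as described in point 1 above (the client's stateful NAT rejecting a source address that does not match the connection, and the server-side ISP's reverse-path filter rejecting a spoofed virtual IP). This is an added example, not code from the thread or from the Linux Virtual Server project; all addresses, the connection-tracking table and the routing table are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


# Constructed documentation-range addresses (assumptions for this example).
CLIENT = "203.0.113.10"       # client's public address, behind a stateful NAT
VIRTUAL_IP = "198.51.100.5"   # advertised virtual IP that the client connects to
REAL_SERVER = "192.0.2.77"    # real server reached through the tunnel, at another ISP


class StatefulNat:
    """Connection tracker: a reply is accepted only if it is the exact
    reverse of a connection the client opened outbound."""

    def __init__(self):
        self.table = set()

    def outbound(self, pkt):
        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def accept_reply(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def rpf_accepts(pkt, arrived_on, routes):
    """Strict reverse-path filtering at the real server's ISP: the packet's
    source address must route back out the interface it arrived on.
    `routes` lists prefixes most-specific first (constructed table)."""
    src = ipaddress.ip_address(pkt.src)
    for prefix, iface in routes.items():
        if src in ipaddress.ip_network(prefix):
            return iface == arrived_on
    return False  # unroutable source address: drop


def simulate(reply_src, isp_does_rpf):
    """Return 'delivered' or the reason the real server's reply was dropped."""
    nat = StatefulNat()
    nat.outbound(Packet(CLIENT, VIRTUAL_IP, 40000, 80))   # client -> VIP
    reply = Packet(reply_src, CLIENT, 80, 40000)          # real server answers directly
    routes = {"192.0.2.0/24": "customer", "0.0.0.0/0": "upstream"}
    if isp_does_rpf and not rpf_accepts(reply, "customer", routes):
        return "dropped by ISP reverse-path filter"
    if not nat.accept_reply(reply):
        return "dropped by client NAT: source does not match connection"
    return "delivered"
```

Replying from the real server's own address always fails at the client's NAT, while replying from the virtual IP only works when the server's ISP does not run RPF.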