NAT - How
-
Hi All,
My Objective is to simulate all four types of NAT as defined here. Simulating the various kinds of NATs can be done using pfsense. In these examples, eth0 is the private network and eth1 is the public network.
Full-cone:
Restricted cone:
Port-restricted cone:
Symmetric:
Any suggestions will be most helpful.
-
PF's NAT is sort of a combination of port-restricted cone NAT and symmetric NAT. It supports neither full cone nor restricted cone, both of which should be considered insecure.
-
Hi,
Thanks so much for this info.
I'm trying to check which NAT I'm behind using a STUN server. The STUN server doesn't recognize the NAT and doesn't return any answer.
Any suggestion how I can check it? I have installed the latest pfSense version; I didn't touch the default rules. Thanks in advance.
-
"The STUN server doesn't recognize the NAT and doesn't return any answer."
Hmmm - so I just did a simple test to stunserver.org from behind pfSense 2.1 from my Ubuntu test box
And I got this
stunc stunserver.org -b -r -n
stunc: Binding to local port 25236.
assign_socket: local socket is bound to 0.0.0.0:25236
stunc_bind_cb: stun_discovery_done
stunc_bind_cb: local address NATed as 24.13.xx.xx:22343
stunc_nattype_cb: stun_discovery_done
stunc_nattype_cb: NAT type determined to be 'Symmetric NAT (address and port dependent filtering, endpoint dependent mapping)' (9).
So it seems to report the NAT type to me? You're saying you're not getting anything back? Then I would assume you have a connectivity issue.
It reported my public IP correctly, just snipped out for privacy.
-
Hi,
Thanks for the test and the quick reply. My testing environment is isolated from the internet, so I will try to check it against the public STUN. I tried to test it against a private STUN server I built.
I was wondering, so the default NAT type after a fresh pfSense installation is Symmetric? Am I correct?
If I need to change it to Port-Restricted Cone, do you know which steps I need to configure? Thanks in advance.
-
Change over to manual outbound NAT, and edit the rule to use static source port.
stunc stunserver.org -b -r -n
stunc: Binding to local port 54532.
assign_socket: local socket is bound to 0.0.0.0:54532
stunc_bind_cb: stun_discovery_done
stunc_bind_cb: local address NATed as 24.13.xx.xx:54532
stunc_nattype_cb: stun_discovery_done
stunc_nattype_cb: NAT type determined to be 'Port Restricted Cone NAT (endpoint independent mapping)' (6).
-
Hi,
Thanks so much for the efforts and for the quick & professional answer/explanation. I think your settings have made it.
I installed a local STUN server in my lab; do you know if the answer I'm getting from the STUN server (in-house) reflects Port-Restricted Cone:
"Primary: Independent Mapping, Port Dependent Filter, preserves ports, no hairpin
Return value is 0x000017"
Thanks in advance,
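The two terminal outputs above (a mapped port that changes between runs versus one that equals the local port once static source port is on, and the in-house server's "Independent Mapping ... preserves ports" summary) are the mapping side of the classic STUN NAT-type test. The script below is an added example, not code from this thread, from pfSense, from sofia-sip's stunc, or from the sourceforge STUN project: it builds an RFC 5389 Binding Request, parses the Binding Response (XOR-MAPPED-ADDRESS, with a fallback to the older RFC 3489 MAPPED-ADDRESS that servers like the sourceforge stund return), and then classifies mapping behaviour from the addresses two different server endpoints report for the same local socket. Function names, the 203.0.113.5 address and the sample responses are constructed for the demo; `probe` is the only part that touches the network and is only called if you pass it a server of your own.

```python
import os
import socket
import struct

# RFC 5389 constants (the magic cookie doubles as the first 4 bytes of an
# RFC 3489 transaction ID, so old servers simply echo it back).
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # RFC 3489 style, plain address
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 style, XORed with the cookie


def build_binding_request(txn_id=None):
    """Return (wire bytes, transaction id) for a Binding Request with no attributes."""
    if txn_id is None:
        txn_id = os.urandom(12)            # 96-bit random transaction ID
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id), txn_id


def build_binding_response(txn_id, ip, port):
    """Constructed server reply carrying XOR-MAPPED-ADDRESS (used for the offline demo)."""
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    xport = port ^ (MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHxBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0x01, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr


def parse_binding_response(data, expected_txn_id):
    """Return the (ip, port) the server saw us as; raise ValueError on anything malformed."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie, txn_id = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or txn_id != expected_txn_id:
        raise ValueError("cookie/transaction id mismatch (not a reply to our request)")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding Success Response: 0x%04x" % msg_type)
    body = data[20:20 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated body")
    plain = None
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        off += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and attr_len == 8:
            family, xport, xaddr = struct.unpack("!xBHI", value)
            if family == 0x01:             # IPv4 only in this example
                ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
                return ip, xport ^ (MAGIC_COOKIE >> 16)   # XOR form wins when present
        elif attr_type == ATTR_MAPPED_ADDRESS and attr_len == 8 and plain is None:
            family, port, addr = struct.unpack("!xBHI", value)
            if family == 0x01:
                plain = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    if plain is None:
        raise ValueError("no mapped address in response")
    return plain


def classify_mapping(local_port, mapping_a, mapping_b):
    """mapping_a/mapping_b: (ip, port) reported by two different server endpoints
    for the same local socket. Returns (mapping behaviour, port preserved?)."""
    behaviour = ("endpoint independent mapping" if mapping_a == mapping_b
                 else "endpoint dependent mapping")
    return behaviour, mapping_a[1] == local_port


def probe(server, port=3478, local_port=0, timeout=2.0):
    """Send one Binding Request from a fresh UDP socket; returns (local port, mapping)."""
    req, txn = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", local_port))
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        data, _ = s.recvfrom(2048)
        return s.getsockname()[1], parse_binding_response(data, txn)


if __name__ == "__main__":
    # Offline demo with constructed replies. Case 1 mirrors the static-source-port
    # run: both servers see the same mapping and the port equals the local port.
    txn = bytes(range(12))
    seen = parse_binding_response(build_binding_response(txn, "203.0.113.5", 54532), txn)
    print(seen, classify_mapping(54532, seen, seen))
    # Case 2 mirrors the default run: each destination gets its own mapping.
    a = parse_binding_response(build_binding_response(txn, "203.0.113.5", 22343), txn)
    b = parse_binding_response(build_binding_response(txn, "203.0.113.5", 40001), txn)
    print(classify_mapping(25236, a, b))
```

To run it against a real server, call `probe()` twice from the same local port (the `local_port` argument) against two different server addresses or ports and hand both results to `classify_mapping`; the filtering half of the test (whether unsolicited packets from a new source get through) needs a server that can answer from a second address, which this example does not implement.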
-
Not really a STUN expert by any means - what server are you running? I could prob install it on one of my VPSs and then test to it.
Does the manual for the server you're running detail the different responses? Not sure what hairpin would mean; the others seem clearer in name than "hairpin". What client are you using?
What I do know is that the returned values are not always perfect. My reading says to take them as hints to the type of NAT, not gospel.
-n Perform a STUN binding type check. Notice that the results are only
hints. Nondeterministic behaviour, resource exhaustion, or reboots
of network elements can cause changes in NAT behaviour between
successive runs of stunc.Can you do a test to stunserver.org what does it return?
My version of stunc says
sofia-sip-1.12.11devel -
Hi,
I'm using a standard STUN client/server, http://sourceforge.net/projects/stun/.
I'm not sure if the info from the STUN client is correct. Thanks