Direct connection via internet with private IPs - NAT-T?

Hi

I’ve got a question:

I’ve googled my eyes off on how stuff like p2p and Skype establish a direct connection, without a server, and for example.. both clients are behind a NAT/firewall, so they don’t have a public IP to save their life. They all have internal IPs but at the end of the day, they can connect as if there’s no problem via the internet somehow… :open_mouth:

So can I use 2 routerboards to make a direct connection from A to B via the internet without giving one routerboard a public IP and a VPN connection to the other one?


http://en.wikipedia.org/wiki/Hole_punching

You must know the public ip addresses to contact the other side. Now, the public ip address doesn’t necessarily have to be on the router, because you may have another router ahead of it that is natting the desired router and port-forwarding to the vpn router, but you still need a public ip address to connect to.

If you don’t have static ip addresses, that is fine, you just need to use a dynamic dns service to map the dynamic ip to a hostname.

The router initiating the vpn doesn’t necessarily need a public ip, but it needs to know the public ip of the other side to make a connection.

Skype doesn’t “just work” with private IPs. The Skype server is doing things behind the scenes to make it work. If you try to contact someone, the Skype server that they are already connected to is telling them to go out and connect… you are not contacting them directly with both sides natted.

mkay

I’ve got a VPN server with a dynamic public IP - Side A
and the client is for example 3G - Side B
ok, what if I add another thing and add a - Side C, and that’s another 3G client

so it’s 2x 3G clients that connect to my VPN server, my biggest concern is the data flow? ..I want both clients to connect to the VPN server or something, but they must pass data directly from 3G client to 3G client, just like p2p

or else I will have to pay times 3 the bandwidth cost?

With this setup, the data will flow from [client-A] to [vpn server] to [client-B].

You can’t go directly from [3G-client-A] to [3G-client-B] without passing through the vpn server. But you could set up the vpn server at client-a or client-b location, directly connected to one of the clients, and have the other one connect to that.

With this setup, the data will flow from [client-A] to [vpn server] to [client-B]

Ok, that makes sense.



but you could set up the vpn server at client-a or client-b location, directly connected to one of the clients, and have the other one connect to that.

ok, ..so client-a will be able to see client-b right? if I understand you correctly?


my mission is to create a tunnel from 3G-Client-A to 3G-Client-B without having the need to pass all data via the vpn server first, it may connect to the server to do its magic or something.

tell me then, how does the file sharing protocol work on torrents for example? it definitely doesn’t pass through a server first.

If you want to pass all data directly from 3G to 3G without going through the mikrotik vpn, then you wouldn’t be using the mikrotik at all, and you would need to find another forum to talk about it.

If you connect 3G-A to the mikrotik with a cable, and then let 3G-B connect remotely to the mikrotik, then you have 3G-vpn-3G… except the vpn is physically located at the same place as the 3G so there isn’t an extra location really.

Even with 3 locations, how is it going to charge you extra? Each of the 2 3G will be sending and receiving the same amount of data. You only need an internet connection for that middle vpn guy, which may be what you are talking about with extra cost.

If you want to pass all data directly from 3G to 3G without going through the mikrotik vpn, then you wouldn’t be using the mikrotik at all, and you would need to find another forum to talk about it.

:open_mouth:

RB751 with a USB 3G dongle… that’s my clients’ devices, I’m using mikrotik! ftw


If you connect 3G-A to the mikrotik with a cable, and then let 3G-B connect remotely to the mikrotik, then you have 3G-vpn-3G… except the vpn is physically located at the same place as the 3G so there isn’t an extra location really.

Even with 3 locations, how is it going to charge you extra? Each of the 2 3G will be sending and receiving the same amount of data. You only need an internet connection for that middle vpn guy, which may be what you are talking about with extra cost.

3G-Client-A and 3G-client-B are at remote locations, and the VPN server is at some DIY homemade data center.

why are these 3 locations so hard to understand?


3G-Client-A
3G-Client-B
VPN-Server

example: me sending a 1MB file from 3G-Client-A to 3G-Client-B using VPN

3G-Client-A->1MB out-------------1MB in> VPN-Server ->1MB out----------1MB in> 3G-Client-B

To get 1MB across it took a total of 4MB of bandwidth… :frowning:

if I were able to do a p2p data session, then the total bandwidth would be 2MB, money saved and no need for a silly VPN server to act as a data repeater.
http://en.wikipedia.org/wiki/Peer-to-peer




http://en.wikipedia.org/wiki/3G

I’m not talking about 802.11g

2x 3G “internal IPs”
1x ADSL “dynamic IP”
I’m paying separately for all 3 accounts, each on their own ISPs,



I don’t have a 3G access point yet mate, lol

Each of the 2 3G will be sending and receiving the same amount of data. You only need an internet connection for that middle vpn guy, which may be what you are talking about with extra cost.

shoot me..lol

The third technique, and the one of primary interest in this memo, is
sometimes known as “UDP Hole Punching.” UDP hole punching relies on
well-established NAT conventions to allow appropriately designed
peer-to-peer applications to “punch holes” through NATs and firewalls
and establish direct connectivity with each other, even when both
communicating hosts may lie behind a NAT. This technique was
mentioned briefly in section 5.1 of RFC 3027 [NAT-PROT] and has been
informally described elsewhere on the Internet [KEGEL]. As the name
implies, unfortunately, this technique works reliably only with UDP.


Can’t a mikrotik router do that?

I mean, utorrent and a thousand other applications, including skype! can do that :frowning:



Source:
http://pdos.csail.mit.edu/~baford/nat/draft-ford-natp2p-00.txt
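The draft text quoted above describes the mechanism in words. What follows is an added illustration, not code from the draft, from MikroTik, or from anyone in this thread: an in-memory model of two peers behind two NATs plus a rendezvous server that only learns and hands out the peers’ NAT-translated endpoints and never relays payload. All IP addresses and ports are constructed and no real sockets are opened. The model uses address/port-restricted filtering (inbound is only accepted from a remote endpoint the inside host has already sent to), so it also shows the two things a practitioner runs into: the first datagram is lost before the far side has opened its own hole, and a symmetric NAT (a fresh public port per destination) defeats the technique entirely.

```python
"""In-memory model of UDP hole punching with a rendezvous server.
Added illustration only; all addresses are constructed, no sockets used."""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str


class Nat:
    """NAT/firewall with a binding table and a 'who may talk back' filter.

    symmetric=False: one private socket keeps one public port for every
    destination (endpoint-independent, the behaviour hole punching needs).
    symmetric=True: a new public port per destination, which breaks it.
    Either way, inbound is accepted only from a remote endpoint that the
    inside host has already sent to through that binding.
    """

    def __init__(self, public_ip, symmetric=False):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self._ports = itertools.count(40000)  # constructed port pool
        self.bindings = {}    # mapping key -> public Endpoint
        self.reverse = {}     # public Endpoint -> private Endpoint
        self.permits = set()  # (public Endpoint, remote Endpoint) allowed in
        self.hosts = {}       # private Endpoint -> Host

    def outbound(self, pkt):
        key = (pkt.src, pkt.dst) if self.symmetric else pkt.src
        pub = self.bindings.get(key)
        if pub is None:
            pub = Endpoint(self.public_ip, next(self._ports))
            self.bindings[key] = pub
            self.reverse[pub] = pkt.src
        # The outbound datagram is the 'hole': it authorises replies from pkt.dst.
        self.permits.add((pub, pkt.dst))
        return Packet(pub, pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Deliver to the inside host; False means the NAT dropped it."""
        private = self.reverse.get(pkt.dst)
        if private is None or (pkt.dst, pkt.src) not in self.permits:
            return False
        self.hosts[private].inbox.append(Packet(pkt.src, private, pkt.payload))
        return True


class Host:
    def __init__(self, name, private, nat):
        self.name, self.addr, self.nat, self.inbox = name, private, nat, []
        nat.hosts[private] = self


class Rendezvous:
    """Public server: records the public endpoint each registration came from.
    It never forwards payload, which is the bandwidth point raised above."""

    def __init__(self, addr):
        self.addr = addr
        self.registry = {}  # peer name -> public Endpoint seen by the server

    def receive(self, pkt):
        self.registry[pkt.payload] = pkt.src


class Internet:
    def __init__(self, server, *nats):
        self.server = server
        self.nats = {n.public_ip: n for n in nats}

    def send(self, host, dst, payload):
        """One datagram from host to dst; True if an application receives it."""
        pkt = host.nat.outbound(Packet(host.addr, dst, payload))
        if dst == self.server.addr:
            self.server.receive(pkt)
            return True
        return self.nats[dst.ip].inbound(pkt)


def hole_punch(symmetric=False):
    """Run the exchange; returns (first_a_to_b, b_to_a, retry_a_to_b)."""
    server = Rendezvous(Endpoint("203.0.113.10", 3478))     # constructed
    nat_a = Nat("198.51.100.1", symmetric)                   # constructed
    nat_b = Nat("198.51.100.2", symmetric)                   # constructed
    a = Host("A", Endpoint("10.0.0.5", 5000), nat_a)          # private, constructed
    b = Host("B", Endpoint("192.168.1.7", 5000), nat_b)       # private, constructed
    net = Internet(server, nat_a, nat_b)

    # 1. Both peers register; the server learns each one's public endpoint
    #    and (out of band in this model) tells the other peer about it.
    net.send(a, server.addr, "A")
    net.send(b, server.addr, "B")
    a_pub, b_pub = server.registry["A"], server.registry["B"]

    # 2. A fires first: B's NAT has not seen B send to a_pub yet, so this is
    #    dropped, but it has opened A's side for datagrams from b_pub.
    first = net.send(a, b_pub, "hello from A")
    # 3. B sends to A's public endpoint; A's NAT permits it because of step 2.
    second = net.send(b, a_pub, "hello from B")
    # 4. A retries; B's step-3 datagram opened B's side, so it gets through.
    third = net.send(a, b_pub, "hello again from A")
    return first, second, third


if __name__ == "__main__":
    print("cone NATs:     ", hole_punch())                # (False, True, True)
    print("symmetric NATs:", hole_punch(symmetric=True))  # (False, False, False)
```

Running it prints `(False, True, True)` for the endpoint-independent case and `(False, False, False)` for symmetric NATs. The second result is the practical catch behind the “works reliably only with UDP” remark in the quoted draft: the technique depends on the NAT keeping one public port per inside socket, which is why real applications probe the NAT type first and fall back to a relay (the thing the thread is trying to avoid paying for) when the mapping is per-destination.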

Ok, I understand your question now!

On network A, you need to do a port-forward to the mikrotik from the main public router.

Then, use SSTP to connect the 2 mikrotiks.

This is assuming you have access to the public router at one side to setup the port forward.

How will SSTP be any different from PPTP?

PPTP doesn’t port forward very well, and SSTP is much more secure.

Ok, I thought the same thing about SSTP, it looks more secure



As for:

This is assuming you have access to the public router at one side to setup the port forward.

I dropped the entire router in the DMZ area so everything goes to my routerboard “server side”

But I still don’t see how this is going to enable me to connect p2p style, and using the “server” router just to help out with the addresses if needed, like a middle man, but let the 2 natted routers connect direct, without using my “server” for a data relay.

You have 2 devices. A and B. What is the “server” router you speak of? It’s not needed.

Just 2 devices. A is in the DMZ zone, so simply point B’s SSTP server to the public IP address of the network where A is, and let the port forward take care of it.

This is NOT “p2p style” that you speak of… but I’m still not sure why you are trying to do it that way.

lol mate, I think we’re getting confused here with all the examples we made, I’m just doing some experiments because mikrotik is awesome, and I want to try everything in it, I have been waiting for years now.

example 1:
2 remote natted clients that connect to a public server, can be done. easy!

and 1 natted client that connects to a public server, I’m running it right now as we speak.

but… I want to connect 2 natted routerboards together, and it’s natted by the ISP, both running 3G mobile internet, so it doesn’t have a dedicated public IP, both got a shared IP, and that’s what I meant by p2p style. I want to connect em up, …and maybe… if it can’t be done, I want to use the aid of a public server if needed, does this exist on mikrotik routerboards?

I can’t connect from the public IP routerboard side to the 3G routerboard side, but the other way around, it works 100%

so in other words, I can’t host anything from the 3G routerboard side, it doesn’t wanna connect :confused:

Using SSTP or whatever tunnel, once you make a 1-way connection, it will work BOTH ways. You just have to always have device A make the connection to device B… and then they can talk both directions THROUGH that connection.

Using SSTP or whatever tunnel, once you make a 1-way connection, it will work BOTH ways.

ain’t that wonderful! :slight_smile: but one got to have a public IP, and that’s a fact

but there’s so many applications that can connect directly behind firewalls, like file sharing applications, they blast some fancy UDP packets with modified headers, they don’t work with any! data relay server, and yet they still connect up, and that’s what I also wanna do with mikrotik if possible.

I’ve seen so many fancy words on what its called, but no guide or useful details online


I want to make a 2-way connection with some connections that don’t allow any incoming connections :open_mouth:

sounds like you’re talking about UPnP. Also, it might help to draw out a diagram in Visio or something..