FEATURE REQUEST: full cone NAT

Please support full cone NAT

With a full cone NAT router, we can run multiple PC/PS4 games in the same LAN as multiple team masters in games like “Monster Hunter: World”.
Now, with symmetric NAT, uPNP, static DNAT and the like, we can only create one team master.

https://tools.ietf.org/html/rfc3489

https://github.com/Chion82/netfilter-full-cone-nat
https://github.com/LGA1150/openwrt-fullconenat

Full cone NAT:
“A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.”

Symmetric NAT:
“A symmetric NAT applies restrictions exactly the same way as a port restricted cone NAT but handles the NAT translation differently. All types of NAT discussed so far don’t change the source port when NATing connections. For example when a client accesses the Internet using IP 192.168.0.1 and source port 56723 NAT changes the source IP to say 56.35.67.35 but keeps the port number the same; this is known as port preservation. A symmetric NAT NATs ports to new randomly generated ones. This even applies to connections from the same client to different destinations. It’s said that Symmetric NAT is more secure.”

Deploy IPv6 and be free of headaches.

Plenty of ISPs don’t offer IPv6 (sadly).

Then you as a customer, together with other customers, should say “no” and demand IPv6, or you’ll go elsewhere. The tricky part is how to increase your numbers above around five people. And then there’s the tough decision, if you’re really prepared to live without internet, when the ISP also says “no”.

Don’t get me wrong, I actually like IPv6, but…

PS4/PC games like MONSTER HUNTER: WORLD do not support IPv6,

and you cannot make all players use IPv6

Yes. Good Idea. Sell everything and move to another town or city where there is more than one ISP available. Or maybe even another country.

Sometimes it is what it is and you have no choice but to work with what you have.

The issue is a lot of ISPs don’t NEED IPv6 and it provides no real advantage for an average customer. If an ISP offers cheap fiber and subsells its resources to other smaller ISPs, you have no choice really…
For example, where I used to live there were essentially 3 services: dirt cheap & good fiber w/o IPv6, cheap coax w/ CGN and no IPv6, crappy ADSL w/ IPv6. Well, fiber it is.

If you also read the other half of my post, to quote myself:

then I think it’s clear that I’m aware of how frustrating the current state of things is. If not, then I’m stating it explicitly: it’s very bad.

And I’m afraid that what you write is not completely true. It seems that the average customer doesn’t need IPv6. But it’s only because the world spent twenty years working around NAT, which is a useful thing, but no real solution (that effort should have been spent on polishing IPv6).

There are millions of average users who are unhappy, because their XBox has trouble connecting with others, who can’t forward a port to their NAS or something, who have to rely on “clouds”, or in other words be at the mercy of someone who runs them, etc. All these people would benefit from IPv6, only they have no idea that it exists. ISPs are the ones who must do something. After all, they are supposed to be the professionals who know about these things and should provide the best service to their customers. But in reality…

Regarding Full Cone NAT, I don’t know about others, but most people around me who use RouterOS are using it as a home router. And for home routers, the highest network requirement is to play games, such as XBox, PS5, and Switch. These games mainly use the network for online gaming, and when you play online, it requires port mapping. Different people who use RouterOS do not know how to set up port mapping. Of course, people have developed DMZ and uPNP functions for this, but in the end, you will find that these do not solve the problem effectively. That’s why Full Cone NAT appeared.

Full Cone, also known as NAT1, is the most relaxed NAT UDP conversion method, which can solve the port mapping problem for most people. External devices can actively send messages to devices in the NAT1 network. All requests from the same internal IP and port number Endpoint1 will be mapped to the same external IP and port number Endpoint2, and any external host can send packets to this internal host through the mapped Endpoint2. That is, all packets sent from the outside to Endpoint2 will be forwarded by NAT to Endpoint1. There are no restrictions on the source of external requests. Many online games need this functionality.

More and more home routers are starting to support Full Cone NAT, and users only need to turn on this option to solve the online gaming problem. I think RouterOS should also follow this.

Some may say that there is no such trouble with IPv6, but you have ignored one problem. Some games need Full Cone NAT because your online gaming is not through a server, but is peer-to-peer. Then if you want to play IPv6 with the other person, you need to let the person who is playing with you also have IPv6, and his IPv6 is not NAT. If his IPv6 is NAT, I’m sorry, you will not be able to send the game’s UDP data to him unless he does the correct port mapping.

For some technical aspects of Full Cone NAT, you can see some implementations at the following link; I hope it will be helpful.
https://github.com/Chion82/netfilter-full-cone-nat

With more and more MikroTik home routers (hAP ax2, RB5009), and the Audience AX that I still look forward to, I believe supporting Full Cone NAT will be a good thing for every RouterOS user at home.

It looks a lot like you are tasking MikroTik with solving problems that actually are the problem of your game and/or the ISP.
I guess that will not fly.

I don’t think so. If you want “one button” solution then buy other SOHO brands.
If you want to have full control over “what is behind the scenes” then you should get lessons on configuring routers.

Some games need Full Cone NAT because your online gaming is not through a server, but is peer-to-peer.

So “one button” should open the security Pandora’s box?

Of course we are. We, the ISP, buy the MikroTik gear precisely BECAUSE it fixes the ISP issues, like:
“I need a core switch” - enter CRS317 for the save
“I need a router with a stable and performant BGP implementation” - enter CCR2xx/ROS7
“I need to firewall port 25 at the ISP level, due to longstanding policy/implementation issues on all sides” - enter CCR1036 to firewall tens of gigabytes of through-traffic…

  • we most definitely don’t buy this gear because the routers make for cute paperweights.

The need to somehow fix certain deficiencies of general CPE and application-layer (read: shitty network stack in games) issues arises because that’s the part of the network that’s under OUR (the ISP) purview.

We cannot fix the game,
cannot fix the customer’s internal network,
cannot force them to only buy good gear properly configured by us,
and simply there are not enough man-hours to set up port forwarding for every single customer, with different CPE/firmware/bugset.

So, a “standard” solution that takes pressure off and frees resources at the ISP level, so we can focus on other stuff, is very much welcome.
By the way, I deliver FIXED IPv6 for my whole customer base; it’s free/included in the package, and enabled by default.

They don’t care, cause their shit PS4/Xbox won’t play their games, and it’s obviously the ISP’s fault that we don’t pull IPv4 address space from our tails and magically “Just enable UPnP” like the crappy guide provided by “Sony/Microsoft” states “we should do”.

So yeah,
“Full-cone”, codified by RFC3489
“PCP”, codified on RFC6887
and/or anything else that can be used to de-crapify the edge deficiencies at the ISP-core level (therefore improving the user experience / usability of the actual network)
are very welcome additions in the Mikrotik/ISP toolset.

Any modern competitive game uses client-server approach, for others mostly uPnp is enough, so it is only some edge cases that would benefit from cone NAT.

But at least you can give every customer IPv6.

Lack of PCP support breaks Upnp at the CGN level.

Does Mikrotik have plans to implement this in the future?

Well we do!

But application support is nigh non-existent (especially when talking games/consoles).
Basically all IPv6 traffic is either from/to Netflix, Meta, or Google.

All the other good stuff either relies on manual port mapping, deterministic NAT/STUN/Full Cone, or UPnP.

When games want to have peer-to-peer communication between devices, they should support IPv6.
Even when MikroTik would support the required NAT, part of the customers would be out of luck because they are behind another NAT layer (at the ISP).

100% Agreed on principle

In practice, unfortunately, we don’t get to force the billion dollar companies to get their IPv6 act together.

And for the end-user, “the internets” and “magic!” are indistinguishable from each other.
So we get the heat, and the mandate to somehow “unbreak” post-NAT IPv4.

If we (from an ISP standing) get the tools to minimize customer crying, all parties get happier, fewer service calls are needed, whilst we continue to bad-mouth Micro$oft and Sony in the IPv6 arena.

PCP and “FullCone NAT” are our friends in the short-to-medium term.

As users, why do ordinary users reject IPv6?
Taking RouterOS as an example, the AAAA resolution problem was not resolved until version 7.8rc1. Before that, if you turned on IPv6, your streaming media would have various problems, such as interruptions while playing. This type of problem is also very common in other home routers. In the general perception, if there is a problem with your home network, such as network congestion, turning off IPv6 will solve the problem. If the video playback is incorrect, turn off IPv6. In short, all problems with your home network can be solved by simply turning off IPv6, returning to the state where there were no problems.

As a common occurrence, most users reject IPv6. For RouterOS, the AAAA resolution issue was only resolved in version 7.8rc1. Before this, if IPv6 was enabled, users would experience various issues with streaming media, such as frequent interruptions. This type of issue is also very common among other home routers, where users perceive any network slowdowns as a result of IPv6, and simply turn it off to resolve the problem. Any video playback errors? Turn off IPv6. In short, any problems with a home network can be resolved by simply turning off IPv6.

This has become a common phenomenon, and even among ISPs who offer IPv6, it is not as wonderful as people imagine. With most ISPs that provide dynamic IPs, when you get a new IPv4 address, you also get a new IPv6 prefix, and the old prefix becomes invalid. This means that your IPv6 prefix is also dynamic.

So, it is often the case that a problem occurs where the customer’s device uses an invalid IPv6 address to access the internet, causing problems. This is the same with RouterOS, but the problem was not resolved until RouterOS supported IPv6 NAT and could be resolved through configuration. Similar problems abound in IPv6; it can only be said that IPv6 is still too young, or the configuration of IPv6 is not yet perfect.

So in this case, the user’s device will continue to use the outdated and invalid IPv6 prefix, resulting in issues accessing the internet. This is because the ISP informed the user that the IPv6 prefix is only valid for three days, but if the user updates their IPv4 address within that three-day period, they will receive a new IPv6 address and the old IPv6 prefix will become invalid.

Some people may say that the issue can be solved by advertising invalid delegated prefixes. However, only a few routers support this feature, including RouterOS, which does not support advertising invalid delegated prefixes. Furthermore, advertising invalid delegated prefixes requires client support, meaning that the client receiving the broadcast needs to respond to it.

I want to understand what the difference is between MT’s NAT implementation and the “Full Cone” implementation.

From here:
https://www.networkacademy.io/ccie-enterprise/sdwan/tlocs-and-nat

A full-cone is one where all packets from the same internal IP address are mapped to the same NAT IP address. This type of address translation is also known as One-to-One.

99% of all home users have only one public IP. So that’s what the basic SNAT/masquerade rule does.

Additionally, external hosts can send packets to the internal host, by sending packets to the mapped NAT IP address.

I understand this that way: if you request the public IP (from any public IP) with any random port (high port?), it will get DNATed to the specified internal IP.
AFAIK that’s what “Exposed Host” does on so many SOHO routers? A simple DNAT rule does the same on MT.

I can’t figure out what the difference is :frowning:
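To make the distinctions in this thread concrete (the full cone and symmetric NAT quotes at the top, the “only one team master” point, and the last post’s question about a plain DNAT/exposed-host rule), here is an added Python model that is not from any poster, from RouterOS, or from the linked netfilter module; the NAT behaviours follow the RFC 3489 definitions, while the addresses, port 3074, and the sequential (rather than random) port pool are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy UDP NAT with the mapping/filtering rules of the RFC 3489 types (constructed model)."""
    kind: str                       # "full_cone", "port_restricted" or "symmetric"
    public_ip: str = "203.0.113.1"  # constructed public address
    mappings: dict = field(default_factory=dict)  # key -> (external port, set of peers contacted)
    next_port: int = 40000          # simplification: sequential pool instead of random ports

    def outbound(self, src, dst):
        """Internal (ip, port) sends to external (ip, port); returns the external (ip, port) used."""
        # Cone NATs map by internal endpoint only; symmetric NAT maps per (internal, destination).
        key = src if self.kind != "symmetric" else (src, dst)
        if key not in self.mappings:
            taken = {port for port, _ in self.mappings.values()}
            # Cone NATs try port preservation and fall back to the pool on a collision.
            preserve = self.kind != "symmetric" and src[1] not in taken
            port = src[1] if preserve else self.next_port
            self.next_port += not preserve  # consume a pool port only when one was handed out
            self.mappings[key] = (port, set())
        port, peers = self.mappings[key]
        peers.add(dst)
        return (self.public_ip, port)

    def inbound(self, src, ext_port):
        """External src sends to (public_ip, ext_port); returns the internal endpoint or None."""
        for key, (port, peers) in self.mappings.items():
            allowed = (self.kind == "full_cone"                              # any external host
                       or (self.kind == "port_restricted" and src in peers)  # only hosts already contacted
                       or (self.kind == "symmetric" and key[1] == src))      # only the mapped destination
            if port == ext_port and allowed:
                return key if self.kind != "symmetric" else key[0]
        return None

CONSOLE_A, CONSOLE_B = ("192.168.88.10", 3074), ("192.168.88.11", 3074)  # constructed LAN hosts
MATCHMAKING, NEW_PEER = ("198.51.100.5", 3478), ("198.51.100.9", 3074)   # constructed external hosts

def unsolicited_peer_reaches_console(kind):
    """Console registers with matchmaking; a peer it never contacted then sends to the mapped port."""
    nat = Nat(kind)
    _, ext_port = nat.outbound(CONSOLE_A, MATCHMAKING)
    return nat.inbound(NEW_PEER, ext_port)

def two_consoles_full_cone():
    """Two consoles both bound to port 3074 behind full cone NAT each get their own reachable port."""
    nat = Nat("full_cone")
    port_a, port_b = nat.outbound(CONSOLE_A, MATCHMAKING)[1], nat.outbound(CONSOLE_B, MATCHMAKING)[1]
    return port_a, port_b, nat.inbound(NEW_PEER, port_b)
```

The contrast with a single DNAT/exposed-host rule is that such a rule sends every unsolicited packet to one fixed internal host, whereas the full cone model gives each internal endpoint that has sent traffic its own externally reachable port, so two consoles on port 3074 can both be reached; the price is that any external host can use those mappings, which is why a port-restricted or symmetric NAT drops the same packet.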