Reading notes (what is the solution for intranet penetration): the use of intranet penetration, and the principle of intranet penetration in detail (reprinted)

At the beginning, I would like to express my gratitude to Bilibili uploader @ Love Xuemiao; I gained a very clear understanding of the principle of NAT traversal from his video. This article is reprinted. If you are interested, you can go to the original post and give it a like. Link to the original article: "The most detailed intranet traversal principle on Bilibili, you can understand it, it is all dry goods!" www.bilibili.com/read/cv6189209

Since we want to talk about intranet penetration, NAT is an unavoidable topic. Pure one-to-one NAT fell out of use many years ago, and what is deployed today is almost always NAPT (network address and port translation), so the NAT mentioned below refers to NAPT. The basics of NAT are not described here in much detail: NAT simply establishes a mapping between an IP and port on the external network and an IP and port on the internal network. If you do not already have this background, you can refer to the video by Bilibili uploader @ Love Xuemiao.

What is the principle of port mapping, how to achieve intranet penetration, how to get a LAN online, and how to gracefully access home computers from outside (bilibili video): www.bilibili.com/video/BV1tQ4y1P7Gt

With regard to NAT, I think the focus of this article should be on the types of NAT. NAT can be divided into cone NAT and symmetric NAT. Cone NAT is further divided into full cone and restricted cone, and restricted cone is divided into IP-restricted cone and port-restricted cone. Drawn as a diagram, it looks like the following.

If the intermediate levels of the classification are removed, the NAT types are symmetric, full cone, IP-restricted cone and port-restricted cone, which are the ones circled in red in the figure below. Let's go through these types in detail.

Assume the following:

- public server1: IP 1.1.1.1, listening port 1111
- public server2: IP 2.2.2.2, listening port 2222
- NAT gateway: IP 3.3.3.3
- intranet computer A behind the NAT that needs to be reached: intranet IP 192.168.0.2

At this moment, A (192.168.0.2:100) has established a connection with server1 (1.1.1.1:1111) through the NAT gateway (3.3.3.3:200).

Full cone: once a NAT mapping has been established in the NAT gateway, any external machine can reach the intranet computer through that mapping. For example, if server2 wants to communicate with A at this moment, it only needs to send packets to 3.3.3.3:200; the NAT gateway will receive them and forward them to the internal 192.168.0.2:100.

If A actively uses the same local port to connect to a different server, or to the same server again, the NAT mapping will also keep using the same external port. For example, if A wants to use port 100 to connect to server2, the NAT gateway will still map 3.3.3.3:200 to 192.168.0.2:100 instead of choosing a new external port for port 100. If this is not clear yet, read on; it will make more sense when compared with symmetric NAT below.

This point is the same for all cone NATs and is the defining characteristic of a cone NAT; the two cone types below share it. It is stated once here and not repeated below, so please keep it in mind.

IP-restricted cone: once a NAT mapping has been established in the NAT gateway, only the IP address that the mapping was established with can reach the intranet computer through the NAT.

For example, if server1 wants to establish another connection with A from port 1112, it only needs to send data to 3.3.3.3:200, and the NAT will forward it to 192.168.0.2:100 as normal. But if server2 wants to establish a connection with A at this moment, then because A has never communicated with server2 before, any data server2 sends to 3.3.3.3:200 will be discarded by the NAT gateway.

Port-restricted cone: although this type is called port-restricted cone, it is restricted not only by port but also by IP. It can be understood as the IP-restricted cone with an additional port restriction, that is, both the IP and the port must match. Following the example above, if server1 now wants to establish a connection with A from port 1112, it will not work because the port is restricted: only data sent from 1.1.1.1:1111 will be forwarded by the NAT gateway.

Symmetric NAT: it can be seen that the restrictions of the three types above become stricter and stricter. Following this idea, the restrictions of symmetric NAT are the strictest. First, symmetric NAT behaves like the port-restricted cone in that both IP and port are restricted: only data sent from the IP and port with which the connection was established is not discarded.

As we said above, the characteristic of a cone NAT is that if A uses port 100 to communicate with another server on the external network, the port bound on the NAT gateway is still 200: one external port communicates with many external servers. This is also the origin of the name "cone". Symmetric NAT does not behave this way.

When A actively uses the same local port to establish a connection with a different server, or with a different port of the same server, the NAT gateway allocates a new external port for it. For example, we said at the beginning that A (192.168.0.2:100) has established a connection with server1 (1.1.1.1:1111) through the NAT gateway (3.3.3.3:200). Now suppose A (192.168.0.2:100) wants to establish a connection with server2 (2.2.2.2:2222). With a cone NAT, the NAT gateway would keep using the previously established mapping (3.3.3.3:200 to 192.168.0.2:100). With a symmetric NAT, the NAT gateway randomly allocates a new port (for example 300) and establishes a new mapping (3.3.3.3:300 to 192.168.0.2:100). Note that the NAT gateway now holds two mapping rules, namely:

3.3.3.3:200 maps to 192.168.0.2:100, and 3.3.3.3:300 maps to 192.168.0.2:100. That is, server1 communicates with 3.3.3.3:200 and server2 communicates with 3.3.3.3:300, but after the NAT gateway forwards them, both sets of packets end up at 192.168.0.2:100.

It should be noted that intranet computer A always communicates with the outside world through its port 100; the two mapping rules are established by the NAT gateway. Computer A knows nothing about ports 200 and 300 and believes it is talking to the outside world through port 100. From the perspective of the two external servers, they also do not know that they are both communicating with host A; they believe they are communicating with different ports of the NAT gateway (3.3.3.3).

We know that the purpose of intranet penetration is to connect two hosts that are both behind NAT, which is why the four NAT types were introduced above. Combining them in pairs gives 10 combinations in total. Different combinations require different penetration methods, and two of the combinations cannot penetrate at all. (Of course, relaying the whole session through a server always works, but that method is not considered here. There are also some techniques that attempt to penetrate these two combinations, but they are immature and have a low success rate. I personally believe they will not mature in the future either, because the inability of these two combinations to penetrate is a logical consequence of NAT's design: these two penetration cases were simply never considered when NAT was designed.) The figure below lists the combinations and whether each can penetrate.

There are three basic approaches to intranet penetration. Every combination that can be penetrated uses one of these three approaches, or a slight extension of one of them. First, some preparation: intranet penetration connects two networks that are both behind NAT, so suppose one NAT gateway is A and the other NAT gateway is B.

In addition, intranet penetration requires the help of a central server. Both A and B first connect to this central server. Here the central server is assumed to be called server1, so the topology is roughly as follows.

The first approach: full cone NAT to full cone NAT. Assume both A and B are behind full cone NAT. After both have connected to server1, A and B can exchange messages with each other through server1's forwarding. At this point A and B each learn the other's public IP address and the port the other used when connecting to server1 (assume 100). Because the ports both sides use to talk to server1 have already been NAT-mapped (otherwise they could not communicate), port 100 on each side already has a mapping, and because both sides are behind full cone NAT, A only needs to send a connection request directly to B's port 100, and B replies to A's port 100 to accept the request. The two can then establish a UDP connection. (Of course, establishing a UDP connection is more involved than this, but the focus of this article is not on how to establish a UDP connection.)

The second approach: IP-restricted NAT to IP-restricted NAT. Assume both A and B are behind IP-restricted NAT. After both have connected to server1, A and B can exchange messages with each other through server1's forwarding. A first sends a UDP request (from its own port 100 to target port 200) to B's public IP. In theory, because port 200 on B's NAT gateway has no NAT mapping yet, this packet will be discarded. However, after sending the UDP request to B, A sends B an invitation through server1, asking B to send a UDP request to A (this time B's own port is 200 and the target port is 100).

Note what happens when A's UDP request reaches B: although B's gateway discards A's packet, gateway A has temporarily established a NAT mapping and is waiting for B's reply. A does not know its packet was discarded, so it waits for a while. Meanwhile B receives A's invitation and sends a connection request to A. At this moment A's NAT gateway happens to hold that temporary mapping, so A receives B's UDP request, and A then sends B a reply accepting the connection. Because B has just sent its request and is waiting for A's reply, B's NAT gateway has also temporarily established a NAT mapping, so A's acceptance is not discarded by B's NAT gateway. Finally, the two establish a stable UDP connection.

The third approach, port-restricted NAT to port-restricted NAT, works on the same principle as the second. With these three ideas we can complete intranet penetration without a server relaying traffic the whole time. So why can't symmetric NAT reuse the idea of "IP-restricted NAT to IP-restricted NAT" for symmetric-to-symmetric penetration?

Take a closer look. In the second approach, A invites B to send it a UDP request, and in the invitation A states the target port for B's UDP request. Because in a cone NAT the mapping between a port of host A and the NAT gateway is fixed, host A knows which external port is open when it sends a request to B through server1, and also knows which port B should send to. With symmetric NAT, however, each connection corresponds to a different port on the NAT gateway, so host A cannot determine which external port its packet to B will use, nor which port B will use when sending to it, and the two cannot establish a connection.

So why can't port-restricted NAT and symmetric NAT penetrate? Because the port-restricted type requires the port to match, but we cannot determine which port the symmetric side will be allocated, so communication cannot be established. At present, the best-known method is to attempt 65535 UDP connections between the computer behind port-restricted NAT and the computer behind symmetric NAT; since 65535 covers every port number, one of them is always the right port.

But in this way almost all the ports are occupied in an instant, which may leave the computer behind the symmetric NAT no capacity to process normal TCP connections, consumes a lot of resources, and still has a very low connection success rate, so we usually consider these two types unable to penetrate. Finally, which type of NAT is your own network behind? At present, home routers (including the optical modem supplied with broadband service) use full cone NAT, but the upstream equipment room generally uses symmetric NAT for public safety. That is to say, most of us are effectively behind symmetric NAT, which is why penetrating the intranet is so difficult.
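To make the four NAT types and the combination table above concrete, here is an added example that is not part of the original article or the uploader's material: a small Python model of a NAPT gateway that allocates external ports and filters inbound packets the way each type does (keyed on the internal endpoint for cone types, on the internal endpoint plus destination for symmetric), followed by a hole-punching trial that follows the three steps of the second approach (send, invite through server1, reply to the source actually seen). It goes slightly beyond the text by trying both sides as the initiator, since with an IP-restricted and a symmetric peer only one order works. All addresses, ports and the server name are constructed values.

```python
"""Model of the four NAT types plus a UDP hole-punching trial between two of
them.  Added example for this page, not the original author's code; every
address and port below is a constructed value."""
import itertools

FULL_CONE, IP_RESTRICTED, PORT_RESTRICTED, SYMMETRIC = "full", "ip", "port", "sym"
ALL_TYPES = (FULL_CONE, IP_RESTRICTED, PORT_RESTRICTED, SYMMETRIC)


class NAT:
    """A NAPT gateway: maps internal (ip, port) to an external port and filters
    inbound packets according to its type."""

    def __init__(self, kind, public_ip, first_port=40000):
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = first_port   # deterministic stand-in for "random" allocation
        self.ext_port = {}            # mapping key -> external port
        self.internal = {}            # external port -> internal (ip, port)
        self.allowed = {}             # external port -> set of remote (ip, port) contacted

    def outbound(self, src, dst):
        """Internal src sends to public dst; returns the external endpoint used."""
        # Cone types key the mapping on the internal endpoint only, so A:100 keeps
        # one external port.  Symmetric keys on (src, dst): a fresh port per peer.
        key = (src, dst) if self.kind == SYMMETRIC else src
        if key not in self.ext_port:
            self.ext_port[key] = self.next_port
            self.internal[self.next_port] = src
            self.allowed[self.next_port] = set()
            self.next_port += 1
        port = self.ext_port[key]
        self.allowed[port].add(dst)   # remember who this mapping has talked to
        return (self.public_ip, port)

    def inbound(self, src, ext_port):
        """Public src sends to self.public_ip:ext_port; returns the internal endpoint
        the packet is forwarded to, or None if the gateway drops it."""
        if ext_port not in self.internal:
            return None                            # no mapping at all
        if self.kind == FULL_CONE:
            return self.internal[ext_port]         # anyone may use the mapping
        if self.kind == IP_RESTRICTED:
            ok = any(ip == src[0] for ip, _ in self.allowed[ext_port])
        else:                                      # port-restricted and symmetric
            ok = src in self.allowed[ext_port]
        return self.internal[ext_port] if ok else None


SERVER1 = ("1.1.1.1", 1111)   # rendezvous server both sides contact first (constructed)


def punch(init_kind, resp_kind):
    """One hole-punching trial with fresh gateways; the initiator I sends first."""
    nat_i, nat_r = NAT(init_kind, "3.3.3.3"), NAT(resp_kind, "4.4.4.4")
    host_i, host_r = ("192.168.0.2", 100), ("10.0.0.2", 100)
    # Both sides register with server1, which learns their reflexive (public)
    # endpoints and relays them to the other side.
    i_pub, r_pub = nat_i.outbound(host_i, SERVER1), nat_r.outbound(host_r, SERVER1)
    # Step 1: I sends to R's reflexive endpoint; this opens I's mapping toward R.
    i_src = nat_i.outbound(host_i, r_pub)
    if nat_r.inbound(i_src, r_pub[1]) is not None:
        r_src = nat_r.outbound(host_r, i_src)      # R got it and simply replies
        return nat_i.inbound(r_src, i_src[1]) is not None
    # Step 2: invited via server1, R sends to I's reflexive endpoint.
    r_src = nat_r.outbound(host_r, i_pub)
    if nat_i.inbound(r_src, i_pub[1]) is None:
        return False                               # blocked in both directions
    # Step 3: I answers the source address it actually saw.
    i_src = nat_i.outbound(host_i, r_src)
    return nat_r.inbound(i_src, r_src[1]) is not None


def can_traverse(kind_a, kind_b):
    """Traversal succeeds if either side can play the initiator."""
    return punch(kind_a, kind_b) or punch(kind_b, kind_a)


def combination_table():
    """All 10 unordered pairs of NAT types with the simulated outcome."""
    return {pair: can_traverse(*pair)
            for pair in itertools.combinations_with_replacement(ALL_TYPES, 2)}


if __name__ == "__main__":
    for pair, ok in combination_table().items():
        print(f"{pair[0]:>4} + {pair[1]:<4} -> {'ok' if ok else 'cannot traverse'}")
```

Running the script prints the ten combinations; in this model exactly the two the article names (port-restricted with symmetric, and symmetric with symmetric) fail, because the symmetric side's fresh external port is never known to the other gateway in advance. The model deliberately ignores mapping timeouts, so the "wait a while" window of the second approach is treated as always open.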

At the end of the article, thank you again to Bilibili uploader @ Love Xuemiao. This article has been reprinted with the author's authorization and is kept here only for the record. If you are interested, please go to Bilibili and follow the original author. Once more, the link to the original: "The most detailed intranet penetration principle on Bilibili, you can understand it, it is all dry goods!" www.bilibili.com/read/cv6189209
