Is it therefore possible to link two hosts behind NAT directly?

There are three hosts:
host A is connected via NAT on router R1
host B is connected via NAT on router R2
host C is a server directly connected to the Internet with a static IP

The algorithm is this:
1) host A knocks on the UDP server on C
2) the NAT on router R1 opens a dynamic port (port1) and substitutes its external IP and that port number as the source of the packet that A sends to C
3) server C receives this packet and learns that host A is reachable at the IP and port (port2) from the previous step
4...6) in a similar way C learns the IP address and the dynamic port on R2 for host B
7) the server passes host B's data to host A.
8) the server passes host A's data to host B.

And then communication between hosts A and B goes like this (without mediator C):
A -> R1 -> R2:port2 -> B
Host A sends a packet to R2:port2
the packet passes through R1, which substitutes its own IP and its port1
R2 receives the packet, looks up port2 and sees that it is assigned to host R2.
The packet arrives at R2
Similarly, sending goes from host A to host B.

The question: in what cases will this method work, and in what cases not?
April 3rd 20 at 17:13
4 answers
April 3rd 20 at 17:15
Uh, congratulations on inventing hole punching. The easiest way is to use something ready-made.
April 3rd 20 at 17:17
Some kind of addiction, really.
Just set up tinc and everything will work.
https://habr.com/ru/post/468213/

In your case there is an even simpler way:
https://habr.com/ru/company/flant/blog/338628/
April 3rd 20 at 17:19
Read here
Symmetric NAT. Until recently this was the most common implementation. Its characteristic feature is that in the NAT table the mapping of the IL address to the IG address is tied to the OG address, that is, to the destination address specified in the outgoing packet that triggered the mapping. With this NAT implementation, in our example host 192.168.0.141 will receive translated incoming UDP packets only from host 1.2.3.4 and strictly with source port 53 and destination port 1053, and from no one else. Packets from other hosts, even if the packet's destination address and destination port are present in the NAT table, will be discarded by the router. This is the most paranoid NAT implementation; it provides greater security for hosts on the local network, but in some cases greatly complicates the life of system administrators. And of users too.

Full Cone NAT. This NAT implementation is the complete opposite of the previous one. In Full Cone NAT, incoming packets from any external host will be translated and forwarded to the corresponding host in the local network if there is a corresponding entry in the NAT table. Moreover, the source port number in this case is also irrelevant: it may be 53, or 54, or anything at all. For example, if some application running on a computer in the local network initiated the receipt of UDP packets from the external host 1.2.3.4 to local port 4444, then 1.2.3.5, 1.2.3.6 and everyone else will also be able to send UDP packets to this application, until the entry in the NAT table is removed for whatever reason. Again: in this NAT implementation only the transport protocol, the destination address and the destination port are checked on incoming packets; the source address and source port do not matter.

Address Restricted Cone NAT (aka Restricted NAT). This implementation occupies an intermediate position between Symmetric and Full Cone NAT: the router will translate incoming packets with a specific source address (in this case 1.2.3.4), but the source port number may be any.

Port Restricted Cone NAT (or Port Restricted NAT). The same as Address Restricted Cone NAT, but in this case the router pays attention to the source port number and does not pay attention to the source address. In our example the router will translate incoming packets with any source address, but the source port must be 53, otherwise the packet will be discarded by the router.
It works.
The known external IP is the NAT's address. - Eulah22 commented on April 3rd 20 at 17:22
@Eulah22, in the reverse direction (inbound) the packet will not reach the internal host.
Reverse NAT (from outside) must be supported by the provider's router. - litzy.Armstrong commented on April 3rd 20 at 17:25
@litzy.Armstrong, it will work, even without support.
Suppose we need to connect hosts A and B, both behind the provider's NAT.
To do this, host A establishes a connection to an intermediary host C that has a white IP address (for example, 50.50.50.50).
Meanwhile the provider's NAT forwards the request to that host and reserves a random port (e.g. 55555), on which it waits for a response from host C.
Host B does the same.

After that host B sends to its ISP's gateway address a packet in which the sender is listed as address 50.50.50.50 port 55555.
Because the ISP's gateway is waiting for a response from the host with address 50.50.50.50 port 55555, it forwards the packet to host A. - Eulah22 commented on April 3rd 20 at 17:28
@Eulah22, I don't fully understand....
(say the communication port on C is 111)
1. A<->NAT_A[:55555]<->C[50.50.50.50:111]
2. B<->NAT_B[:55555]<->C[50.50.50.50:111]

After that host B sends to its ISP's gateway address a packet in which the sender is listed as address 50.50.50.50 port 55555.
3. ?....
Because the ISP's gateway is waiting for a response from the host with address 50.50.50.50 port 55555, it forwards the packet to host A.
4. ?....
Here in points 3 and 4 there is something in the logic I can't follow... - litzy.Armstrong commented on April 3rd 20 at 17:31
@litzy.Armstrong, well, look, in normal mode NAT works as follows.
If host 192.168.1.8 from the local network wants to communicate with a subscriber in the global network, the provider's NAT replaces the gray sender address with its own white address 30.30.30.30, sends the packet to the subscriber and then waits for a response from the subscriber. To know for certain that the subscriber's response belongs to 192.168.1.8, it reserves a port, for example 1548, for that host.
In the end the subscriber sends the reply to address 30.30.30.30:1548 (the ISP gateway and port), and the NAT server looks at the address translation table, sees that port 1458 is reserved for address 192.168.1.8 and sends it the packet.
This is the standard scheme of NAT operation.

In order to get through NAT, we need a few things:
1) the provider's NAT must be expecting a response for 192.168.1.8
2) we need to know from which IP address it is waiting for the response.
3) we need to know on which port it expects the response.

In the end:
1) Make a request to the intermediary server, and the provider's NAT will wait for a response from it.
2) Instead of responding to the request, the intermediary simply informs the other host that the provider's gateway 30.30.30.30 is waiting for a response from the intermediary's IP address on port 1548.
3) That host sends a packet to address 30.30.30.30, having first substituted the sender.
As a result the NAT sees that it got the response from the intermediary it sent the request to, and forwards it to 192.168.1.8.
Simply a hoax on NAT. - Eulah22 commented on April 3rd 20 at 17:34
@Eulah22, got it.
But this NAT deception, isn't it filtered? - litzy.Armstrong commented on April 3rd 20 at 17:37
@litzy.Armstrong,
"But this NAT deception, isn't it filtered?"
What do you mean? Why would it be?
NAT itself is address translation, masquerading, where the subscriber's gray address is replaced by the white gateway address.
The basic principle of any NAT is deception: a fake address in the packets.

To get around NAT the same trick is used, only more cunningly. - Eulah22 commented on April 3rd 20 at 17:40
@Eulah22, i.e. you can capture all the ports of the gateway by simply "stitching" the entire NAT table in the gateway with a NAT thread?) - litzy.Armstrong commented on April 3rd 20 at 17:43
@litzy.Armstrong, um, I don't quite understand the point.
Could you elaborate? - Eulah22 commented on April 3rd 20 at 17:46
@Eulah22, well, each time generate packets for the connection whose return address is a port on the gateway, and so on down the chain: as if "sewing" the NAT ports of one NAT connection to each other, and so on until the numbers run out. - litzy.Armstrong commented on April 3rd 20 at 17:49
@litzy.Armstrong, when a subscriber from the provider's gray network goes out somewhere onto the Internet, the provider's NAT issues a temporary port; after the connection is closed the port is returned to the common pool.
The number of ports is limited.
If subscribers start a lot of connections (torrents, for example) and there are a lot of subscribers, the ports run out.
Therefore providers that use NAT either have to restrict the number of connections per subscriber or have to install additional NAT gateways. - Eulah22 commented on April 3rd 20 at 17:52
@Eulah22, no, that's not quite what I mean.
1. A initiates a connection to host C
2. C returns to host A its port on its NAT (NP) and does not complete the connection.
3. A opens a listener for the pending connection on an arbitrary port P2 and reports it to C
4. C sends a packet whose header says the sender is the NAT with port NP and the recipient is A with port P2.

In the end a NAT loop is born.
Right? - litzy.Armstrong commented on April 3rd 20 at 17:55
@litzy.Armstrong, that's theory. In practice it won't work.
The sender is the NAT itself;
the packet simply won't pass the filtering rules for incoming and outgoing traffic. - Eulah22 commented on April 3rd 20 at 17:58
@Eulah22, now I have this doubt: why does filtering work here, but not with the NAT cheating?
The NAT at host A had no such outgoing connection to host B either... (that is exactly my question...) - litzy.Armstrong commented on April 3rd 20 at 18:01
@litzy.Armstrong, hmm, would have to try; no idea.
But even if it works, just add another rule and intercept such requests. - Eulah22 commented on April 3rd 20 at 18:04
@Eulah22, I would like to understand: was I right in my main answer or not?
I assumed that by default providers should not allow such things (NAT deception). - litzy.Armstrong commented on April 3rd 20 at 18:07
@litzy.Armstrong, let's put it this way: if you are trying to take equipment out of the provider's system, the provider is of course protected from that anyway.

And the fact that someone connects directly to a host behind NAT: what harm is that to the provider, what's the point of fighting it?
NAT for the ISP is a necessary measure so as not to waste white addresses at all.
If someone finds a way to connect directly, good for them.
What's the point of banning it?

And the fact that it works: it works on exactly this principle.
TeamViewer's servers try to link subscribers directly if possible, and in many cases it works out; if it doesn't, they route the traffic through their own servers.
And it fails more often because double and triple NAT is normal for us: behind the provider's NAT there is the subscriber's router with NAT, often followed by another one. - Eulah22 commented on April 3rd 20 at 18:10
@litzy.Armstrong, well, going back to the example, I don't understand the idea.
"A opens a listener for the pending connection on an arbitrary port P2 and reports it to C"
Which port the NAT will wait for a connection on is decided by the NAT.

"In the end a NAT loop is born."
Why a loop? Well, even if the NAT sends a packet to a user and he receives it, then what? - Eulah22 commented on April 3rd 20 at 18:13
@Eulah22, on the 1st comment: it's clear.
On the 2nd:
1. The NAT decides, but node C knows it. And host A knows which port, so I can catch it (the tail of the loop).
2. A loop, because the connection from A to A is created by NAT gateway A. - litzy.Armstrong commented on April 3rd 20 at 18:16
@Eulah22,
"Let's put it this way: if you are trying to take equipment out of the provider's system, the provider is of course protected from that anyway."
Here I am talking precisely about protection by filtering "rogue" NAT connections.
If it is filtered, the substitution of the sender header (B) should fail. Otherwise a loop attack is possible. - litzy.Armstrong commented on April 3rd 20 at 18:19
@litzy.Armstrong, @Eulah22,
Here are the terms to look up so that such questions don't arise:
Full Cone NAT
Restricted Cone NAT
Port Restricted Cone NAT
Symmetric NAT - esther67 commented on April 3rd 20 at 18:22
@esther67, studied! Thank you! - litzy.Armstrong commented on April 3rd 20 at 18:25
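As an added illustration of the question's eight steps and of the NAT types described in the answer above (example code written for this edit, not from any participant): a small Python simulation in which a constructed toy NAT model applies each type's inbound rule, and `hole_punch` reports whether the A<->B exchange arrives in both directions for a given pair of NAT types. All hosts, addresses and ports are constructed, and both sides are assumed to send their punch packet before either packet arrives.

```python
from dataclasses import dataclass, field
from itertools import product
FULL, ADDR, PORT, SYM = "full_cone", "addr_restricted", "port_restricted", "symmetric"

@dataclass
class Nat:  # toy NAT model (constructed): one public port per mapping key
    kind: str
    public_ip: str
    mappings: dict = field(default_factory=dict)  # key -> (public port, set of contacted peers)
    def outbound(self, src, dst):
        """src=(ip, port) sends to dst; returns the public (ip, port) the packet leaves with."""
        key = (src, dst) if self.kind == SYM else src  # symmetric: new mapping per destination
        if key not in self.mappings:
            self.mappings[key] = (40000 + len(self.mappings), set())
        ext_port, peers = self.mappings[key]
        peers.add(dst)
        return (self.public_ip, ext_port)

    def inbound(self, src, dst_port):
        """Packet from public src=(ip, port) to our dst_port; returns the internal host or None."""
        for key, (ext_port, peers) in self.mappings.items():
            if ext_port != dst_port:
                continue
            allowed = {FULL: True,                                # anyone may send
                       ADDR: any(p[0] == src[0] for p in peers),  # contacted IP, any port
                       PORT: src in peers,                        # contacted IP and port
                       SYM: src in peers}[self.kind]              # only that one destination
            return (key[0] if self.kind == SYM else key) if allowed else None
        return None

def hole_punch(kind_a, kind_b):
    """Steps 1-8 of the question, then A->B and B->A through R2/R1; True if both arrive."""
    nat_a, nat_b = Nat(kind_a, "1.1.1.1"), Nat(kind_b, "2.2.2.2")
    host_a, host_b, srv = ("10.0.0.2", 5000), ("192.168.0.2", 5000), ("50.50.50.50", 111)
    pub_a = nat_a.outbound(host_a, srv)  # steps 1-3: C learns A's public ip:port
    pub_b = nat_b.outbound(host_b, srv)  # steps 4-6: same for B
    # steps 7-8: C tells each side the other's public address; both send before either
    # packet arrives (simultaneous punch), which the restricted types need to succeed
    from_a = nat_a.outbound(host_a, pub_b)
    from_b = nat_b.outbound(host_b, pub_a)
    a_to_b = nat_b.inbound(from_a, pub_b[1]) == host_b
    b_to_a = nat_a.inbound(from_b, pub_a[1]) == host_a
    return a_to_b and b_to_a

def matrix():  # which NAT-type pairs the question's method works for
    kinds = (FULL, ADDR, PORT, SYM)
    return {(a, b): hole_punch(a, b) for a, b in product(kinds, repeat=2)}

if __name__ == "__main__":
    for (a, b), ok in matrix().items():
        print(f"A behind {a:16} B behind {b:16} -> {'works' if ok else 'fails'}")
```

The matrix shows the method succeeding for every pairing of the three cone types and failing as soon as either side is symmetric, because the symmetric NAT allocates a different public port for the peer than the one C reported.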
April 3rd 20 at 17:21
Yes, it will work. But you need to understand that if there is a pause in packet transmission, the routers can "forget" this session, and your A and B will not be able to restore the connection without C.
The reliable option is normal forwarding on the routers.
