Why 3G network NAT cannot be bypassed?

Asked 9/11, 2013 at 12:55 Answered 30/10, 2015 at 21:5

I am developing a p2p chat application which works fine over DSL two different NATs, but when it comes to 3G USB internet connection it fails.

I find out that its not possible to bypass NAT for 3g networks and the known p2p applications like Skype and torrents also cannot bypass 3g networks , whenever they come across these problems the send data through central servers.

I want to know what is the architecture of 3g networks . i heard that they do not have private IP ,port pairs only public Ip,port is available and one public port can be assigned to many devices , am i correct? if so how server sends data to 3g networks ?

Krasner answered 9/11, 2013 at 12:55 Comment(0)

I work on open source middleware for multi-agent systems, and we recently had to create a UDP-based transport option for p2p usage over 4G/3G networks. We've tested this on T Mobile's data plans, as well as various academic networks behind NATs, and I feel pretty confident in the implementation for the moment. Since there do not appear to be any solid solutions to this question here, I thought I would share the type of solution we currently have implemented in the MADARA middleware (http://madara.sourceforge.net/) via the REGISTRY_CLIENT transport option.

For us, we opted for what you might call a registry server or name service (if you're familiar with CORBA) for P2P endpoints. The registry server needs to run at some public ip:port that UDP can reach in a one way message. For our tests, we leased an Amazon EC2 node and made sure the firewall settings allowed UDP traffic through on a UDP port that we were going to bind to. On the server side (the public ip:port pairing for the registry server), we bind to the port and wait for clients to register. Any P2P client that wants to talk to others sends a registry message to the Registry Server

P2P client ----> [register message] ---> Registry Server

The register message can have any arbitrary contents. Ours actually have no contents other than a message header from our normal data protocol. On the server side, we check the remote host of the register message sender (the P2P client to the above left) via normal socket recv calls. This remote host should be the endpoint information through the firewall that is protecting the P2P client.

To understand what is going on here, we have to look at how messages are being routed for the P2P client to our public registry server. The following ASCII diagram shows the remote information a socket might see (i.e. an example firewall mapping) along the path from a P2P client to our EC2 server. This shows just one Firewall, but it should work with multiple NATs in between the P2P client and Registry Server, as long as the NATs are keeping the public ip:ports open when traffic is going through the assigned ip:port at that particular NAT.

P2P client ----> [message from 192.168.1.10:35000] ---> Firewall ---> [message from 111.111.50.34:5627] --> Registry Server

Now, if we tried to send a message to 192.168.1.10:35000 from our registry server, it would fail (or at least, it would almost certainly go to the wrong place). Similarly, you can see that the 4G Firewall is also changing the port from 35000 to 5627. To send a message back to the P2P client, you will need to do two things: 1) send a return message through 111.111.50.34:5627 rather than whatever ip:port information we initially bound to on the P2P client side, and 2) make sure either the P2P client or the registry server resend data back to each other frequently--once per second seemed fine for our purpose to permanently bind to the public ip:port of 111.111.50.34:5627, in our example.

As part of our protocol, we don't just send a useless packet back to the P2P client that registered. We send all of the relevant public ip:port pairings of P2P clients that are in that client's group/clique/domain/whatever. Basically, we send the P2P client discovery information for everything the registry server is aware of that seems relevant to the P2P client.

For instance, let's say that two P2P clients have messaged the registry server through 111.111.50.34:5627 and 111.111.37.24:15234 ip:port bindings through the 4G provider's firewall. A new P2P client connects from 111.111.70.105:7000, and we respond back with the other 2 end points in a simple listing:

[Registry Response for P2P Client #3]
111.111.50.34:5627
111.111.37.24:15234

Now, on the P2P Client #3 end, you take this list and use it as potential endpoints for your P2P application. These are your P2P peers. You can create UDP packets to them via the same socket you registered with and as long as they are not behind conservative firewalls (such as mobile tethered hotspots on your phone, which from my experience are traditionally designed to block all inbound UDP traffic on ephemeral port bindings with no configuration settings available to enable port forwarding) and traffic should be able to flow in both directions.

As noted earlier, to keep the P2P UDP connections valid you basically just need to resend data periodically to/from this endpoint to keep the public ip:port binding alive and active on each firewall protecting the P2P clients. This can be done by periodically resending registration information to the public registry server and/or receiving UDP packets from other P2P clients to that public ip:port that the 4G firewall has allocated to your P2P client.

Dwelling answered 30/10, 2015 at 21:5 Comment(1)

How is this different from ICE? – Mishear 9/12, 2020 at 15:54

Wikipedia claims Carrier Grade NAT can be traversed by P2P applications, even in the presence of port sharing:

The technique described above works fine within a CGN. A CGN can also make use of a port overloading behavior, which means that distinct internal endpoints with the same port value can be mapped to the same public endpoint. This does not break the unicity of the 5-uple {Protocol, public address, public port, remote address, remote port} and is thus acceptable. TCP port preservation can also lead to cases where the CGN ports are overloaded and is not an issue for protocol soundness. Port overloading for TCP allows the CGN to fit more hosts internally while preserving TCP end-to-end communication guarantees.

However, no references are cited for that paragraph.

Schott answered 11/11, 2013 at 22:26 Comment(2)

Yes they are! Look at my answer! I took two of the references on my answer from that Wikipedia page!!! – Bowlin 14/8, 2015 at 22:28

Nevermind. The Waseda University technique may work for some smaller scale symmetric routers (I haven't seen many myself), but I have implemented it myself and it DOES NOT work for 3/4G networks. – Bowlin 24/9, 2015 at 23:34

Why 3G network NAT cannot be bypassed?

It boils down to statistics. In order for a connection to be established, you have to send a packet into the port that they are at and they have to send a packet into the port that you are at. If you send to the wrong port number or they send to the wrong port number, you miss and no connection is established. If both of you simultaneously bind to a port and send out a packet directed at the other's ip address, you have a 1 in 65535 (65535 being the number of ports on an ip address) chance of sending a packet into their port and they have a roughly 1 in 65535 chance of sending a packet into your port. So the chance of you establishing a connection is (1/65535) * (1/65535), or (1 / 65535^2).

You can't know your port number for any subsequent connection because for every new outbound connection, the router randomly gives you a new port number on the interval between 1024 and 65535. So if you ask a server what your ip and port number is, it may tell you the right ip (your ip address doesn't change very often unless you turn off your phone or something like that), but the port number will change. If you try to guess the port number there is a ( (65535-1024-1) / (65535-1024) ), or 99.998% change of you guessing it wrong, assuming that the number of possible port numbers to choose from is (65535-1024).

So unless the port numbers are predictable (which in many 4G networks they are not), you're hosed - no chance.

Bowlin answered 24/9, 2015 at 23:48 Comment(3)

Many of the carriers are performing double-NAT. They have a "local" NAT close to the tower, and a Carrier-Grade NAT deeper inside the carrier network. It's getting harder and harder to get available IPv4 addresses, and ARIN completely ran out of available IPv4 addresses to assign to the carriers earlier today. – Selfwill 24/9, 2015 at 23:58

I think I know what you mean. On my T-Mobile network, the first four hops all start with "10." Those are the "local" NAT closer to the tower. Then the next four hops all start with "4." Those are non-local, but under the same ISP. After that, there is a divergence where packets bound for different public ip addresses take different paths and don't share a common prefix. – Bowlin 26/9, 2015 at 6:53

T-Mobile can be a very special case. T-Mobile is trying to get all users on IPv6, and a very large chunk of their customers only get an IPv6 address. This works well for many popular sites which have IPv6 (e.g. Google), but it could be problematic for IPv4-only sites. T-Mobile has implemented a unique method for getting a host with only an IPv6 address to be able to access the IPv4 Internet. Other companies are studying this method and may implement it. It solves problems for applications like Skype that would normally fail with traditional translations or NAT. – Selfwill 26/9, 2015 at 20:6

It might be possible, you just can't guess the port number exactly. You might be off by a little bit and not be able to make the connection. For a more robust hole punching method which may work over symmetric and Large Scale NAT, try one of these methods:

Bowlin answered 14/8, 2015 at 17:29 Comment(1)

THIS DOES NOT WORK ON REAL 4G LTE ROUTERS. – Bowlin 26/9, 2015 at 6:56

For carriers, they may not choose the same external port as your internal client. This breaks both TCP and UDP hole punching. See here:

UDP hole punching not going through on 3G

Salomo answered 11/11, 2013 at 22:38 Comment(0)

Recommended topics

Hot tags