Nat – How does UDP NAT Know When To Remove The Rule

nat;udp

So say you are a user behind a NAT/router on an internal network. You begin sending UDP data to an internet-facing server. The packet hits your router, it inserts an entry to allow returning packets from that server on a specific port to be forwarded to your local machine when received.

However UDP is connectionless. How does the router know when to remove this rule when the client no longer wishes to send or receive data with this server?

Best Answer

A NAT router doesn't know when to remove a UDP mapping - it guesses.

The router simply ages (or times) out the entry when it hasn't been used for a period of time (usually between 5 and 60 minutes).

With TCP, there's also a similar aging/timeout to make sure that forgotten or lost sessions don't pile up, but it's much longer. Of course, normal TCP connections are properly closed, which means the NAT router can forget about it.

UDP or TCP aging is a trade-off between router resources (fast aging) and compatibility with slow low-bandwidth sessions (slow aging). Sometimes the default settings require tweaking for your workload.

Related Solutions

Routing – Problem with VPN tunel from remote location through ISP (PPTP)

Why it works from our side when I use 1.1.1.10 and I get error using 1.1.1.9 in NAT table?

You have a problem with the 1.1.1.9 configuration as an external NAT IP on the Mikrotik. The outside interface of the Mikrotik is a /30; you're using 1.1.1.9/30 as the default gateway and an outside NAT IP on the Mikrotik. If you're going to use 1.1.1.9/30 on the Mikrotik, you need 1.1.1.10 as a default-gateway.

As it stands, you're currently using 1.1.1.9 as both default-gateway and external NAT IP.

Current Routing table:

Dst. address   | Gateway      | Distance | Pref. source   |
0.0.0.0/0      | 1.1.1.9      | 2        | -              |

Current NAT table:

Action     | Chain  | Source Addr    | Dst Address   | Proto    | Dst Port | Out Intf   |
masquerade | srcnat | -              | -             | -        | -        | ether1     |
dstnat     | dstnat | -              | 1.1.1.9       | 6 (TCP)  | 1723     | -          |
dstnat     | dstnat | -              | 1.1.1.9       | 47 (GRE) | -        | -          |
dstnat     | dstnat | -              | 1.1.1.9       | 6 (TCP)  | 5006     | -          |
masquerade | srcnat | 192.168.1.0/24 | 192.168.1.230 | -        | -        | -          |

What's a little confusing is the diagram, which says the ISP-A's router is in transparent "modem state". Please be sure that the IP addressing scheme you're using on the Mikrotik is consistent with ISP-A's expectations. If the router is transparent, I'm not entirely sure you should have an IP address on it.

Nat – UDP hole punching NAT port

The NAT device will keep a table with currently open connections so that it can send return packets to the internal host that opened the connection. An entry in the state table could look something like this:

Internal Source IP | Internal S-Port | External S-Port | Destination IP | D-Port
192.168.1.12         10123             10123             203.0.113.1      5555

When a packet is received (from the external side) the NAT device will check the Source IP, Source Port and Destination Port of the packet and compare it to the Destination IP, D-Port and External S-Port fields in its connection table. When it finds a match it will forward the packet to Internal Source IP on Internal S-Port.

UDP hole punching depends on the fact that Internal and External Source Ports are the same. This is normally the case unless you have a second internal host that uses the same Source port to connect to the same external Destination/D-Port combination.

When we assume that Internal and External S-Port are the same then both clients A,B can communicate their source port to the rendezvous server which will then relay the information back to the other client respectively.

Best Answer

Related Solutions

Routing – Problem with VPN tunel from remote location through ISP (PPTP)

Nat – UDP hole punching NAT port

Related Topic