Beyond the Router: Getting Access

Discussion in 'Tech Talk' started by rsagona1, Aug 30, 2007.

  1. rsagona1

    rsagona1 Hello

    Messages:
    2,394
    Likes Received:
    0
    Joined:
    Jun 21, 2006
    Location:
    Somewhere in MD
    A couple years ago I designed a very basic/easy software program that accessed a main (public) server and requested a 'block' of 100 IP addresses. These IP addresses were of all users currently using the software. It was a basic Peer to Peer networking system, in which the person would query each IP address for a certain file, and if found, it would send it to the user that made the request.

    All fine and dandy, until the person was behind a firewall. It worked on my LAN because obviously, it's easy to access 192.168.1.XX (any number) since it's all on the same network.

    The ONLY way it would work beyond that was if the person OUTSIDE the network set up port forwarding. Pretty much a pain in the butt, because the user would have to tell the router to forward any requests on port XX to 'my computer'.

    How does Limewire and other programs like this work without having to set up port forwarding?


    I figured maybe I could (when the user logs on to the system) submit to the server something like this:

    Main IP -->192.168.1.1 (Individual IP). But that really doesn't do anything because I can't get past the router.

    Any advice is appreciated.
     
  2. geekboy

    geekboy Glock Lover

    Messages:
    528
    Likes Received:
    5
    Joined:
    Mar 24, 2006
    Location:
    Tampa Bay, Florida
    Welcome to the wonderful world of firewalls. The way most NATed firewalls work is that outgoing connections are not blocked.

    The ReplayTVs in my house -- a really cool out-of-the-box network ready DVR -- have access via MyReplayTV.COM. However, my firewall won't allow MyReplayTV.COM to access my boxes! But, my boxes connect to the "service" (server) every night... so they get their information that way.

    You would have your "peer" programs send a heartbeat every XX seconds to the main server to see if there's a connection to be made. The Server proxies the connections for someone who wants something from you and tells YOU who wants it...

    e.g.

    Peer With File: 18.172.0.10 (NAT Address: 192.168.0.99)

    Peer Who Wants File: 72.64.0.20

    Host Server: 114.110.0.30

    Host that wants file 72.64.0.20 asks Host Server to get file from 18.172.0.10. The peer will poll every XX seconds so at the interval it contacts host on 114.110.0.30. The Host (114.110.0.30) tells the Peer With File (18.172.0.10) that 72.64.0.20 wants "some" file. At that time, the peer with the file contacts the peer who wants file (72.64.0.20) directly. This fixes the NAT issue. I think that the Peer With file, when connecting to the Host Server will still show as 18.122.0.10. This is necessary since any Peer must "register" with the Host Server using the non NATed address -- hope that makes sense. I don't think this is an issue, but I haven't tried this.
     

  3. rsagona1

    Thanks for the reply. However, the problem would still exist.

    Direct connections would not work with a firewall. Determining who has the file is not the problem, everything you said above works fine but the problem still lies when the direct connection needs to be made.

    For example, IP Address 10.10.10.10 w/ NAT 192.168.1.1 wants to connect to 9.9.9.9 w/ nat 192.168.1.102. I can get all that information fine, but I still cannot bypass the router.

    I wish I could tell the router, "Hey, I am here for NAT 192.168.1.1, let me through".

    By the way what does NAT stand for?
     
  4. geekboy

    NAT is Network Address Translation. It's how you can use one IP address to serve many individual network devices.

    I don't understand when you say it won't work? If the request is from INSIDE a NATed Firewall, there is no problem. It is exactly how my ReplayTV device works today and is how I'm able to connect to GlockTalk now.

    Unless the firewall you're talking about is one that actually has rules to block EVERYTHING but 80, 25, 23, 27 and maybe some others like 110 (POP), then I'd agree. The only places I know that do these sorts of things are businesses. Other than that, no ports are blocked. I will give another exception... some ISPs are intentionally blocking Port 25 outbound and blocking Port 80 inbound.

    I use a CISCO 3620 medium grade router/firewall at home. I do not have any blocks for outbound ports. I could, but it would not be a typical setup. Many businesses block extraneous ports, because they think it's going to be more secure. You could always tunnel through Port 80, which is how many programs circumvent firewalls.
     
  5. rsagona1

    Thanks for responding.

    The problem is they are not inside the same network. You're right, the reason why glocktalk works is since I am making the request inside and glocktalk is listening on 80 (and is set up to do so). BUT, for me, all the users will be in different locations with different routers. And each user will have their own router and they will not be able to set up port forwarding to listen for incoming connections and forward it to each computer. So the list of users may look something like this:

    10.90.90.1 (computer 192.168.1.1)
    62.255.67.1 (computer 192.168.1.1)
    62.255.67.1 (computer 192.168.1.102)

    Notice the last two are in the same building, two different computers. But the first is a different location completely. The first would try to get with the second. But they are two different routers.

    Is this a bit more clear or is it my fault the way I am explaining it?
     
  6. rsagona1

    Here's a diagram. 'Red' wants to connect with 'Red'. One of the reds must initiate the connection, but that is impossible since the other is behind a router.
     
  7. geekboy

    Sorry, yeah, I am sorry for the confusion. (I need my coffee!)

    In order for my scenario to work, you must have a "main server" that serves as a proxy. With that, it's not true peer to peer networking, it's more a proxied network.

     
  8. rsagona1

    Thank you very much.

    So the proxy server is essentially responsible for 'connecting' the two users. Since the two users can't ever talk to each other personally, the proxy will relay the bits of data to each other (both query results and the binary file itself).
     
  9. geekboy

    Exactly. With that, you could also use the HTTP protocol over Port 80, so it is likely not to be blocked.
     
  10. rsagona1

    Good deal.

    If you're ever in Baltimore, beers on me.
     
  11. geekboy

    If I was architecting this, I wouldn't really use the proxy server as a tunnel. I'd probably have Red B request a file from Red A. Then have Red A "transfer" the file to the proxy server. Then have Red B suck it off the proxy server. In this scenario, the proxy server is "caching" the Red A copy for transfer to Red B.

    Just worried about latency and the proxy server acting as a bridge. It could do that... but if these are large files, you could have issues.
     
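As an added example (not code from the thread), here is a Python sketch of the design geekboy lays out in posts 2 and 11: each peer only ever connects outbound to a rendezvous server, checks in with a periodic heartbeat, the server queues "who wants what" notes for delivery on the next poll, and the file travels through the server's short-lived cache instead of over a direct inbound connection. The addresses, file name and payload are constructed from the thread; the SHA-256 digest is an added check so the requester can confirm the relayed bytes are the ones the sender uploaded.

```python
import hashlib
from collections import defaultdict, deque

# Constructed addresses from the thread; the server only sees public (post-NAT) ones.
PEER_WITH_FILE = "18.172.0.10"
PEER_WANTING_FILE = "72.64.0.20"


class RendezvousServer:
    """Hypothetical rendezvous/cache server; every peer only connects outbound to it."""

    def __init__(self):
        self.catalog = defaultdict(set)    # public ip -> files it offers
        self.pending = defaultdict(deque)  # public ip -> (requester, file) notes
        self.cache = {}                    # (file, requester) -> (digest, data)

    def heartbeat(self, public_ip, offered_files):
        """Called by a peer every XX seconds; returns who wants what from it."""
        self.catalog[public_ip] = set(offered_files)
        notes = list(self.pending[public_ip])
        self.pending[public_ip].clear()
        return notes

    def request(self, requester_ip, filename):
        """Queue a note for one peer offering filename; return its public address (None if nobody has it)."""
        for ip, files in self.catalog.items():
            if filename in files and ip != requester_ip:
                self.pending[ip].append((requester_ip, filename))
                return ip

    def upload(self, filename, requester_ip, data):
        """Peer with the file pushes it (outbound) together with its SHA-256."""
        self.cache[(filename, requester_ip)] = (hashlib.sha256(data).hexdigest(), data)

    def download(self, filename, requester_ip):
        """Requester pulls the cached copy; the cache entry is dropped afterwards."""
        return self.cache.pop((filename, requester_ip))


def simulate_transfer(payload=b"constructed file bytes"):
    """Walk the thread's scenario end to end and return what each side learned."""
    server = RendezvousServer()
    server.heartbeat(PEER_WITH_FILE, ["song.mp3"])
    server.heartbeat(PEER_WANTING_FILE, [])
    target = server.request(PEER_WANTING_FILE, "song.mp3")
    notes = server.heartbeat(PEER_WITH_FILE, ["song.mp3"])  # next poll delivers the note
    for requester, name in notes:
        server.upload(name, requester, payload)
    digest, data = server.download("song.mp3", PEER_WANTING_FILE)
    verified = hashlib.sha256(data).hexdigest() == digest  # requester-side integrity check
    return target, notes, data, verified
```

Note that the server never needs the 192.168.x.x address of either peer; it matches on the public address each peer arrived from, which is the point geekboy makes about registering with the non-NATed address.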
  13. rsagona1

    At that point then my server is acting like a 'host' of all files and I do not know if it could handle that. I would imagine it would use less resources to just take a packet of bits and hand it on over to 'Red B'.

    You know, wouldn't it be perfect if there was a way to just be able to knock on the router's door, say I am here for 192.168.1.1, let me through.

    Why the hell did no one think of this??
     
  14. geekboy

    Yea, it's to protect that host. Anyhow, I was thinking just "cache" the requested file only... not store it permanently. You could still just "proxy" it as was originally talked about.
     
  15. rsagona1

    You know what would be cool technology though? If companies made a password that you could get through to that host. Don't think it's been done.