Paul Carlin wrote:
While this is off-topic somewhat, I have been plagued by this problem as well.
.......
I don't know what UPnP does, but I do understand the problem. If anyone has good information on what UPnP actually does and if it actually works with NetMeeting/MSN Messenger... I'd like to hear about it.
When you are natting, the client system (which does not know that it is being natted) sends out its message to the router. The router notes the connection info (source IP, source port, destination IP, destination port, etc.), allocates resources (i.e. opens its own ports), changes the message to reflect its IP address and port, and sends the message on its merry way. The router is changing the client's network address to people on the outside. This is network/node address translation, or NAT (hence natting, natted). When the router gets responses back on its ports, it looks up in its table to see which system was associated with this connection, alters the message, and sends it on its merry way back to the client.
Seems simple, but in practice it gets ugly. Specifically,
1. Some services embed their IP address in the data (not just the header). FTP does that. The NAT router needs to not only change the headers, but filter the data as well.
2. Some services spawn multiple connections, which could be originated by the server. Take FTP for example. FTP uses two channels: the control or command channel, and the data channel. A client initiates a connection to a server. This sets up the control channel to the server. When data is to be moved, the client sends its IP address and a port number in the data stream. Normally, the server would then open up a connection to the client for the data part of FTP. The NAT/router/firewall not only needs to filter the IP address and port number in the client control stream, but it also needs to be able to let the server connect from the outside.
You might have experienced having to set FTP to "passive" mode. What happens is that the firewall in question cannot handle requests back from the outside. In FTP, there is something called passive mode. In this case, instead of the server initiating the data connection, the server gives the client a port number, and the client initiates the data connection through the firewall/router.
In many audio/video protocols, there are a number of connections initiated from the server to the client (many UDP). H.323 is one of those. I don't know the specifics of the protocol, but I know it gets messy.
3. Some services encrypt. Depending on what you are doing with IPsec, you might encrypt the header. Yuck. It takes a bit of work to decrypt something, alter it, encrypt it again, and send it on its way. That's probably why the Linksys low-end router can support only one connection. I am kinda guessing at exactly what they do. I am more familiar with Cisco firewall devices, which not only do the natting, but also do the VPN connection.
When you get to the VPN-specific devices, you can support more connections. These typically have a math co-processor, which speeds up the crunching. It also adds to the cost.
jr
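The post above describes the NAT table, the FTP PORT problem (the client's private address embedded in the data, and the server connecting back in) and why passive mode sidesteps it. The following is an added example written for this page, not code from the poster or from any real router: a toy in-memory NAT with an optional FTP application-layer gateway. All addresses (192.168.1.10 as the private client, 198.51.100.1 as the router's public side, 203.0.113.5 as the server), ports and FTP lines are constructed sample data, and the `Nat` class, `Packet` and the two demo functions are hypothetical names chosen for the example.

```python
"""Toy NAT with an optional FTP application-layer gateway (ALG).

Added example for this page, not the poster's code or any real router's.
All addresses, ports and FTP lines are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from itertools import count
from typing import Iterator, Optional

# FTP "PORT h1,h2,h3,h4,p1,p2": the client embeds its OWN ip/port in the data
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server's ip/port
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


def hostport_to_ftp(ip: str, port: int) -> str:
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def ftp_to_hostport(m) -> tuple:
    return ".".join(m.group(i) for i in range(1, 5)), int(m.group(5)) * 256 + int(m.group(6))


@dataclass
class Nat:
    public_ip: str
    ftp_alg: bool = True
    # public port -> (private ip, private port, remote ip, remote port)
    table: dict = field(default_factory=dict)
    # public port -> (private ip, private port, allowed remote ip): pinholes
    # the ALG opens so the FTP server can connect IN for the data channel
    pinholes: dict = field(default_factory=dict)
    ports: Iterator[int] = field(default_factory=lambda: count(40000))

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network (header + FTP data)."""
        pub_port = next(self.ports)
        self.table[pub_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        payload = pkt.payload
        m = PORT_RE.match(payload)
        if m and pkt.dst_port == 21 and self.ftp_alg:
            priv_ip, priv_port = ftp_to_hostport(m)
            hole = next(self.ports)
            # Pinhole is bound to the server we are talking to, and used once.
            self.pinholes[hole] = (priv_ip, priv_port, pkt.dst_ip)
            payload = "PORT %s\r\n" % hostport_to_ftp(self.public_ip, hole)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside; None means it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None  # a private address is not routable from the outside
        entry = self.table.get(pkt.dst_port)
        if entry and (pkt.src_ip, pkt.src_port) == entry[2:]:
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.payload)
        hole = self.pinholes.get(pkt.dst_port)
        if hole and pkt.src_ip == hole[2]:
            self.pinholes.pop(pkt.dst_port)  # one data connection per PORT
            return Packet(pkt.src_ip, pkt.src_port, hole[0], hole[1], pkt.payload)
        return None


CLIENT, ROUTER, SERVER = "192.168.1.10", "198.51.100.1", "203.0.113.5"


def active_ftp(alg: bool) -> Optional[Packet]:
    """Client sends PORT; the server opens the data connection. Returns what
    the client receives for that inbound connection, or None if NAT drops it."""
    nat = Nat(ROUTER, ftp_alg=alg)
    ctrl = nat.outbound(Packet(CLIENT, 5000, SERVER, 21,
                               "PORT %s\r\n" % hostport_to_ftp(CLIENT, 5001)))
    # The server connects to whatever address/port the PORT line told it.
    ip, port = ftp_to_hostport(PORT_RE.match(ctrl.payload))
    return nat.inbound(Packet(SERVER, 20, ip, port, "<file data>"))


def passive_ftp() -> Optional[Packet]:
    """Server answers PASV with 227 (...); the CLIENT opens the data connection,
    so plain NAT works with no ALG. Returns the data the client receives."""
    nat = Nat(ROUTER, ftp_alg=False)
    ctrl = nat.outbound(Packet(CLIENT, 5000, SERVER, 21, "PASV\r\n"))
    reply = nat.inbound(Packet(SERVER, 21, ROUTER, ctrl.src_port,
                               "227 Entering Passive Mode (%s)\r\n"
                               % hostport_to_ftp(SERVER, 50000)))
    srv_ip, srv_port = ftp_to_hostport(PASV_RE.search(reply.payload))
    data = nat.outbound(Packet(CLIENT, 5001, srv_ip, srv_port))
    return nat.inbound(Packet(SERVER, srv_port, ROUTER, data.src_port, "<file data>"))
```

Running `active_ftp(alg=False)` returns None: the server tries to connect to 192.168.1.10:5001, a private address that never reaches the router. With `alg=True` the router rewrites the PORT line to its own public address and a freshly allocated port, and the server's data connection is translated back to the client. `passive_ftp()` needs no ALG at all, since the only inbound packets are replies on connections the client opened. The pinhole is deliberately restricted to the server's address and removed after one use; an ALG that opens a port to anyone on the strength of text in a data stream is a hole a client (or malicious content) can pry open further.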
