 From:  Adam Swift <vikem0n0 at omnitude dot net>
 To:  Steve Yates <steve at teamITS dot com>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Consistent (predictive) NAT
 Date:  Wed, 16 Nov 2011 10:03:15 +1000
> For remote control purposes, the latest version introduced "tunnels"  
> where the remote makes a UDP connection to our system and uses that  
> for VNC. For comparison, they suggest turning off "Enable SIP  
> Helper" in Untangle, and on Sonicwall check "Enable Consistent NAT."
This sounds like your application uses UDP hole punching. UDP/TCP hole  
punching requires that the port mapped by the NAT is predictable by  
the software doing the punching. A brief look at some documentation on  
Sonicwall's "Enable Consistent NAT" indicates this is what it does, by  
hashing the source port to create a "consistent" translated port.

By default m0n0wall maps UDP and TCP port numbers to a random port for  
security reasons. It can be changed to avoid remapping the port number  
when there is no other mapping on the same port. If your software  
connects from random ports this should work.

For example, my network runs on 192.168.0.0/24. Under NAT -> Outbound,  
I have "Enable advanced outbound NAT", and added a rule on the WAN  
interface for packets sourced from 192.168.0.0/24 going to any  
address. That's the same as m0n0wall's default for my network. Then I  
ticked "Avoid port mapping".

Hope this helps.

Adam Swift
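The point of the reply above is that hole punching only works when the peer can guess the translated port the NAT will use for a flow it has not seen yet. The following toy model is an added example for this thread; it is not code from m0n0wall, pf, SonicWall or the list post. The policy names ("random", "preserve", "hashed"), the addresses and the port numbers are this example's own assumptions, and the hashed policy only approximates what the post says Consistent NAT does. The NAT keeps one state per flow (source ip, source port, destination), as a stateful firewall does, so one socket talking to the rendezvous server and then to the peer creates two states; the punch succeeds only if both states get the same external port.

```python
"""Toy model of NAT port-allocation policies versus UDP hole punching.

Added example, not code from m0n0wall, pf, SonicWall or the list post.
Policy names, addresses and port numbers here are assumptions for illustration.
"""
import hashlib
import random
from dataclasses import dataclass, field

EPHEMERAL_LO, EPHEMERAL_HI = 1024, 65535


@dataclass
class Nat:
    policy: str                      # "random", "preserve" or "hashed"
    public_ip: str = "203.0.113.5"   # RFC 5737 documentation address (assumed)
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    states: dict = field(default_factory=dict)  # (src_ip, src_port, dst) -> ext port

    def _held_by_other(self, port, src_ip, src_port):
        # True if some other internal socket already owns this external port
        return any(ext == port and (f[0], f[1]) != (src_ip, src_port)
                   for f, ext in self.states.items())

    def _random_free(self):
        # m0n0wall's default as described in the post: a fresh random port per state
        while True:
            port = self.rng.randint(EPHEMERAL_LO, EPHEMERAL_HI)
            if port not in self.states.values():
                return port

    def _hashed(self, src_port):
        # approximates "hash the source port to a consistent translated port"
        digest = hashlib.sha256(str(src_port).encode()).digest()
        span = EPHEMERAL_HI - EPHEMERAL_LO + 1
        return EPHEMERAL_LO + int.from_bytes(digest[:2], "big") % span

    def translate(self, src_ip, src_port, dst):
        """Return the (public_ip, external_port) used for this flow, creating state."""
        flow = (src_ip, src_port, dst)
        if flow in self.states:
            return self.public_ip, self.states[flow]
        if self.policy == "random":
            ext = self._random_free()
        elif self.policy == "preserve":
            # "Avoid port mapping": keep the source port unless another internal
            # host already holds that external port, then fall back to random
            ext = src_port
            if self._held_by_other(ext, src_ip, src_port):
                ext = self._random_free()
        elif self.policy == "hashed":
            ext = self._hashed(src_port)
            if self._held_by_other(ext, src_ip, src_port):
                ext = self._random_free()
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        self.states[flow] = ext
        return self.public_ip, ext


def hole_punch(nat, src_ip, src_port,
               server=("198.51.100.10", 3478), peer=("192.0.2.20", 5000)):
    """Return True if the peer's packet reaches the client behind `nat`.

    1. client -> rendezvous server: the server records the public endpoint it saw
    2. client -> peer from the same socket: opens an outbound state toward the peer
    3. peer -> endpoint from step 1: delivered only if it matches the step 2 state
    """
    observed = nat.translate(src_ip, src_port, server)
    actual = nat.translate(src_ip, src_port, peer)
    return observed == actual


def demo():
    """Run the punch under each policy, plus the port-clash case for 'preserve'."""
    results = {}
    for policy in ("random", "preserve", "hashed"):
        results[policy] = hole_punch(Nat(policy), "192.168.0.10", 40000)
    nat = Nat("preserve")
    hole_punch(nat, "192.168.0.10", 40000)   # first host now owns external 40000
    results["preserve_clash"] = hole_punch(nat, "192.168.0.11", 40000)
    results["preserve_random_src"] = hole_punch(nat, "192.168.0.11", 51873)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'punch succeeds' if ok else 'punch fails'}")
```

The "preserve_clash" case is the caveat in the reply: a second internal host sending from the same source port as the first cannot keep it, gets a random port per state, and the punch fails; the same host sending from a random source port succeeds, which is why the post says the software should work if it connects from random ports.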