NAT Traversal (also known as UDP encapsulation) allows traffic to reach its destination when a device does not have a public IP address. This is often the case if your ISP applies NAT, or if your router or firewall is connected to another NAT device.
The shortage of IPv4 addresses and the slow transition to IPv6 mean many devices still rely on NAT to connect to the internet. While NAT works fine for outbound traffic, it creates problems for applications that require inbound connections, such as peer-to-peer systems or VoIP.
To solve this, NAT traversal mechanisms are used. One of the most common methods is UDP hole punching.
UDP Hole Punching
Hole punching (also called punch-through) is a networking technique used to establish direct UDP connections between devices behind NAT or firewalls.
A “hole” is created in the firewall or NAT by having the local device send an outbound packet first.
This outbound transmission creates a temporary rule in the NAT table that allows packets from the remote peer to pass back through.
This makes it possible for peers behind NAT to communicate directly without requiring a public IP.
Types of NAT
NAT devices handle connections differently depending on their type. The two main categories are Cone NAT and Symmetric NAT.
Cone NAT – uses the same port numbers for internal and external addresses.
Symmetric NAT – uses different port numbers for internal and external addresses, making traversal more difficult.
Cone NAT variations
There are three types of Cone NAT, each with different levels of restriction on inbound traffic:
Full Cone NAT – Any external host can send packets to the internal client, as long as the correct external IP and port are known.
Restricted Cone NAT – Only hosts that the client has previously sent packets to can send packets back.
Port-Restricted Cone NAT – Similar to restricted cone, but also requires the exact source port to match.
Full Cone NAT is the least restrictive and easiest for NAT traversal, while Port-Restricted Cone is stricter.
Most restrictive types
Port-Restricted Cone NAT and Symmetric NAT are the most difficult for peer-to-peer traffic.
If you run a MystNodes node behind one of these NAT types, you may need additional configuration to ensure your node is reachable by more users.
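The hole-punching exchange and the NAT types described above can be checked with a small model. This is an added Python example, not MystNodes code. It assumes the classic RFC 3489 behaviours, in which a cone NAT keeps one external mapping per internal address and port and a symmetric NAT allocates a new one per destination. The class and function names and all addresses are constructed for illustration.

```python
# Added illustration, not MystNodes code. Classic RFC 3489 NAT behaviours;
# class/function names and all addresses are constructed for this example.
import itertools

class Nat:
    def __init__(self, kind, public_ip):
        self.kind, self.public_ip = kind, public_ip
        self.ports = itertools.count(40000)  # constructed external port pool
        self.mappings = {}                   # mapping key -> external port
        self.sent_to = {}                    # external port -> destinations contacted

    def outbound(self, internal, dst):
        """Internal host sends to dst; returns the source address dst sees."""
        # Cone NATs keep one mapping per internal endpoint;
        # symmetric NAT allocates a new one per destination.
        key = (internal, dst) if self.kind == "symmetric" else internal
        if key not in self.mappings:
            self.mappings[key] = next(self.ports)
        ext_port = self.mappings[key]
        self.sent_to.setdefault(ext_port, set()).add(dst)
        return (self.public_ip, ext_port)

    def inbound(self, src, ext_port):
        """True if a packet from src to ext_port is forwarded inside."""
        seen = self.sent_to.get(ext_port)
        if seen is None:
            return False                     # no mapping, so no hole
        if self.kind == "full":
            return True
        if self.kind == "restricted":
            return src[0] in {ip for ip, _ in seen}
        return src in seen                   # port-restricted and symmetric

def hole_punch(nat_a, nat_b):
    """Peers learn each other's address from a rendezvous server, then punch."""
    server = ("198.51.100.1", 3478)
    a_int, b_int = ("10.0.0.2", 5000), ("10.0.1.2", 5000)
    a_pub = nat_a.outbound(a_int, server)    # address the server reports for A
    b_pub = nat_b.outbound(b_int, server)
    a_src = nat_a.outbound(a_int, b_pub)     # A's outbound packet opens A's hole
    b_src = nat_b.outbound(b_int, a_pub)
    a_to_b = nat_b.inbound(a_src, b_pub[1])
    b_to_a = nat_a.inbound(b_src, a_pub[1])
    # A peer that received a packet may reply to its observed source address.
    if a_to_b and not b_to_a:
        b_to_a = nat_a.inbound(nat_b.outbound(b_int, a_src), a_src[1])
    elif b_to_a and not a_to_b:
        a_to_b = nat_b.inbound(nat_a.outbound(a_int, b_src), b_src[1])
    return a_to_b and b_to_a
```

In this model every pairing of cone types connects, and a symmetric NAT still connects to a full or restricted cone peer. It fails against a port-restricted cone or another symmetric NAT, because the peer only accepts the port that the rendezvous server reported.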