Advanced Troubleshooting Guide for P2P Connectivity in ISP and Wide Networks

 
P2P advanced troubleshooting guide
for ISP and wide network operators

Introduction

What is this guide?
This is a troubleshooting guide for the Dahua P2P easy connection protocol.

Who is this guide written for?
This guide is for operators, network experts and engineers who need to troubleshoot Dahua P2P NAT traversal
protocol issues on their WAN or on their managed equipment.

Who is this guide NOT for?
This guide is NOT for people who would like to connect a simple installation to P2P.

I am not a network expert and I want to make P2P work
Troubleshooting P2P is quite complex; we recommend using port address translation as an alternative.
 
P2P advanced troubleshooting
 
Types of NAT

Generic principle of Network Address Translation (RFC 3489)

- The local IP is replaced by the external (public) IP.
- An external random* port is opened.

*except for symmetric NAT

NAT Table:
192.168.1.108:8000 -> @:1000

Outbound:
LAN  From: 192.168.1.108:8000  To: 2.2.2.2:2000  ->  WAN  From: 1.1.1.1:1000  To: 2.2.2.2:2000

Inbound:
WAN  To: 1.1.1.1:1000  From: 2.2.2.2:2000  ->  LAN  To: 192.168.1.108:8000  From: 2.2.2.2:2000
WAN  To: 1.1.1.1:3000  From: 3.3.3.3:3000  ->  (not forwarded)
 
Full cone NAT

Any host can contact the external port.

NAT Table:
192.168.1.108:8000 -> @:1000

Outbound:
LAN  From: 192.168.1.108:8000  To: 2.2.2.2:2000  ->  WAN  From: 1.1.1.1:1000  To: 2.2.2.2:2000

Inbound:
WAN  To: 1.1.1.1:1000  From: 2.2.2.2:2000  ->  LAN  To: 192.168.1.108:8000  From: 2.2.2.2:2000
WAN  To: 1.1.1.1:1000  From: 2.2.2.2:3000  ->  LAN  To: 192.168.1.108:8000  From: 2.2.2.2:3000
WAN  To: 1.1.1.1:1000  From: 3.3.3.3:3000  ->  LAN  To: 192.168.1.108:8000  From: 3.3.3.3:3000
 
(Address) restricted cone NAT

Only the remote host can contact back, from any of its ports.

NAT Table:
192.168.1.108:8000 -> @:1000 (2.2.2.2)

Outbound:
LAN  From: 192.168.1.108:8000  To: 2.2.2.2:2000  ->  WAN  From: 1.1.1.1:1000  To: 2.2.2.2:2000

Inbound:
WAN  To: 1.1.1.1:1000  From: 2.2.2.2:2000  ->  LAN  To: 192.168.1.108:8000  From: 2.2.2.2:2000
WAN  To: 1.1.1.1:1000  From: 2.2.2.2:3000  ->  LAN  To: 192.168.1.108:8000  From: 2.2.2.2:3000
WAN  To: 1.1.1.1:1000  From: 3.3.3.3:3000  ->  (not forwarded)
 
Port restricted cone NAT

Only the remote host can contact back, and only from the same port we sent the packet to.

NAT Table:
192.168.1.108:8000 -> @:1000 (2.2.2.2:2000)

Outbound:
LAN  From: 192.168.1.108:8000  To: 2.2.2.2:2000  ->  WAN  From: 1.1.1.1:1000  To: 2.2.2.2:2000

Inbound:
WAN  To: 1.1.1.1:1000  From: 2.2.2.2:2000  ->  LAN  To: 192.168.1.108:8000  From: 2.2.2.2:2000
WAN  To: 1.1.1.1:1000  From: 2.2.2.2:3000  ->  (not forwarded)
WAN  To: 1.1.1.1:1000  From: 3.3.3.3:3000  ->  (not forwarded)
 
Symmetric NAT

The router tries, if possible, to use the same source port to expose on the internet.
Only the remote host can contact back, and only from the same port we sent the packet to.

NAT Table:
192.168.1.108:8000 -> @:8000 (2.2.2.2:2000)

Outbound:
LAN  From: 192.168.1.108:8000  To: 2.2.2.2:2000  ->  WAN  From: 1.1.1.1:8000  To: 2.2.2.2:2000

Inbound:
WAN  To: 1.1.1.1:8000  From: 2.2.2.2:2000  ->  LAN  To: 192.168.1.108:8000  From: 2.2.2.2:2000
WAN  To: 1.1.1.1:8000  From: 2.2.2.2:3000  ->  (not forwarded)
WAN  To: 1.1.1.1:8000  From: 3.3.3.3:3000  ->  (not forwarded)
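The inbound filtering shown on the four NAT slides can be replayed with a small model. This is an added example, not part of the original deck or any Dahua code; it goes beyond the slides by also modelling the RFC 3489 rule that a symmetric NAT allocates a separate mapping per destination. The sequential port allocator and the `Nat`, `replay` and `external_ports` names are assumptions made for illustration.

```python
PUBLIC_IP = "1.1.1.1"            # router public address used on the slides
LAN = ("192.168.1.108", 8000)    # device endpoint used on the slides
PROBES = [("2.2.2.2", 2000), ("2.2.2.2", 3000), ("3.3.3.3", 3000)]

class Nat:
    def __init__(self, kind, first_port=1000):
        self.kind = kind             # full_cone | restricted | port_restricted | symmetric
        self.next_port = first_port  # constructed allocator: sequential external ports
        self.by_key = {}             # mapping key -> external port
        self.entries = {}            # external port -> (LAN endpoint, contacted remotes)

    def outbound(self, lan, remote):
        """Create or reuse a mapping; return the external (ip, port)."""
        # RFC 3489: cone NATs map per LAN endpoint, symmetric NATs per destination.
        key = (lan, remote) if self.kind == "symmetric" else lan
        if key not in self.by_key:
            self.by_key[key] = self.next_port
            self.entries[self.next_port] = (lan, set())
            self.next_port += 1
        port = self.by_key[key]
        self.entries[port][1].add(remote)
        return PUBLIC_IP, port

    def inbound(self, ext_port, src):
        """Return the LAN endpoint the packet reaches, or None if dropped."""
        if ext_port not in self.entries:
            return None
        lan, contacted = self.entries[ext_port]
        if self.kind == "full_cone":
            allowed = True
        elif self.kind == "restricted":
            allowed = src[0] in {ip for ip, _ in contacted}
        else:  # port_restricted and symmetric: exact ip:port must match
            allowed = src in contacted
        return lan if allowed else None

def replay(kind):
    """Send one packet to 2.2.2.2:2000, then try the slides' three senders."""
    nat = Nat(kind)
    _, ext_port = nat.outbound(LAN, PROBES[0])
    return [nat.inbound(ext_port, src) is not None for src in PROBES]

def external_ports(kind):
    """External ports two different destinations see for the same LAN socket."""
    nat = Nat(kind)
    return [nat.outbound(LAN, dst)[1] for dst in (PROBES[0], PROBES[2])]

for kind in ("full_cone", "restricted", "port_restricted", "symmetric"):
    print(f"{kind:16} forwarded={replay(kind)} ext_ports={external_ports(kind)}")
```

Port restricted and symmetric NAT filter inbound traffic identically; only the second column, the external port seen by a second destination, tells them apart.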
 
Network topology detection

Network type detection

STUN

The STUN server provides information from outside (IP address, contacted port, etc.).
The STUN server is used to detect the local network topology.
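To read the "information from outside" during troubleshooting, the mapped address can be decoded from a STUN Binding response. This is an added example, not Dahua's implementation: it assumes standard STUN framing (RFC 3489 MAPPED-ADDRESS and RFC 5389 XOR-MAPPED-ADDRESS), which the page does not confirm for the Dahua service, and `sample_response` with its addresses is constructed test data.

```python
import os, socket, struct

MAGIC = 0x2112A442                      # RFC 5389 magic cookie
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020

def binding_request(txid=None):
    """20-byte Binding request: type, length 0, cookie, 12-byte transaction ID."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC) + (txid or os.urandom(12))

def mapped_address(response, request):
    """Return the (ip, port) the server saw; raise ValueError on anything else."""
    if len(response) < 20 or response[4:20] != request[4:20]:
        raise ValueError("not a reply to this request")
    mtype, mlen = struct.unpack("!HH", response[:4])
    if mtype != BINDING_SUCCESS or len(response) < 20 + mlen:
        raise ValueError("not a complete Binding success response")
    pos, end = 20, 20 + mlen
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", response[pos:pos + 4])
        value = response[pos + 4:pos + 4 + alen]
        if atype in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and len(value) == 8 and value[1] == 1:
            port, addr = struct.unpack("!HI", value[2:8])
            if atype == XOR_MAPPED_ADDRESS:   # un-mask with the magic cookie
                port, addr = port ^ (MAGIC >> 16), addr ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)         # attributes are padded to 4 bytes
    raise ValueError("no IPv4 mapped-address attribute")

def mapping_varies(mapped_a, mapped_b):
    """True when one local socket got different mappings from two servers,
    i.e. the per-destination mapping of a symmetric NAT."""
    return mapped_a != mapped_b

def sample_response(request, ip, port, xor=True):
    """Constructed test data: the reply a server would send for `request`."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:
        port, addr = port ^ (MAGIC >> 16), addr ^ MAGIC
    atype = XOR_MAPPED_ADDRESS if xor else MAPPED_ADDRESS
    attr = struct.pack("!HHBBHI", atype, 8, 0, 1, port, addr)
    return struct.pack("!HH", BINDING_SUCCESS, len(attr)) + request[4:20] + attr

req = binding_request()
first = mapped_address(sample_response(req, "1.1.1.1", 1000), req)
second = mapped_address(sample_response(req, "1.1.1.1", 1001, xor=False), req)
print(first, second, "mapping varies:", mapping_varies(first, second))
```

In a live test the two responses come from two different servers queried from the same local UDP socket; identical mappings point to a cone NAT, differing ones to a symmetric NAT.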
 
TURN

The TURN server is the last resort (fallback mode) when no option exists to connect two peers together directly.
 
Troubleshooting steps

1. Identify the topology on both sides of the network.

2. Make sure there is no:
- Operator NAT (Bouygues)
- Host IPv4 sharing (Free)
- Symmetric NAT (Orange)
- Port restricted NAT (Orange)

3. Perform tests from different networks (client device).
4. When possible, check the router NAT table to identify which port is opened and which is not.
5. Perform a network capture using port mirroring and contact Dahua with the network capture:
julien.blitte@dahuatech.com
 
P2P alternatives

(Static) Port Address Translation

The router always exposes a defined port and redirects it to the same device and port.
Any remote host that knows the port can access the device. The public IP must be fixed.
This is the recommended solution.
For security reasons, the external port should always be different from the default device port.

PAT Table (config):
@:1000 -> 192.168.1.108:8000

NAT Table (dynamic):
...

Inbound:
WAN  To: 1.1.1.1:1000  From: 2.2.2.2:2000  ->  LAN  To: 192.168.1.108:8000  From: 2.2.2.2:2000
WAN  To: 1.1.1.1:1000  From: 3.3.3.3:3000  ->  LAN  To: 192.168.1.108:8000  From: 3.3.3.3:2300
WAN  To: 1.1.1.1:8000  From: 2.2.2.2:2000  ->  (not forwarded)
 
DMZ

The router forwards all incoming requests to the same device on the network, keeping the same destination port.

This configuration is a security suicide. All the ports are exposed.

Configuration:
DMZ = 192.168.1.108

NAT Table (dynamic):
...

Inbound:
WAN  To: 1.1.1.1:1000  From: 2.2.2.2:2000  ->  LAN  To: 192.168.1.108:1000  From: 2.2.2.2:2000
WAN  To: 1.1.1.1:8000  From: 2.2.2.2:2000  ->  LAN  To: 192.168.1.108:8000  From: 2.2.2.2:2000
WAN  To: 1.1.1.1:4000  From: 2.2.2.2:2000  ->  LAN  To: 192.168.1.108:4000  From: 2.2.2.2:3000
WAN  To: 1.1.1.1:5000  From: 3.3.3.3:3000  ->  LAN  To: 192.168.1.108:5000  From: 3.3.3.3:3000
 
UPnP

The device detects the router and dynamically provides the port to forward. The public IP must be fixed.

This can be a risk (default port exposed, customer unaware).

UPnP: create PAT on port 1000 for 192.168.1.108:8000

UPnP Table (dynamic):
@:1000 -> 192.168.1.108:8000

NAT Table (dynamic):
...

Inbound:
WAN  To: 1.1.1.1:1000  From: 2.2.2.2:2000  ->  LAN  To: 192.168.1.108:8000  From: 2.2.2.2:2000

This troubleshooting guide is tailored for operators, network experts, and engineers dealing with Dahua P2P NAT traversal protocol issues. It covers different types of NAT, including Full Cone NAT, Restricted Cone NAT, Port Restricted Cone NAT, and Symmetric NAT, providing insights and solutions for complex P2P connectivity issues.


Uploaded on Jul 22, 2024 | 0 Views

