Hello Brian. I think you're making all this "NAT" look a lot more difficult than it really is. Here's why:

Most people behind a NAT are probably using a single "external" IP address and many different internal IP addresses. Most of those boxes allow _NO_ incoming connections to the computers behind the box unless (a) the incoming connection is related to a connection initiated from one of the computers behind the box OR (b) the box has been specifically configured for a DMZ or for port forwarding. This is why a NAT box is a very efficient firewall for a home user! All the complications with multiple available external IP addresses and multiple internal addresses probably do exist, but by the time you've got multiple external IP addresses you probably have the knowledge and technology to properly use those IPs. By the time you get multiple IP addresses you either have a switch (in which case you no longer have a "NAT") or you have a really, really smart router that's probably going to be smart enough to SIMPLIFY things, not complicate them. Please note the Internet is designed for 1:1 communication between computers, and they tend to ignore any kind of NAT box in the middle. The only time this "abstraction" fails is when you need to use connection-less protocols like UDP for things like DNS, Time Sync or VoIP.

So in my opinion it all boils down to a few simple rules.

(1) The connection from a CLIENT to a SERVER will always present an Internet/routable IP address to the SERVER. That address might be the client's address or the NAT's routable address, but it will be a routable address. You can determine that address from whatever technology you're using within the server (be it PHP or a different server technology).

(2) When you need to connect from the SERVER to the CLIENT (reversing the connection and, in fact, turning the client into a server and vice versa) you'll be facing a few formidable obstacles that are completely outside the control of the former server: you'll need to face the client's ISP firewall (they might not allow connections to certain ports in order to stop them from running "servers" and eating up bandwidth), you'll need to deal with the client's firewall, and you'll need to deal with the client's NAT box. A NAT box is not more difficult to configure than a firewall, although the terminology might be different.

So to the original poster (Human): if you record the IP addresses used by clients for a central-server based registration, use the IP from the connection, not the address the client computer thinks it has. The client computer might think it has a 192.168.0.1 IP address, but by the time it manages to create a connection to your server it will have to reveal its real (NAT) address. Other than this you'll need to provide documentation for configuring the most common firewalls (Windows' built-in firewall being one of the most important) and samples of how to configure a generic NAT box. Besides providing documentation on how to do those configuration changes there's pretty much nothing you can do. After all, you're fighting things specifically designed to stop incoming connections (firewalls) or boxes that are unable to know where to send incoming packets unless they have a "reverse" connection (NAT boxes).

Brian wrote:
> Many (most ?) people these days have a router/switch/wireless box on their
> end of a broadband internet connection which they use to allow multiple
> computers to access the Internet. Almost all of these devices offer some
> form of NAT
>
> From CISCO ...
>
> Static NAT - Mapping an unregistered IP address to a registered IP address
> on a one-to-one basis.
>
> Dynamic NAT - Maps an unregistered IP address to a registered IP address
> from a group of registered IP addresses. Dynamic NAT also establishes a
> one-to-one mapping between unregistered and registered IP address, but the
> mapping could vary depending on the registered address available in the
> pool, at the time of communication.
>
> Overloading - A form of dynamic NAT that maps multiple unregistered IP
> addresses to a single registered IP address by using different ports.
> Known also as PAT (Port Address Translation), single address NAT or
> port-level multiplexed NAT.
>
> ie you might have
> Externally            Internally
> 213.12.15.16:21       192.168.32.10:21      ie FTP
> 213.12.15.16:80       192.168.32.11:80      ie HTTP
> 213.12.15.16:1234     192.168.32.12:2345    ie your "server"
>
> NB Most of the smaller/cheaper broadband routers utilise "overloading".
>
> As a result of all of this, you "cannot" assume that a client can
> communicate with your server based on the parameters detectable at the
> server. It cannot know that its address (and possibly port) is being
> translated.
>
> Therefore, you need to incorporate a configuration form into which a user
> can enter the necessary IP-address and port details.
> (info available via your "web server"/"support section" ...., etc)
>
> An added complication is the assignment of the external address(es) by the
> ISP - if dynamic, then these addresses can (and usually do) change. One
> possible way around this is to utilise a service like DYNDNS.ORG and always
> refer to your server IP-address by that name (rather than using the actual
> IP address).
>
> Again, as someone has already mentioned - check your ISP broadband contract
> to what "server" functionality you are allowed to implement .......
>
> Regards,
> Bria

__________________________________________________
Delphi-Talk mailing list -> [email protected]
http://www.elists.org/mailman/listinfo/delphi-talk
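An added example, not from this thread or any of its posters, that models the "overloading" (PAT) box from Brian's table and the registration rule above (record the address the connection shows, not the one the client reports). The class and function names, the starting external port 40000 and the behind_nat heuristic are assumptions made for the illustration; the addresses are the ones quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PatBox:
    """Toy model of a home router doing 'overloading' (PAT) on one external IP."""
    external_ip: str
    next_port: int = 40000                          # first dynamically allocated external port (assumed)
    table: dict = field(default_factory=dict)       # (internal_ip, internal_port) -> external_port
    reverse: dict = field(default_factory=dict)     # external_port -> (internal_ip, internal_port)

    def outbound(self, src_ip, src_port):
        """Client -> Internet: rewrite the source to external_ip:port and remember the mapping."""
        key = (src_ip, src_port)
        if key not in self.table:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[key] = port
            self.reverse[port] = key
        return self.external_ip, self.table[key]

    def inbound(self, dst_port):
        """Internet -> client: delivered only if a mapping exists; None means the packet is dropped."""
        return self.reverse.get(dst_port)

    def forward(self, ext_port, int_ip, int_port):
        """Port forwarding (case (b) above): an explicit mapping so unsolicited traffic can get in."""
        self.reverse[ext_port] = (int_ip, int_port)


def register_client(peer_addr, self_reported_ip):
    """Server side: record the address seen on the connection, not what the client claims.
    behind_nat is a heuristic: a private claimed address, or a mismatch with the peer, means the path rewrote it."""
    peer_ip, peer_port = peer_addr
    claimed_private = ipaddress.ip_address(self_reported_ip).is_private
    return {
        "recorded_ip": peer_ip,
        "recorded_port": peer_port,
        "behind_nat": claimed_private or self_reported_ip != peer_ip,
    }


if __name__ == "__main__":
    box = PatBox("213.12.15.16")                          # external address from Brian's table
    ext = box.outbound("192.168.32.12", 2345)             # the client's "server" connects out first
    print("server sees", ext, "->", register_client(ext, "192.168.32.12"))
    print("reply to mapped port:", box.inbound(ext[1]))   # delivered through the learned mapping
    print("unsolicited to 1234:", box.inbound(1234))      # None: dropped until forwarding is configured
    box.forward(1234, "192.168.32.12", 2345)
    print("after port forwarding:", box.inbound(1234))
```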
