and Firewalls
This tutorial shows you how to get running in the presence of Network Address Translators and Firewalls. The approach has many tiers, and supports a large variety of configurations. Here are some examples:
Internet routable IP address (the simplest)
A deployment that doesn't use the internet (completely on the LAN).
Bind to a specific address if there are multiple NICs on the local machine.
User configured port forwarding on the NAT.
Automatically configure port forwarding if UPnP is enabled.
Uncooperative NAT/Firewall which only allows outgoing connections.
Currently only supports relaying via non firewalled node.
Moves toward using NAT hole punching solution such as STUN or STUNT.
Constructor
Most of this flexibility is automatic if you use the extended constructor. The most important field to set is the Collection<InetSocketAddress> probeAddresses to the bootstrap node(s).
/** * May block for more than a second to determine network information. * * @param nf can be null, but must call newNode() with a NodeId of the new PastryNode * @param bindAddress the NIC to use (null will choose one that can access the Internet) * @param startPort the port of the first created node, will be incremented for additional nodes, * can be specified on a per-Node basis by calling newNode() with a MultiInetSocketAddress * @param env can't be null * @param handler will attempt to use SBBI's UPnP library if null, unless blocked by deleting the * param "nat_handler_class" * @param probeAddresses a list of bootstrap nodes' Internet routable addresses, used to establish * firewall information * @param externalAddresses ordered addresses of the nat propagation from most external to most internal, * null will use natHandler and probeAddresses to determine this */ public InternetPastryNodeFactory(NodeIdFactory nf, InetAddress bindAddress, int startPort, Environment env, NATHandler handler, CollectionprobeAddresses, InetAddress[] externalAddresses) throws IOException {
Notes
The constructor of the InternetPastryNodeFactory may block for more than a second to determine firewall settings
Bootstrap nodes must be Internet routable, or have port forwarding configured on the NAT.
More than 1 layer of NAT requires manual configuration:
set InetAddress[] externalAddresses in the extended constructor
construct PastryNode by calling newNode(final Id nodeId, final MultiInetSocketAddress pAddress) with apropriately constructed MultiInetSocketAddress
About 5% (or more) of the network must have an Internet routable address, or have a "cooperative" NAT/Firewall. Cooperative means that manual port forwarding or UPnP has been enabled.
Both UDP and TCP must be fowarded, and on the same port.
You can't mix using the InternetPastryNodeFactory and the SocketPastryNodeFactory in the same ring.
Multiple NICs
You can specify the bindAddress in the InternetPastryNodeFactory's extended constructor.
Manual Configuration
If you have manually configured the NAT, the easiest way to create a new node is to use one of these versions of newNode()
/** * This method uses the pAddress as the outer address if it's non-null. * It automatically generates the internal address from the localAddress, and increments the port as necessary. * * @param nodeId * @param pAddress * @return */ public synchronized PastryNode newNode(final Id nodeId, final InetSocketAddress pAddress) { /** * Method which creates a Pastry node from the next port with the specified * nodeId (or one generated from the NodeIdFactory if not specified) * * @param nodeId * if non-null, will use this nodeId for the node, rather than using * the NodeIdFactory * @param pAddress * The address to claim that this node is at - used for proxies * behind NATs * @return A node with a random ID and next port number. */ public synchronized PastryNode newNode(final Id nodeId, final MultiInetSocketAddress pAddress) throws IOException { UPnP
If you include the sbbi-upnplib jar, then will attempt to use UPnP to set a port forwarding for each node created. It will attempt to reuse a forwarding if already configured.
How does it work?
Ip Address Determination
The fist step in joining a ring is to determine your addresses. There can be more than one when using a NAT. Many NATs don't support "hairpinning." Hairpinning allows nodes behind the NAT to route to each other using the port forwarding configured on the NAT. For this reason, NATted nodes must know their internal address (ip:port) to communicate with each other on the same LAN, as well as their external address (ip:port) so that nodes outside the NAT can contact them.
NAT Port Forwarding
Either this is manually configured and newNode() is called with a proper MultiInetSocketAddress, or uses UPnP.
Configuration Check
Once determines the local computer's configuration, it must be tested. This requires 2 other nodes to be in the ring. This is required because the NAT may hold open a port to a single node, so just having the bootstrap node ping the local node to determine that the port forwarding worked my give incorrect results.
Essentially the way this works is that you source route a message to yourself via 2 other nodes. Alice -> Bob -> Carol -> Alice. This proves that the NAT is forwarding connections from a node that the local node didn't initiate the connection to.
Uncooperative NAT
In this case the external port doesn't matter, but the external address is still used to allow nodes behind the same NAT to find each other. Even though no Port Forwarding rules will be set, it is important to use the extended constructor. Manually set externalAddresses or include the bootstrap node's addresses in the probeAddresses.
In this case, the configuration check will fail, and the NodeHandle is marked Firewalled. You can see this status from the NodeHandle's toString() , or by casting the NodeHandle to a RendezvousSocketNodeHandle and calling canContactDirect() . Firewalled nodes will return false.
Firewalled status means that the firewall does not have port forwardings -- it is uncooperative.
When a non-firewalled node attempts to open a TCP connection to a firewalled node, a message is routed to the node, and the node responds by opening a TCP connection.
When a firewalled node attempts to open a TCP connection to a firewalled node, a random non-firewalled node is selected from the initiating node's LeafSet is used to relay the traffic.
Requirements
Due to the relaying requirement, about 5% of the nodes must be non-firewalled, or have cooperative firewalls. Technically, each leafset must contain at least 1 non-firewalled node. If this is not true, the node will not join the ring. Another way of expressing the requirement is that there can't be a stretch of 25 firewalled nodes. If this occurs, new firewalled nodes can't join the ring.