Educause Security Discussion mailing list archives

Re: gamer clubs


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 6 Apr 2016 10:37:38 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 05/04/16 17:37, Joey Rego wrote:

> Question for those of you that host the gamer networks.  We get
> some complaints from students regarding their NAT type being
> Strict depending on the type of gaming system.  Most games seem to
> work but there are some that don’t from what I am told.  I am not a
> gamer so go gently.  lol


> 1. What method are you providing external IP addresses for
> gamers?  One to One Nat/ one to Many Nat/PAT?

It depends. Consoles, "smart TVs", etc., get a "public" IP but they're
behind a default-deny firewall. Those firewalls do sloppy state
management, though, so once they connect out, anyone can connect back
on that port (see Open NAT/sloppy management below).

If they want a dedicated gaming server then they get a "public" IP in
a DMZ area.

> 2. How many external IP addresses are you assigning to these
> gamer networks on average?

Again, it depends. Consoles and similar are in a /22. The dedicated
game servers are in a /29.

There are two types of things going on here.

1) the case where students wanted to run PCs dedicated to hosting
games -- this is the scenario we addressed by carving out a DMZ segment.

2) companies like Microsoft assuming you're using firewalls that don't
enforce state (or that you let your users change firewall policy on
the fly, or that you're not using one at all). This is where the NAT
Type stuff comes into play -- they expect consoles to generally do P2P.

I guess it's worth a high-level dive into NAT (or NAT/PAT for the
pedantic, because I know someone will hop in and say, "BUT THAT'S
PAT!" ;) ).

<u0:p1> <--router:p2--> <s0:p3>

Proper state enforcement (closed NAT, aka Strict):

User 0 makes a connection to server 0. The source port is 1 for the
user. The router makes the NAT connection to the server from its own
source port 2. The server sees the IP of the router and the router's
port 2. If the server tries to send back to port 1 it will fail. If
some other server, s1, tries to connect back to the router on any
port, it will fail. This is how many-to-one NAT works.

Moderate state enforcement (moderate NAT):

User 0 makes a connection to server 0. The source port is 1 for the
user. The router makes the NAT connection to the server from its own
source port 2. The server sees the IP of the router and the router's
port 2. If the server tries to send traffic to _any_ port on the IP it
sees of the router, it gets passed back to u0. This is how one-to-one
NAT _can_ work.

Sloppy state enforcement (open NAT):

User 0 makes a connection to server 0. The source port is 1 for the
user. The router makes the NAT connection to the server from its own
source port 2. The server sees the IP of the router and the router's
port 2. If the server tries to send back to _any_ port on the IP it
saw, it gets forwarded to u0. If another server tries to send to port
2 then it gets forwarded to u0 but any other ports fail.

Basically, it's like this:

closed - I can chat to you, you can chat to me but only on an
established port tuple

moderate - I can chat to you, you can chat to me on any port

open - I can chat to you, anyone else can chat back to me on the same port

Pictures make this a lot easier to describe :-)

Some firewalls (like pf) do "strict" state enforcement and you need to
use something like upnp (so your clients can modify your campus
firewall rules on the fly!) for some game networks to function. Some
firewalls do really sloppy state enforcement and anyone making an
outbound connection can now become a server to the world.

kmw
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlcFHy8ACgkQsKMTOtQ3fKFA6gCgilHdUHpEK0COSH2dnGToP3nV
FYUAnj65A1AhgXA5GqygFfflC7nRGtzi
=xy0L
-----END PGP SIGNATURE-----
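The three state-enforcement behaviours Kevin walks through (closed/Strict, moderate, open/sloppy) are easiest to reason about with a concrete translation table in front of you. The following is an added example written for this archive page, not code from the thread or from any firewall product: a small Python model of a many-to-one NAT whose inbound-acceptance rule is switched between the three policies as the post describes them. The addresses, port numbers and the `exposed_ports` check are all constructed for the illustration; how the policy names map onto any particular vendor's "NAT type" label is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy names follow the post's three categories (assumption: they are
# the post's descriptions, not any vendor's exact implementation).
CLOSED, MODERATE, OPEN = "closed", "moderate", "open"

Endpoint = Tuple[str, int]

# Constructed addresses (RFC 5737 documentation ranges), playing the
# roles of u0, s0 and "some other server" s1 from the post.
U0: Endpoint = ("10.0.0.5", 1)          # user 0, source port p1
S0: Endpoint = ("203.0.113.10", 3)      # server 0, port p3
S1: Endpoint = ("203.0.113.20", 3)      # unrelated server 1


@dataclass
class Mapping:
    internal: Endpoint   # u0's address and source port (p1)
    remote: Endpoint     # the server u0 connected out to (s0:p3)
    router_port: int     # router's own source port for this flow (p2)


@dataclass
class Nat:
    policy: str
    public_ip: str = "198.51.100.1"     # constructed router address
    next_port: int = 40000
    table: Dict[int, Mapping] = field(default_factory=dict)

    def outbound(self, internal: Endpoint, remote: Endpoint) -> int:
        """u0 connects out; the router allocates p2 and records the flow."""
        port = self.next_port
        self.next_port += 1
        self.table[port] = Mapping(internal, remote, port)
        return port

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Return the internal endpoint an inbound packet reaches, or None if dropped."""
        if self.policy == CLOSED:
            # Only the established tuple: s0 -> router:p2 is passed back to u0.
            m = self.table.get(dst_port)
            return m.internal if m and m.remote == src else None
        if self.policy == MODERATE:
            # s0 may hit any port on the public IP; other hosts are dropped.
            for m in self.table.values():
                if m.remote == src:
                    return m.internal
            return None
        if self.policy == OPEN:
            # s0 may hit any port, and anyone may hit p2; other ports fail.
            for m in self.table.values():
                if m.remote == src:
                    return m.internal
            m = self.table.get(dst_port)
            return m.internal if m else None
        raise ValueError(f"unknown policy {self.policy!r}")


def exposed_ports(nat: Nat, probe: Endpoint = ("192.0.2.99", 50000)) -> List[int]:
    """Defender check (constructed): which router ports would a host the
    client never talked to be able to reach? Non-empty means an outbound
    connection has turned u0 into a server for the world."""
    return [p for p in nat.table if nat.inbound(probe, p) is not None]


def demo(policy: str) -> dict:
    """Replay the post's scenario under one policy and report what gets through."""
    nat = Nat(policy)
    p2 = nat.outbound(U0, S0)            # u0:p1 -> s0:p3 via router:p2
    return {
        "s0_to_p2": nat.inbound(S0, p2),         # the established tuple
        "s0_to_other": nat.inbound(S0, p2 + 7),  # s0 to some other router port
        "s1_to_p2": nat.inbound(S1, p2),         # a stranger to p2
        "s1_to_other": nat.inbound(S1, p2 + 7),  # a stranger to another port
        "exposed": exposed_ports(nat),
    }


if __name__ == "__main__":
    for policy in (CLOSED, MODERATE, OPEN):
        print(policy, demo(policy))
```

Running it shows the progression the post describes: under `closed` only the `s0_to_p2` packet reaches u0; under `moderate` s0 reaches u0 on any port but s1 is dropped everywhere; under `open` s1 also gets through on p2, and `exposed_ports` reports that port, which is the condition to look for when deciding whether a "sloppy" firewall has quietly published every gaming console as a reachable service.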

