Listen ports for nodes behind NAT
If nodes on the same local network behind NAT are set to the same listen port, the router might not be able to correctly route the response packets from the lighthouse and other nodes outside the local network back to the correct node.
As a result, nodes on the local network will suddenly stop being able to access the Nebula network, if more than one node generates traffic at the same time. The issue is quite "mysterious", as each node works individually and there is no error indication other than timeouts.
Recommend adding a note to the sample configuration to help prevent others from spending hours figuring out why a configuration copied from a working node would suddenly not work on another.
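To make the failure mode in the description concrete, here is an added Python model of a stateful UDP NAT in front of two Nebula nodes. It is an illustration written for this thread, not Nebula code and not something the reporter or maintainers posted; the addresses, the port 4242, and the two NAT behaviours it compares are assumptions. The `port_preserving=True` mode keeps the internal source port as the external port and lets the second node silently overwrite the first node's reverse mapping, which is the symptom the description reports; `port_preserving=False` allocates a fresh external port per (internal IP, port) pair, which is the behaviour a NAT should have. The third scenario shows that giving each node a distinct listen port sidesteps the collision even on the port-preserving NAT.

```python
"""Toy model of outbound UDP NAT mappings (constructed example, not Nebula code)."""
from dataclasses import dataclass, field

LIGHTHOUSE = ("203.0.113.5", 4242)   # constructed public address of the lighthouse
NAT_PUBLIC_IP = "198.51.100.7"       # constructed public address of the home router


@dataclass
class Nat:
    """Minimal stateful NAT for UDP flows.

    port_preserving=True: the external port equals the internal source port,
    and the reverse mapping for that port is overwritten by whichever internal
    node sent most recently (models the misrouting described in the PR).
    port_preserving=False: each distinct (internal_ip, internal_port) pair is
    given its own external port, so replies can always be told apart.
    """
    port_preserving: bool
    next_port: int = 40000
    inbound: dict = field(default_factory=dict)   # external_port -> (ip, port)
    outbound: dict = field(default_factory=dict)  # (ip, port) -> external_port

    def translate_out(self, src, dst):
        """Return the (public_ip, public_port) stamped on an outbound packet."""
        if self.port_preserving:
            ext = src[1]                  # keep the internal port as-is
            self.inbound[ext] = src       # last sender wins the reverse mapping
        elif src in self.outbound:
            ext = self.outbound[src]      # existing flow, reuse its mapping
        else:
            ext = self.next_port          # new flow gets a unique external port
            self.next_port += 1
            self.inbound[ext] = src
        self.outbound[src] = ext
        return (NAT_PUBLIC_IP, ext)

    def translate_in(self, dst_port):
        """Deliver a reply arriving on dst_port to whichever node owns the mapping."""
        return self.inbound.get(dst_port)


def simulate(nat, nodes):
    """Every node sends one packet to the lighthouse, then the lighthouse
    replies to the public address it saw for each.  Returns a map from
    sending node to the node that actually received its reply."""
    public = {node: nat.translate_out(node, LIGHTHOUSE) for node in nodes}
    return {node: nat.translate_in(pub[1]) for node, pub in public.items()}


def misrouted(result):
    """Nodes whose replies were delivered to a different node (or dropped)."""
    return [node for node, receiver in result.items() if receiver != node]


if __name__ == "__main__":
    node_a = ("192.168.1.10", 4242)   # constructed LAN addresses
    node_b = ("192.168.1.11", 4242)   # same listen port as node_a
    print("port-preserving NAT, same port :", misrouted(simulate(Nat(True), [node_a, node_b])))
    print("correct NAT, same port         :", misrouted(simulate(Nat(False), [node_a, node_b])))
    node_c = ("192.168.1.11", 4243)   # distinct listen port
    print("port-preserving NAT, distinct  :", misrouted(simulate(Nat(True), [node_a, node_c])))
```

Running it shows node_a losing its replies only in the first scenario, which matches the report that each node works alone but breaks once a second node on the same port starts talking at the same time.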
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
@tahyonline - what kind of NAT device are you using?
NAT devices should be able to correctly handle the situation you describe. If you can share more about your network setup, I can investigate further.
Internal router behind a carrier-provided router behind CG-NAT... which should be (or become) pretty much the norm for all except corporate networks, where edge routers can still get real IP addresses.
In my case, the internal router will route to Starlink or mobile broadband as backup if Starlink is down, but the primary link was up.
@tahyonline thanks! What brand and model of internal router are you using? And what NAT configuration settings are you using on that router?
@brad-defined It's a Pepwave MAX On-The-Go MAX-OTG-U4, doing NAT and DHCP.
There are three internal VLANs: main, guest and IoT. All Nebula nodes are on the main net. To my knowledge, none of the devices on the IoT network use the same UDP port as Nebula and the port is not allowed anyway on that VLAN. No stations on the guest network.
There are the two WAN connections, both DHCP and NAT enabled, and there are no other NAT-related settings.
Were there any other settings that might be pertinent?
Thanks for the PR; we don't believe this is a common issue with NATs in general. Thanks for mentioning the issue in case it comes up again.