undefined | Better HN

0 pointsOldTimeCoffee4y ago0 comments

It's disabled on all AT&T Residential Gateways and can't be enabled, you have to use port forwarding or put another router behind it using IP Passthrough. It's also disabled by default on EdgeRouters and can only be enabled in the ConfigTree or CLI. On UniFi it's disabled, but can be enabled in the GUI.

It's a convenience over control item. Most things do NAT traversal pretty well anyway, UPnP IGD has run it's course at this point. PCP is better in every way, push for that instead.

0 comments

DanAtC4y ago

How is PCP any better? It would allow malware to open ports just the same.

OldTimeCoffeeOP4y ago

I don't think that's really a problem you can solve regardless. A STUN server would make most NAT irrelevant anyway. Most firewalls are setup to allow established connections, so you just need to create an outbound connection to allow the inbound. You can basically use the same techniques as SIP/RTP when they do NAT traversal.

PCP is better than UPnP IGD, most importantly because it time limits the opening so port reuse is easier. I wouldn't use either in practice. I wouldn't suggest NAT-PMP either. I wouldn't use port forwarding if I could avoid it as well. I'd use destination NAT with a source IP range I knew in advance so it wouldn't show as easily in port scans. Someone is likely to tell me why that's a terrible idea, but it's my (current) preferred method.

j / k navigate · click thread line to collapse

0 comments

DanAtC4y ago

How is PCP any better? It would allow malware to open ports just the same.

OldTimeCoffeeOP4y ago

j / k navigate · click thread line to collapse