25

I am working on hole punching using UDP and UDT. For the final testing I need to test the application on different NAT types (symmetric, full cone, restricted cone, and port-restricted NATs).

Is there any method by which I can simulate these? What I expect here is some kind of VirtualBox setup. Can I use a PC as a router so that I can configure it according to my needs?

In general, how do we test applications for different network conditions?

user739711
  • Hi, I am in need of setting up the exact same environments for the same reason. What did you end up using? According to https://forum.pfsense.org/index.php?topic=58860.0 it is not possible to simulate all the types of NAT cones – Ol1v3r Feb 08 '15 at 09:37
  • 1
    at the time I could not find a perfect solution... We brought new routers for testing different behaviours.. I have changed my job 2 yrs back, so not in touch anymore.. – user739711 Feb 09 '15 at 06:26

2 Answers

19

Just in case someone else is looking to do this, this website explains how to set up the different NAT environments using IPTables.

Update

It has been a few years since I did this. Given that the link was placed behind a login, and the rewind was also placed behind a login, I went through my notes from back then and found the following. Please note these are untested.

Full Cone NAT;

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source "public IP"
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination "private IP"

Restricted Cone NAT;

iptables -t nat -A POSTROUTING -o eth1 -p udp -j SNAT --to-source "public IP"
iptables -t nat -A PREROUTING -i eth1 -p udp -j DNAT --to-destination "private IP"
iptables -A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m state --state NEW -j DROP

Port Restricted Cone NAT;

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "public IP"

Symmetric NAT;

echo "1" >/proc/sys/net/ipv4/ip_forward
iptables --flush
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --random
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
urban_raccoons
Ol1v3r
  • The link is behind a login, is the content available anywhere else? – Augusto Hack Nov 21 '17 at 03:54
  • 1
    It looks like they added the login system recently, you can have a look at the previous version, the one I posted about using the link below; https://web.archive.org/web/20151029183033/https://wiki.asterisk.org/wiki/display/TOP/NAT+Traversal+Testing – Ol1v3r Nov 21 '17 at 08:51
  • 1
    @OliverCiappara this link seems to be behind a login too – shitpoet Jan 29 '19 at 20:41
  • 1
    I'm not sure if I am correct, but in case someone else finds the restricted cone NAT rules to be incorrect, I managed to get it working by changing rule 3, 4 from INPUT to FORWARD. Not sure why, it seems to just let all inbound traffic through when I had it on INPUT instead of only established. – EricChen1248 Nov 28 '21 at 16:40
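
Added example, not part of the answer or comments above: a small Python model of the four NAT behaviours (using the classic RFC 3489 definitions) that gives the expected hole-punching outcome for each pairing, as a reference to compare a lab setup against. All addresses, ports and names (`Nat`, `hole_punch`, `matrix`) are constructed for illustration.

```python
# Added example: behavioural model of the four NAT types (constructed addresses).
import itertools

FILTER = {"full_cone": "none", "restricted_cone": "addr",
          "port_restricted_cone": "addr_port", "symmetric": "addr_port"}

class Nat:
    def __init__(self, kind, public_ip):
        self.kind, self.public_ip = kind, public_ip
        self.maps = {}                        # mapping key -> public port
        self.state = {}                       # public port -> (internal endpoint, remotes contacted)
        self.ports = itertools.count(40000)   # constructed port pool

    def outbound(self, src, dst):
        """Internal src sends to dst; return the (ip, port) that dst sees."""
        # Symmetric NAT allocates a mapping per destination; cone NATs reuse one per source.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.maps:
            self.maps[key] = next(self.ports)
            self.state[self.maps[key]] = (src, set())
        self.state[self.maps[key]][1].add(dst)
        return (self.public_ip, self.maps[key])

    def inbound(self, remote, port):
        """Remote sends to our public port; return internal endpoint, or None if dropped."""
        if port not in self.state:
            return None
        src, contacted = self.state[port]
        rule = FILTER[self.kind]
        if rule == "addr" and remote[0] not in {ip for ip, _ in contacted}:
            return None
        if rule == "addr_port" and remote not in contacted:
            return None
        return src

def hole_punch(kind_a, kind_b, rounds=2):
    """True if any UDP packet crosses after both peers register with a rendezvous server."""
    nat_a, nat_b = Nat(kind_a, "203.0.113.1"), Nat(kind_b, "198.51.100.1")
    a, b, server = ("10.0.0.2", 5000), ("10.1.0.2", 5000), ("192.0.2.10", 3478)
    pub_a, pub_b = nat_a.outbound(a, server), nat_b.outbound(b, server)
    for _ in range(rounds):
        # Each peer sends to the other's server-observed endpoint.
        if nat_b.inbound(nat_a.outbound(a, pub_b), pub_b[1]):
            return True
        if nat_a.inbound(nat_b.outbound(b, pub_a), pub_a[1]):
            return True
    return False

def matrix():
    kinds = list(FILTER)
    return {(x, y): hole_punch(x, y) for x in kinds for y in kinds}
```

In this model a single delivered packet counts as success, because the receiver can reply to the observed source address and that reply passes the sender's filter.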
11

I think you already answered your own question: use VirtualBox (or VMware, Xen, etc.).

I've done this very thing successfully by setting up mini-LANs of VMs. If you're looking for software to act as your router inside a VM, I'd start off at http://www.pfsense.org/ and see if that meets your needs. It's a FreeBSD distribution tailored for being an easy-to-install router/firewall with a nice web management UI and all of that.

If pfsense doesn't fit your needs, there are plenty of other Linux/BSD distributions out there that are tailored for this kind of stuff and that you can install in a VM: see http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions for a good list :) (I've heard good things about OpenWRT and ClearOS as well.)

hexist
  • How and where do you set them in pfsense? I searched in the document but found nothing about it. https://docs.netgate.com/ – Hui.Li May 24 '23 at 11:20