Fullcone NAT vs. DMZ

Balthazor (Gawd; joined May 18, 2006; 688 messages)
Hello,

I have a DSL router/bridge connected to a 4-port & wireless router.

The DSL router was set up basically as a bridge; its IP was 192.168.0.1, and I had the 4-port wireless router set up in the DSL router's DMZ at 192.168.0.2.

I turned off the firewall on the DSL router and then had the firewall, DHCP, and routing done at the 4-port wireless router.

A recent firmware upgrade to the DSL router added an option for 'fullcone nat.' This router is woefully undocumented, but I found this description of fullcone nat on another website:

> A full cone NAT is one where all requests from the same internal
> IP address and port are mapped to the same external IP address and port.
> Furthermore, any external host can send a packet to the internal host,
> by sending a packet to the mapped external address.

Now this differs from a regular NAT slightly, because a regular NAT requires the internal host to open a port first prior to the NAT accepting packets from an external host. This is why I set up the internal host (the 4-port wireless router) on the DMZ, so I wouldn't have to use port forwarding on both the DSL router & the internal 4-port wireless router.

But the fullcone NAT option looks a lot like the DMZ option for a router, doesn't it? What are the differences? Should I only have one of the two options?

It kind of looks like with my setup a fullcone NAT makes the DMZ unnecessary. The DMZ would be useful if I had multiple devices behind a NAT but wanted one to be the 'default.' But since I just have one device behind my NAT the fullcone NAT option seems to be the better fit.

Any comments / suggestions would be appreciated!
 
Pardon my ignorance, but what exactly are you trying to accomplish? It sounds to me this can be simplified, but that depends on your needs. :)
 
Well, it's kind of the same thing.

Basically what it means is, when a packet is sent out on a port, it automatically creates a binding and all packets from the destination will be sent back to the original source on the same port that was specified when the first packet was sent.

This is much the same thing as putting the device in the DMZ, but if it ain't broke, don't fix it imo.
 
> Pardon my ignorance, but what exactly are you trying to accomplish? It sounds to me this can be simplified, but that depends on your needs. :)

I had previously had my DSL router & internal 4-port wireless router in more of a bridging mode using a 'PPP IP Connect' option. This used DHCP from the DSL router to the internal router to pass the external IP and bypassed all NAT and firewall functions of the DSL router, allowing the internal router to do everything and even to have the external IP address assigned to the internal router's WAN port.

Unfortunately, a firmware release by D-Link prevents this setup from working. Now the external router has to have NAT enabled in order for me to access it or the internet in general.

So now I have the external router's NAT enabled but my internal router is in its DMZ, because any other setup would require port forwarding to be done twice.

I prefer the internal router to do the routing because it is one of the D-link gaming routers and is supposed to have some basic quality of service prioritization for games.

It would be nice if the much more elegant PPP IP connect mode worked, but it doesn't, so what I described above is my workaround.

It all functions, I was just wondering what the difference between using a DMZ and fullcone NAT might be.

As it turns out using the fullcone NAT option without a DMZ does not work to host games behind it, unless you port forward through it. So the DMZ turns out to be the better option - although I'm not sure why.
 
Fullcone NAT, according to the description you posted, = multiple IPs on the outside (WAN IPs), such that you could have a "DMZ" for multiple internal servers.

DMZ in the "SOHO" arena = a single internal host that gets all incoming connections that don't otherwise match a port forwarding rule.

To use the fullcone NAT option, your ISP would have to support you having multiple WAN IPs, which I doubt is the case here.
 
Hi~~~
I found a description of fullcone NAT; maybe it's useful for you~~~

Various types of NAT (still according to the RFC)

Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
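The four NAT behaviours listed above, together with the SOHO-style DMZ rule discussed earlier in the thread (one internal host receives whatever inbound traffic matches no existing mapping), modelled as an added example. This is not code from the thread or from any router firmware; the `Nat` class, its behaviour names and the addresses (RFC 5737 documentation ranges, constructed here) are assumptions. It shows the filtering difference between the cone types for a probe from the same host, the same host on another port, and a different host, that a symmetric NAT allocates a fresh mapping per destination, and that an unsolicited inbound packet to a full cone NAT is dropped when no mapping exists yet but is delivered once a DMZ host is configured.

```python
"""Toy model of RFC 3489 NAT mapping/filtering behaviours plus a SOHO DMZ rule.

Added example, not from the thread. Behaviour names, the Nat class and all
addresses (203.0.113.x / 198.51.100.x / 192.168.0.x) are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class Nat:
    BEHAVIOURS = ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")

    def __init__(self, behaviour: str, public_ip: str, dmz_host: Optional[str] = None):
        assert behaviour in self.BEHAVIOURS
        self.behaviour = behaviour
        self.public_ip = public_ip
        self.dmz_host = dmz_host          # SOHO "DMZ": default target for unmatched inbound
        self.next_port = 40000
        self.mappings: Dict[object, int] = {}                       # key -> external port
        self.bindings: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = {}  # ext port -> (internal, remotes seen)

    def _key(self, internal: Endpoint, remote: Endpoint):
        # Cone NATs map by internal endpoint only; symmetric NAT maps per destination.
        return (internal, remote) if self.behaviour == "symmetric" else internal

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an outbound packet, creating a mapping on first use."""
        key = self._key(pkt.src, pkt.dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.bindings[self.next_port] = (pkt.src, set())
            self.next_port += 1
        ext_port = self.mappings[key]
        self.bindings[ext_port][1].add(pkt.dst)  # remember who we talked to, for filtering
        return Packet((self.public_ip, ext_port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered internally, or None if the NAT drops it."""
        ext_port = pkt.dst[1]
        binding = self.bindings.get(ext_port)
        if binding is None:
            # No mapping: a plain NAT (any cone type) drops it; a DMZ host gets it anyway.
            if self.dmz_host is None:
                return None
            return Packet(pkt.src, (self.dmz_host, ext_port))
        internal, remotes = binding
        if self.behaviour == "full_cone":
            allowed = True                                           # anyone may use the mapping
        elif self.behaviour == "restricted_cone":
            allowed = any(r[0] == pkt.src[0] for r in remotes)       # same remote IP, any port
        else:  # port_restricted_cone and symmetric
            allowed = pkt.src in remotes                             # same remote IP and port
        return Packet(pkt.src, internal) if allowed else None


def classify_demo() -> Dict[str, Tuple[bool, bool, bool]]:
    """For each behaviour: can (same host/port, same host/other port, other host) reach us?"""
    results = {}
    internal = ("192.168.0.2", 5000)
    server = ("198.51.100.1", 3478)
    for behaviour in Nat.BEHAVIOURS:
        nat = Nat(behaviour, "203.0.113.10")
        ext = nat.outbound(Packet(internal, server)).src
        same = nat.inbound(Packet(server, ext)) is not None
        other_port = nat.inbound(Packet(("198.51.100.1", 9999), ext)) is not None
        other_host = nat.inbound(Packet(("198.51.100.2", 3478), ext)) is not None
        results[behaviour] = (same, other_port, other_host)
    return results


def mapping_reuse(behaviour: str) -> bool:
    """True if the same internal socket keeps one external port across destinations."""
    nat = Nat(behaviour, "203.0.113.10")
    internal = ("192.168.0.2", 5000)
    a = nat.outbound(Packet(internal, ("198.51.100.1", 3478))).src
    b = nat.outbound(Packet(internal, ("198.51.100.2", 3478))).src
    return a == b


def unsolicited_inbound(dmz_host: Optional[str]) -> Optional[Endpoint]:
    """A peer connects to port 27015 before the inside host has sent anything."""
    nat = Nat("full_cone", "203.0.113.10", dmz_host=dmz_host)
    delivered = nat.inbound(Packet(("198.51.100.7", 60000), ("203.0.113.10", 27015)))
    return None if delivered is None else delivered.dst


if __name__ == "__main__":
    for name, flags in classify_demo().items():
        print(f"{name:22s} same/port/host reachable: {flags}")
    print("full cone reuses mapping:", mapping_reuse("full_cone"))
    print("symmetric reuses mapping:", mapping_reuse("symmetric"))
    print("unsolicited, no DMZ:", unsolicited_inbound(None))
    print("unsolicited, DMZ host:", unsolicited_inbound("192.168.0.2"))
```

The model leaves out explicit port-forwarding rules and mapping timeouts; the point it isolates is that every cone type, full cone included, only opens an external port after the inside host sends something, whereas the DMZ rule is what delivers traffic nobody inside asked for.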
 