Asus AC66U and full cone NAT

[nikkoaki]

I'm sorry if this was already discussed a lot of times. Ive seen so many diagrams and explanations and i still can't seem to understand the difference between symmetric and full cone NAT.
I'm posting here because i own an AC66U which from what i can tell, shouldn't support full cone, right? I did some online tests and they all detected my NAT as full cone. Also, my gaming console and Xbox windows companion app detect my NAT as open.

Can someone take a minute to explain to me as if i were a 9 year old kid, what the differences are between the two? When i think i finally understood it, i read something that explains it differently.
For example, if i had symmetric NAT and a server on my private network, couldn't the outside world access that server if i forward the port or used upnp? And i mean everyone, even ip's that i never contacted? How is full cone NAT different? As far as i can tell, don't you still need to forward ports or use upnp with it? Can't people with symmetric NAT still use services that rely on hole punching like skype or even bittorrent (with no forwarded ports). I read everywhere that hole punching doesn't work with symmetric. Is that the only main difference between the two, one not supporting hole punching?

Does full cone NAT not need port forwarding as long as the computer in the private network initiates the connection and its kept alive, and all external ip's can connect to that port, not just the original ip i connected to in the first place?
In the case of symmetric, browsing the web works fine because there is only one external server replying per connection made in the private side, but as soon as i try to use bittorrent, for example, it wouldn't work because lots of outside peers would want to connect too, right?
But isn't that what port forwarding is made to fix? Or even upnp for that matter? If someone has access to the router and can tweek those settings, why does it matter if they have full cone or symmetric (maybe apart from not supporting hole punching)?
Why do gamers complain a lot and WANT full cone? Can't they just use port forward or upnp? Or do some specific games keep trying to make p2p connections on different ports and don't support upnp?

And like i asked before, does the AC66U support full cone? It uses an old version 2.x kernel but i can confirm hole punching works just fine with it. I've been using qbittorrent without port forwarding or upnp and it still can seed (although not as much, but that's normal)

 

[ColinTaylor]

The short answer is your router doesn't support it so don't worry about it. For full cone NAT to be of any use it'd have to be an edge case.

 

[DocUmibozu]

Full Cone NAT, Restricted Cone NAT and Symmetric NAT Terminologies

When we talk about Stun Protocol used for NAT traversal in voip environment or SDWAN, the common term used when talking about the Type of NAT that is compatible with Stun is “Full Cone NAT”, then when we explain why Turn Protocol is developped to replace Stun Protocol, the most common reason is...

community.cisco.com

 

[nikkoaki]

The short answer is your router doesn't support it so don't worry about it. For full cone NAT to be of any use it'd have to be an edge case.

Well, you're not forced to answer my questions. I just don't understand why you would reply something that would even give me more questions that i don't know the answer to.
Ok answer me this then. Knowing that i have a AC66U and upnp turned on, what type of NAT should my game consoles be detecting? In this thread, OP has the same router as me and you told him you were expecting him to have a "moderate" NAT.
I'm not experiencing any problems but i really wanted to understand how it works.

Full Cone NAT, Restricted Cone NAT and Symmetric NAT Terminologies

When we talk about Stun Protocol used for NAT traversal in voip environment or SDWAN, the common term used when talking about the Type of NAT that is compatible with Stun is “Full Cone NAT”, then when we explain why Turn Protocol is developped to replace Stun Protocol, the most common reason is...

community.cisco.com

I appreciate it. Already read it before making the thread. There must be something simple i'm not getting because i still don't understand it. That's why i made simple yes/no questions

 

[ColinTaylor]

Well, you're not forced to answer my questions. I just don't understand why you would reply something that would even give me more questions that i don't know the answer to.

I was responding to your question: "And like i asked before, does the AC66U support full cone?". For a fuller explanation of the terminology @DocUmibozu provided the answer. But essentially your understanding of how NAT works is correct. If you're using UPnP or manual port forwarding then full cone NAT is pointless.

"Why do gamers complain a lot and WANT full cone? Can't they just use port forward or upnp?" Yes they can. Many gamers don't understand networking let alone NAT. They think full cone NAT is some sort a magic bullet that will solve all their problems or make things "faster". It won't.

The situation isn't helped by game console's NAT reporting being inconsistent or misleading. Different consoles use different terminology and as that article that @DocUmibozu linked to pointed out, these NAT definitions are depreciated because they are insufficient to describe all situations.

 

[nikkoaki]

If you're using UPnP or manual port forwarding then full cone NAT is pointless.

Thank you. This pretty much answers most of my questions.

Just out of curiosity, i ran this tool and it gave me these results:

Would you consider the results valid, as in port restricted cone as opposed to symmetric?

 

[DocUmibozu]

"Why do gamers complain a lot and WANT full cone? Can't they just use port forward or upnp?" Yes they can. Many gamers don't understand networking let alone NAT. They think full cone NAT is some sort a magic bullet that will solve all their problems or make things "faster". It won't.

Sad but true... Consider that a lot of gamers think that the ultimate golden bullet is putting their console under DMZ...

 

[ColinTaylor]

Would you consider the results valid, as in port restricted cone as opposed to symmetric?

I'm not an expert on STUN but those results look believable as far as the STUN terminology is concerned.

 

[nikkoaki]

I'm not an expert on STUN but those results look believable as far as the STUN terminology is concerned.

Thanks again.

 

[nikkoaki]

Forgive me for still being here. I've been reading more about NATs.
From what i can tell (or what's written online), symmetric NATs are very rare in domestic routers, they are usually used public wifi hotspots, schools, some companies, and cellular connections (or sometimes CG-NATs). In those cases it can be indeed impossible to establish some types of connections either due to the way the NAT works or not being able to access the equipment to configure port forwarding.
Most home routers use permissive, either restricted or port restricted full cone.

What i want to ask this time is, the few asus routers that let users switch between NAT types offer full cone or symmetric. Don't they mean restricted instead of symmetric?

I just connected to a public hotspot and got indeed "Symmetric" on the program i mentioned earlier.

 

[drinkingbird]

Forgive me for still being here. I've been reading more about NATs.
From what i can tell (or what's written online), symmetric NATs are very rare in domestic routers, they are usually used public wifi hotspots, schools, some companies, and cellular connections (or sometimes CG-NATs). In those cases it can be indeed impossible to establish some types of connections either due to the way the NAT works or not being able to access the equipment to configure port forwarding.
Most home routers use permissive, either restricted or port restricted full cone.

What i want to ask this time is, the few asus routers that let users switch between NAT types offer full cone or symmetric. Don't they mean restricted instead of symmetric?

I just connected to a public hotspot and got indeed "Symmetric" on the program i mentioned earlier.

View attachment 52244

Hide NAT on most platforms will try to be port restricted cone and preserve the source port, but if there is a conflict with another existing connection, will then use a hybrid approach and re-map the source port as needed (thus being seen as symmetric). The design rules are fairly flexible, you'll rarely find a router or firewall that is locked to only be able to use the exact definition of one type of NAT.

Public wifi is much more likely to have conflicts and security concerns are greater, so in that case it may be locked to symmetric only or the remote side is simply seeing it that way since the source port is more likely to have to be changed.

In reality, port restricted NAT is just as secure as symmetric, even if two hosts use the same source port to a different destination, the router is keeping track and only sending return traffic to the correct host, and unsolicited inbound requests to that port (even if it is active) are dropped. The main driver to always use a new source port on public wifi is probably to prevent remote sites from potentially having issues with what they see as two simultaneous connections from the same user, even though technically it works fine since the destination port is different, you may get a message that you're already connected from another browser etc.

From a security perspective, port mapping (or better yet, triggering so it isn't constantly open) is more secure than full cone or DMZ, but in some cases the ports change and are not able to be determined in advance, so for gaming and some other apps, the full cone option was offered.

 

[nikkoaki]

Hide NAT on most platforms will try to be port restricted cone and preserve the source port, but if there is a conflict with another existing connection, will then use a hybrid approach and re-map the source port as needed (thus being seen as symmetric). The design rules are fairly flexible, you'll rarely find a router or firewall that is locked to only be able to use the exact definition of one type of NAT.

Public wifi is much more likely to have conflicts and security concerns are greater, so in that case it may be locked to symmetric only or the remote side is simply seeing it that way since the source port is more likely to have to be changed.

In reality, port restricted NAT is just as secure as symmetric, even if two hosts use the same source port to a different destination, the router is keeping track and only sending return traffic to the correct host, and unsolicited inbound requests to that port (even if it is active) are dropped. The main driver to always use a new source port on public wifi is probably to prevent remote sites from potentially having issues with what they see as two simultaneous connections from the same user, even though technically it works fine since the destination port is different, you may get a message that you're already connected from another browser etc.

From a security perspective, port mapping (or better yet, triggering so it isn't constantly open) is more secure than full cone or DMZ, but in some cases the ports change and are not able to be determined in advance, so for gaming and some other apps, the full cone option was offered.

Really appreciate the explanation