[Opensim-users] NAT & Corporate Firewall
Teravus Ovares
teravus at gmail.com
Tue Apr 5 16:11:58 UTC 2011
We've had this discussion before on this list so you might be able to
dig in the archives for the long-winded answer.
The short-winded answer is this: The UDP protocol requires that the
login server and any 'region connect' messages have an IP address in
the response to the client. If the UDP protocol allowed you to only
send a hostname, then this wouldn't be an issue. As far as the
region looking up its DNS info, neither the login server nor the
region has enough of a network structure understanding to manage that
'external ip/internal ip' thing better at the moment. Ideally,
someone could write a subnet matching/ip rewriting scheme that gets
sent to the login server so that the login server could supply the
correct IP address based on the connecting client ip but it's probably
going to be a lot of work to refactor that in because of the
complexities of the object RegionInfo and how it interacts with the
various types of grid services, (standalone, grid, standalone grid,
hypergrid... etc).
One thing that I think is important to note. I vaguely remember
something about sending the client 0.0.0.0 and triggering the client
to do the lookup but, at the time, the client had some bugs that
prevented it from working. That might be a more feasible way to move
forward. Test that option.
-Teravus
On Tue, Apr 5, 2011 at 10:50 AM, Diva Canto <diva at metaverseink.com> wrote:
> The right combination is internal=0.0.0.0 and external=domain name. If that
> combination doesn't work off campus, it's either a firewall issue or a dns
> issue -- your logs confirmed that was a firewall issue.
>
> On 4/5/2011 7:34 AM, Fleep Tuque wrote:
>
> Gary's explanation that an IP address instead of a hostname is being passed
> to the client for the UDP handshake seems to fit the symptoms I'm seeing.
> We have verified that UDP ports are open in the firewall and that UDP
> packets can be sent and received from off campus, so I'm 99.99% sure that
> this isn't a firewall problem.
> I've also double checked the opensim.ini, robust.ini, gridcommon.ini, and
> region.ini files and do not have a single IP address listed anywhere, all
> the configuration options I've set use a hostname. However, when I try to
> connect with a client from off campus and capture packet traffic with
> Wireshark, I see the TCP packets being sent to the right destination IP
> address, but the UDP packets are being sent to an internal IP address
> (10.23.23.x) which of course will never work from off campus. Something is
> sending the client that internal IP address to be sure! :)
> - Chris/Fleep
>
> Chris M. Collins (SL: Fleep Tuque)
> Project Manager, UC Second Life
> Second Life Ambassador, Ohio Learning Network
> UCit Instructional & Research Computing
> University of Cincinnati
> 406E Zimmer Hall
> PO Box 210088
> Cincinnati, OH 45221-0088
> (513)556-3018
> chris.collins at uc.edu
> UC Second Life: http://homepages.uc.edu/secondlife
> OLN Second Life: http://www.oln.org/emerging_technologies/emtech.php
>
>
>
>
> On Tue, Apr 5, 2011 at 7:57 AM, Diva Canto <diva at metaverseink.com> wrote:
>>
>> On 4/4/2011 9:23 PM, Gary Beck wrote:
>>>
>>> Diva Canto wrote:
>>>>
>>>> DNS resolution is made by the client. The server simply passes the name
>>>> over. Make sure to use domain names consistently in all configuration files.
>>>
>>> ----------------------------------------------------------------------
>>> My testing seems to show the IP address rather than domain name is passed
>>> to the client for region/UDP.
>>>
>>> I have one region using ExternalHostName=SYSTEMIP and the others using
>>> ExternalHostName=something.dyndns-mail.com
>>> I run Opensim 0.7.0.2 on a VISTA system, stand alone mode, client access
>>> both local and external, NAT loopback on.
>>> All that works fine.
>>
>> SYSTEMIP is an IP address. If that's what you have, that's what will be
>> sent to the client.
>> I suggest people use domain names everywhere for ExternalHostName
>> and do local DNS mapping if necessary -- this may be needed in home
>> networks.
>>
>>> One other item I found that suggests IP addresses are being passed rather
>>> than domain names is the Entity Transfer Module entries in the server log
>>> 2011-04-04 22:24:53,759 INFO -
>>> OpenSim.Region.CoreModules.Framework.EntityTransfer.EntityTransferModule
>>> [ENTITY TRANSFER MODULE]: Starting to inform client about neighbour 999,
>>> 999(174.124.181.36:9009)
>>
>> This has nothing to do with client communications -- it's the backend
>> server-to-server communications for handing the agent over to the other sim.
>>
>> _______________________________________________
>> Opensim-users mailing list
>> Opensim-users at lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-users
>
>
>
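The subnet-matching idea raised in the top message (the login server choosing which IP to hand out based on the connecting client's source address) can be sketched as follows. This is an added example, not OpenSim code and not written by anyone in the thread; `advertised_ip`, `RULES`, the host name `sim.example.edu` and the 203.0.113.10 / 198.51.100.7 documentation addresses are constructed placeholders.

```python
import ipaddress
import socket

# Constructed sample rules: (client source subnet, address to advertise).
# 10.23.23.0/24 mirrors the internal range mentioned in the thread.
RULES = [
    ("10.23.23.0/24", "10.23.23.5"),    # on-campus clients get the internal IP
    ("0.0.0.0/0", "sim.example.edu"),   # everyone else gets the external name
]

# Constructed offline DNS table so the example runs without a network.
SAMPLE_DNS = {"sim.example.edu": "203.0.113.10"}
sample_resolve = SAMPLE_DNS.__getitem__

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True for addresses that are only routable inside a private network."""
    return any(addr in net for net in RFC1918)

def advertised_ip(client_ip, rules=RULES, resolve=socket.gethostbyname):
    """Return the IPv4 address the login response should carry for this client.

    The longest matching prefix wins. Host names are resolved on the server,
    because the response has to contain an IP address rather than a name.
    """
    client = ipaddress.ip_address(client_ip)
    best = None
    for cidr, target in rules:
        net = ipaddress.ip_network(cidr)
        if client in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"no rule covers client {client_ip}")
    try:
        addr = ipaddress.ip_address(best[1])
    except ValueError:                      # not a literal IP: treat as a name
        addr = ipaddress.ip_address(resolve(best[1]))
    # The symptom reported in the thread: an off-campus client handed a
    # 10.x address it can never reach. Fail loudly instead of sending it.
    if is_rfc1918(addr) and not is_rfc1918(client):
        raise ValueError(f"private {addr} would be sent to public client {client}")
    return str(addr)
```

Calling `advertised_ip("198.51.100.7", resolve=sample_resolve)` exercises the off-campus path with the offline table; with the default resolver the name is looked up through the system's DNS.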