Network Address Translators

 

Microsoft Corporation

January 2001

Summary: This article discusses Network Address Translators (NATs), how they are used to multiplex a single IP address across multiple machines, and how NATs can be used effectively in a gaming environment.

Introduction

Network Address Translators (NATs) are used to multiplex a single IP address across multiple machines. There are a number of different NATs on the market today. Some of them are hardware devices, sometimes marketed as "DSL Routers." Since Microsoft® Windows® 98 Second Edition, the Windows operating system has included Internet Connection Sharing (ICS), which is a type of NAT. With the growing number of homes that contain multiple PCs and the increasing adoption of broadband, more and more users want to play games behind NATs.

Unfortunately, NATs were designed with client/server computing in mind, such as Web browsing over HTTP. NATs work well with applications where the server is not behind a NAT and the clients do not communicate directly with each other. Unlike other networked applications, games often do two things outside this model:

  1. Many games use peer-to-peer communications instead of client/server.
  2. Some users host games from their home computers that are behind a NAT.

Two additional issues complicate this further and lead to different behavior from different NATs:

  1. Some NATs perform additional processing on protocols they recognize, such as HTTP, FTP, and DirectPlay.
  2. NATs are not consistent in the way they perform address translation. Some NATs perform security checks on the source of a UDP packet from outside the NAT before forwarding it, and others do not.

If you want to enable absolute maximum NAT compatibility in your application, follow these guidelines:

  • Use the IDirectPlay8Server and IDirectPlay8Client interfaces (which imply that your game is client/server).
  • Host servers on the clear Internet, not behind a NAT.
  • Program your clients to enumerate the game's port directly, not through DPNSVR.

If you follow these rules, your application should work through any hardware or software NAT.

To program your clients to enumerate the game's port directly, the client needs to know the port on which the server is hosting. The client can get this knowledge through a third party, such as a matchmaking system, or the game can be programmed to use a particular port. Of the two options, using the third party is more flexible and is the better solution. If the server is not using a particular port, it should use the GetLocalHostAddress() call to determine what port it is hosting on and communicate that information to the third-party matchmaking service.

Programmatically, a client enumerates the game's port directly by explicitly specifying the port number in the IDirectPlay8Address object passed as the pdpaddrHost parameter in the IDirectPlay8Client::EnumHosts() call.

If you want to allow end users to run their own servers, advise them not to put their game servers behind a NAT, or to explicitly configure their NAT to forward the specific ports the game is hosted on to the host machine. End users can also use Windows Millennium ICS as their NAT to achieve this same result.
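The following sketch is an added example, not code from the original article, DirectPlay, or ICS. It models the two NAT behaviors described above (forwarding inbound UDP with or without a check on the packet's source) and the explicit port forwarding an end user can configure; the Nat class, its method names, and all addresses and ports are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
// Constructed model (not DirectPlay or ICS code): a UDP NAT with one public address.
struct Endpoint {
    std::string ip;
    uint16_t port;
    bool operator==(const Endpoint& o) const { return ip == o.ip && port == o.port; }
};

class Nat {
    struct Mapping { Endpoint inside; Endpoint remote; bool isStatic; };
    bool checkSource_;
    uint16_t nextPort_ = 40000;
    std::map<uint16_t, Mapping> table_;
public:
    explicit Nat(bool checkSource) : checkSource_(checkSource) {}
    // Outbound packet from an inside host creates a mapping; returns the public port.
    uint16_t Outbound(const Endpoint& inside, const Endpoint& remote) {
        table_[nextPort_] = Mapping{inside, remote, false};
        return nextPort_++;
    }
    // Static rule an end user configures so a server behind the NAT is reachable.
    void ForwardPort(uint16_t pubPort, const Endpoint& inside) {
        table_[pubPort] = Mapping{inside, Endpoint{"", 0}, true};
    }
    // Inbound packet to the public address: inside host it reaches, or nullptr if dropped.
    const Endpoint* Inbound(const Endpoint& source, uint16_t pubPort) const {
        auto it = table_.find(pubPort);
        if (it == table_.end()) return nullptr;            // unsolicited: no mapping
        const Mapping& m = it->second;
        if (!m.isStatic && checkSource_ && !(m.remote == source)) return nullptr;
        return &m.inside;                                  // passed the source check
    }
};
int main() {
    const Endpoint client{"192.168.0.2", 2303}, server{"203.0.113.10", 2302},
                   peer{"198.51.100.7", 2302};             // constructed addresses
    for (bool check : {false, true}) {
        Nat nat(check);
        uint16_t pub = nat.Outbound(client, server);       // client contacts the server
        std::printf("source check %d: server reply %s, other peer %s, unmapped port %s\n",
                    check, nat.Inbound(server, pub) ? "forwarded" : "dropped",
                    nat.Inbound(peer, pub) ? "forwarded" : "dropped",
                    nat.Inbound(peer, 2302) ? "forwarded" : "dropped");
    }
}
```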

If your game is not able to follow these rules, for example if it is a peer-to-peer game, then that game will have problems with most NATs. There is simply no way to implement a true peer-to-peer networking session where arbitrary users are behind arbitrary NATs. The behavior in this case is much improved when the end users are using Windows Millennium ICS as their NAT.

Some NATs perform special processing for particular applications or protocols. Windows ICS performs some special processing for DirectPlay. Different versions of Windows ICS perform different processing, depending on which version of DirectPlay was current when that version of Windows ICS was released.

NAT Compatibility When Using IDirectPlay8Server and IDirectPlay8Client

Windows 98 Second Edition ICS or Windows 2000 ICS

Multiple clients behind a Windows 98 Second Edition or Windows 2000 ICS machine can join a client-server game hosted on the clear Internet (that is, the server is not behind any NAT) as long as the clients behind the NAT use direct host enumeration as described earlier. Hosting an IDirectPlay8 client-server game on the clear Internet and having the clients use direct host enumeration provides the best chance of working for clients behind third party NATs. Games cannot be hosted on a machine behind a Windows 98 Second Edition or Windows 2000 ICS machine and have clients outside the ICS machine join the game.

Windows ME ICS

Multiple clients behind a Windows Millennium ICS machine can join a client-server game hosted on the clear Internet even if the clients do not use direct host enumeration. We have seen problems with the Windows Millennium ICS machine joining games. The Windows Millennium ICS machine can usually join the game if it joins the session before any of the clients behind the ICS machine join the game. If the ICS machine does not join first, then clients behind the ICS machine will be able to join, but the client on the ICS machine may not be able to join.

With Windows ME ICS, servers can be located inside the Windows ME ICS machine and still be seen from outside the NAT. No extra configuration is required in ICS or in the application. Note that when hosting behind Windows ME ICS the GetLocalHostAddress() call returns the clear address (on the NAT machine) that nodes outside or inside the NAT can use to join the session, not the address from the local NIC.

Millennium machines connecting to the Internet using a dial-up adapter (modem) should set their frame size to Large in the network driver properties page for the dial-up adapter.

NAT Compatibility When Using IDirectPlay8Peer

Windows 98 Second Edition ICS and Windows 2000 ICS

IDirectPlay8Peer will not function properly through Windows 98 Second Edition and Windows 2000 ICS. This will be the case for most third party NATs as well.

Windows ME ICS

Windows ME ICS cooperates with DirectPlay to make it possible to run full-featured, peer-to-peer DirectPlay sessions through the NAT. Users can host or join DirectPlay sessions that are hosted inside or outside the NAT. No special configuration is required. Even host migration is fully functional.

However, the restriction mentioned above in the client/server case holds true—the client on the ICS machine must join the session before any client behind the NAT joins the session, or else the ICS machine will not be able to join.

NAT Compatibility When Using IDirectPlay4 in Client/Server Mode

Windows 98 Second Edition ICS

A single client behind a Windows 98 Second Edition ICS machine can join a client-server session hosted outside of the NAT if the DPSESSION_DIRECTPLAYPROTOCOL flag is not set in the DPSESSIONDESC2 structure passed to Open(). If this flag is set, a client node behind the NAT is not able to join the session. Other clients behind a Windows 98 Second Edition ICS machine can join different client-server sessions hosted outside the NAT. For example, multiple clients behind a Windows 98 Second Edition ICS machine can all be playing client-server games hosted on the Internet, but they have to be playing different client-server games.

Windows 2000 ICS

The Windows 2000 ICS machine can join a game hosted on the Internet. Clients behind the Windows 2000 ICS machine cannot join games hosted on the Internet.

Windows Millennium ICS

The Windows Millennium NAT cooperates with DirectPlay 8, including the version of IDirectPlay4 shipped in DirectX 8, such that users can host client-server sessions or join client-server sessions from behind a Windows Millennium ICS machine as long as the clients behind the Windows Millennium NAT are Windows Millennium machines themselves or have been upgraded to DirectX 8. Multiple clients behind a Windows Millennium ICS machine can join the same or different games.

Note that the application can use the DPSESSION_DIRECTPLAYPROTOCOL flag without problems with Windows ME ICS.

Millennium machines connecting to the Internet through a dial-up adapter (modem) should set their frame size to Large in the network driver properties page for the dial-up adapter.

NAT Compatibility When Using IDirectPlay4 in Peer to Peer Mode

Windows 98 Second Edition ICS

A single peer node behind a Windows 98 Second Edition ICS machine can join a peer session if the DPSESSION_DIRECTPLAYPROTOCOL flag is not set. Other peer nodes behind the NAT can join different peer sessions hosted outside the NAT, but only one node behind the NAT can join any particular peer session. If the DPSESSION_DIRECTPLAYPROTOCOL flag is set, then a peer node behind the NAT cannot join that session.

Windows 2000 ICS

The Windows 2000 ICS machine can join a peer session regardless of the DPSESSION_DIRECTPLAYPROTOCOL flag. Clients behind the Windows 2000 ICS machine cannot participate in peer sessions outside the NAT.

Windows Millennium ICS

The Windows Millennium NAT cooperates with DirectPlay 8, including the version of IDirectPlay4 shipped in DirectX 8, such that users can host peer-to-peer sessions or join peer-to-peer sessions from behind a Windows Millennium ICS machine as long as the clients behind the Windows Millennium NAT are Windows Millennium machines themselves or have been upgraded to DirectX 8. Multiple clients behind a Windows Millennium ICS machine can join the same or different games.

Note that the application can use the DPSESSION_DIRECTPLAYPROTOCOL flag without problems with Windows ME ICS.

Millennium machines connecting to the Internet through a dial-up adapter (modem) should set their frame size to Large in the network driver properties page for the dial-up adapter.