1

In the case of "normal" tightened security, where no DMZ or port forwarding is set up, is it possible with any of the available NAT traversal methods for a magic packet to traverse through a NAT from the outside network (the Internet) and wake up a PC?

The question relates to both IPv6 and IPv4.


Update:

Indirectly related question to spark brainstorming/discussion: With IPv6 do we need to use NAT any more?

Also interesting: https://serverfault.com/questions/782627/udp-hole-punching-still-required-in-ipv6-even-without-nat

Sir Muffington

3 Answers

4

Common NAT* as implemented in SoHo routers (i.e. DSL, FTTH, cable etc) maps multiple internal (local) IP addresses to a single external (public) IP address. Reaching an internal system from outside requires a way to translate a packet coming in on the external (internet) interface (i.e. using the external IP+port as destination) to a packet on the internal network (using an IP+port on the internal network as destination). With port forwarding, there is a predefined and fixed translation to a specific host and port.

Any other translation in NAT needs an outgoing packet from the internal to the external (internet) network first: the necessary translation from internal IP+port to external in the NAT table is only created if an outgoing packet creates a new state, like in a stateful firewall. If an incoming packet matches such a state/translation then the external IP+port can be translated back into an internal IP+port. If there is no state/translation then it is unknown how the packet should be translated and thus it gets discarded.

In other words: there is no magic packet that can pass through NAT because it is unknown which internal system this packet should be sent to.

But note that this does not mean that no direct access to internal systems can be initiated from outside. With IPv6 it is possible that the ISP assigns a customer a range of IPv6 addresses with the same prefix and the router makes these addresses usable in the internal network. Unless the router specifically blocks direct access, an internal system could be reachable from outside by its public IPv6 address. But this is not traversing NAT, since no NAT is involved here.

Additionally some routers erroneously make UPnP accessible on the external interface. This could allow an attacker to create explicit port forwardings on the router in order to access internal systems. But, this is still not a magic packet traversing the NAT.


* Note that there are also other types of NAT, where some set of public IP addresses gets translated to a set of local IP addresses. This might for example be used to map a range of local IPv4 addresses into a set of publicly accessible IPv6 addresses with the same prefix. I don't know of any SoHo router which offers this functionality.

Steffen Ullrich
  • I think you should account for some unknown bug in the router. I don't know that any bugs like this have ever been discovered, but this should be the only way for what the question is asking to be possible. For instance, I recall years ago that fragmented packets were an issue in some old, forgotten-about firewall. – Steve Sether Nov 21 '19 at 22:10
  • @SteveSether: The translation table does not magically fill with information on how to translate an external ip:port into an internal one. The mappings are only created by outgoing packets. Of course, one could create a router which somehow derives an internal IP address from properties of the incoming packet, but this would be explicitly intended behavior (even if not documented). There simply is no generic magic packet or a way to construct such packets which can pass a NAT when no translation to an internal system exists. There has to be a successful lookup in the translation table. – Steffen Ullrich Nov 22 '19 at 06:31
  • @SteveSether: *"I think you should account for some unknown bug in the router"* - but of course, bugs exist. I only find it way more likely that some magic packet will allow some kind of RCE on the router and from there it might be possible to attack internal systems - like in [CVE-2016-1287](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike). But this is not some magic packet directly traversing NAT as asked here. – Steffen Ullrich Nov 22 '19 at 06:36
  • @SteffenUllrich can you extend the answer with IPv6 NAT traversal and the current IPv6 state of security? – Sir Muffington Nov 22 '19 at 14:30
  • @SirMuffington: IPv6 is a good point. I've extended the answer to cover this. – Steffen Ullrich Nov 22 '19 at 18:57
  • @SteffenUllrich Thank you for your extension. Also, UPnP plays no role here? – Sir Muffington Nov 23 '19 at 16:57
  • @SirMuffington: UPnP is a good point too. It might also be employed to access internal systems, but it is still not a magic packet traversing the NAT. See updated answer. – Steffen Ullrich Nov 23 '19 at 19:18
2

Packet traversal through NAT is possible without DMZ, port forwarding etc.

You might want to have a look at this: https://samy.pl/pwnat/

Network-wise, this is simply called "hole punching":

    pwnat, pronounced "poe-nat", is a tool that allows any
    number of clients behind NATs to communicate with a
    server behind a separate NAT with *no* port forwarding,
    *no* DMZ setup, and *no* 3rd party involvement. The server
    does not need to know anything about the clients trying
    to connect.

    Simply put, this is a proxy server that works behind a NAT,
    even when the client is behind a different NAT, without any
    3rd party or network changes.

    There is no middle man, no proxy, no 3rd party,
    no UPnP/STUN/ICE required, no spoofing, and no DNS tricks.

    More importantly, the client can then connect to any
    host or port on any remote host or to a fixed host and
    port decided by the server.

How it is done: https://samy.pl/pwnat/#HOW

Viktova
  • Thanks for the edit – schroeder Feb 21 '20 at 15:12
  • This answer is in tight competition with @SteffenUllrich's answer. It simply and blatantly shows a way to poke a hole through a NAT. But a destination internal IP is needed when using this kind of software, right? – Sir Muffington Feb 21 '20 at 19:24
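The following Python model is an added illustration of the translation-table argument in Steffen Ullrich's answer and of the outbound-first requirement behind the hole-punching approach in the pwnat answer (example code written for this page, not taken from either answer or from pwnat). It assumes a simplified NAT whose only translations are explicit port forwards or state created by an outgoing packet; the addresses and MAC are constructed sample values.

```python
# Constructed sample addresses (RFC 5737 documentation ranges), not real hosts.
INTERNET_HOST = ("198.51.100.7", 12345)
INTERNAL_PC = ("192.168.1.20", 9)


def build_magic_packet(mac: str) -> bytes:
    """Wake-on-LAN magic packet: six 0xFF bytes followed by the MAC repeated 16 times."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return b"\xff" * 6 + mac_bytes * 16


class SohoNat:
    """Simplified NAT: a packet is translated only via a port forward or outbound-created state."""

    def __init__(self, port_forwards=None):
        self.port_forwards = dict(port_forwards or {})  # ext_port -> (int_ip, int_port)
        self.table = {}  # ext_port -> (int_ip, int_port, remote_ip, remote_port)
        self.next_port = 40000

    def outbound(self, internal, remote):
        """An outgoing packet creates state, as in a stateful firewall; returns the external port."""
        for ext_port, entry in self.table.items():
            if entry == internal + remote:
                return ext_port
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = internal + remote
        return ext_port

    def inbound(self, remote, ext_port):
        """Translate an incoming packet; None means no mapping exists, so it is discarded."""
        if ext_port in self.port_forwards:
            return self.port_forwards[ext_port]
        entry = self.table.get(ext_port)
        if entry is not None and entry[2:] == remote:
            return entry[:2]
        return None


def demo():
    wol = build_magic_packet("00:11:22:33:44:55")
    # 1. Tightened router, no state: the magic packet has no internal destination and is dropped.
    dropped = SohoNat().inbound(INTERNET_HOST, 9)
    # 2. Port forward UDP/9 to the PC: a fixed, predefined translation delivers it.
    forwarded = SohoNat({9: INTERNAL_PC}).inbound(INTERNET_HOST, 9)
    # 3. Hole punching: the PC must send outbound first, which a powered-off PC cannot do.
    nat = SohoNat()
    ext_port = nat.outbound(INTERNAL_PC, INTERNET_HOST)
    punched = nat.inbound(INTERNET_HOST, ext_port)
    return len(wol), dropped, forwarded, punched
```

Case 3 also shows why the punched hole is only usable by the remote endpoint the PC talked to: a packet from any other source to the same external port still has no matching state.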
0

Yes, with Port Forward.

Set up a port forward on your router to accept packets on port UDP/7 (or UDP/9, check your settings) and forward the packet to your computer.

ThoriumBR
  • let me quote the question again: > where **no** DMZ, Port Forwarding is set up. So the answer should show how to do that without port forwarding – Sir Muffington Nov 21 '19 at 21:01
  • Keep an eye out for IPv6. Many home networks have IPv4 natted but IPv6 non-natted. – Darrell Root Nov 21 '19 at 21:09
  • Without port forward you cannot. NAT must be started from inside the network to map the ports, and your PC is either online, not needing WakeOnLAN, or offline and not able to start the connection. – ThoriumBR Nov 21 '19 at 22:00
  • @DarrellRoot thanks for mentioning IPv6, I forgot to talk about it. Can you add some more question-relevant resources concerning this topic? My own knowledge is also lacking in this field; I mostly learnt IPv4 (even though IPv6 was up and running when I started to learn). – Sir Muffington Nov 21 '19 at 22:31
  • You need to ask a specific question about IPv6 to get a specific answer, but to whet your appetite try out http://www.whatismyv6.com. – Darrell Root Nov 21 '19 at 23:24