Using NAT Traversal to Connect Users in Passive Mode

This article is a loose translation of one of the entries in the DC++ Dev Blog.

With the author's permission (and also for the sake of clarity and interest), I decorated it with links and supplemented it with some personal research.

Introduction

At present, at least one user in a connecting pair must be in active mode. The NAT "bypass" mechanism is useful when active mode is not configured on either side, which is usually caused by a firewall or NAT device blocking incoming connections.

If both clients are active

The initiating client sends the other client a $ConnectToMe command containing its own IP address and port. Using this data, the client that received the command establishes a connection to the initiator.

If one of the clients is in passive mode

Passive client A sends a $RevConnectToMe command through the hub to active client B, which then responds with $ConnectToMe.

[Figure: the server S in the case above is the DC hub.]

If both clients are in passive mode on an ADC hub

Clients A and B, behind different NATs, have joined the hub S.

[Figure: how the connection to the hub looks from client A's side.]

The hub accepts connections on port 1511. Client A makes outgoing connections from its private network through port 50758. The hub, in turn, sees the address of the NAT device, works with it and broadcasts to clients according to their identifiers.

Client A sends the server S a message asking for help connecting to client B.

Hub: [Outgoing][178.79.159.147:1511] DRCM AAAA BBBB ADCS/0.10 1649612991

Client B, also being in passive mode, must respond to this command by reporting the private port it uses to connect to the hub through NAT.

Hub: [Incoming][178.79.159.147:1511] DNAT BBBB AAAA ADCS/0.10 59566 1649612991

After receiving this information, client A immediately attempts to establish a connection to client B and reports its own private port.

Hub: [Outgoing][178.79.159.147:1511] DRNT AAAA BBBB ADCS/0.10 50758 1649612991
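The exchange above can be checked mechanically. The following is an added example, not code from the original article or from DC++: it parses the hub log lines, correlates them by the trailing number (assumed here to be a token shared by all three messages, as the logs suggest) and reports the port each side advertised. The names `parse` and `trace` and the fourth sample line are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Layout read off the article's log lines (an assumption, not a spec quote):
#   D<cmd> <sender SID> <target SID> <protocol> [<port>] <token>
LINE = re.compile(r"\[(?:Outgoing|Incoming)\]\[[\d.]+:\d+\]\s+"
                  r"D(RCM|NAT|RNT) (\S+) (\S+) \S+(?: (\d+))? (\d+)\s*$")
PREV = {"RCM": None, "NAT": "RCM", "RNT": "NAT"}  # required predecessor

class Msg(NamedTuple):
    cmd: str
    src: str
    dst: str
    port: Optional[int]
    token: str

def parse(line: str) -> Msg:
    m = LINE.search(line)
    if not m:
        raise ValueError(f"not a NAT traversal line: {line!r}")
    cmd, src, dst, port, token = m.groups()
    return Msg(cmd, src, dst, int(port) if port else None, token)

def trace(lines):
    """Correlate messages by token; return (completed, problems)."""
    last, ports, done, problems = {}, {}, {}, []
    for line in lines:
        msg = parse(line)
        prev = last.get(msg.token)
        if (prev.cmd if prev else None) != PREV[msg.cmd]:
            problems.append(f"{msg.cmd} out of order, token {msg.token}")
        elif prev and (msg.src, msg.dst) != (prev.dst, prev.src):
            problems.append(f"{msg.cmd} SIDs do not mirror {prev.cmd}")
        elif msg.cmd != "RCM" and not (msg.port and msg.port < 65536):
            problems.append(f"{msg.cmd} has no usable port")
        else:
            last[msg.token] = msg
            if msg.cmd != "RCM":  # NAT and RNT carry the sender's port
                ports.setdefault(msg.token, {})[msg.src] = msg.port
            if msg.cmd == "RNT":  # both ports known: handshake complete
                done[msg.token] = ports[msg.token]
    return done, problems

# First three lines are the article's; the fourth is constructed (stray NAT).
SAMPLE = [
    "Hub: [Outgoing][178.79.159.147:1511] DRCM AAAA BBBB ADCS/0.10 1649612991",
    "Hub: [Incoming][178.79.159.147:1511] DNAT BBBB AAAA ADCS/0.10 59566 1649612991",
    "Hub: [Outgoing][178.79.159.147:1511] DRNT AAAA BBBB ADCS/0.10 50758 1649612991",
    "Hub: [Incoming][178.79.159.147:1511] DNAT CCCC AAAA ADCS/0.10 40000 7",
]
```

Calling `trace(SAMPLE)` returns the completed handshake keyed by token, plus one problem entry for the NAT message that was never preceded by an RCM.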

What is the point? The point is to shift the endpoint of the same connection by creating a new connection to a public address through a private port that is already in use.

[Figure: Bingo!]

Of course, client B's NAT has every right to reject the first connection request from client A, but B's own request then rushes into the "hole" created by that very connection attempt, and the connection is established nevertheless.

[Figure: an illustration that fits the entire process, with the caveat that the protocol does not use the public ports opened by the NAT-S session, nor private addresses.]

Finale

At the time the (original) article was written, about half of DC clients were in passive mode. This means that a quarter of all possible connections cannot be made.

Later, DC++ will be able to bypass NAT by using the existing connections A-S and B-S to establish a direct client-to-client connection, even if both A and B are in passive mode.

Source: habr.com
