NOTE: my terminology and understanding are most likely incorrect, please educate me!
TL;DR
Why can't I connect from one client to another over the internet without port forwarding?
How is this different from any website / internet-based software which connects two clients together?
What I have read
Two solutions - the simplest is a port forwarding rule on his firewall, the second is as you suggest an external server that both clients connect to.
Accessing a computer from outside the local network is possible, but it normally depends on the policy of the institution where you work. The easiest way is to have port forwarding...
My understanding
A router protects all the client computers from outside connections (e.g. firewall). And this prevents two clients from connecting over the internet even if they know each other's IP addresses unless you explicitly tell your router to let them communicate by something like port forwarding.
I have always thought that websites are just servers running on a computer somewhere. But apparently this isn't correct, since we just established that a server running on a computer cannot connect to another computer over the internet because of the firewall.
- I (client) can open up a browser, go to a web domain (external IP server), and download a picture.
- But I (server) can't write a program to send a picture to an external IP (client).
- I also (client) can't write a program to connect to an external IP (server) and download a picture from it.
Questions (looks like a lot but it's repetitive)
How is an external server that a client connects to (which has an external IP and is accepted through the router's firewall) any different from an external server that a client connects to (which has an external IP but is not accepted through the router's firewall)?
Essentially, what is the difference between my computer running a server and a web domain server (computer)?
What is different about the ISP, router, firewall of a web domain server from my own computer?
What is the difference between a computer I rent online running my server program which anybody in the world can connect to and my own computer running my server program which nobody can connect to (outside my LAN)?
Why is it impossible for my own computer to run a server which anybody can connect to? What is the difference between a central server and a server on a computer in my LAN?
CodePudding user response:
In general, I think that your confusion is based around what we can do on the internet vs what a typical internet user's configuration and package are.
Before I go further: I am going to answer your questions assuming typical IPv4 options, not IPv6.
When we talk about public server IPs we really mean static, owned external IP addresses. These are IP addresses that do not change and are controlled by an organization. That is why they often have a domain name associated with them via DNS. All the traffic sent on the internet to that address comes into their equipment (rented or otherwise). So they can choose to allow/disallow traffic to get to a server that will actually do something with the data.
What is different about the ISP, router, firewall of a web domain server from my own computer.
Your internet is through a dynamic, NAT'd (possibly CG-NAT'd), public IP address. Periodically your public address will change. This is cheaper to implement and it assumes you just want to make connections outbound (Get website, not host website). You have to explicitly tell it to change its behavior when you want it to listen on a port.
What is the difference between a computer I rent online running my server program which anybody in the world can connect to and my own computer running my server program which nobody can connect to (outside my LAN).
It has a static public IP.
Why is it impossible for my own computer to run a server which anybody can connect to
That's not true. As you mentioned, if your carrier allows port forwarding you can open up a port to the internet. You also can use more advanced tactics like NAT-punching.
Closing Note: Asking your internet provider for the cost of a static IP plan (you don't need to buy it) is a great way to see how they offer the true server external IP.
Also, IPv6 tries to make it so NATs are optional and anyone can host anything. Carriers have just been very slow to adopt it.
CodePudding user response:
On your home network you have a home router. This home router uses a technique called NAT which breaks your Internet connection and then duct-tapes it mostly back together again. It does this because otherwise there aren't enough IP addresses for everyone to have one.
The NAT system intercepts connections from your computer, phone, etc. and makes them look like they came from the home router, instead. Everything outside of your network thinks your network is one computer (which is the router) with one IP address (the router's IP address). As far as the Internet can tell, your computer doesn't exist, nor does your phone, your laptop or your tablet.
You cannot make a connection to your computer from the Internet because your computer doesn't actually have an IP address. Only the router is actually connected to the Internet, remember? Oh sure, your computer thinks it has an IP address - one of those 192.168 thingies. But that's basically just pretend. It's a little mind game NAT plays on your computer. If you can't send packets to it from the Internet, is it really an IP address?
People outside the network can only connect to the router (because that's the only IP address that really exists). So if you want to run a server, you have to set up the router so it knows what to do with that connection. This is port forwarding. Otherwise, how would it know whether to pass the connection onto your computer or your phone? The connection request doesn't say! It just says it's for the router!
Your ISP might also have a NAT router, because there aren't even enough IP addresses for every house to get one. Double the NAT, double the breakage. And your ISP won't set up port forwarding on theirs.
In an ideal world your desktop computer would just have an IP address, and if you wanted to connect to your desktop computer, you'd use the IP address of your desktop computer, and that would be that. This is how it was before the IP address shortage. And this is how it is today with IPv6, where there's no shortage. If you don't have IPv6, ask your ISP today. It might take you a while to get used to how the addresses look. 1/3 of Internet traffic is IPv6 - join the wave of the future.
When you rent a server they do not put their rented-out servers behind NAT routers, because they would be useless. Every server you can rent has its own IP address.
If your ISP has its own NAT router (besides the one in your house) they might be able to give you a non-NAT connection if you ask nicely and pay them a bunch of money. They might want you to upgrade to an expensive business-class internet plan though. You're going to pay for each IP address, so you want to minimize your IP addresses, so you're always going to be using NAT anyway on your network as long as there's an IP address shortage.
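As an added illustration that is not part of either answer, here is a toy Python model of the NAT table the second answer describes (all addresses are constructed from the documentation/CG-NAT ranges; no real network is touched). It shows why a browser's outbound request gets its reply delivered, why an unsolicited inbound connection is dropped, how a port forward fixes that, and why a carrier NAT in front (double NAT) drops it anyway.

```python
from collections import namedtuple
from dataclasses import dataclass, field
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

@dataclass
class NatRouter:
    """Toy NAT: outbound flows create mappings; inbound needs a mapping or a port forward."""
    public_ip: str
    forwards: dict = field(default_factory=dict)  # public port -> (inside ip, port)
    table: dict = field(default_factory=dict)     # public port -> (inside ip, port, remote ip, port)
    next_port: int = 40000

    def outbound(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = next((p for p, f in self.table.items() if f == flow), None)
        if pub_port is None:                       # new flow: allocate a public port
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)  # outside sees only the router

    def inbound(self, pkt):
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self.table.get(pkt.dst_port)
        if flow and flow[2:] == (pkt.src_ip, pkt.src_port):   # reply to a request we sent out
            return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
        if pkt.dst_port in self.forwards:                      # explicit port forward rule
            ip, port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        return None                                            # unsolicited: dropped

WEB = ("198.51.100.5", 443)   # constructed addresses from documentation ranges
PC = ("192.168.1.10", 8080)   # the LAN machine that wants to run a server

def browse():
    """Client-initiated flow: the reply matches the table and is delivered inside."""
    home = NatRouter("203.0.113.7")
    req = home.outbound(Packet(PC[0], 51000, *WEB))
    return home.inbound(Packet(*WEB, req.src_ip, req.src_port))

def connect_in(forward, carrier_nat):
    """Outside host connects toward the PC, with/without a forward, behind one or two NATs."""
    home = NatRouter("100.64.0.9" if carrier_nat else "203.0.113.7")
    if forward:
        home.forwards[8080] = PC
    pkt = Packet("198.51.100.5", 50000, "203.0.113.7", 8080)
    if carrier_nat:  # the ISP's NAT sits in front and has no forward for us, so it drops first
        pkt = NatRouter("203.0.113.7").inbound(pkt)
    return home.inbound(pkt) if pkt else None
```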