
Some basic router questions and zoom


Bit Twister

Dec 16, 2020, 10:54:50 AM

192.168.1 My basic hardware setup using two routers
.-----. .-----------. .----------.
.50 | wb |------| lan router|----|isp router|--
`-----' `-----------' `----------'
.-----. | | |
.60 | mtv |--------' | | SIP .-------.
`-----' | `-------| phone |
.-----. | `-------'
.70 | tb |-----------'
`-----'

Nodes using shorewall firewall running Mageia Release 7.1 Linux

Examples are two users on mtv and wb nodes doing the same activity
at the same time on my same internet address/connection.

isp router configured to pass all ports to same ports in lan router.

A simple example, Firefox open a bi-directional connection.
If wb and mtv user run firefox www.yahoo.com and click
Sign In, yahoo only sees my internet ip address.

How does the packet stream get back to the correct user?

A complex example, zoom.us connects 8801, 8802 for the meeting.
I do not know how my router would know to route the incoming
request to the correct user.

The reason I ask, zoom uses these ports,
TCP 80, 443 *.zoom.us
TCP 443, 8801, 8802 MeetingConnector
UDP 3478, 3479, 8801, 8802 MeetingConnector

and if ports 8801, 8802 are the ports zoom.us wants to open for the
meeting. How would the router know to route those packets to the
correct node?

I may be overthinking this. I have a VOIP phone, and I have configured
lan router to forward ports 3478, 3479 to my phone based on the
assumption that the ports are used for incoming phone calls.

David W. Hodgins

Dec 16, 2020, 1:10:33 PM
On Wed, 16 Dec 2020 10:54:43 -0500, Bit Twister <BitTw...@mouse-potato.com> wrote:

> A simple example, Firefox open a bi-directional connection.
> If wb and mtv user run firefox www.yahoo.com and click
> Sign In, yahoo only sees my internet ip address.
>
> How does the packet stream get back to the correct user?

It sees more than the address.

The tcp protocol is a stateful protocol. The lan router keeps a table of current
connections containing the mac address within the lan, the website ip address, the
latest sequence number and the time of the latest packet in the connection. After
the initial packet, all further packets in that connection will go to the same mac
address. When a connection times out or closes, the entry is removed from the table.
https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment

Where it gets messy is handling the initial incoming packet in a connection, the syn
packet. With a home router, the router has a table that controls which mac address
to forward the syn packet to, based on the port number. So each lan can only have
one computer that will receive all incoming connections for each tcp port number and
one for each udp port number.

In a commercial router there can be more than one computer in the lan that can
receive syn packets for a given protocol and port number. The router decides which
of those mac addresses to send the syn packet to based on other contents of the
packet (url etc), or other means such as round robin load balancing.

For basic torrent connections, my understanding is that the tracker(s) keep track
of which torrent is available at which ip address and what port to use with that
address. Also keep in mind that some isps will do their best to block all torrent
traffic. If they are using deep packet inspection to identify torrent traffic, it
may be blocked or rate limited.

Regards, Dave Hodgins

--
Change dwho...@nomail.afraid.org to davidw...@teksavvy.com for
email replies.

Pascal Hambourg

Dec 17, 2020, 11:38:59 AM
On 16/12/2020 at 16:54, Bit Twister wrote:
> 192.168.1 My basic hardware setup using two routers
> .-----. .-----------. .----------.
> .50 | wb |------| lan router|----|isp router|--
> `-----' `-----------' `----------'
> .-----. | | |
> .60 | mtv |--------' | | SIP .-------.
> `-----' | `-------| phone |
> .-----. | `-------'
> .70 | tb |-----------'
> `-----'
>
> Nodes using shorewall firewall running Mageia Release 7.1 Linux

Including the routers ?

> Examples are two users on mtv and wb nodes doing the same activity
> at the same time on my same internet address/connection.
>
> isp router configured to pass all ports to same ports in lan router.

What do you mean exactly by "pass ports to same ports" ?

> A simple example, Firefox open a bi-directional connection.

What are you calling "bi-directional connection" ?
I would say that any HTTP connection is bidirectional by nature, as the
client sends requests and the server sends replies.

> If wb and mtv user run firefox www.yahoo.com and click
> Sign In, yahoo only sees my internet ip address.

What are you calling "my internet ip address" ?

> How does the packet stream get back to the correct user?

Using the destination address and port, as usual.

> A complex example, zoom.us connects 8801, 8802 for the meeting.

What do you mean by "connect 8801, 8802" ?

> I do not know how my router would know to route the incoming
> request to the correct user.

The router doesn't know anything about users. It just forwards the
packet to the destination host. The destination host delivers the data
to the destination socket and process.

> The reason I ask, zoom uses these ports,
> TCP 80, 443 *.zoom.us
> TCP 443, 8801, 8802 MeetingConnector
> UDP 3478, 3479, 8801, 8802 MeetingConnector

What is "MeetingConnector" ?

> and if ports 8801, 8802 are the ports zoom.us wants to open for the
> meeting. How would the router know to route those packets to the
> correct node?

What do you mean by "ports zoom.us wants to open" ?

Bit Twister

Dec 17, 2020, 12:55:20 PM
On Thu, 17 Dec 2020 17:38:54 +0100, Pascal Hambourg wrote:
> On 16/12/2020 at 16:54, Bit Twister wrote:
>> 192.168.1 My basic hardware setup using two routers
>> .------. .-----------. .----------.
>> .50 | wb |------| lan router|----|isp router|--
>> `------' `-----------' `----------'
>> .------. | | |
>> .60 | mtv |--------' | | SIP .-------.
>> `------' | `-------| phone |
>> .------. | `-------'
>> .70 | tb |-----------'
>> `------'
>>
>> Nodes using shorewall firewall running Mageia Release 7.1 Linux
>
> Including the routers ?

No, the routers are the ones a normal household internet user would buy.

>> Examples are two users on mtv and wb nodes doing the same activity
>> at the same time on my same internet address/connection.
>>
>> isp router configured to pass all ports to same ports in lan router.
>
> What do you mean exactly by "pass ports to same ports" ?

If you were to look in your router you might find a Port Forwarding
screen which allows you to configure what Wan ports are
to be forwarded to desired ip addresses on the Lan.



>> A simple example, Firefox open a bi-directional connection.
>
> What are you calling "bi-directional connection" ?
> I would say that any HTTP connection is bidirectional by nature, as the
> client sends requests and the server sends replies.

Yup, you and I are on the same page about that definition.

>
>> If wb and mtv user run firefox www.yahoo.com and click
>> Sign In, yahoo only sees my internet ip address.
>
> What are you calling "my internet ip address" ?

Just like any home user has an internet ip address.

>> How does the packet stream get back to the correct user?
>
> Using the destination address and port, as usual.

Me thinks you are looking through the wrong end of this conversation.

I understand routing from my node to some site on the internet.
David Hodgins's reply describes how the router knows which Lan ip
is to get the packet.

>> A complex example, zoom.us connects 8801, 8802 for the meeting.
>
> What do you mean by "connect 8801, 8802" ?

Picture/Audio from the meeting server is sent on ports 8801, 8802
after the server has made the connection with the Zoom client
running on your node.

>
>> I do not know how my router would know to route the incoming
>> request to the correct user.
>
> The router doesn't know anything about users. It just forwards the
> packet to the destination host. The destination host delivers the data
> to the destination socket and process.

Ok, I was using user as a pronoun for node and process/client.

>> The reason I ask, zoom uses these ports,
>> TCP 80, 443 *.zoom.us
>> TCP 443, 8801, 8802 MeetingConnector
>> UDP 3478, 3479, 8801, 8802 MeetingConnector
>
> What is "MeetingConnector" ?

Term about the Zoom server which connects you to the desired meeting.

>> and if ports 8801, 8802 are the ports zoom.us wants to open for
>> the meeting. How would the router know to route those packets
>> to the correct node?
>
> What do you mean by "ports zoom.us wants to open" ?

Just what I said. Zoom is going to open/establish a connection to
my internet address to one or more of those ports.

William Unruh

Dec 17, 2020, 1:50:57 PM
On 2020-12-17, Bit Twister <BitTw...@mouse-potato.com> wrote:

> On Thu, 17 Dec 2020 17:38:54 +0100, Pascal Hambourg wrote:
>> On 16/12/2020 at 16:54, Bit Twister wrote:
>>> 192.168.1 My basic hardware setup using two routers
>>> .------. .-----------. .----------.
>>> .50 | wb |------| lan router|----|isp router|--
>>> `------' `-----------' `----------'
>>> .------. | | |
>>> .60 | mtv |--------' | | SIP .-------.
>>> `------' | `-------| phone |
>>> .------. | `-------'
>>> .70 | tb |-----------'
>>> `------'
>>>
>>> Nodes using shorewall firewall running Mageia Release 7.1 Linux

The router uses NAT. zoom ports are for receiving, not necessarily
transmitting.

Your machine A sends out a packet from A:PA to internet address Q:PQ where PQ is the
port and the address is Q. The router replaces A:PA with a new port RA
and a new address R, and keeps a table which says that R:PR is linked
with A:PA. When the reply comes back to R:PR, the router looks up the
table, and forwards that reply to A:PA. It does that with each packet.

The ISP router does the same thing.

If an outsider does a connection, then you would need to set up a table
in your router that says "If a packet comes into the router for R:PZ (
where PZ is the zoom port say, or port 80 for http) it looks in its
table ( which you set up beforehand) and says OK, you said that if R:80
comes in, then send that to C:80, where C is what you chose as your http
handler. I do this for many of my ports.
I have this set up for many of the ports coming to me, who are behind a
router, for example with ssh, or mail.


>>
>> Including the routers ?
>
> No, routers the ones a normal house hold internet user would buy.
>
>>> Examples are two users on mtv and wb nodes doing the same activity
>>> at the same time on my same internet address/connection.
>>>
>>> isp router configured to pass all ports to same ports in lan router.

I presume not to translate the ports.

>>
>> What do you mean exactly by "pass ports to same ports" ?
>
> If you were to look in your router you might find a Port Forwarding
> screen which allows you to configure what Wan ports are
> to be forwarded to desired ip addresses on the Lan.
>
>
>
>>> A simple example, Firefox open a bi-directional connection.
>>
>> What are you calling "bi-directional connection" ?
>> I would say that any HTTP connection is bidirectional by nature, as the
>> client sends requests and the server sends replies.
>
> Yup, you and I are on the same page about that definition.
>
>>
>>> If wb and mtv user run firefox www.yahoo.com and click
>>> Sign In, yahoo only sees my internet ip address.

So?
>>
>> What are you calling "my internet ip address" ?

>
> Just like any home user has an internet ip address.

Well, no. Your home could either be assigned a private address
(10.x.x.x, 192.168.x.x) in which case I think it is impossible for an
outsider to connect to your machine, or a public address (most of the
other possibilities), in which case it knows exactly where to send the
packet to.

>
>>> How does the packet stream get back to the correct user?

The user is up to the local machine. I presume you mean that local
machine. It is either a reply, in which the NAT tables in the router
know where to send the reply to, or it is call out of the blue, in which
case the port forwarding tables tell it where to go.

>>
>> Using the destination address and port, as usual.
>
> Me thinks you are looking through the wrong end of this conversation.
>
> I understand routing from my node to some site on the internet.
> David Hodgins's reply describes how the router knows which Lan ip
> is to get the packet.
>
>>> A complex example, zoom.us connects 8801, 8802 for the meeting.
>>
>> What do you mean by "connect 8801, 8802" ?
>
> Picture/Audio from the meeting server is sent on ports 8801, 8802
> after the server has made the connection with the Zoom client
> running on your node.

Those are the server's ports, not your ports. The two computers decide
which port on your machine is to get the information. You initiate the
zoom connection. Your computer sends a packet to the zoom server on some
random port. Zoom then knows to reply to that random port if it wants to
send something to your machine, and the NAT router knows which machine
those reply packets are to go to.
>
>>
>>> I do not know how my router would know to route the incoming
>>> request to the correct user.

Because that machine your user used connected to the zoom server on some
port, and the router knows that stuff coming back on that port should be
directed to your machine.

>>
>> The router doesn't know anything about users. It just forwards the
>> packet to the destination host. The destination host delivers the data
>> to the destination socket and process.
>
> Ok, I was using user as a pronoun for node and process/client.

Bad idea.
>
>>> The reason I ask, zoom uses these ports,
>>> TCP 80, 443 *.zoom.us
>>> TCP 443, 8801, 8802 MeetingConnector
>>> UDP 3478, 3479, 8801, 8802 MeetingConnector

No, it uses a whole bunch of ports. Those are the ports that are used if
you, cold turkey, want to talk to the server on.

For example, my machines are behind a firewall. Ports 8801 and 8802 are
NOT allowed inbound through the firewall. Yet I use zoom all the time.
Why? Because my machine sends packets to the server over a random port,
and when that happens, the router and the firewall software know that if
a reply comes on that port, it should be forwarded to your machine.
>>
>> What is "MeetingConnector" ?
>
> Term about the Zoom server which connects you to the desired meeting.
>
>>> and if ports 8801, 8802 are the ports zoom.us wants to open for
>>> the meeting. How would the router know to route those packets
>>> to the correct node?
>>
>> What do you mean by "ports zoom.us wants to open" ?
>
> Just what I said. Zoom is going to open/establish a connection to
> my internet address to one or more of those ports.
>
No it is not. It is going to establish a connection on some random port
chosen by your machine. After the connection is established, the server
may or may not use those ports.
(It is also possible that your machine will establish connections
on those zoom ports, and then, because the connection on those ports was
instituted by your machine, the router knows to send replies back to
you. In general the server will not see those ports at all. It will see
a request from your machine whose port has been translated by the NAT to
some random port and the zoom server will only see that random port.
There are only 64000 ports, so if you have 64000 machines on your end
all trying to be NATed, the NAT router will run out of ports, and you
will have a mess. ( There are 2^24 addresses in 10.x.x.x and only 2^16
(64000) ports, but I doubt that you are in that situation. I do not know if
IPV6 has more port possibilities.

Bit Twister

Dec 17, 2020, 4:08:00 PM
On Thu, 17 Dec 2020 18:50:53 -0000 (UTC), William Unruh wrote:
> On 2020-12-17, Bit Twister <BitTw...@mouse-potato.com> wrote:

>>
>> Just like any home user has an internet ip address.
>
> Well, no. Your home could either be assigned a private address
> (10.x.x.x, 192.168.x.x) in which case I think it is impossible for an
> outsider to connect to your machine, or a public address (most of the
> other possibilities), in which case it knows exactly where to send the
> packet to.

Technically your description is correct inside the ISP network,
but you can get your internet address by running any of these in a terminal
wget -qO - http://smxi.org/opt/ip.php
curl http://icanhazip.co


>
> Those are the server's ports, not your ports. The two computers decide
> which port on your machine is to get the information. You initiate the
> zoom connection. Your computer sends a packet to the zoom server on some
> random port. Zoom then knows to reply to that random port if it wants to
> send something to your machine, and the NAT router knows which machine
> those reply packets are to go to.

> Because that machine your user used connected to the zoom server on some
> port, and the router knows that stuff coming back on that port should be
> directed to your machine.
>

> It is going to establish a connection on some random port
> chosen by your machine. After the connection is established, the server
> may or may not use those ports.
> (It is also possible that your machine will establish connections
> on those zoom ports, and then, because the connection on those ports was
> instituted by your machine, the router knows to send replies back to
> you. In general the server will not see those ports at all. It will see
> a request from your machine whose port has been translated by the NAT to
> some random port and the zoom server will only see that random port.
> There are only 64000 ports, so if you have 64000 machines on your end
> all trying to be NATed, the NAT router will run out of ports, and you
> will have a mess. ( There are 2^24 addresses in 10.x.x.x and only 2^16
> (64000) ports, but I doubt that you are in that situation. I do not know if
> IPV6 has more port possibilities.

Ok, that makes sense, somewhat, and if so, then I understand how any
user at work/school can enter a Zoom meeting.

My questions come from reading about having to whitelist Zoom servers.
Your description seems to indicate all communication is through
connections made by Zoom client on the computer.

Hopefully my webcam gets here this week and my meeting test should have
no problems.

William Unruh

Dec 17, 2020, 5:49:48 PM
No, that is not your internet address. That is the internet
address of your router or of the ISP's router, depending on how to handle
things.
ifconfig -a
will give you your computer's IP address. And that is usually a
non-routable address like 10.x.x.x or 192.168.x.x.

The "internet address" as you define it will be the same for all of the
computers in your own local network. For example on my system, I get
75.155.y.y for all of the computers on my home network, where y.y is
the same for all of them.

That address is the address of the router that connects me to the
internet.
Assuming that your computer can see the web cam, and it obeys the right
protocol that zoom can see it and use it, it should be very
straightforward. So I have a few different Logitech webcams and they
worked fine out of the box. I use guvcview to set it up (colour,
contrast, etc) and that helps with zoom.

Bit Twister

Dec 17, 2020, 6:15:02 PM
On Thu, 17 Dec 2020 22:49:44 -0000 (UTC), William Unruh wrote:
> No, that is not your internet address. That is the internet
> address of your router or of the ISP's router, depending on how to handle
> things.
> ifconfig -a
> will give you your computer's IP address. And that is usually a
> non-routable address like 10.x.x.x or 192.168.x.x.
>
> The "internet address" as you define it will be the same for all of the
> computers in your own local network. For example on my system, I get
> 75.155.y.y for all of the computers on my home network, where y.y is
> the same for all of them.
>
> That address is the address of the router that connects me to the
> internet.

Heheh, we are in a violent agreement that if you want to connect to another
site/user on the Internet you have to use the Internet Ip Address.
If you want to connect with anyone on LAN side you have to use the LAN
ip address.

William Unruh

Dec 17, 2020, 7:04:47 PM
On 2020-12-17, Bit Twister <BitTw...@mouse-potato.com> wrote:
Well, I would phrase it differently. If someone wants to connect with you
they have to use the internet address of the router that connects you to
the internet. If someone inside your network wants to connect to you then they
have to use the IP of your machine. Unfortunately the former only gets
you to the router, not to your machine, and there are many computers on
the inside of the router. How can the packet get from the outside to
your particular machine? At first approximation it cannot. At second
approximation you could have told the router that any packet arriving at
router at port X should be delivered to your machine at port Y. (but
that would mean that port X has to uniquely be connected to port Y on
your machine.). This brings in the third approximation. If you send out
a request to a remote machine on port Z, which the router translates to
port ZZ, then if the router receives a packet from that machine directed
to port ZZ it will deliver it to your machine on port Z. Ie, this is
just like case 2 except that you do not have to set up the port
forwarding yourself, it is set up automatically by the router.
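
Added example (not part of any post in this thread): a toy Python model of the router's two tables discussed above, the automatic translation table built from outbound traffic and the static port-forward table set up by hand. The WAN, server and phone addresses and the starting port 40000 are constructed values, and matching replies on the remote address and port as well is an assumption about how the router filters.

```python
from dataclasses import dataclass, field

WAN_IP = "203.0.113.7"                 # constructed public address of the router
ZOOM = ("198.51.100.10", 8801)         # constructed meeting-server address:port


@dataclass
class NatRouter:
    wan_ip: str
    next_port: int = 40000             # assumed start of the translation port pool
    # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port), built automatically
    dynamic: dict = field(default_factory=dict)
    # (proto, wan_port) -> (lan_ip, lan_port), the "Port Forwarding" screen
    forwards: dict = field(default_factory=dict)

    def add_forward(self, proto, wan_port, lan_ip, lan_port):
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a packet out; return the source the remote side sees."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        for (p, wan_port), entry in self.dynamic.items():
            if p == proto and entry == flow:
                return self.wan_ip, wan_port          # existing flow keeps its mapping
        wan_port = self.next_port
        while (proto, wan_port) in self.dynamic or (proto, wan_port) in self.forwards:
            wan_port += 1                              # skip ports already in use
        if wan_port > 65535:
            raise RuntimeError("NAT port pool exhausted")
        self.next_port = wan_port + 1
        self.dynamic[(proto, wan_port)] = flow
        return self.wan_ip, wan_port

    def inbound(self, proto, remote_ip, remote_port, wan_port):
        """A packet arrives on the WAN side; return (lan_ip, lan_port) or None if dropped."""
        entry = self.dynamic.get((proto, wan_port))
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]                           # reply to a flow a LAN host started
        if (proto, wan_port) in self.forwards:
            return self.forwards[(proto, wan_port)]    # unsolicited, but explicitly forwarded
        return None                                    # unsolicited and not forwarded: dropped


def demo():
    r = NatRouter(WAN_IP)
    r.add_forward("udp", 3478, "192.168.1.80", 3478)   # phone address is constructed
    # wb (.50) and mtv (.60) join a meeting at the same time from the same local port.
    wb = r.outbound("udp", "192.168.1.50", 51000, *ZOOM)
    mtv = r.outbound("udp", "192.168.1.60", 51000, *ZOOM)
    return {
        "wb_seen_as": wb,
        "mtv_seen_as": mtv,
        "reply_to_wb": r.inbound("udp", *ZOOM, wb[1]),
        "reply_to_mtv": r.inbound("udp", *ZOOM, mtv[1]),
        # The server never needs WAN port 8801 open: nothing maps it, so it is dropped.
        "unsolicited_8801": r.inbound("udp", *ZOOM, 8801),
        # A different remote host aiming at wb's translated port does not match the flow.
        "other_host_to_wb_port": r.inbound("udp", "198.51.100.99", 8801, wb[1]),
        "forwarded_3478": r.inbound("udp", "198.51.100.99", 3478, 3478),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

The two hosts are told apart only by the translated WAN port, and a forwarded port is the one case where a packet nobody on the LAN asked for is let through, which is why each forward is worth reviewing.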

David W. Hodgins

Dec 17, 2020, 7:54:36 PM
On Thu, 17 Dec 2020 19:04:43 -0500, William Unruh <un...@invalid.ca> wrote:

Perhaps I can clarify in a way we can all agree on.

As I explained, the router has temporary tables used for network address translation
between the address seen by the two sides of the router. That I think we all
agree on.

The wide area network (WAN) address is what is seen by external sites such as
https://ident.me/ while the local area network (LAN) address is provided by
the router the computer is connected to. Keep in mind the computer may have
multiple network interfaces, each with its own ip address, so technically
the LAN address is the address of the network interface in the computer, assigned
by the router it's connected to.

The router status page will show what it labels the WAN address, and normally
that is what it shows as I and BitTwister stated. However William is correct
in that it isn't always really a WAN address. It may be that the router is
connected to another router, in which case the WAN address of the first router
is actually a LAN address provided by the second router.

Using multiple levels of routers is relatively rare for home users. It's more
common in corporate environments and when it's necessary to bridge long distances
for connections between the computer and the modem used to connect to the isp.

Bit Twister

Dec 17, 2020, 8:35:18 PM
On Thu, 17 Dec 2020 19:54:23 -0500, David W. Hodgins wrote:

> Using multiple levels of routers is relatively rare for home users. It's more
> common in corporate environments and when it's necessary to bridge long distances
> for connections between the computer and the modem used to connect to the isp.

Yep, I agree. The reason I have two is anytime I can switch providers
and save $20 a month, I switch providers. I got tired of having to
get into the router and reconfigure it for my lan nodes.
Same thing when the Helpless Desk says to factory reset modem. :(

With the second router, my LAN nodes keep their address and I have
to do nothing to the ISP router except forward all ports to my router,
disable UPnP, ALG Passthrough, remote internet access, and
turn off the wireless transmitter(s).

A big thank you for your Mageia community support David
and thanks to William for his replies.

Dick

Dec 18, 2020, 9:58:47 AM
Why not set the isp router to 'bridge' mode. That's what I do. Much
simpler than forwarding all ports. I have a similar setup as you do.
Of course, your isp router may not have a 'bridge' mode...

Dick

Dec 18, 2020, 10:06:52 AM
On 12/17/2020 8:35 PM, Bit Twister wrote:
Why not use 'bridge' mode on your isp router? That's what I do. I have
a similar setup and I find that it is much simpler than forwarding all
ports. Of course, your isp router may not have a 'bridge' mode...