Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EvoNode self-check of External IP fails when NAT hairpinning is not enabled #5926

Open
coolaj86 opened this issue Mar 7, 2024 · 0 comments
Open

EvoNode self-check of External IP fails when NAT hairpinning is not enabled #5926

coolaj86 opened this issue Mar 7, 2024 · 0 comments

Comments

@coolaj86
Copy link

coolaj86 commented Mar 7, 2024
edited
Loading

Expected behavior

An EvoNode should be able to skip validation or use external validation rather than require a hairpin connection to Just Work™.

I don't believe that there's any technical reason that NAT Refelction (Hairpin) should be a hard requirement of running a EvoNode. When NAT hairpinning isn't working, it's often difficult to diagnose or configure, or even out of your control (i.e. at the ISP layer).

Actual behavior

In this example I'm running an EvoNode in a container on a private network with port forwarding, and the NAT hairpin is disabled due to other firewall rules taking precedence

Update: I did indeed confirm that the NAT hairpin failure was the reason for the ProRegTx failure - which should NOT be the case.

Request from my local computer

g_external_ip='1.2.3.4'
dash-cli -testnet -rpcconnect="${g_externalip}" -rpcport=19998 -rpcuser=app-test -rpcpassword='****' masternode status

Response from the EvoNode in a container:

{
  "outpoint": "0000000000000000000000000000000000000000000000000000000000000000-4294967295",
  "service": "1.2.3.4:19999",
  "state": "ERROR",
  "status": "Error. Could not connect to 1.2.3.4:19999"
}

Obviously the ports (19998, 19999) are being forwarded correctly, otherwise we wouldn't be able to get an RPC response from the EvoNode in the container.

I've confirmed that NAT hairpinning wasn't working - devices on that network can't contact that device by its external ip, but devices outside of the network can contact it by its external ip.

To reproduce

This is somewhat difficult, because you have to be on a network where the firewall either doesn't have NAT Reflection enabled, or has another security rule that takes precedence over it.

Or I suppose you could finagle iptables to simulate the situation. I'm not sure how to do that.

Some mix of https://stackoverflow.com/a/28525022/151312 and a little LLM (i.e. GPT, StarCoder, CodeUp) magic might be able to help with that. I'm also hoping for a response from https://superuser.com/questions/1834099/how-can-i-simulate-nat-reflection-failure-with-iptables.

System information

N/A

This occurs at the TCP/IP routing layer.

See also
@coolaj86 coolaj86 changed the title self-check fails when NAT hairpinning is not enabled EvoNode self-check of External IP fails when NAT hairpinning is not enabled Mar 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@coolaj86