CGHMN NAT and Firewalls
Revision as of 15:00, 26 October 2025
A brief history on how the internet worked in the 1990's
Compu-Global-Hyper-Mega-Net (CGHMN) exists in a difficult kind of space. We aim to emulate "the old web": a time of roughly "1995 to around 2005 or so", a sort of nebulous "before Web 2.0 took off" kind of period. Though really, we support anything that speaks Ethernet and (usually) TCP/IP. We've had devices as old as a DOS 286 PC clone connected successfully. Most users trend toward Windows XP as their platform of choice due to its relative flexibility and widespread hardware and software support.
Unfortunately for all of us, we live at the "end of history". In 1995 the "World Wide Web" was in its infancy, in such a way that every single year brought quantum technological leaps over the previous year. By the end of the millennium we'd gone from rudimentary analog dial-up services to wireless networking being accessible to consumers (Apple's AirPort routers alone showed up in 1999).
However, on a technical level this began to create severe issues. The internet as it was originally designed assumed simple "end-to-end" connectivity: every computer on the internet could (more or less) talk to any other computer without exception.
This created two major problems.
The first one was IP exhaustion. Even by the 1990's there was an understanding that there simply wouldn't be enough IP addresses for everyone on the internet. This needed to be fixed, and fast! This led to IPv6 as an evolutionary upgrade (a problem the internet still struggles to even deploy in 2025, despite IPv6 being ratified in 1998).
The second, and much more obvious, problem was security. By the year 2000 it was obvious that every machine being able to talk to every other machine on Earth was a problem, particularly when the dominant operating system these machines ran was what could be charitably described as... "not great" in terms of security. In the 2000's this would only escalate as the "ILOVEYOU" worm gave way to some of Windows XP's greatest hits: Blaster, Sasser, Mydoom, Nimda and Conficker, among others.
A remedy proposed in the 1990's to the issue of IP exhaustion was "Network Address Translation", or "NAT". In layman's terms, this allows a bunch of computers to all sit behind a single IP address using a device such as a router. This technology is so ubiquitous that even in 2025, at time of writing, it's still the de facto standard for home and business computers and other devices to access the modern internet.
However, this technology came at a cost. The internet as most folks imagine (or remember) it was originally built on the idea that every computer had its own unique IP address. NAT broke that assumption, and in doing so, programs broke: sometimes completely, with services like FTP, sometimes in subtle ways, like being unable to connect certain players in a StarCraft lobby.
The problem that NAT introduced was that while "outbound" traffic would work fine (such as you connecting to a website), if a program needed to receive data on your local computer, it could no longer simply sit and wait for a connection from a remote PC. An example would be AOL Instant Messenger (AIM). Chats between users are routed through a remote server: you and the other user talk to a central server and it handles sending messages to and fro. However, to save on bandwidth, sending files happens directly between users. If either user is behind NAT, they won't be able to "see" the remote computer and send data to it as desired.
The "solution" to this problem is known as Port Forwarding. You tell your router that [these ports] *always* go to [this IP address on the LAN] exclusively. This (mostly) solved the problem at the time. Additional solutions were proposed, such as "UPnP", to allow programs to ask the router to forward ports for them dynamically. However, support for this was few and far between (mostly BitTorrent clients), and in time it faded into oblivion.
As stated before, we live at the end of history. Which means we have the benefit of looking back on what was, and understanding the flaws. Which (finally) brings us to the point of this wiki page.
Okay but what does that have to do with CGHMN?
Every CGHMN user is allocated a /24 block of IPs; effectively, every user has 253 IP addresses to use as they'd like. This was a deliberate decision, both to maximize the amount of freedom users would have to connect ALL their retro equipment if desired, and to try and allow the direct end-to-end connectivity that the old web "expects".
However, because we have the benefit of historical hindsight, having directly allocated IP addresses does not mean that your devices are directly exposed to the network. By default (if using OpenWRT with Snep's setup script) your IP block will be firewalled against incoming connections. This is a necessary security measure because the very nature of the
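The NAT-plus-port-forwarding behaviour described in the history section and the CGHMN default (real addresses, but inbound firewalled unless you opt in) side by side, as an added toy model that is not part of this wiki page or of Snep's setup script. The router, hosts and addresses are constructed for illustration, and the routed firewall here is a simplified stand-in for a stateful rule set, not OpenWRT's actual configuration.

```python
# Added toy model; every address below is constructed (documentation/private ranges), not CGHMN's.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str  # "ip:port"
    dst: str  # "ip:port"

@dataclass
class NatRouter:
    public_ip: str
    table: dict = field(default_factory=dict)     # public port -> LAN "ip:port", learned from outbound
    forwards: dict = field(default_factory=dict)  # public port -> LAN "ip:port", static port forward
    def outbound(self, pkt):
        port = 40000 + len(self.table)            # pick an unused public port
        self.table[port] = pkt.src                # remember which LAN host owns it
        return Packet(f"{self.public_ip}:{port}", pkt.dst)   # source rewritten to the public IP
    def inbound(self, pkt):
        port = int(pkt.dst.rsplit(":", 1)[1])
        target = self.table.get(port) or self.forwards.get(port)
        return Packet(pkt.src, target) if target else None   # no mapping: nowhere to deliver

@dataclass
class RoutedFirewall:
    flows: set = field(default_factory=set)   # (LAN "ip:port", remote "ip:port") seen outbound
    allow: set = field(default_factory=set)   # LAN "ip:port" explicitly opened to inbound
    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.dst))
        return pkt                            # nothing rewritten: end-to-end addressing kept
    def inbound(self, pkt):
        ok = (pkt.dst, pkt.src) in self.flows or pkt.dst in self.allow
        return pkt if ok else None            # unsolicited and not allowed: dropped

def scenarios():
    """AIM-style case: a peer connects back to a host that never dialled out on that port."""
    peer, nat, lan = "198.51.100.9:5190", NatRouter("203.0.113.5"), "192.168.1.20"
    out = nat.outbound(Packet(f"{lan}:1025", peer))
    nat_reply = nat.inbound(Packet(peer, out.src))                     # reply to our own flow
    nat_unsolicited = nat.inbound(Packet(peer, "203.0.113.5:5190"))    # no mapping exists
    nat.forwards[5190] = f"{lan}:5190"                                  # the article's port forward
    nat_forwarded = nat.inbound(Packet(peer, "203.0.113.5:5190"))
    fw, host = RoutedFirewall(), "10.40.7.20"     # constructed address in a CGHMN-style /24
    fw.outbound(Packet(f"{host}:1025", peer))
    fw_reply = fw.inbound(Packet(peer, f"{host}:1025"))
    fw_unsolicited = fw.inbound(Packet(peer, f"{host}:5190"))          # firewalled by default
    fw.allow.add(f"{host}:5190")                                        # opt-in: an allow rule only
    fw_allowed = fw.inbound(Packet(peer, f"{host}:5190"))
    return nat_reply, nat_unsolicited, nat_forwarded, fw_reply, fw_unsolicited, fw_allowed
```

The difference to notice is the last three results: on the routed block the opt-in is a plain allow rule and the packet reaches the host with its real address, whereas NAT had to rewrite it through a mapping.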