CGHMN NAT and Firewalls: Difference between revisions
Latest revision as of 04:30, 27 October 2025
A brief history of how the internet worked in the 1990s
Compu-Global-Hyper-Mega-Net (CGHMN) exists in a difficult kind of space. We aim to emulate "the old web", a nebulous period of roughly 1995 to around 2005, before Web 2.0 took off. Really, though, we support anything that speaks Ethernet and (usually) TCP/IP; we've had devices as old as a DOS 286 PC clone connected successfully. Most users trend toward Windows XP as their platform of choice due to its relative flexibility and widespread hardware and software support.
Unfortunately for all of us, we live at the "end of history". In 1995 the World Wide Web was in its infancy, and every single year brought huge technological leaps over the previous one. By the end of the millennium we'd gone from rudimentary analog dial-up services to wireless networking being accessible to consumers (Apple's AirPort routers alone showed up in 1999).
However, on a technical level this began to create severe issues. The internet as it was originally designed assumed simple "end-to-end" connectivity: every computer on the internet could (more or less) talk directly to any other computer, without exception.
This created two major problems:
The first was IP exhaustion. Even in the 1990s it was understood that there simply wouldn't be enough IPv4 addresses for everyone on the internet. This needed fixing, and fast, and it led to IPv6 as an evolutionary upgrade (ratified in 1998, and a protocol the internet still struggles to fully deploy in 2025).
The second, and much more obvious, problem was security. By the year 2000 it was apparent that every machine being able to talk to every other machine on Earth was a problem, particularly when the dominant operating system these machines ran could charitably be described as "not great" in terms of security. In the 2000s this only escalated, as the "ILOVEYOU" worm gave way to the worms that plagued Windows 2000 and XP: Nimda, Blaster, Sasser, Mydoom and Conficker, among others.
A remedy proposed in the 1990s for IP exhaustion was "Network Address Translation", or NAT. In layman's terms, this allows a bunch of computers to all sit behind a single public IP address using a device such as a router. The technology is so ubiquitous that even in 2025, at time of writing, it's still the de facto way for home and business computers and other devices to access the modern internet.
However, this technology came at a cost. The internet as most folks imagine (or remember) it was built on the idea that every computer had its own unique IP address. NAT broke that assumption, and in doing so programs broke: sometimes completely, as with FTP, and sometimes in subtle ways, like being unable to connect to certain players in a StarCraft lobby.
The problem NAT introduced is that while "outbound" traffic works fine (you connecting to a website, say), a program that needs to receive data on your local computer can no longer simply sit and wait for a connection from a remote PC, because the remote PC only ever sees the router's address. An example is AOL Instant Messenger (AIM). Chats between users are routed through a remote server: you and the other user both talk to a central server and it handles sending messages to and fro. To save on bandwidth, however, file transfers happen directly between the two computers. If the computer that has to accept that direct connection is behind NAT, the other user won't be able to "see" it and send data to it as desired.
The "solution" to this problem is known as port forwarding. You tell your router that [these ports] *always* go to [this IP address on the LAN] exclusively. This (mostly) solved the problem at the time. Additional solutions were proposed, such as UPnP, to let programs ask the router to forward ports for them dynamically. Application support was uneven (BitTorrent clients and game consoles being the main users), and because UPnP lets any program on the LAN open holes in the router without any authentication, it is often disabled outright.
As stated before, we live at the end of history, which means we have the benefit of looking back on what was and understanding the flaws. Which (finally) brings us to the point of this wiki page.
Okay but what does that have to do with CGHMN?
Every CGHMN user is allocated a /24 block of IPs: effectively 253 usable addresses (256 minus the network address, the broadcast address and the router) to use as they'd like. This was a deliberate decision, both to maximize the freedom users have to connect ALL their retro equipment if desired, and to allow the direct end-to-end connectivity that the old web "expects".
However, because we have the benefit of historical hindsight, having directly allocated IP addresses does not mean that your devices are directly exposed to the network. By default (if using OpenWRT with Snep's setup script) your IP block is firewalled against incoming connections: outbound connections from your machines work, but nothing else on the network can open a connection to them. This is a necessary security measure because of the very nature of running a retro network: connecting machines that are (likely) unpatched would make them immediately vulnerable to attack, even before they're properly configured for service by the end user.
So, what stuff breaks, exactly?
There's no definitive list of what breaks under this decision. A broad (but by no means exhaustive) list of things that won't work:
- Servers. You won't be able to run any kind of server or service (e.g. hosting your own website, running a game server) without the ability for users to connect to it.
- Games that don't use a server browser. Games like Quake or Halo, where everyone connects to a single server, will work (provided the server's ports are allowed through the firewall or the firewall is disabled), but games such as StarCraft or Command & Conquer connect the players directly to one of them acting as the "host" (typically the player that created the game lobby). These will not work unless the host's machine is opened up in the same way.
- FTP! FTP is such an old protocol that, in its original "active" mode, the remote server initiates the data connection back to the client and sends files that way. RFC 1579 ("Firewall-Friendly FTP", February 1994) fixed this by recommending that clients default to "passive" (PASV) mode, in which the client opens the data connection as well. Unfortunately, some software such as Microsoft FrontPage did not enable it until 2003(!)
- AIM file transfers. As described above, AIM (and IRC, and other chat clients such as MSN or Yahoo) all use a direct connection between the two computers to send files across the network.
How do I opt out?
It should be made completely clear that opting out of the OpenWRT firewall is not a decision to be made lightly. We cannot guarantee that a user won't accidentally (or intentionally) release a malware Pandora's box on the network: Blaster, Sasser, Mydoom, ILOVEYOU and friends are still real malware samples that can be downloaded and executed, either by mistake or by a malicious user. We highly recommend installing any and all software patches that were (or are) available for your chosen systems before doing this!
There are two "modes" of opt-out available, depending on user preference.
The most drastic is simply to disable OpenWRT's firewall completely. This means any machine you plug in will have direct access to the network, and any other device on the network will be able to directly access it. If you choose this option we highly recommend putting your machines behind a (preferably modern!) firewall of your own and then port forwarding as necessary.
The other option is to set a static (fixed) IP address on the device you want to run servers or play games from. Once this is done you can open the OpenWRT firewall page (Network -> Firewall -> Traffic Rules) and add a rule that allows only the required ports, for that specific host, to pass the firewall. The rest of your block stays firewalled.