iChat audio/video chat and file transfer behind NAT

March 4th, 2006

Update 2006-03-10: It seems that the testing servers for natcheck at MIT have been shut down, so natcheck does not work any more. I have added a few more links to the post.


Pretty much all chat applications inherently have trouble setting up a direct connection when both participants are behind a NAT router. Such a direct connection is needed for audio/video chat and file transfer. iChat is one of the apps having notorious problems…

When the router providing NAT has “consistent port translation”, everything should be fine. However, especially some Netgear wireless routers seem to have trouble with this feature.

Use the NatCheck tool available from the following URL to check your router:

http://bleu.west.spy.net/~dustin/projects/natcheck.xtp

If your router does not have consistent port translation, then the only hope is to have the router communicate with iChat via uPnP (universal plug’n play). This way, iChat can tell the router how to forward incoming packets.
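Since the natcheck servers are gone, here is an added example (not part of the original post) that performs the same "consistent port translation" check with STUN: it sends Binding Requests from one local UDP socket to two different servers and compares the public port each one reports back. If both see the same port, the router maps endpoint-independently, which is what iChat needs. The two STUN server names are assumptions; substitute any you trust.

```python
import os, socket, struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020

def build_binding_request(txid):
    # RFC 5389 header: type, body length, magic cookie, 96-bit transaction id
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)

def parse_mapped_address(resp, txid):
    """Return the (ip, port) a STUN server saw our request come from."""
    mtype, mlen, cookie, rtx = struct.unpack("!HHI12s", resp[:20])
    if (mtype, cookie, rtx) != (BINDING_SUCCESS, MAGIC_COOKIE, txid):
        raise ValueError("not a binding success response for our request")
    body, pos = resp[20:20 + mlen], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        val = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and val[1] == 0x01:  # IPv4
            port, ip = struct.unpack("!H", val[2:4])[0], val[4:8]
            if atype == XOR_MAPPED_ADDRESS:  # undo the XOR with the magic cookie
                port ^= MAGIC_COOKIE >> 16
                ip = bytes(a ^ b for a, b in zip(ip, struct.pack("!I", MAGIC_COOKIE)))
            return socket.inet_ntoa(ip), port
    raise ValueError("response carries no mapped address")

def classify_port_translation(mappings):
    """mappings: (ip, port) pairs that DIFFERENT servers reported for ONE local
    socket. The same external port everywhere is consistent port translation."""
    return "consistent" if len({p for _, p in mappings}) == 1 else "inconsistent"

def probe(servers, timeout=2.0):
    # One local UDP socket, one Binding Request per server; compare what each saw.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    seen = []
    for host, port in servers:
        txid = os.urandom(12)
        sock.sendto(build_binding_request(txid), (host, port))
        data, _ = sock.recvfrom(1024)
        seen.append(parse_mapped_address(data, txid))
    return seen

if __name__ == "__main__":
    # Assumed public STUN servers (not from the post); substitute any two you trust.
    result = probe([("stun.l.google.com", 19302), ("stun.cloudflare.com", 3478)])
    print(result, "->", classify_port_translation(result))
```

A result like `[('203.0.113.5', 40000), ('203.0.113.5', 40000)] -> consistent` means direct connections should work; differing ports mean you are down to uPnP or manual forwarding.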

For some Netgear routers, tweaking the following settings on the router was successful:

  • switch the SPI firewall off (not sure if this is really needed, though)
  • switch uPnP on

If you have a firewall running on your Mac, you should include the following in your ipfw rules:

# allow uPnP traffic behind NAT
# SSDP discovery replies from the router arrive from UDP port 1900
add 2040 allow ip from 192.168.0.0/16 1900 to any in via any
# the router's uPnP description/control port (5000 on many Netgear models)
add 2040 allow ip from 192.168.0.0/16 to any 5000-5001 in via any

Apple has a mildly helpful KB article:

http://docs.info.apple.com/article.html?artnum=93208

Others have also written about this:

http://tim.geekheim.de/2003/06/25/troubleshooting-ichat-av/
http://www.jayallen.org/journey/2004/02/ichat_av_and_nat_routers

For an in-depth technical discussion of all the issues that can occur with NAT tunneling see

http://www.croczilla.com/zap/rfcs/draft-jennings-behave-test-results-01.txt
http://nutss.gforge.cis.cornell.edu/pub/imc05-tcpnat.pdf
http://www.guha.cc/saikat/stunt-results.php

See also:

http://www.falkemedia.com/dph/pedeeffsml/149/ML200412-032-036_iChat.pdf

Categories: macosx, hacking

10 Comments

  • 1. Rich Siegel  |  March 6th, 2006 at 03:44

    Thanks for the great tip! Unfortunately, the Netgear FVS338 (one of their high-performance “business-class” VPN routers) doesn’t support UPnP. I continue to hold out hope that Netgear will remedy this.

  • 2. maurits  |  March 6th, 2006 at 04:31

    You’re welcome. I wouldn’t hold my breath though for Netgear to update their router. Usually, vendors fix only the inevitable; features get added only in new products. This is unfortunate, but makes perfect business sense.

  • 3. Alastair  |  April 26th, 2006 at 09:38

    I was going to enable UPnP on my router until I read this. My takeaway is: learn to live with manual port forwarding.

  • 4. sjk  |  April 28th, 2006 at 02:12

    Thanks for the link, Alastair. Is that truly as serious as it sounds?

  • 5. maurits  |  April 28th, 2006 at 02:22

    Well, if your computer is secure enough to connect it directly to the internet, which a Mac usually is, I don’t see any issues with uPnP. Of course the situation is different if there are also potentially malware-infested Windows machines behind the same router.

  • 6. shane  |  September 10th, 2006 at 11:02

    Does anybody know how to run the natcheck program? I’m a new Mac user and it keeps trying to open the program in Excel.

  • 7. maurits  |  September 10th, 2006 at 13:11

    See my comment at the beginning of the post. natcheck doesn’t work any more.

  • 8. echo  |  November 15th, 2006 at 08:54

    With a Netgear WGR614 v6, after a full day of reading + testing tons of different configurations, the info here of turning the SPI firewall off, in combination with the port triggering list on many sites, was the final thing that did work for me (since I did want to keep DHCP IPs on the machines, + use port triggering for flexibility for more than one machine). Thanks!

  • 9. echo  |  November 15th, 2006 at 23:06

    Spoke too soon on turning SPI firewall off. Although it solves ichat audio, it breaks connecting through my ftp client (Transmit), makes no difference if PASV mode is on.

  • 10. echo  |  November 16th, 2006 at 08:52

    Ooops, PASV was the solution for that. Existing bookmarks weren’t changed with the preference. Sorry for the OT, thought better than to leave inaccurate info.
