dashpay/dash

EvoNode self-check of External IP fails when NAT hairpinning is not enabled

coolaj86 opened this issue · 0 comments

Expected behavior

An EvoNode should be able to skip validation or use external validation rather than require a hairpin connection to Just Work™.

I don't believe that there's any technical reason that NAT Refelction (Hairpin) should be a hard requirement of running a EvoNode. When NAT hairpinning isn't working, it's often difficult to diagnose or configure, or even out of your control (i.e. at the ISP layer).

Actual behavior

In this example I'm running an EvoNode in a container on a private network with port forwarding, and the NAT hairpin is disabled due to other firewall rules taking precedence

Update: I did indeed confirm that the NAT hairpin failure was the reason for the ProRegTx failure - which should NOT be the case.

Request from my local computer

g_external_ip='1.2.3.4'
dash-cli -testnet -rpcconnect="${g_externalip}" -rpcport=19998 -rpcuser=app-test -rpcpassword='****' masternode status

Response from the EvoNode in a container:

{
  "outpoint": "0000000000000000000000000000000000000000000000000000000000000000-4294967295",
  "service": "1.2.3.4:19999",
  "state": "ERROR",
  "status": "Error. Could not connect to 1.2.3.4:19999"
}

Obviously the ports (19998, 19999) are being forwarded correctly, otherwise we wouldn't be able to get an RPC response from the EvoNode in the container.

I've confirmed that NAT hairpinning wasn't working - devices on that network can't contact that device by its external ip, but devices outside of the network can contact it by its external ip.

To reproduce

This is somewhat difficult, because you have to be on a network where the firewall either doesn't have NAT Reflection enabled, or has another security rule that takes precedence over it.

Or I suppose you could finagle iptables to simulate the situation. I'm not sure how to do that.

Some mix of https://stackoverflow.com/a/28525022/151312 and a little LLM (i.e. GPT, StarCoder, CodeUp) magic might be able to help with that. I'm also hoping for a response from https://superuser.com/questions/1834099/how-can-i-simulate-nat-reflection-failure-with-iptables.

System information

N/A

This occurs at the TCP/IP routing layer.

See also