Apple‘s iChat AV right now seems to be the number one toy in the Mac community. I already went throught a couple of tests and it is obvious there are some problems with connecting from behind a NAT router. But in general it is possible, but it seem to depend heavily on the NAT being used.
I am in fact behind two (!) cascaded NAT routers before my packets leave off to the Internet. The first one is a Linux box, the second one is running NetBSD. But it works in both video and audio mode with all machines with a public IP address and even other computers behind yet another NAT router. So let‘s dig up some dirt. How do they do it?
Apple‘s own documentation is quite sparse on this topic. There is a TechNote explaining the ports that need to be open behind firewalls. But this does not explain how it works. So I was digging deeper and I discovered a page on NAT checking by Bryan Ford. He actually has prepared a Internet-Draft on this topic.
He explains a model for doing UDP to UDP communication behind NAT using a third computer telling each of the peers about the IP addresses that are actually used when sending out UDP packets. I don‘t know if this is the method Apple uses but they have both the central computer (the AIM system) and are in fact using UDP to communicate. And I don‘t see any other chance to do this anyway.
He provides a small NATCHECK program with precompiled versions for Linux and FreeBSD. The source does not compile out of the box on Mac OS X, but I patched it to make it work. It is just a single line of code that was missing, so there is no big deal here. You find the compiled program and the patched source code in this disk image (if you are not technically inclined: download the image, wait for it to open, then open “Terminal” and drag the “natcheck-darwin” file to the window and hit return).
The program detects if your router is suited to peer-to-peer communication or not. For my setup it reports:
RESULTS: Address translation: NAPT (Network Address and Port Translation) Consistent translation: YES (GOOD for peer-to-peer) Unsolicited messages filtered: YES (GOOD for security)
The important point seems to be to have NAPT and consistent translation. Routers that had a NO on consistent translation were not able to communicate with me so far.
I am still not sure if this is the key to solve the iChat problems, feel free to comment on this issue here. I‘ll keep you updated on my progress.
UPDATE: There is a thread on Mac OS X Hints covering the same topic. On first look no real news however.
UPDATE: For people using the AirPort Extreme base station via DSL (PPP over Ethernet) the V5.1 firmware update (also included in the 3.1 update for the whole AirPort software suite) improves the situation.
UPDATE: I have compiled natcheck with the “verbose” flag set so it reports the IP address and port number that is detected by the outside host. natcheck itself always uses port 9857 and connects to port 9856.