I quickly skimmed code+docs so correct me if I’m wrong:
- we currently use STUN on the QUIC port to get our external IPv4+port and detect the NAT type
- if the NAT type allows hole punching we keep contacting the STUN server with a delay in order to keep the punched hole open
- if we detect that the port changes we gradually reduce the delay from stunKeepaliveStartS(180s) down to stunKeepaliveMinS(20s) to handle NAT implementations with a low timeout.
- do we have anything similar for IPv6? I know that IPv6 doesn’t use NAT but we would still need to punch holes as most firewalls are going to drop incoming traffic for non-established connections
- the detection mechanism for IPv4 only detects if the router firewall closed its port. A local firewall might have closed the punched hole a lot earlier, e.g. the Linux netfilter timeout is 30s for non-established UDP “connections”. With the default check delay of 180s the port might be closed at the device itself most of the time. It’s not a real problem as the firewall should be properly configured anyway.
Offtopic: I also noticed that the global discovery server returned duplicates for my device
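
The interaction between the keepalive delay and the two firewall layers raised in the last bullet can be simulated as follows. This is an added example, not code from the post or from the project: the function `simulate`, the halving step on a port change and the router timeout values are assumptions, while the 180s/20s delays and the 30s netfilter timeout are the figures quoted above.

```go
package main

import "fmt"

// Delays as quoted in the post, in seconds.
const (
	stunKeepaliveStartS = 180
	stunKeepaliveMinS   = 20
)

// simulate (hypothetical name) runs the keepalive loop for durationS seconds
// against two stateful layers: the router, whose expiry the STUN check sees
// as a changed external port, and a local firewall, whose expiry it cannot
// see. An entry stays open for timeout seconds after the last keepalive.
// Halving the delay on a port change is an assumption of this example.
func simulate(routerTimeoutS, localTimeoutS, durationS int) (finalDelayS int, reachablePct float64) {
	delay := stunKeepaliveStartS
	lastSent, reachable := 0, 0 // the keepalive at t=0 opens both layers
	for t := 1; t <= durationS; t++ {
		age := t - lastSent
		routerOpen := age <= routerTimeoutS
		localOpen := age <= localTimeoutS
		if routerOpen && localOpen {
			reachable++ // inbound packets pass both layers this second
		}
		if age >= delay { // time for the next keepalive
			if !routerOpen && delay > stunKeepaliveMinS {
				delay /= 2 // router mapping expired: port changed, back off
				if delay < stunKeepaliveMinS {
					delay = stunKeepaliveMinS
				}
			}
			lastSent = t
		}
	}
	return delay, 100 * float64(reachable) / float64(durationS)
}

func main() {
	// Constructed scenarios: {router timeout, local firewall timeout}.
	for _, c := range [][2]int{{300, 30}, {60, 30}, {10, 30}} {
		d, pct := simulate(c[0], c[1], 3600)
		fmt.Printf("router=%ds local=%ds -> delay=%ds, reachable %.1f%% of the hour\n", c[0], c[1], d, pct)
	}
}
```

With a router that never expires the mapping, the delay never leaves 180s, so a 30s local timeout goes unnoticed and leaves the port reachable for only a sixth of the time.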