I'm trying to troubleshoot a possible NAT issue and to narrow things down, I'm trying to find out if there are any router technologies that might be able to bypass NAT when the destination has not done port forwarding/does not have UPnP enabled.

As some people in a tech support channel explained to me, NAT hides the internal IP so if there is no port forwarding done, the sender sends a packet to the destination machine, but the packet only contains the external IP. The destination router has no idea which machine to forward the packet to, so drops/rejects it. Is this correct?

E.g. My machine -> Friend's machine. Friend's machine is behind a NAT, has not done port forwarding/does not have UPnP enabled.

In a situation like this, would my router be able to bypass the NAT and get the packet through to my friend's machine somehow? I found some references to hole punching, STUN, etc., but I'm having trouble understanding if these are router-specific technologies or whether you need an application specifically coded to use these.

Possible NAT issue in a nutshell:

  1. Friend is behind a NAT, does not have UPnP enabled, has not done port forwarding.

  2. I cannot connect to him properly via a UDP connection with a randomized port (p2p multiplayer game)

  3. Others can, even though everyone tells me this should be impossible as there is no port forwarding happening.

Theory: My router is too old/does not support certain technologies that would let it bypass the NAT and connect to him, while others have more modern routers that can do this.

That's why I'm trying to figure out if routers do have stuff like that that would let them bypass a NAT.

  • "Is this correct?" - This is indeed correct.
    – Ramhound
    Commented Feb 23, 2017 at 20:21
  • "The destination router has no idea which machine to forward the packet to, so drops/rejects it. Is this correct?" Not exactly. The address belongs to the router, and absent forwarding, anything sent to that address is sent to the router itself. A router is a host in its own right. If the router doesn't have any process running to use what is sent to it, just like any other host, it will ignore it.
    – Ron Maupin
    Commented Feb 23, 2017 at 21:33
  • By the way, NAT is not routing. You can use NAT in different devices other than routers, and routing doesn't require NAT. NAT is merely a kludge to extend the life of IPv4 until IPv6 replaces IPv4, by allowing multiple addresses to hide behind a single address.
    – Ron Maupin
    Commented Feb 23, 2017 at 21:35

2 Answers


In a nutshell, you can't do this and it's not something you can fix on your end.

To briefly summarize / over-simplify, when you address a packet to your friend's router it has to know what to do with that packet. If there is a NAT entry (i.e. your friend's computer made a network request through the router) then the router knows to route the return packet to the originating computer just as if a short-term, one-off port-forward had been turned on for the life of the packet trip.

The exact mechanics may differ between devices and if the router has a built-in firewall (almost all do now) but, in essence, if there is no NAT entry or port-forwarding then the packet has been delivered to a device (router) not configured to accept a packet on the port, which means drop / ignore the packet. This is the desired behavior of the router / firewall; otherwise anyone on the internet could break into the internal network.

Your friend's router either has to enable port-forwarding, set up UPnP (which is basically just automated port-forwarding), or use a service that has a third-party intermediary that you both talk through which triggers the NAT functionality in the friend's router.

  • What about hole punching? As I understand it, both me and my friend would make a connection to a server, the server then tells each of us the correct IP/port to use to connect to each other directly. Wouldn't that bypass the NAT issue?
    – Question
    Commented Feb 23, 2017 at 21:53
  • @Question sure, but then you're connected to the server and a service running on it instead of connecting to a service running on either machine. The server would still have to be able to communicate with the machine behind a NAT, which is the same problem you face trying to communicate with that machine.
    – Ramhound
    Commented Feb 23, 2017 at 22:32
  • @Question, that doesn't "bypass" the NAT issue so much as it uses NAT as designed since your friend is using NAT to exit the network to connect to the server (which is what I was referring to in my last sentence about third-party intermediary).
    – Wayne
    Commented Feb 24, 2017 at 23:01
  • @Ramhound: The service/application would be set up to use hole punching in this scenario. So for example, Client A -> server <- Client B. Both clients connect, get the correct IP/port to use, both then use it to establish another connection with each other via the application. I've been told that firewalls will block this somehow, but why? They do not block outgoing traffic to the third-party server, right? (unless you configure it to, which would not be typical).
    – Question
    Commented Feb 25, 2017 at 13:06
  • @Wayne: yes, that's what I meant by bypassing. My question is now, is there anything other than hole punching that can do this? If yes, how does it work and what are the limitations involved?
    – Question
    Commented Feb 25, 2017 at 13:07

Your explanation of the issue with NAT is accurate.

Hole punching isn't so much a technology as just a technique. In a nutshell, it exploits some properties of NAT's principles of operation to set up a connection between two NAT-ed hosts. STUN is a standardized implementation of this technique.

I'm a big fan of ZeroTier. It's a decentralized VPN. What that means is that it can make two or more hosts on the internet appear to be connected into a LAN, with each one having a dedicated IP address in that LAN, without any designated server. It's reasonably easy to set up and the free plan is more than enough for your needs. Hole punching happens automatically and data is sent directly between the participating devices. A 3rd-party server is used only initially to coordinate establishing the connections.

ZeroTier has some limitations though. Officially double NAT traversal is not supported (device behind a NAT which is behind another NAT). I've tried to use it anyway, but the connection wasn't reliable. YMMV. Other than that, in supported networks I didn't experience any issues so far.

  • Also worth noting that ZeroTier didn't exist when he asked in 2017. Also, any VPN technology, of which there certainly were in 2017. Also SSH reverse tunnel.
    – barlop
    Commented Dec 25, 2022 at 7:45
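
The NAT behaviour discussed in the answers above, as an added example that is not part of the original posts: a toy Python model of a UDP NAT table showing why an unsolicited packet is dropped and why a rendezvous-assisted hole punch gets through. It assumes port-restricted filtering and uses constructed documentation addresses; the `symmetric` flag goes beyond the thread to model a NAT that picks a new public port per destination, a known case where the technique fails.

```python
# Added example: toy model of UDP NAT behaviour (no real network traffic).
# All addresses are constructed documentation values.

class Nat:
    def __init__(self, public_ip, symmetric=False):
        self.public_ip = public_ip
        self.symmetric = symmetric  # True: new public port per destination
        self.next_port = 40000
        self.out = {}               # mapping key -> public port
        self.allowed = {}           # public port -> (internal host, permitted remotes)

    def outbound(self, src, dst):
        """Host `src` sends to `dst`; returns the public endpoint `dst` sees."""
        key = (src, dst) if self.symmetric else src
        if key not in self.out:
            self.out[key] = self.next_port
            self.allowed[self.next_port] = (src, set())
            self.next_port += 1
        port = self.out[key]
        self.allowed[port][1].add(dst)  # open the "hole" for this remote only
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Packet from `remote` arrives; returns internal host or None (dropped)."""
        entry = self.allowed.get(public_port)
        if entry is None or remote not in entry[1]:
            return None
        return entry[0]

def hole_punch(nat_a, nat_b):
    """Return (a_reaches_b, b_reaches_a) after a rendezvous-assisted punch."""
    server = ("198.51.100.10", 3478)          # hypothetical rendezvous server
    a, b = ("192.168.1.20", 5000), ("10.0.0.7", 5000)
    # 1. Both peers contact the server, which records the endpoints it observes.
    a_pub = nat_a.outbound(a, server)
    b_pub = nat_b.outbound(b, server)
    # 2. The server tells each peer the other's endpoint; both send to it.
    a_src = nat_a.outbound(a, b_pub)
    b_src = nat_b.outbound(b, a_pub)
    # 3. Does each peer's packet pass the other NAT's filter?
    return (nat_b.inbound(a_src, b_pub[1]) == b,
            nat_a.inbound(b_src, a_pub[1]) == a)

def unsolicited(nat):
    """A stranger sends to a port that has no mapping: dropped."""
    return nat.inbound(("203.0.113.99", 1234), 40000)
```

In this model the punch succeeds only because each NAT reuses the same public port toward the peer that it used toward the server; with `symmetric=True` on either side the advertised port is stale and both filters drop the packets.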
