~~SBC Network?~~ NAT nightmares

Here is an explainer video of the NAT hole punching and also about why it doesn’t always work:

00:00 - 08:17 How simple it used to be way back when.
08:17 - 12:40 Why UDP hole punching is necessary, and how it works.
12:40 - 16:51 Why it doesn’t always work.

I cannot evaluate how correct all that is, but seems legit to me. So, @Josh it might work, if your router is not enforcing symmetric NAT, I guess.

2 Likes

Symmetric NAT is a nightmare. Some allocate the next port on next connection and some use random next ports. Then if you have one on each side you are really in trouble. There are ways where you create over 10,000 connections to try. But in reality, it’s just hell.

1 Like
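
The distinction drawn in the post above (one mapping reused for every destination, versus a new port per connection that is allocated either sequentially or at random) can be read off STUN-style probe results. This is an added example, not code from the thread or from the Safe Network project; the `Probe` record, the `classify_mapping` function and all addresses and ports are constructed for illustration.

```python
from collections import namedtuple

# One STUN-style probe: the SAME local UDP socket asks a server which public
# source address it saw. Every value below is a constructed sample.
Probe = namedtuple("Probe", "server mapped_ip mapped_port")

def classify_mapping(probes):
    """Classify NAT mapping behaviour from probes sent from one local socket
    to different servers, listed in the order they were sent."""
    if len({p.server for p in probes}) < 2:
        raise ValueError("need probes to at least two distinct servers")
    if len({(p.mapped_ip, p.mapped_port) for p in probes}) == 1:
        # Same public ip:port for every destination: a peer can be told this
        # address, so hole punching has a chance of working.
        return {"mapping": "endpoint-independent", "allocation": None, "delta": None}
    if len({p.mapped_ip for p in probes}) > 1:
        # Even the public IP changes per destination (address pool).
        return {"mapping": "symmetric", "allocation": "address-pool", "delta": None}
    ports = [p.mapped_port for p in probes]
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if len(ports) < 3:
        # Two samples give one delta, which says nothing about a pattern.
        return {"mapping": "symmetric", "allocation": "undetermined", "delta": None}
    if len(deltas) == 1:
        # Constant step between consecutive mappings ("next port on next
        # connection"): the next mapping is guessable by the peer.
        return {"mapping": "symmetric", "allocation": "sequential", "delta": deltas.pop()}
    return {"mapping": "symmetric", "allocation": "random", "delta": None}

# Constructed probe sets (documentation address ranges, made-up ports).
CONE = [Probe("198.51.100.1:3478", "203.0.113.7", 40001),
        Probe("198.51.100.2:3478", "203.0.113.7", 40001)]
SEQUENTIAL = [Probe("198.51.100.1:3478", "203.0.113.7", 50010),
              Probe("198.51.100.2:3478", "203.0.113.7", 50011),
              Probe("198.51.100.3:3478", "203.0.113.7", 50012)]
RANDOM = [Probe("198.51.100.1:3478", "203.0.113.7", 50010),
          Probe("198.51.100.2:3478", "203.0.113.7", 61822),
          Probe("198.51.100.3:3478", "203.0.113.7", 23377)]

if __name__ == "__main__":
    for name, probes in (("cone", CONE), ("sequential", SEQUENTIAL), ("random", RANDOM)):
        print(name, classify_mapping(probes))
```
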

That’s what I thought, but others seem to think having a local IP different from the public/external IP is the problem.
Frankly I can’t see why that would be a problem. Webservers, torrents, all sorts of services work this way: if you have a static IP, and correct ports forwarded, the router takes the request addressed to the external IP and routes it to the device indicated by the forwarding rule, and vice versa.
Why would Safe be any different?

3 Likes

Torrent nodes can happily be uncontactable and maybe even relay via torrent servers. For Safe, we have no such servers as you need to trust them. So it’s a bit more nuanced, but a participating node must be contactable, either directly or by some other means. We don’t, as of yet, have another means of ensuring this connectability.

Hope that helps.

9 Likes

Ok thanks, that clarifies. But what about P2P services like gnutella/emule? I seem to remember they needed nodes to be contactable…

2 Likes

Let’s assume my node is connected directly but I do not have a static IP, it changes after I joined.
Is this a problem?
Will a static IP be required?

Trying not to drown here, please excuse my ignorance.

5 Likes

At the moment we are not handling that well. It should be fine but it needs to be clarified in code. I would say give it a try (short answer :slight_smile: )

6 Likes

If people want some background on NAT etc. there is always this https://docs.maidsafe.net/Whitepapers/pdf/DHTbasedNATTraversal.pdf

7 Likes

Am I correct to assume that if you’re using a VPN proxy, then NAT problems go away?

If so, then the solution here might be to implement relay nodes on SN … where the relays need to have VPN or otherwise solid connectability.

Not sure what would take longer to implement well nor what the tradeoffs might be, but having the option to use a relay if NAT traversal isn’t working for you seems a good option to enable S-A-F-‘E’.

1 Like

Would you say that if not “everyone” can run a node that is not living up to the E in SAFE?

I don’t think so, to me it means secure access to data for everyone. Probably a minority take though.

2 Likes

I think that there is the future possibility of many different types of sub-nodes doing specialty tasks - like oracle work on the network. So enabling as many people to do node work in some capacity on the network is really important … longer run we’ll have IPv6, so maybe this isn’t a big concern … but who knows how long that will be. I don’t know the many and various tradeoffs so I can’t speak to the best “port forward” here … lol, sorry for the pun.

1 Like

VPN is only a tunnel from point A to B, communication in the tunnel can be configured in countless ways. If the VPN provider gives public IP addresses in the tunnel then yes, it is a way to avoid NAT problems.

3 Likes

Sooo, fomo got the better of me and I contacted my ISP.

I had gig service with the dreaded dynamic IP.

Gig was a little OTT honestly so I switched to 500MB with 5 static IPs for less than I was paying before.

Feels like a win! :grinning:

The things I’d do for SAFE :crazy_face:

12 Likes

Uncertain since most use a form of NAT to allow many people to use the one VPN server. You pay extra for a unique IP.

1 Like

I was wondering about that because Tor has its own NAT punching tool.

1 Like

Just a FYI to anyone who has Frontier fiber in the US.
It is currently cheaper to switch from a standard home connection to a business connection.

You can regrade your line.
Your monthly subscription will likely be less for the same speeds.
Which makes up for adding additional IPs.
1 static for 19.99 or 5 for 25.99.
New free wifi 6e router.
No install or switching fees.
No contract.

No brainer really.

6 Likes

Is identifying nodes behind NAT going to be trickier than expected?

4 Likes

Before my line gets changed I thought I would try this again.

This is what I did :point_down: Everything works just fine.

But because I don’t really understand a whole lot of this, would there be a problem or is the laptop clear to join a test where NAT is blocked?

1 Like

From the laptop look at https://www.whatismyip.com/
If it shows same IP address as you have on the laptop, then the laptop has public IP and you are fine (no NAT).

2 Likes

I did, that was the case.

Is it really this simple, or am I just lucky that it works with my ISP?

Now I am wondering how many devices I could connect to the switch without issue.

1 Like