How NAT Port Mapping Works

The Basic Problem

Your computer has a private IP (e.g., 192.168.1.100). The internet can't route to private IPs. NAT translates your private address to your router's public IP.

    Your PC                  Router/NAT               Internet
    192.168.1.100:49783  →   87.202.101.66:????   →   STUN server

The question is: what port does the NAT assign externally?

Port-Preserving NAT (Cone NAT)

    Internal                 External                 Destination
    192.168.1.100:49783  →   87.202.101.66:49783  →   stun.google.com
    192.168.1.100:49783  →   87.202.101.66:49783  →   stun.ekiga.net
    192.168.1.100:49783  →   87.202.101.66:49783  →   peer at 87.115.91.104
                                           ↑
                                  Same port every time

The NAT preserves your port (or at least keeps it consistent). Anyone who knows 87.202.101.66:49783 can send packets to you.

Symmetric NAT

    Internal                 External                 Destination
    192.168.1.100:49783  →   87.202.101.66:27939  →   stun.google.com
    192.168.1.100:49783  →   87.202.101.66:35843  →   stun.ekiga.net
    192.168.1.100:49783  →   87.202.101.66:?????  →   peer at 87.115.91.104
                                           ↑
                              Different port per destination!

The NAT assigns a different external port for each destination.

Why This Breaks P2P

    You                                               Peer
     │                                                  │
     │  1. Ask STUN: "What's my public address?"        │
     │──────────────────────────────────────────────────│
     │                                                  │
     │  2. STUN says: "You're 87.202.101.66:27939"      │
     │←─────────────────────────────────────────────────│
     │                                                  │
     │  3. Tell peer: "Connect to me at :27939"         │
     │─────────────────────────────────────────────────→│
     │                                                  │
     │  4. Peer sends packet to :27939                  │
     │                                                  │
     │          ╔═══════════════════════════╗           │
     │          ║ BUT your NAT created a    ║           │
     │          ║ NEW mapping for peer:     ║           │
     │          ║ :27939 was for STUN       ║           │
     │          ║ :58421 is for peer        ║           │
     │          ║                           ║           │
     │          ║ Peer's packet to :27939   ║           │
     │          ║ gets DROPPED!             ║           │
     │          ╚═══════════════════════════╝           │

The address you discovered via STUN is only valid for talking to the STUN server. When the peer tries to use it, your NAT doesn't recognize the packet and drops it.

Why Cone NAT Works

    You                                               Peer
     │                                                  │
     │  1. STUN says: "You're 87.202.101.66:49783"      │
     │                                                  │
     │  2. Tell peer: "Connect to me at :49783"         │
     │─────────────────────────────────────────────────→│
     │                                                  │
     │  3. Peer sends packet to :49783                  │
     │←─────────────────────────────────────────────────│
     │                                                  │
     │          ╔═══════════════════════════╗           │
     │          ║ NAT uses SAME mapping     ║           │
     │          ║ for all destinations      ║           │
     │          ║                           ║           │
     │          ║ Packet arrives! ✓         ║           │
     │          ╚═══════════════════════════╝           │

Your Situation

Without VPN:

    IPv4: 57460 → 1160   (different = symmetric, broken)
    IPv6: 57460 → 57460  (same = cone, works!)

With VPN:

    IPv4: 49783 → 27939  (different = symmetric, broken)
    IPv6: gone

Your IPv6 was your best path for direct P2P because it preserved ports. The VPN eliminated that advantage.
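
The two mapping behaviours above, modelled as a toy NAT table. This is an added example, not part of the original explanation. It classifies a NAT by comparing the mapped address seen by two STUN servers, then replays the advertise-and-connect exchange. The `Nat` class, the STUN port 3478 and the peer port 50000 are assumptions made for the illustration; the IPs and external ports are the ones used above.

```python
class Nat:
    """Toy NAT mapping table (constructed model, not a real NAT implementation)."""
    def __init__(self, public_ip, symmetric, port_pool=()):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.port_pool = iter(port_pool)  # external ports a symmetric NAT hands out
        self.mappings = {}                # mapping key -> external port

    def outbound(self, src, dst):
        """Translate an outgoing packet; return the address the destination sees."""
        key = (src, dst) if self.symmetric else src
        if key not in self.mappings:
            # Cone: keep the internal port. Symmetric: new port per destination.
            self.mappings[key] = next(self.port_pool) if self.symmetric else src[1]
        return (self.public_ip, self.mappings[key])

    def inbound(self, remote, ext_port):
        """Return the internal endpoint that receives the packet, or None if dropped."""
        for key, port in self.mappings.items():
            if port == ext_port:
                if not self.symmetric:
                    return key            # same mapping accepted from every remote
                src, dst = key
                return src if dst == remote else None
        return None                       # no mapping on that port: dropped

def classify(nat, client, stun_a, stun_b):
    """Compare the mapped address reported by two different STUN servers."""
    same = nat.outbound(client, stun_a) == nat.outbound(client, stun_b)
    return "cone" if same else "symmetric"

def peer_can_reach(nat, client, stun, peer):
    """Advertise the STUN-learned address, then have the peer send to it."""
    advertised = nat.outbound(client, stun)  # learn the public address via STUN
    nat.outbound(client, peer)               # client also sends toward the peer
    return nat.inbound(peer, advertised[1]) == client

# Constructed endpoints: server and peer ports are assumptions.
CLIENT = ("192.168.1.100", 49783)
STUN_A, STUN_B = ("stun.google.com", 3478), ("stun.ekiga.net", 3478)
PEER = ("87.115.91.104", 50000)

def demo():
    cone = Nat("87.202.101.66", symmetric=False)
    sym = Nat("87.202.101.66", symmetric=True, port_pool=[27939, 35843, 58421])
    return {kind: (classify(n, CLIENT, STUN_A, STUN_B),
                   peer_can_reach(n, CLIENT, STUN_A, PEER))
            for kind, n in (("cone", cone), ("symmetric", sym))}
if __name__ == "__main__":
    print(demo())
```

In the symmetric case the peer's packet arrives on :27939, which is bound to the STUN server only, so `inbound` returns `None`; the mapping the NAT actually created for the peer is on :58421.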