CN101515882B - Method, device and system for communication between local area network and public network - Google Patents

Info

Publication number: CN101515882B
Authority: CN (China)
Prior art keywords: message, network, public, address, information
Legal status: Active
Application number: CN2008100653854A
Other languages: Chinese (zh)
Other versions: CN101515882A
Inventors: 李磊, 张凯
Current assignee: Honor Device Co Ltd
Original assignee: Huawei Device Co Ltd

Events

Application filed by Huawei Device Co Ltd
Priority to CN2008100653854A
Publication of CN101515882A
Application granted
Publication of CN101515882B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention applies to the field of network communication and provides a method and device for communication between a local area network and a public network. The method comprises the following steps: assigning multiple IP addresses to a terminal in the local area network, the multiple IP addresses including at least one public IP address; when a packet whose source address is the public IP address is received from the LAN side, forwarding the packet to the public network and recording the packet's policy routing information; when a packet is received from the public-network side, determining the packet's policy routing information from the packet's network information and forwarding the packet to the corresponding terminal in the local area network. Embodiments of the invention achieve address translation of packet flows without ALG cooperation, leave most existing NAT/ALG network deployments unchanged, and require little change in users' habits.

Description

Method, device and system for communication between local area network and public network

Technical field

The invention belongs to the field of network communication, and in particular relates to a method, device and system for communication between a local area network and a public network.

Background

Network Address Translation (NAT) is an Internet Engineering Task Force (IETF) standard that allows an entire organization to appear on the Internet under one public IP (Internet Protocol) address; it is a technique for translating the IP addresses used inside a local area network into public IP addresses. The NAT function is usually integrated into routers, firewalls, Integrated Services Digital Network (ISDN) routers, or standalone NAT devices. As shown in Figure 1, a terminal uses a LAN-internal IP address within the local area network; when it needs to communicate with the public network, the gateway translates the terminal's LAN-internal IP address into a public IP address so that the terminal can operate normally on the public network (the Internet).

To handle NAT translation of packet flows effectively, the cooperation of an Application Layer Gateway (ALG) is required. An ALG is a network technique for solving application interworking problems under NAT; it is generally integrated in the same device as the NAT function and helps NAT modify the address and port information carried in application-layer messages. NAT/ALG deployments, however, have difficulty handling packets whose payload carries meaningful address information, cannot handle encrypted IP headers, complicate network debugging because internal host addresses are hidden, and reduce forwarding efficiency. In particular, the ALG must be updated continually to support new applications and their network deployments.

Summary of the invention

The purpose of the embodiments of the present invention is to provide a method for communication between a local area network and a public network, aimed at solving the problem that, in the prior art, ALG cooperation is required to handle network address translation of packet flows effectively.

Embodiments of the present invention are implemented as follows. A method for communication between a local area network and a public network comprises the following steps:

assigning multiple IP addresses to a terminal in the local area network, the multiple IP addresses including at least one public IP address;

when a packet whose source address is the public IP address is received from the LAN side, forwarding the packet to the public network and recording the policy routing information of the packet;

when a packet is received from the public-network side, determining the policy routing information of the packet from the packet's network information and forwarding the packet to the corresponding terminal in the local area network.

When the network information of a packet received from the public-network side does not match the network information of any recorded packet at all, the step of determining the packet's policy routing information from its network information and forwarding the packet to the corresponding terminal in the local area network specifically comprises:

forwarding the first packet from the public-network side to all LAN-side ports that are allowed to receive public-network access, and recording the network information of that first packet;

when the response to the first packet is transmitted to the public network through the gateway, recording which port responded to the first packet;

when subsequent packets sent from the public network to the local area network are received, forwarding them to the corresponding terminal in the local area network according to how their network information matches the recorded network information.

By assigning the terminal multiple IP addresses that include one public IP address and using a dynamic policy routing mechanism based on service-flow identification to determine the forwarding rules for packets, embodiments of the present invention achieve address translation of packet flows without ALG cooperation.

Description of drawings

Figure 1 is a schematic diagram of the working principle of NAT in the prior art;

Figure 2 is a structural diagram of a network communication system to which embodiments of the present invention apply;

Figure 3 is a schematic diagram of how a terminal obtains two IP addresses in PPPoE mode according to an embodiment of the present invention;

Figure 4 is a schematic diagram of the protocol processing for packets travelling from the local area network to the public network according to an embodiment of the present invention;

Figure 5 is a schematic diagram of the protocol processing for packets travelling from the public network to the local area network according to an embodiment of the present invention;

Figure 6 is a structural diagram of a network terminal provided by an embodiment of the present invention;

Figure 7 is a structural diagram of the IP address binding unit in the terminal provided by the first embodiment of the present invention;

Figure 8 is a structural diagram of the IP address binding unit in the terminal provided by the second embodiment of the present invention;

Figure 9 is a structural diagram of a gateway device provided by an embodiment of the present invention.

Detailed description

To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit it.

In embodiments of the present invention, a terminal is assigned multiple IP addresses, one of which is a public IP address. The gateway uses a dynamic policy routing mechanism based on service-flow identification to decide packet forwarding rules dynamically during routing and forwarding, so that address translation of packet flows is achieved without ALG cooperation.

Figure 2 shows the structure of a network communication system to which embodiments of the present invention apply. The system comprises at least one terminal and a gateway, which together form a local area network. Each terminal is assigned multiple IP addresses: one is the gateway's public IP address on its Wide Area Network (WAN) interface side, and another may be a LAN-internal IP address. The LAN-internal IP address is used for communication between terminals within the LAN; the public IP address is used by the terminal to access the public network. In a concrete implementation, the terminal obtains a LAN-internal IP address, for example 10.1.1.1, from the gateway, and the gateway also assigns the terminal the public IP address obtained on its WAN side, for example 195.1.1.1.

In embodiments of the present invention, the terminal may obtain its multiple IP addresses from the gateway by means of the Dynamic Host Configuration Protocol (DHCP), the Point-to-Point Protocol over Ethernet (PPPoE), or another address assignment protocol. Different address assignment protocols produce different interface modes on the terminal side.

Taking two IP addresses as an example: in DHCP mode, the terminal binds two IP addresses, one of them the public IP address, to a single network interface. In PPPoE mode, the terminal creates two network interfaces: a PPPoE interface bound to the public IP address and an Ethernet (ETH) interface bound to the LAN-internal IP address. The interface bound to the public IP address is generally set as the terminal's default route.

For ordinary computer users, not all desktop operating systems support binding multiple IP addresses, whereas PPPoE dial-up terminals are already in wide use and readily accepted by users, so PPPoE mode may be chosen: a new network interface is created on the terminal and bound to the public IP address. DHCP mode may be used for embedded terminals such as Integrated Access Devices (IADs) and achieves the same application mode as PPPoE mode, which is not repeated here.

Taking PPPoE mode as an example, as shown in Figure 3, any terminal in the LAN obtains a LAN-internal IP address from the gateway via DHCP after starting up. Once the terminal has its LAN-internal IP address, the user initiates the PPPoE authentication process from the terminal; the gateway terminates the PPPoE session initiated by the terminal, assigns the terminal the public IP address it has obtained, and at the same time delivers related network information such as the default gateway and the Domain Name System (DNS) server, establishing a PPP channel. The terminal then has two network interfaces: an Ethernet (ETH) interface bound to the LAN-internal IP address it obtained, and a PPPoE interface bound to the public IP address assigned by the gateway.

In one embodiment of the present invention, the gateway can use the PPPoE account or password information with which the terminal dialled in to decide whether to forward unsolicited (connectionless) external packets to the terminal; for example, account A permits direct external access while account B does not. After terminal 1 establishes a PPPoE channel with account A, the gateway forwards to terminal 1 every packet addressed to the LAN's public IP address. After terminal 2 establishes a PPPoE channel with account B, the gateway forwards to terminal 2 only the responses to requests that terminal 2 itself initiated.

Inside the LAN all terminals use the same public IP address, so for terminals to exchange packets with the public network the gateway must identify them. In one embodiment of the present invention, packets from different terminals can be identified by Media Access Control (MAC) address. In PPPoE mode, the session identifier (SESSION ID) can also be used to identify different terminals. The IP protocol stack inside the gateway must then support policy routing based on MAC address or SESSION ID, and the terminal's identification information, such as its MAC address or PPP SESSION ID, is added to the policy routing information.

In embodiments of the present invention, the terminal may also report information such as its service and device type to the gateway through PPPoE extensions, DHCP options, and so on. Once the gateway has recorded these terminal attributes it can allocate forwarding flow records more accurately and thereby define packet (flow) forwarding rules more precisely.

In embodiments of the present invention, when the gateway receives from the LAN side a packet whose source address is the public IP address described above, it forwards the packet to the public network and at the same time records the packet's policy routing information; when the gateway receives from the public-network side a packet whose destination address is that public IP address, it determines the packet's policy routing information from the packet's network information and forwards the packet to the corresponding terminal in the LAN.

In one embodiment of the present invention, a packet's policy routing information consists of the packet's network information together with the identification information of the terminal the packet belongs to. The packet's network information is mainly the IP five-tuple: source IP address, destination IP address, protocol type, source port and destination port. The terminal's identification information may be its MAC address or its PPP SESSION ID.

Figure 4 shows the protocol processing for packets travelling from the LAN to the public network. Because the gateway has only one output port, the WAN PPPoE interface, sending packets from a terminal to the public network poses no problem. To ensure that return packets from the public network are forwarded correctly to the terminal, the gateway must record, for each packet the terminal sends to the public network with the public IP address as source, the IP five-tuple (source IP address, destination IP address, protocol type, source port, destination port) together with the packet's (flow's) source MAC address or SESSION ID and the terminal type, and from this build the policy routing information for return packets. It may also apply an aging mechanism based on bidirectional traffic: for example, if the gateway receives no return packet from the public network for a long time, it deletes the MAC address recorded for the terminal that sent the packet, and records it again the next time a packet is sent.

If a packet's (flow's) source MAC address or SESSION ID differs from the one recorded by the gateway while its IP five-tuple is identical to the recorded one, that is, two terminals in the LAN use the same source port to access the same public-network server, the gateway applies Port Address Translation (PAT) to the packet, mapping its source port to an unused port, and performs the corresponding ALG processing. Alternatively, the gateway may leave this type of conflict unhandled and forward the packet as is; in the return direction, the corresponding return packet is broadcast on all PPP ports that have outgoing records, and the application layer on each terminal decides whether to accept it.

Figure 5 shows the protocol processing for packets travelling from the public network to the LAN. The gateway has multiple PPP interfaces towards the LAN, so it must decide which PPP port to forward each packet (flow) to.

If the terminal has already sent packets to the public network, the gateway holds a record containing the IP five-tuple and the source MAC address or SESSION ID of those packets; applying the exact-match rule, the gateway can find the correct LAN-side PPP port for a return packet from the public network. This case covers all network applications based on the client/server (C/S) model.

If the IP five-tuple of a packet from the public-network side partially matches a five-tuple recorded by the gateway, for example the destination IP address, source IP address and protocol type match but the port numbers do not, the gateway forwards the packet to all PPP ports that yield a partial match. This applies, under the C/S model, when the server on the public network has changed its working port in that packet.

If the IP five-tuple of a packet from the public-network side does not match any five-tuple recorded by the gateway at all, this can arise in two application scenarios: first, a server inside the LAN provides a service to the outside; second, voice-like services, for example a Real-time Transport Protocol (RTP) stream that follows a SIP exchange. In that case the gateway can dynamically learn and record the packet's policy routing information by broadcasting the packet.

In one embodiment of the present invention, when a server inside the LAN provides an external service, the gateway can apply a broadcast forwarding policy to the first packet from the public-network side, forwarding it to all LAN-side PPP ports that are allowed to receive external access, and recording that first packet's IP five-tuple. After the server inside the LAN responds to the first packet, when the response passes through the gateway to the public network the gateway records which port responded and adds that port information to the first packet's five-tuple record, so that subsequent packets from the public network to the LAN need not be broadcast. When subsequent packets sent from the public network to the LAN arrive, the LAN gateway compares their network information with the recorded network information and forwards each packet to the corresponding terminal in the LAN according to the match. In practice the problem can also be solved by having the gateway obtain information about LAN-side servers: for example, a LAN-side server reports its service type (open port information) via DHCP options or PPPoE extensions, or the association between the LAN-side server and its PPP port is bound by manual configuration or by remote automatic configuration.

As another embodiment of the present invention, for voice-like services, take as the example two SIP user agents (UAs) whose RTP sending and receiving ports differ, so that the network information of the LAN-to-public-network packets and of the public-network-to-LAN packets cannot match completely; the other cases are simpler than this one and easier to handle. For the first packet from the public-network side, the gateway can apply a broadcast forwarding policy, forwarding it to all LAN-side PPP ports that are allowed to accept external access, while recording that first packet's IP five-tuple.

Once the SIP UA on the LAN side has sent its first RTP packet to the SIP UA on the public network, the gateway can establish a partial-match rule (source IP address, destination IP address and protocol type match; port numbers do not), and subsequent packets from the public network to the LAN are handled as the partial-match case of the IP five-tuple described above. If the sending and receiving ports are the same, the full-match rule for the IP five-tuple can of course be used instead.
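The following Python model is an added example and is not code from the patent or from Huawei. It ties together the forwarding cases described above in one policy routing table: recording the outbound five-tuple together with the terminal identifier, PAT when a second terminal reuses an identical five-tuple, full-match and partial-match delivery of inbound packets, broadcast of an unmatched first packet only to ports whose account permits external access (the account A / account B policy), learning the responding port from the reply, and aging of idle records. The class and function names, the port identifiers, the 300-second age limit and the sample traffic in demo() are all constructed for illustration; the ALG processing the description mentions for the PAT case is not modelled.

```python
# Added example, not the patent's or Huawei's code: a toy model of the gateway's
# dynamic policy routing table.  All names, the 300 s age limit and the sample
# traffic in demo() are constructed for illustration; ALG processing is omitted.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional

PUBLIC_IP = "195.1.1.1"  # the gateway's WAN-side public IP shared by all terminals


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def reverse(self) -> FiveTuple:
        """The same flow seen from the other direction."""
        return FiveTuple(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


@dataclass
class Port:
    port_id: str          # terminal identifier: PPP SESSION ID (or MAC address)
    allow_external: bool  # account-based policy: may receive unsolicited public packets


@dataclass
class Record:
    flow: FiveTuple         # key: the flow as it arrives from the public side
    port_id: Optional[str]  # LAN port that owns the flow; None until learned
    last_seen: float


class Gateway:
    AGE_LIMIT = 300.0  # seconds without traffic before a record is aged out (assumed)

    def __init__(self, ports: List[Port]) -> None:
        self.ports = {p.port_id: p for p in ports}
        self.records: Dict[FiveTuple, Record] = {}

    def lan_to_wan(self, port_id: str, ft: FiveTuple, now: float) -> Optional[FiveTuple]:
        """Outbound packet from LAN port `port_id`; returns the 5-tuple sent to the WAN."""
        if ft.src_ip != PUBLIC_IP:
            return None  # LAN-internal traffic is switched, not policy-routed
        key = ft.reverse()
        rec = self.records.get(key)
        if rec is not None and rec.port_id not in (None, port_id):
            # Same 5-tuple already owned by another terminal: PAT the source port.
            ft = FiveTuple(ft.src_ip, ft.dst_ip, ft.proto, self._free_port(), ft.dst_port)
            key = ft.reverse()
        elif rec is not None and rec.port_id is None:
            # Reply to a broadcast first packet: learn which port answered.
            rec.port_id, rec.last_seen = port_id, now
            return ft
        self.records[key] = Record(key, port_id, now)
        return ft

    def wan_to_lan(self, ft: FiveTuple, now: float) -> List[str]:
        """Inbound packet; returns the LAN port ids it is delivered to."""
        self._age(now)
        rec = self.records.get(ft)
        if rec is not None and rec.port_id is not None:  # full 5-tuple match
            rec.last_seen = now
            return [rec.port_id]
        partial = {r.port_id for r in self.records.values() if r.port_id is not None
                   and (r.flow.src_ip, r.flow.dst_ip, r.flow.proto)
                   == (ft.src_ip, ft.dst_ip, ft.proto)}  # addresses and protocol match, ports differ
        if partial:
            return sorted(partial)
        # No match: broadcast only to ports permitted external access, and remember
        # the flow so the responding port can be learned from the reply.
        targets = sorted(p.port_id for p in self.ports.values() if p.allow_external)
        if targets:
            self.records[ft] = Record(ft, None, now)
        return targets

    def _free_port(self) -> int:
        used = {r.flow.dst_port for r in self.records.values()}  # LAN-side ports in use
        port = 40000
        while port in used:
            port += 1
        return port

    def _age(self, now: float) -> None:
        for key in [k for k, r in self.records.items() if now - r.last_seen > self.AGE_LIMIT]:
            del self.records[key]


def demo() -> tuple:
    """Walk through the cases in the description; returns the delivery decisions."""
    gw = Gateway([Port("sess-1", allow_external=True), Port("sess-2", allow_external=False)])
    server, client_ip = "203.0.113.10", "198.51.100.7"  # constructed public hosts
    # 1. C/S request from terminal 2; the reply is a full 5-tuple match.
    out = gw.lan_to_wan("sess-2", FiveTuple(PUBLIC_IP, server, "tcp", 5000, 80), now=0.0)
    reply = out.reverse()
    full = gw.wan_to_lan(reply, now=1.0)
    # 2. The server answers from a different port: partial match.
    partial = gw.wan_to_lan(FiveTuple(server, PUBLIC_IP, "tcp", 8080, 5000), now=2.0)
    # 3. Unsolicited packet for a LAN server: broadcast to external-access ports, then learn.
    first = FiveTuple(client_ip, PUBLIC_IP, "tcp", 40001, 22)
    bcast = gw.wan_to_lan(first, now=3.0)
    gw.lan_to_wan("sess-1", first.reverse(), now=4.0)
    learned = gw.wan_to_lan(first, now=5.0)
    # 4. Terminal 1 reuses terminal 2's exact 5-tuple: PAT rewrites the source port.
    pat = gw.lan_to_wan("sess-1", FiveTuple(PUBLIC_IP, server, "tcp", 5000, 80), now=6.0)
    # 5. Long silence ages every record out; the old reply falls back to broadcast.
    aged = gw.wan_to_lan(reply, now=1000.0)
    return full, partial, bcast, learned, pat.src_port, aged


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The partial-match and no-match paths deliver one public packet to several terminals, which is why the description restricts the broadcast to ports whose PPPoE account permits external access and learns the responder as soon as it replies; the model does the same, so a port with allow_external=False (account B) never receives an unsolicited packet. The aging step is also what keeps the table from accumulating stale terminal bindings that would otherwise misroute a later flow that happens to reuse the same five-tuple.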

图6示出了本发明实施例提供的网关的结构,为了便于说明,仅示出了与本发明实施例相关的部分。  Fig. 6 shows the structure of the gateway provided by the embodiment of the present invention, and for the convenience of description, only the parts related to the embodiment of the present invention are shown. the

公共IP地址分配单元61将公共IP地址分配给终端,报文传输单元62在收到以公共IP地址为源地址的报文时,将报文发送至公网,并记录报文的策略路由信息。在收到以公共IP地址为目的地址的报文时,根据报文的网络信息确定报文的策略路由信息,将报文发送至局域网内对应的终端。  The public IP address allocation unit 61 allocates the public IP address to the terminal, and the message transmission unit 62 sends the message to the public network when receiving the message with the public IP address as the source address, and records the policy routing information of the message . When a message with the public IP address as the destination address is received, the policy routing information of the message is determined according to the network information of the message, and the message is sent to the corresponding terminal in the local area network. the

作为本发明的一个实施例,网络信息记录模块621记录报文的网络信息, 报文的网络信息可以为报文的IP五元组信息,当报文为终端向公网发送的报文时,网络信息记录模块621记录的报文的网络信息中还可以包括报文的MAC地址或者SESSION ID,以用来标定终端。  As an embodiment of the present invention, the network information recording module 621 records the network information of the message. The network information of the message can be the IP quintuple information of the message. When the message is a message sent by the terminal to the public network, The network information of the message recorded by the network information recording module 621 may also include a MAC address or a SESSION ID of the message, so as to identify the terminal. the

路由规则确定模块622根据报文的网络信息确定报文转发的策略路由信息,策略路由信息的具体确定方式如上所述,不再赘述。  The routing rule determining module 622 determines the policy routing information for message forwarding according to the network information of the message. The specific way of determining the policy routing information is as described above and will not be repeated here. the

报文转发模块623将以公共IP地址为源地址的报文转发至公网,或者根据路由规则确定模块622确定的策略路由信息,将以公共IP地址为目的地址的报文转发至局域网对应的终端。  The message forwarding module 623 forwards the message with the public IP address as the source address to the public network, or according to the policy routing information determined by the routing rule determination module 622, forwards the message with the public IP address as the destination address to the corresponding terminal. the

图7示出了本发明实施例提供的网络终端的结构,为了便于说明,仅示出了与本发明实施例相关的部分。  Fig. 7 shows the structure of the network terminal provided by the embodiment of the present invention, and for the convenience of description, only the parts related to the embodiment of the present invention are shown. the

IP地址绑定单元71在终端上分配多个IP地址,该多个IP地址中至少包含有一个用于终端访问公网的公共IP地址,还可以包括一个局域网内IP地址。网络通信单元72通过终端的公共IP地址与公网通信,将以该公共IP地址为源地址将报文通过网关发送到公网,或者接收网关转发的以该公共IP地址为目的地址的报文。  The IP address binding unit 71 allocates multiple IP addresses on the terminal, and the multiple IP addresses include at least one public IP address for the terminal to access the public network, and may also include an IP address in a local area network. The network communication unit 72 communicates with the public network through the public IP address of the terminal, and sends the message to the public network through the gateway with the public IP address as the source address, or receives the message forwarded by the gateway with the public IP address as the destination address . the

在本发明实施例中,终端从网关上获取多IP地址的方式可以基于DHCP、PPPoE或其他地址分配协议等方式。很明显,终端具体采用哪种方式获取多个IP地址视终端的配置而定,例如当终端支持PPPoE方式时,就可以采用PPPoE方式,当终端支持DHCP方式时,就可以采用DHCP方式。  In the embodiment of the present invention, the manner in which the terminal acquires multiple IP addresses from the gateway may be based on DHCP, PPPoE or other address allocation protocols. Obviously, which method the terminal uses to obtain multiple IP addresses depends on the configuration of the terminal. For example, when the terminal supports PPPoE, the PPPoE method can be used; when the terminal supports DHCP, the DHCP method can be used. the

当终端采用PPPoE方式时,如图8所示,PPPoE接口生成模块711在终端生成PPPoE接口,公共IP地址绑定模块712在该PPPoE接口上绑定网关分配的公共IP地址。  When the terminal adopts the PPPoE mode, as shown in FIG. 8 , the PPPoE interface generation module 711 generates a PPPoE interface on the terminal, and the public IP address binding module 712 binds the public IP address allocated by the gateway on the PPPoE interface. the

当采用DHCP方式时,如图9所示,DHCP地址绑定模块713通过DHCP方式在终端的一个网络接口上绑定包括网关分配的公共IP地址在内的多个IP地址。  When the DHCP method is adopted, as shown in FIG. 9 , the DHCP address binding module 713 binds multiple IP addresses including the public IP address allocated by the gateway on a network interface of the terminal through the DHCP method. the

Because PPPoE dial-up terminals are already widely used and readily accepted by users, in a preferred embodiment of the present invention the network communication unit 72 is a PPPoE client or a DHCP client.

In the embodiment of the present invention, by allocating to the terminal multiple IP addresses including one public IP address and using a dynamic policy routing mechanism based on service flow identification to determine the forwarding rules for messages, address translation of message flows can be achieved without the cooperation of an ALG. Most existing NAT/ALG networking modes can be kept unchanged, and users' usage habits change little. The gateway need not support ALG processing for many network applications in order for terminals to share the public network connection; this reduces network faults introduced by new applications, reduces the workload of gateway ALG support for NAT traversal of a large number of application protocols, and improves message forwarding efficiency.

The above descriptions are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (1)

1. A method for communication between a local area network and a public network, characterized in that the method comprises the following steps:
allocating multiple IP addresses to a terminal in the local area network, the multiple IP addresses including at least one public IP address;
when a message with the public IP address as its source address is received from the local area network side, sending the message to the public network and recording the policy routing information of the message;
when a message is received from the public network side, determining the policy routing information of the message according to the network information of the message, and sending the message to the corresponding terminal in the local area network;
wherein, when the network information of the message received from the public network side does not match the recorded network information of any message at all, the step of determining the policy routing information of the message according to its network information and sending the message to the corresponding terminal in the local area network specifically comprises:
forwarding the first message from the public network side to all ports on the local area network side that are allowed to receive public network access, and recording the network information of the first message;
when a response message to the first message is transmitted to the public network through the gateway, recording the port that responded to the first message;
after receiving subsequent messages sent from the public network to the local area network, sending each message to the corresponding terminal in the local area network according to the match between the network information of the message and the recorded network information.
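As an added illustration of the gateway behaviour set out in claim 1 (example code written for this page, not part of the patent; the class, the 5-tuple flow structure and the sample addresses are assumed), the following Python model records policy routing information for outbound messages and applies the no-match flooding rule to inbound ones:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Network information of a message: the 5-tuple as seen on the wire (assumed)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class PolicyRoutingGateway:
    """Assumed model of the gateway in claim 1 (not the patent's own code).
    Outbound messages from an assigned public IP create a policy route; inbound
    messages are delivered by exact match on that route. Only exact matching is
    modelled; partial-match rules described elsewhere in the patent are omitted."""

    def __init__(self, public_ips, allowed_lan_ports):
        self.public_ips = set(public_ips)                # public IPs handed to LAN terminals
        self.allowed_lan_ports = set(allowed_lan_ports)  # LAN ports allowed to receive public access
        self.routes = {}      # inbound Flow -> LAN port (the recorded policy routing information)
        self.pending = set()  # flooded first messages still awaiting a response

    def from_lan(self, lan_port, flow):
        """Message from the LAN side. Returns 'public' if forwarded, else None."""
        if flow.src_ip not in self.public_ips:
            return None  # source is not an assigned public IP: not covered by claim 1
        inbound = flow.reverse()
        self.pending.discard(inbound)   # a response to a flooded message binds the responding port
        self.routes[inbound] = lan_port
        return "public"

    def from_public(self, flow):
        """Message from the public side. Returns the list of LAN ports it is sent to."""
        if flow in self.routes:
            return [self.routes[flow]]
        if flow.dst_ip not in self.public_ips:
            return []  # not addressed to any terminal's public IP: drop
        # No recorded route matches at all: flood the first message only to the
        # ports explicitly allowed to receive public access, and remember it.
        self.pending.add(flow)
        return sorted(self.allowed_lan_ports)
```

Because unsolicited inbound messages reach only the ports in allowed_lan_ports, that set is the LAN's exposure boundary under this scheme and should be kept as small as the deployed services require.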
CN2008100653854A 2008-02-20 2008-02-20 Method, device and system for communication between local area network and public network Active CN101515882B (en)

Publications (2)

Publication Number Publication Date
CN101515882A CN101515882A (en) 2009-08-26
CN101515882B true CN101515882B (en) 2012-05-23

Family

ID=41040185

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee after: Huawei terminal (Shenzhen) Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI DEVICE Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20181219

Address after: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province

Patentee after: HUAWEI DEVICE Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: Huawei terminal (Shenzhen) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20210506

Address after: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Patentee after: Shenzhen Zhixin new information technology Co.,Ltd.

Address before: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province

Patentee before: HUAWEI DEVICE Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20211025

Address after: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Patentee after: Honor Device Co.,Ltd.

Address before: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Patentee before: Shenzhen Zhixin new information technology Co.,Ltd.

CP03 Change of name, title or address

Address after: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Patentee after: Honor Terminal Co.,Ltd.

Country or region after: China

Address before: 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong

Patentee before: Honor Device Co.,Ltd.

Country or region before: China