How STUN detects NAT types

Source: Internet
Author: User

STUN (Simple Traversal of UDP through NATs) is a NAT traversal method specified by RFC 3489. It uses a public server as a reflector to discover the NAT's public IP address and port. It undoubtedly played a large role in early NAT traversal and still has a place in it today, although RFC 3489 has since been obsoleted by RFC 5389, which dropped the NAT-type classification described below (RFC 5780 covers NAT behavior discovery instead); the classification is still the clearest way to understand how the different NAT behaviors differ.
The test procedure requires a STUN server with a public IP address. The UAC (User Agent Client) behind the NAT exchanges several UDP packets with that server. The server's replies carry the information the UAC needs, above all the NAT's public IP address and port as observed by the server (the MAPPED-ADDRESS attribute). The UAC determines its NAT type from two observations: whether each reply arrives at all, and what address the reply reports.
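The datagrams the steps below exchange, encoded in the RFC 3489 wire format, as an added Python example that is not part of the original page. It assumes classic RFC 3489 framing (a 20-byte header with a 16-byte transaction ID, no RFC 5389 magic cookie and no XOR-MAPPED-ADDRESS) and handles only the three attributes this procedure needs: MAPPED-ADDRESS, CHANGED-ADDRESS and CHANGE-REQUEST. All three have values that are multiples of 4 bytes, so no padding logic is required. The addresses and ports in the round-trip helper are constructed, not captured traffic.

```python
import os
import socket
import struct

# RFC 3489 message and attribute types (classic STUN, no RFC 5389 magic cookie).
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001   # source ip:port the server observed (the NAT's public side)
ATTR_CHANGE_REQUEST = 0x0003   # client asks the server to answer from its other IP and/or port
ATTR_CHANGED_ADDRESS = 0x0005  # the server's alternate ip:port, which the client uses in step 3
CHANGE_IP = 0x00000004
CHANGE_PORT = 0x00000002


def build_binding_request(change_ip=False, change_port=False, txid=None):
    """Encode a Binding Request; returns (datagram, transaction id).
    CHANGE-REQUEST is only attached when a flag is set (step 2 sets both,
    step 4 sets only change_port)."""
    txid = txid or os.urandom(16)
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags) if flags else b""
    return struct.pack("!HH16s", BINDING_REQUEST, len(attrs), txid) + attrs, txid


def _pack_address(ip, port):
    # one reserved byte, address family (0x01 = IPv4), 16-bit port, 32-bit address
    return struct.pack("!BBH4s", 0, 0x01, port, socket.inet_aton(ip))


def build_binding_response(txid, mapped, changed):
    """Encode what the server sends back: the source address it observed
    (MAPPED-ADDRESS) plus its alternate address (CHANGED-ADDRESS)."""
    attrs = struct.pack("!HH", ATTR_MAPPED_ADDRESS, 8) + _pack_address(*mapped)
    attrs += struct.pack("!HH", ATTR_CHANGED_ADDRESS, 8) + _pack_address(*changed)
    return struct.pack("!HH16s", BINDING_RESPONSE, len(attrs), txid) + attrs


def parse_message(data):
    """Decode a classic STUN datagram into (message type, txid, {attr type: value}).
    Every length is checked against the datagram, so a truncated or oversized
    packet raises ValueError instead of being read past its end."""
    if len(data) < 20:
        raise ValueError("datagram shorter than the 20-byte STUN header")
    mtype, length, txid = struct.unpack("!HH16s", data[:20])
    if len(data) != 20 + length:
        raise ValueError("header length does not match datagram size")
    attrs, off = {}, 20
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute value")
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_CHANGED_ADDRESS):
            if alen != 8:
                raise ValueError("address attribute must be 8 bytes")
            _, family, port, raw = struct.unpack("!BBH4s", value)
            if family != 0x01:
                raise ValueError("only IPv4 addresses are handled here")
            value = (socket.inet_ntoa(raw), port)
        elif atype == ATTR_CHANGE_REQUEST:
            if alen != 4:
                raise ValueError("CHANGE-REQUEST must be 4 bytes")
            value = struct.unpack("!I", value)[0]
        attrs[atype] = value                    # unknown attributes are kept as raw bytes
        off += 4 + alen
    return mtype, txid, attrs


def step1_round_trip():
    """Round-trip the step 1 exchange with constructed addresses and return the
    mapped address the client learns. A real client sends `req` over UDP instead."""
    req, txid = build_binding_request()
    mtype, rx_txid, _ = parse_message(req)                    # server side decodes the request
    if mtype != BINDING_REQUEST or rx_txid != txid:
        raise ValueError("unexpected request")
    resp = build_binding_response(txid, ("203.0.113.7", 40001), ("198.51.100.2", 3479))
    _, _, attrs = parse_message(resp)                         # client side decodes the response
    return attrs[ATTR_MAPPED_ADDRESS]
```

Against a real server, send `req` with `socket.sendto` to its UDP port and hand the reply to `parse_message`. A useful sanity check before trusting any "no response" verdict from the later steps: the step 1 response should carry CHANGED-ADDRESS; a server that omits it has no second address to answer from, and steps 2 and 4 will then fail for reasons that have nothing to do with your NAT.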
Assume a UAC B, a NAT A and a STUN server C. B's local IP address is IPB, the NAT's public IP address is IPA, and C has two public IP addresses, IP1 and IP2, each listening on two ports, port1 and port2. Note that C has two IP addresses; why it needs two becomes clear in step 2.

Step 1:
B sends a UDP packet to port1 of IP1 on C. When C receives it, C writes the source IP address and port it observed on the packet into a response and sends that response back to B from IP1 and port1. The observed address is the NAT's public IP address and port, so step 1 is where the UAC learns the NAT's public address.
If the UAC receives no response after sending to the STUN server (RFC 3489 retransmits the request several times before giving up), the usual reasons are: 1. the STUN server is unreachable or the port is wrong; 2. the NAT or a firewall in front of it blocks all UDP packets coming from outside to inside (our company's NAT is ).
When B receives the response, it compares the address in the response with its own local address. If they are the same, B is on the public network with no NAT in front of it (RFC 3489 still runs step 2 in this case, to tell an open host apart from a UDP firewall that only passes replies from addresses B has already sent to). If they differ, a NAT is present and the procedure continues with step 2.

Step 2:
B sends a UDP packet to IP1 of C with the CHANGE-REQUEST flags set, asking C to answer from its other IP address IP2 and its other port (both different from the IP1 and port1 used in step 1). This is why C needs two IP addresses.
Consider what it means if B receives this packet: the NAT delivered an inbound packet from an IP address and port that B has never sent anything to, so it neither restricts nor filters on the source. In the STUN standard this is a full cone NAT. Unfortunately, full cone NATs are rare, so you are unlikely to receive this packet. If no response arrives, the procedure continues with step 3.

Step 3:
B sends a plain packet to port2 of IP2 on C. As in step 1, C writes the packet's source IP address and port into the response and sends it back from IP2 and port2, so B will certainly receive this response. The mapped address in this response is the data we care most about. Analysis:
If the mapped address (IP and port) differs from the one reported in step 1, the NAT is a symmetric NAT; if it is the same, the NAT is a cone NAT. The principle is simple: a symmetric NAT allocates a new mapping whenever the destination IP address or port changes, and step 3 changed both relative to step 1, so a symmetric NAT must report a different port, while a cone NAT reuses one mapping for every destination.
If the port differs at this step, congratulations: your STUN is dead, because peers cannot predict the mapping and you will need a relay such as TURN instead. If it is the same, only restricted cone and port restricted cone remain, and step 4 tells them apart.

Step 4:
B sends a request to a port PD of IP2 on C, asking C (with only the "change port" flag of CHANGE-REQUEST set) to reply from IP2 but from a port different from PD.
Analysis: if B receives the packet, the NAT lets inbound UDP through as long as the source IP address is one B has sent to, even when the source port differs. That is a restricted cone NAT. If B does not receive the packet, the NAT is a port restricted cone NAT.
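The four steps above as one executable decision procedure, added here as an example; it is not code from the original page. It is a Python simulation: a toy NAT model stands in for A, with one variant per RFC 3489 behaviour type (plus the "open Internet" and "symmetric UDP firewall" outcomes RFC 3489 derives when the mapped address equals the local one), and the server C is reduced to the rule "answer from the other IP and/or port when the request asks for it". All addresses are constructed TEST-NET values, and the model ignores retransmission and packet loss, which a real client has to handle before it concludes "no response".

```python
import itertools

# Constructed addresses for the simulation (TEST-NET ranges, not real hosts).
LOCAL = ("192.0.2.10", 5000)                # B's own socket address (IPB)
IP1, IP2 = "198.51.100.1", "198.51.100.2"   # C's two public IP addresses
PORT1, PORT2 = 3478, 3479                   # C's two ports
NAT_IP = "203.0.113.7"                      # A's public address (IPA)


class NatModel:
    """A toy NAT (A) between B and C, parameterised by its RFC 3489 behaviour.

    kind is one of: open, udp_firewall, blocked, full, restricted,
    port_restricted, symmetric. The model records the external mapping(s)
    handed to B's socket and every remote (ip, port) B has sent to, because
    the restricted variants filter inbound packets on exactly that history.
    """

    def __init__(self, kind):
        self.kind = kind
        self._ports = itertools.count(40000)
        self._mappings = {}   # cone kinds: one entry under "any"; symmetric: one per destination
        self._sent_to = set()

    def outbound(self, dst):
        """B sends to dst. Returns the source address C will observe, or None if dropped."""
        if self.kind == "blocked":
            return None
        self._sent_to.add(dst)
        if self.kind in ("open", "udp_firewall"):
            return LOCAL                       # no address translation at all
        key = dst if self.kind == "symmetric" else "any"
        if key not in self._mappings:          # symmetric: fresh port for each destination
            self._mappings[key] = (NAT_IP, next(self._ports))
        return self._mappings[key]

    def inbound(self, src):
        """C sends from src. Returns True if A delivers the packet to B."""
        if self.kind == "blocked":
            return False
        if self.kind in ("open", "full"):
            return True
        if self.kind == "restricted":          # any port, but the IP must be one B contacted
            return any(ip == src[0] for ip, _ in self._sent_to)
        return src in self._sent_to            # udp_firewall, port_restricted, symmetric


def classify(nat, local=LOCAL):
    """Run steps 1-4 against `nat` and return the RFC 3489 NAT type as a string."""

    def binding_test(dst, change_ip=False, change_port=False):
        # One Binding Request to dst. C honours the CHANGE-REQUEST flags by
        # answering from its other IP and/or port. Returns the mapped address
        # from the response, or None if nothing came back through A.
        mapped = nat.outbound(dst)
        if mapped is None:
            return None
        reply_ip = (IP2 if dst[0] == IP1 else IP1) if change_ip else dst[0]
        reply_port = (PORT2 if dst[1] == PORT1 else PORT1) if change_port else dst[1]
        return mapped if nat.inbound((reply_ip, reply_port)) else None

    # Step 1: plain request to IP1:port1 learns the mapped address (or shows UDP is blocked).
    mapped1 = binding_test((IP1, PORT1))
    if mapped1 is None:
        return "UDP blocked"
    # Step 2: ask C to answer from the other IP *and* the other port.
    step2_ok = binding_test((IP1, PORT1), change_ip=True, change_port=True) is not None
    if mapped1 == local:                       # no translation: open host or a UDP firewall
        return "open Internet" if step2_ok else "symmetric UDP firewall"
    if step2_ok:
        return "full cone"
    # Step 3: plain request to IP2:port2; a different mapping means symmetric.
    mapped3 = binding_test((IP2, PORT2))
    if mapped3 is None:
        return "unknown (no response in step 3)"
    if mapped3 != mapped1:
        return "symmetric"
    # Step 4: same IP, different port: a restricted cone passes it, a port restricted cone does not.
    if binding_test((IP2, PORT2), change_port=True) is not None:
        return "restricted cone"
    return "port restricted cone"


def classify_all():
    """Classify one NAT of each kind; returns {kind: verdict} for the whole decision table."""
    kinds = ("open", "udp_firewall", "blocked", "full",
             "restricted", "port_restricted", "symmetric")
    return {kind: classify(NatModel(kind)) for kind in kinds}


if __name__ == "__main__":
    for kind, verdict in classify_all().items():
        print(f"{kind:16s} -> {verdict}")
```

The model makes the reasoning in step 3 visible: only the symmetric variant keys its mapping table on the destination, so it is the only one whose step 3 address differs from step 1, and that difference is the whole basis of the "your STUN is dead" verdict.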

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.