ok, a bit of testing with Ethereal has proved interesting.
FIRST, IT APPEARS THAT ANY TIME YOU START A DIRECTIP GAME, CIV4 SENDS A PACKET TO A GAMESPY SERVER CONTAINING YOUR PRIVATE INTERNAL IP ADDRESS. THIS IS RED-FLAG BEHAVIOR FOR THOSE OF YOU WHO ARE CONCERNED ABOUT SPYWARE AND/OR PRIVACY.
Second, civ4 is definitely a peer-to-peer program, even when using PitBoss. in the game we just started (2 humans, 8 AIs, 2 players per team, simultaneous turns) there was nearly constant bidirectional traffic between my machine and both the PitBoss server and the other player. both my machine and the server were on my 'inside' network; the other player was connecting from outside. to make this work, I changed my machine from port 2056 to 2057, and defined forwarding rules on my router to direct traffic for udp 2056 to the PitBoss server, and traffic for udp 2057 to my own machine. I did not forward any tcp ports. this is consistent with the requirement in a peer-to-peer network for all participants to have a unique address/port combination.
Third, if you try to run both a PitBoss server *and* a game client that are both on the inside of a NAT, and you try to use the same port on both, it doesn't work. for our test, I started the server (listening on udp 2056), set a forwarding rule for udp 2056 to go to the server, then had a friend connect from the Internet. once he confirmed that he was connected, I tried to connect using the internal IP address of the server. my client (which was set to udp 2056 also) immediately connected to the server (as well as phoning home to GameSpy; who knew that they're literally spying on my gaming?), then spent 15 seconds sending packets to the other player, trying to initiate a connection. after receiving no replies (presumably because replies were being sent to the server rather than my own machine, since the router was forwarding udp 2056 traffic there), my client spent 30 seconds trying to send packets to the other player USING HIS PRIVATE IP ADDRESS. I'm sure he never got any of those packets. after 30 seconds of that, my client gave up and sent me back to the host/join screen.
so, it appears that the secret to making things work when you have multiple users sharing an IP address is: assign each user a unique udp port. I recommend that you do not attempt to change the PitBoss server port (if it's even possible); I'm pretty sure it must listen on udp port 2056 in order for other players to be able to reach it, unless there's some syntax I don't know about that lets you specify a port when you connect to a server. once you've connected to the server on the 'known' port, it will tell you the addresses and 'unknown' ports for all the other players, so that the rest of the peer-to-peer mesh network can be set up.
-ken
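The forwarding setup ken describes (udp 2056 to the PitBoss server, udp 2057 to his own client, one unique port per inside host) as a small added model, not code from the post or from Civ4/PitBoss. The public and private addresses are constructed placeholders; the model only checks that each participant behind the NAT gets a distinct public address/port and shows which inside host an inbound UDP packet would reach.

```python
# Added example: model of a NAT router's UDP port-forwarding table for
# several Civ4 participants sharing one public IP. Addresses are constructed.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # constructed placeholder for the router's public address


@dataclass(frozen=True)
class Participant:
    name: str
    inside_ip: str   # private LAN address (constructed)
    udp_port: int    # port the Civ4 client or PitBoss server listens on


def find_port_conflicts(participants):
    """Ports that two or more inside hosts want forwarded to themselves.
    The router can deliver a given port to only one inside host, so every
    such port breaks the peer-to-peer requirement of a unique address/port."""
    seen = {}
    conflicts = set()
    for p in participants:
        if p.udp_port in seen and seen[p.udp_port] != p.inside_ip:
            conflicts.add(p.udp_port)
        seen.setdefault(p.udp_port, p.inside_ip)
    return conflicts


def build_forwarding_rules(participants):
    """Return {udp_port: inside_ip} for the router, refusing ambiguous setups."""
    conflicts = find_port_conflicts(participants)
    if conflicts:
        raise ValueError(f"udp port(s) {sorted(conflicts)} requested by more than one inside host")
    return {p.udp_port: p.inside_ip for p in participants}


def route_inbound(rules, dst_port):
    """Inside host that receives an inbound UDP packet for dst_port, or None if dropped."""
    return rules.get(dst_port)


def peer_endpoints(participants):
    """(public ip, port) each participant would advertise to the other peers;
    they are distinct exactly when the port assignment is unique."""
    return {p.name: (PUBLIC_IP, p.udp_port) for p in participants}


if __name__ == "__main__":
    lan = [Participant("pitboss", "192.168.1.10", 2056), Participant("ken", "192.168.1.20", 2057)]
    rules = build_forwarding_rules(lan)
    print("inbound udp 2056 ->", route_inbound(rules, 2056))  # the PitBoss server
    print("inbound udp 2057 ->", route_inbound(rules, 2057))  # ken's client
    print("same port on both:", find_port_conflicts([lan[0], Participant("ken", "192.168.1.20", 2056)]))
```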