  1. #1

    My Server behind NAT

    There have been many debates on this and other forums regarding Servers sitting behind a NAT.
    Some say it cannot be done, others have some real weird opinions, so I decided to do some experimenting.

    Currently my setup as shown below works 100% with anything and everything.
    Ingame Browser as well as external Browsers all work fine including pings and logons.
    The only problem which I still have not got around is that from your own PC you cannot see your ping from the ingame Browser, as it just shows N/A.
    Anyone else on the Internet sees the pings just fine and can join and play with no problem.
    Also from your own PC you cannot join the server via the Ingame Browser as you need to go out onto the Internet and back in again causing a self collision.
    So joining your own server needs to be done via a LAN connection through IP Address 192.168.0.1:7777 normally set in your Favourites.

    I have also seen threads on why players cannot join your Server from the Internet and this is very easy if you know how.
    One way is to use Port Forwarding, but that is a proverbial pain in the butt as you have to forward exact and individual Ports, but it can be successful at times.
    The easiest way is to look in your Router for a DMZ Server setting and add in there the IP Address of your Server.
    In this way ALL ports required from the Internet will now be forwarded to your Server IP address which in my case is 10.0.0.2
    Now in your Server PC you can have all the FireWall, Virus scanners, FTP folders and HTTP folders if you wish.
    For FTP I use a simple program called Cerberus FTP Server, which is Freeware for Home use.

    My Current setup - I chose this as it's the safest and most secure for my Network.
    Please note the various IP Address configurations and setup and also the Gateways.



    For those of you that just have a single PC connected to your Router the following works very well also, although I recommend the first one.
    Here you can use the McAfee Firewall, which is a brilliant piece of software in which you don't have to worry about specific Ports etc and just tell it to Trust the programs you use.
    As you use these programs, like UT2003, it will ask you the first time - "Do you trust UT2003" - and you just say "Yes" and any and all Ports that are required by UT2003 just automatically get opened and it works like a dream.
    In fact this is the nicest piece of software I've ever used but is a little expensive.

    The Internet Connection Sharing of M$ sucks and I would not recommend that, especially for gaming purposes etc.



    For PPPoE Client software (Freeware) - http://www.raspppoe.com/

    An excellent writeup on PPPoE - http://www.carricksolutions.com/raspppoe.php

    FTP Server software if you need it - Freeware - http://www.cerberusftp.com/download.htm#download

    Winroute Pro - http://www.kerio.com/wrp_home.html - a little expensive but well worth it.

    McAfee Firewall - http://us.mcafee.com/root/package.asp?pkgid=103

    Another very interesting program I found for limiting and adjusting the Bandwidth usage for the different PC's on your Network:

    http://bandwidthcontroller.com/

    For those unlucky guys (like me) that your ISP re-allocates you a new IP Address (Dynamic IP) every 24 hours you can get past that by visiting:

    http://www.dyndns.org/

    You will also need this program to update your current IP Address to DynDns

    http://www.directupdate.net/download.html

    Well that's my 0.0002c worth
    Last edited by ProAsm; 09-07-2003 at 08:44 AM.

  2. #2

    Default

    ProAsm, I'm not sure to how to say this without sounding like a prick...

    I know you've done lots of good work in the UT2k3 community. This post is not part of it.

    You give ill advice about firewall configuration (open all ports above 5000, put computer in DMZ). And who says that "everything above 3000 is pretty safe", and do you believe that attacks on your computer only happen when you're in bed?

    And since you mention NAT, where is your fix for that problem? Do you even understand the bug?

    There are enough posts that give users enough "clue" about which ports to open (if they'd only search) that we don't need this kind of voodoo network engineering to "help" the inexperienced admins.

    Oh, BTW, here's your coupon for a free flame on NakedApe...

  3. #3

    Default

    Naked Ape, no offense taken here and I'm not trying to teach anyone anything about any bug or anything on those lines.

    For the last 2 weeks I have basically been playing around with setups etc behind a NAT, trying to get the best configuration.
    There are many posts which tell you what not to do and most I found very confusing as no-one ever tells you exactly what to do or gives a working example.

    I studied all the info at the various Admin sites and their info is excellent but everyone seems to stop short on actually getting it to work.

    Regarding the opening of all Ports above 5000, here I contacted large ISP's and in almost all cases I was given this advice and in fact most said I should just open everything above 1024 for a Home type network. I no longer close these ports and they are now left open permanently.
    This is purely an option for an Admin and my basic argument here is most Admins run their servers directly on the Internet without any firewall or protection whatsoever.

    My practical example is mainly the layout of equipment but if you think the stuff on Ports could be misleading for newbie admins then maybe I should just edit or delete that - I'm open to any advice - that's how we all learn.

    Post Edited

    Thanks for the input

  4. #4

    Default

    Ok, I may actually have read more into your post than you meant but such is the "Internet word". I'm glad you weren't offended.

    Network administration in general and firewall administration in particular is a tricky business, that's why it's very hard to give specific advice on these problems. Especially if you want this advice to be effective in accomplishing the desired task while not having undesired side effects (such as opening large port ranges when only a few are needed). This is a large factor why the HOWTOs can't detail the network setups in the same way that they can other settings.

    My view, which some may consider "elitist", is that the problem is that people with way too little knowledge about networking are trying to set up servers and therefore run into problems that, to them, are showstoppers while to those with some basic knowledge, are no-brainers (e.g. ports used).

    As for the advice you got from your ISPs, I can only shake my head in disbelief... I can't think of a single backdoor that used a port below 1024 off-hand...

    Your advice to use "personal firewalls" (such as McAfee or ZoneAlarm) is good advice though. Unfortunately they are usually not able to cope with the kind of traffic a game server generates so it applies mainly to clients.

    I'm sure there are people that will find your suggestions acceptable and I'm always going to be here advocating the hardcore way... See you on the barricades!

  5. #5
    Prisoner 849
    Join Date
    Sep 2002
    Posts
    981

    Default

    All I can say is ... nice detail .... most people don't know wtf they are doing so the pic's are very helpful.

  6. #6
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    146

    Default

    thnx for that post.

  7. #7
    Skaarj
    Join Date
    Mar 2002
    Posts
    16

    Default

    Yes, great detail on the pictures, I love it! However, I'm trying to figure out why you are double-NATing?? You might as well just throw the DG814 in the garbage and get a standard ADSL modem. The router side of the modem does a very good job of protecting your network. Adding more NATing, by using a gateway PC, is pointless and expensive.

    Of the three extra examples, #2 is the best way to go, assuming the ADSL modem is the same DG814, and the server is not using ICS. If the DG814 is configured properly, you'll have nothing to worry about.

    Later!

  8. #8
    Skaarj
    Join Date
    Sep 2003
    Posts
    19

    Can't play online at all

    Here is my config.

    http://www.ina-community.com/forums/...r+and+firewall

    If I config DMZ I have to turn off my DHCP. My other comps have issues connecting to the net when I do this.....
    Still DMZ didn't work....

  9. #9

    Default

    Lar, when one is a newbie to something like Routers and everyone gives you different advice it's hard to decide which Router to go for.
    I already had the ADSL installed and was still using my ISDN so I had to make up my mind quick and get something, so I thought bugger it, at this rate I'm going nowhere, so I went for what was the top of the range at the time.

    Also I needed to run my Game Servers and FTP servers etc on a separate PC as I do a ton of development work on my PC and wanted that safely out the way.

    Yes I agree, I am sort of double NATing as you call it, but this still ended up the best configuration when testing the server for pings, lag and speed etc. Also it's out the way and acts like a brick wall between my network and the Internet.

    lanline, yes, to have DMZ going you need to disable DHCP and that's why your other PCs don't work, as you need to dedicate IP addresses to those PCs.

    Seeing as this post has attracted some of the big guns, what are you guys' opinions on a USB Modem - advantages, disadvantages?

  10. #10
    Skaarj
    Join Date
    Sep 2003
    Posts
    19

    About DHCP

    This is a snip from Linksys web site.

    Forwarding

    Port forwarding sets up public services on your network. When users from the Internet make certain requests of your network, the router will forward those requests to the appropriate computer. The router's DHCP function must be disabled to use Forwarding. Forwarding is generally used to set up a webserver, ftp server, or e-mail server on your network.

    To add a server using Forwarding:

    Enter the port number used by the server. On the same line, enter the IP Address of the server that you want the Internet users to be able to access.
    Configure as many entries as you would like until all of the link entries are filled.
    Click the Apply to save the settings.


    Also as far as USB modem. I found it really hard to network comps with USB. (In fact I never successfully networked internet with a USB modem.)

  11. #11

    Default

    mmm maybe I'm confused or something.

    Port Forwarding and DMZ Server are similar in their operations but are 2 separate things.

    With Port Forwarding you need to set up separate ports for each item, like for UT2003 you would say:
    Address: 192.168.0.1 (10.0.0.2 in my case)
    Port Start: 7777 Port End: 7778

    With the DMZ Server setting you just point to 192.168.0.1 (10.0.0.2 in my case) and there is no mention of Ports, as ALL ports regardless of what they are are automatically passed through to the IP Address.

    From my Routers Reference Manual

    Port Forwarding with NAT
    Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the gateway allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request, or to one designated DMZ host computer.
    You can specify forwarding of single ports or ranges of ports.
    Note: Port Forwarding settings will not work when NAT is disabled in NAT Status.
    Use the Port Forwarding menu to configure the gateway to forward incoming protocols to computers on your local network.
    In addition to servers for specific applications, you can also specify a Default DMZ Server to which all other incoming protocols are forwarded.
    The Default DMZ Server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The gateway is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local PC can run the application properly if that PC's IP address is entered as the Default DMZ Server.

    Note: For security, you should avoid using the Default DMZ Server feature.
    When a computer is designated as the Default DMZ Server, it loses much of the protection of the gateway, and is exposed to many exploits from the Internet.
    If compromised, the computer can be used to attack your network.
    The last item is the reason I use Winroute.

    Thanks for the info on the USB - they are very cheap, so was just wondering.

  12. #12
    Skaarj
    Join Date
    Sep 2003
    Posts
    19

    Default

    That's what I thought too. But on the Linksys web site it said you have to disable DHCP. That doesn't make sense to me. You can't configure other comps without DHCP. I'll try taking out Norton, keep you posted....

  13. #13

    Default

    In my Setup, you disable DHCP on the Router as it serves no purpose but you can enable it in Winroute as it has its own DHCP.

  14. #14
    Skaarj
    Join Date
    Sep 2003
    Posts
    19

    ???

    Winroute? Is that software? Do you need it for your router? I don't need any extra software with my router.

  15. #15

    Default

    As Lär said in an earlier post, I am sort of "Double NATing" for this same reason.
    As he said, all I need is just a basic ADSL modem, that's why I enquired about the USB Modem as we have massive lightning here and it would probably suffice for my needs should my DG814 get hit.

    With my Server PC (10.0.0.2) set up as my DMZ Server on the Router, this is like a huge hole in the Router which passes everything down to the PC, and that's why I use the software Winroute as my Firewall between the Server PC and the Router.
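
Added example (not from any poster in this thread): a small model of the inbound dispatch the router manual excerpt in post #11 describes, showing which services on the server PC become reachable under port forwarding, under the Default DMZ Server setting, and with a second filter in front of the host as in post #15. The listening-service table is constructed, the `host_filter` parameter is a hypothetical stand-in for the extra firewall, and TCP/UDP are not distinguished.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

@dataclass(frozen=True)
class Forward:
    start: int   # first external port of the range
    end: int     # last external port (inclusive)
    host: str    # LAN address that receives the traffic

def route_inbound(port: int, forwards: Iterable[Forward],
                  dmz_host: Optional[str] = None) -> Optional[str]:
    """LAN host receiving an unsolicited inbound connection, or None if NAT drops it."""
    for rule in forwards:
        if rule.start <= port <= rule.end:
            return rule.host
    return dmz_host  # everything not matched by a rule goes to the DMZ host, if set

def exposed_services(listening: Dict[int, str], host: str, forwards=(),
                     dmz_host: Optional[str] = None,
                     host_filter: Optional[Set[int]] = None) -> Dict[int, str]:
    """Services on `host` reachable from the Internet.
    host_filter models a second firewall in front of the host; None = no filter."""
    forwards = list(forwards)
    reachable = {}
    for port, name in sorted(listening.items()):
        if route_inbound(port, forwards, dmz_host) != host:
            continue  # the gateway drops it or sends it elsewhere
        if host_filter is not None and port not in host_filter:
            continue  # passed the gateway, blocked by the second filter
        reachable[port] = name
    return reachable

# Constructed sample: services listening on the server PC (10.0.0.2 in the thread).
# Ports 7777-7778 and the FTP/HTTP services come from the posts; 139 and 445 are
# assumed Windows file-sharing listeners added for illustration.
SERVER = "10.0.0.2"
LISTENING = {21: "ftp", 80: "http", 139: "netbios-ssn", 445: "smb",
             7777: "ut2003", 7778: "ut2003"}

if __name__ == "__main__":
    print("forward 7777-7778:", exposed_services(LISTENING, SERVER, [Forward(7777, 7778, SERVER)]))
    print("DMZ host only:    ", exposed_services(LISTENING, SERVER, dmz_host=SERVER))
    print("DMZ + host filter:", exposed_services(LISTENING, SERVER, dmz_host=SERVER,
                                                 host_filter={21, 7777, 7778}))
```

With the forwarding rule alone only the two game ports are reachable; with the DMZ setting every listener on the host is, unless the second filter narrows it again.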

  16. #16
    Skaarj
    Join Date
    Sep 2003
    Posts
    19

    Uhmmm I'm stupid

    My wife every so often reminds me I'm not as smart as I think.
    I had vos volitile vrs1.01 in the search set up so it wouldn't ping anyone that didn't have that mutator. (Which I guess no one has it anymore. It must have been upgraded or something)

    Anyway, kudos to my MCP wife.....

  17. #17
    Skaarj
    Join Date
    Jul 2004
    Posts
    13

    Default

    You may want to check out this thread too.

    - DBR 02

  18. #18
    MSgt. Shooter Person
    Join Date
    May 2004
    Posts
    345

    Default

    Originally posted by lanline
    That's what I thought too. But on the Linksys web site it said you have to disable DHCP. That doesn't make sense to me. You can't configure other comps without DHCP. I'll try taking out Norton, keep you posted....
    Yes they say that because if or when you turn off your equipment and then power back up in a different order the DHCP server assigns IPs in order of the first to power up. That being the case the ports would be forwarded to the right IP which in turn is reassigned to the wrong PC. As long as you don't completely power down the PCs (Leave the power supply on) then you are ok with using port forwarding with DHCP enabled.

  19. #19
    MSgt. Shooter Person
    Join Date
    May 2004
    Posts
    345

    Default

    With the massive amount of information on this thread I have a quick reply that may or may not be of any use. If I have the gist of the problem figured right, your network does not do internet loop back. In other words one box on the network cannot connect to your server using the internet IP. This could be your router software and/or your ISP. I had this happen to me once. It turned out that I used one of my PC's MAC address in my router (Linksys) as per the instruction of my ISP. After changing the MAC address in my router back to that of my cable modem I was able to use internet loop back again. Bottom line: Use your modem MAC address in your router.

    BTW Please Get ServerBot for UT2004 done, Please

  20. #20
    MSgt. Shooter Person
    Join Date
    Mar 2004
    Posts
    205

    Default

    On the subject of the USB ADSL modems, I have been using one now for nigh on 3 years (ALCATEL SPEEDTOUCH) and have had absolutely no complaints whatsoever.
    My line NEVER drops, I always have a decent ping ingame (<50) and have had no trouble hitting and keeping download speeds.
    FYI, I have a 1024/256 Line (UK) through British Telecom


 
