Devidian / docker-spaceengineers

A Docker for Space Engineers Dedicated Server

client behind a NAT (?) can not connect - can we force server to work on single port? #39

Closed. skudi closed this issue 3 months ago.

skudi commented 1 year ago

Hi, this is more like a general question about the dedicated server, but maybe someone here can help me.

I've got a problem connecting to the server; the errors are like in #24. In the tcpdump it seems that the server tries to communicate with the client on a different port, which is not forwarded to the client, because the client is behind NAT. Is there a way to force the server to use a single port for all communication?

Below is a dump of a working connection between client (.206) and server (.175) in the LAN. The client was using "Direct connect" and entered the IP address of the server. Connection initialization, checking server details, list of players etc. is done through port 27016:

```
10790 128.238109 192.168.21.206 192.168.21.175 UDP 67 49831 → 27016 Len=25
10791 128.238238 192.168.21.175 192.168.21.206 UDP 223 27016 → 49831 Len=181
```

But after "join the world" a second connection is established (initialized by the server), and all communication is done there:

```
11420 129.786685 192.168.21.175 192.168.21.206 UDP 98 61441 → 49845 Len=56
11453 129.848724 192.168.21.175 192.168.21.206 UDP 98 61441 → 49845 Len=56
11466 129.860019 192.168.21.206 192.168.21.175 UDP 123 49845 → 61441 Len=81
```

In the situation when the client is behind NAT, there are gateway addresses instead of the client's IPs. The gateway does not know what to do with UDP packets to a random port. If the client was initializing the connection (similar to passive mode in FTP) it will also fail, because a random port can not be forwarded to the docker container.

Anyway, thanks for your work, I believe I'll manage to use it somehow :)

Devidian commented 1 year ago

Hey skudi,

first of all thanks!

I'm not a networking nerd so it's always a bit difficult for me to not tell any "shit". The communication between a server and a client works ~ like this:

  1. server port 27016 is open
  2. client asks server on port 27016 for a connection
  3. server accepts and moves client to a new free port for further communication (no need to forward this)
  4. now another client can connect to 27016
  5. ...

if any networking pro knows it better, please correct me
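
The following script is an added example and is not code from this issue or from the docker-spaceengineers project. It parses the Wireshark-style UDP lines skudi posted above and summarises them along the lines of the handshake Devidian describes: for each flow it reports which server-side port was used and who sent the first packet, which is exactly what a stateful NAT in front of the client bases its forwarding decision on. The server address 192.168.21.175 and the advertised port 27016 are taken from the capture; the function and variable names are my own.

```python
"""Flow summary for Wireshark-style UDP capture lines (added example)."""
import re
from collections import OrderedDict

# Values taken from the issue's capture: the server's LAN address and the
# port the dedicated server advertises.
SERVER_IP = "192.168.21.175"
ADVERTISED_PORT = 27016

# The five packet lines quoted in the issue, re-typed here as sample input.
CAPTURE = """\
10790 128.238109 192.168.21.206 192.168.21.175 UDP 67 49831 → 27016 Len=25
10791 128.238238 192.168.21.175 192.168.21.206 UDP 223 27016 → 49831 Len=181
11420 129.786685 192.168.21.175 192.168.21.206 UDP 98 61441 → 49845 Len=56
11453 129.848724 192.168.21.175 192.168.21.206 UDP 98 61441 → 49845 Len=56
11466 129.860019 192.168.21.206 192.168.21.175 UDP 123 49845 → 61441 Len=81
"""

# One Wireshark summary line: No. Time Source Destination Protocol Length Info,
# where Info for UDP is "<sport> → <dport> Len=<payload>". Both the Unicode
# arrow and a plain "->" are accepted.
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+UDP\s+"
    r"(?P<frame>\d+)\s+(?P<sport>\d+)\s+(?:→|->)\s+(?P<dport>\d+)\s+Len=(?P<plen>\d+)\s*$"
)


def parse_capture(text):
    """Turn capture lines into dicts; raise on a line that is not a UDP summary."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised capture line: {line!r}")
        packets.append({
            "no": int(m["no"]), "time": float(m["time"]),
            "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]), "dport": int(m["dport"]),
            "payload": int(m["plen"]),
        })
    return packets


def summarise_flows(packets, server_ip=SERVER_IP):
    """Group packets into (server port, client ip, client port) flows.

    The first packet seen for a flow decides who "opened" it. Packets are
    expected in capture order, as parse_capture returns them.
    """
    flows = OrderedDict()
    for p in packets:
        if p["src"] == server_ip:
            key, opener = (p["sport"], p["dst"], p["dport"]), "server"
        elif p["dst"] == server_ip:
            key, opener = (p["dport"], p["src"], p["sport"]), "client"
        else:
            continue  # traffic that does not involve the server
        flow = flows.setdefault(key, {
            "server_port": key[0],
            "client": f"{key[1]}:{key[2]}",
            "opened_by": opener,
            "packets": 0,
            "payload_bytes": 0,
        })
        flow["packets"] += 1
        flow["payload_bytes"] += p["payload"]
    return list(flows.values())


def extra_server_ports(flows, advertised=ADVERTISED_PORT):
    """Server-side ports used on the wire besides the advertised one.

    Each of these needs its own published port / inbound rule if the server
    sits behind Docker port publishing or a firewall.
    """
    return sorted({f["server_port"] for f in flows if f["server_port"] != advertised})


def server_opened_flows(flows):
    """Flows whose first packet came from the server.

    A NAT or stateful firewall on the client side has no mapping for these
    yet and will drop them unless the client has sent something first.
    """
    return [(f["server_port"], f["client"]) for f in flows if f["opened_by"] == "server"]


if __name__ == "__main__":
    flows = summarise_flows(parse_capture(CAPTURE))
    for f in flows:
        print(f"server:{f['server_port']} <-> {f['client']}  opened by {f['opened_by']}, "
              f"{f['packets']} pkts, {f['payload_bytes']} payload bytes")
    print("server ports besides", ADVERTISED_PORT, "->", extra_server_ports(flows))
    print("server-opened flows ->", server_opened_flows(flows))
```

On the lines from the issue the script reports two flows: the one on 27016 opened by the client, and a second one on server port 61441 whose first packet came from the server. The first list is what the Docker `ports:` section or a firewall would have to cover, the second is what a NAT in front of the client cannot match to an existing mapping. The "opened by" heuristic is only as reliable as the capture: if the capture started after the client had already sent to that port, the flow will be misreported as server-opened, so capture from before the "join the world" step.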

Makr91 commented 1 year ago

My two cents as a Datacenter MSP administrator.

  1. Docker only exposes the ports you enter in the "ports" section of your docker-compose.yml to your internal network, unless you specify network_mode: host to expose everything to your docker host's internal network (see: Link).

  2. Since there are many makes, models, software stacks, etc. that can be used as your "Firewall/Router" between your Docker Host and your ISP, it's hard to gauge what settings would need to be set for your specific instance. If for example you use pfSense as your Firewall: I set a NAT rule for 27016 to the internal IP of the docker host for the inbound rule to the server. And then I have an Outbound NAT Policy that is handled by PureNAT (automagically allow/assign ports from the internal IP that requested the outbound connection). By default pfSense blocks most everything without specific rules being added.

Are the SE Clients and the SE Server behind the same firewall or on the same network? Or are they on different networks? I.e. you set up your server instance at a cloud provider, let's say Linode or something, and you are running your SE Client on your local home network? Or is it that you are running the Docker Instance on your home network, and a friend, who is remote to you, on their own network using a different ISP, can't connect? If it's the latter you may have to tweak both of your firewalls/Routers, depending on the situation.