mysteriumnetwork / node

Mysterium Network Node - official implementation of distributed VPN network (dVPN) protocol
https://mysterium.network
GNU General Public License v3.0

Please List Steps to Enable NAT Traversal (UDP hole punching) For Docker (Nat type: Port Restricted Cone) #3817

Closed breezytm closed 2 years ago

breezytm commented 3 years ago

I am using Docker on Ubuntu and I ran the following command:

docker run --cap-add NET_ADMIN -d -p 4449:4449 --name myst -v myst-data:/var/lib/mysterium-node mysteriumnetwork/myst:latest service --agreed-terms-and-conditions

Now my node is up and running but I cannot figure out how to enable the NAT Traversal since it is not covered in the tutorial. https://www.youtube.com/watch?v=C1Msfv0yNRQ&t=122s

I beg of you to take 5 minutes of your time and assist with this issue. Too many people have this question but the answer in the guide is quite vague to follow and/or unrelated to docker. I am tired of banging my head trying to figure this out. https://docs.mysterium.network/node-runners/troubleshooting/#nat-traversal

soffokl commented 3 years ago

It should be enabled by default if you are not disabling it explicitly. If you can share your node ID, I can double-check if it is working as expected.

breezytm commented 3 years ago

I did not explicitly disable it but I do know port 1294 is being used by another service running on the same host. Not sure if that is the reason why I am getting the "Port Restricted Cone" as the NAT status.

0x989e30961c57f8e1b8e760b8c7c9685519480886

I have not had any connections going to my node so clearly, something is wrong.

soffokl commented 3 years ago

There is nothing wrong with Port Restricted Cone NAT. Most of the users will be able to connect to your node anyway. We will fix this scary message and do the required changes to docs and code to make it better.

breezytm commented 3 years ago

Are there any additional ports I need to open on my router other than 4449? My node has been online for 2 days now without any traffic other than some tests. I also know the MMN is inaccurate. It shows up as Unknown even though this is a residential USA IP.

soffokl commented 3 years ago

I can confirm that it's running well. I'm sending this message via your connection:

» status
[INFO] Status: Connected
[INFO] SID: fdd14d91-ece4-4974-a838-7fff11ca7001
[INFO] IP: 108.27.250.243
[INFO] Location: New York, US (residential - Verizon Fios)
[INFO] Proposal: Provider: 0x989e30961c57f8e1b8e760b8c7c9685519480886, ServiceType: wireguard, Country: US
[INFO] Connection duration: 7m6s
[INFO] Data: 4.6MiB/1.6MiB
[INFO] Throughput: 6.7KiBs/2.5KiBs
[INFO] Spent: 0.000775
»

You are running a pre-release version; not many users are there yet, so it can take some time to get a real session. We expect to do a full release of this version next week and you will see more traffic there.

breezytm commented 3 years ago

Interesting. So how did I end up with a pre-release version if I am installing using the guide your team provided? Shouldn't there be a pre-release branch and a stable branch? If so, how do I get the stable branch? I know this is getting off topic but I want the node to be up and running as well as providing services.

Lastly, I am still confused as to which ports are actually being used for this service. Is it only port 4449? Is that the only port I need to open in my router or should I be enabling others?

I am sorry for asking all these questions but it seems like there is a lot of confusion when it comes to configuring and running a node. Maybe there isn't really any confusion but it's just the guide causing the misunderstanding. I am not sure. Most of the questions I do have seem to be asked by quite a few others as well.

soffokl commented 3 years ago

Port 4449 is needed for nodeUI only. It's a way to manage the configuration of your node. You should not expose it publicly through the router.

By default, a node uses the 10000:60000 UDP port range. It takes random ports from this range and uses them to establish a connection. It starts the connection from the inside of the container and it's not mandatory to open any ports on the router. In most cases, everything will work automatically.

If you want to do manual port forwarding, you can use special flags to set a smaller port range like this:

docker run --cap-add NET_ADMIN -d -p 4449:4449 -p10000-10200:10000-10200/udp --name myst -v myst-data:/var/lib/mysterium-node mysteriumnetwork/myst:latest --udp.ports=10000:10200 service --agreed-terms-and-conditions

breezytm commented 3 years ago

I have done just that.

1. docker exec -it 03edcdbdd91e myst cli
2. docker stop myst
3. docker rm myst
4. docker run --cap-add NET_ADMIN -d -p 4449:4449 -p10000-10200:10000-10200/udp --name myst -v myst-data:/var/lib/mysterium-node mysteriumnetwork/myst:latest --udp.ports=10000:10200 service --agreed-terms-and-conditions

Accepting Connections: Most

The reasoning seems to be the Port Restricted Cone. I am beginning to think the issue isn't on my side because I have the ports open in my router and I also have UPNP enabled. Even if I misconfigured the port forwarding, which I did not, the application can open any port(s) it wants without my intervention.

Also, I have this issue in both of my nodes, running from two different router brands. Please see the screenshots below. Also if you can, attempt one of those "Symmetric NAT" connections and see if that goes through.

[Three screenshots attached: 2021-08-26 9:47:46 AM, 2021-08-25 4:53:37 PM, 2021-08-25 4:51:28 PM]

breezytm commented 3 years ago

Where do we go from here gentlemen? I have only met one person who says their node reads "All" instead of "Most" and that individual works for Mysterium.

CharlyEmpereurmot commented 3 years ago

I'm wondering about the same things and have exactly the same observations. The problem is these 0-byte connections that I keep wondering about: is this lost traffic that I could get?

victorelec14 commented 2 years ago

The same here, I cannot set the ports in Docker. I think the container ignores this? Thx

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

victorelec14 commented 2 years ago

Activity 🙈

stale[bot] commented 2 years ago

This issue has been automatically closed because it has not had activity for a long time. If this issue is still valid, please ping a maintainer and ask them to label it as "pinned". Thank you for your contributions.

therealresonix commented 5 months ago

If you are using Docker and want your NAT type to be open, you need to set your network mode to host mode.

Example:

docker run --cap-add NET_ADMIN --network=host -d -p 4449:4449 --name myst -v myst-data:/var/lib/mysterium-node --restart unless-stopped mysteriumnetwork/myst:latest service --agreed-terms-and-conditions

Other example if Docker Compose is used:

services:
  myst:
    image: mysteriumnetwork/myst:latest
    container_name: myst
    network_mode: host
    volumes:
      - myst-data:/var/lib/mysterium-node
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    command: service --agreed-terms-and-conditions

volumes:
  myst-data:

The above code snippets will result in an open NAT type IF you have disabled your firewall OR opened ports 10000-60000/UDP, but be warned and know the security implications for your network.
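
An added example, not part of the thread or of the Mysterium project's code: a shell function that audits a `docker run` line against the port guidance given in this thread (TCP 4449 is the node UI and should stay private; with host networking Docker discards `-p`, so nothing at the Docker layer restricts that port). The function name `audit_myst_run` and the finding labels are hypothetical, and only the flags quoted in this thread are parsed.

```shell
#!/bin/sh
# Added example, not from the thread. Finding names are made up here; only
# flags quoted in the thread are recognised.
audit_myst_run() {
    ui=none; hostnet=no; pub_udp=; node_udp=; prev=
    set -f                                  # no globbing while word-splitting
    for w in $1; do
        case "$prev" in                     # join "-p X" into "-pX", etc.
            -p|--publish) w="-p$w" ;;
            --network|--net) w="--network=$w" ;;
        esac
        case "$w" in
            --network=host|--net=host) hostnet=yes ;;
            -p127.0.0.1:4449:4449) ui=loopback ;;
            -p4449:4449|-p0.0.0.0:4449:4449) ui=all ;;
            -p*/udp) pub_udp=${w#-p}; pub_udp=${pub_udp%%:*} ;;
            --udp.ports=*) node_udp=$(printf %s "${w#--udp.ports=}" | tr : -) ;;
        esac
        prev=$w
    done
    set +f
    if [ "$hostnet" = yes ]; then
        # Docker discards -p with host networking, so the UI listens on the
        # host's own addresses and only the host firewall limits access.
        echo "HOST_NETWORK: -p ignored; filter TCP 4449 on the host firewall"
    elif [ "$ui" = all ]; then
        # A bare host port is published on 0.0.0.0, i.e. every interface.
        echo "UI_ALL_INTERFACES: use -p 127.0.0.1:4449:4449 instead"
    fi
    if [ -z "$node_udp" ]; then
        echo "UDP_DEFAULT: node picks ports from 10000-60000/udp"
    elif [ "$hostnet" = yes ] || [ "$pub_udp" = "$node_udp" ]; then
        echo "UDP_OK: node and published range agree on $node_udp/udp"
    else
        echo "UDP_MISMATCH: node uses $node_udp/udp, published: ${pub_udp:-none}"
    fi
}

# Constructed inputs: the host-mode command from the thread, then a variant
# with the UI bound to loopback and the narrowed UDP range.
img='mysteriumnetwork/myst:latest'
audit_myst_run "docker run --cap-add NET_ADMIN --network=host -d -p 4449:4449 --name myst $img service --agreed-terms-and-conditions"
audit_myst_run "docker run --cap-add NET_ADMIN -d -p 127.0.0.1:4449:4449 -p 10000-10200:10000-10200/udp --name myst $img --udp.ports=10000:10200 service --agreed-terms-and-conditions"
```

The second command line prints only `UDP_OK`, because the node UI is reachable from the host itself and the published UDP range matches `--udp.ports`.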

darthvader666uk commented 2 months ago

Thank you for this. I was stumped for a bit on using this via Docker.

However, I am unable to get to the settings/dashboard of my local node. What's the best way to access this?

EDIT: I found the CLI, it's all looking good! Thank you again :)