
ForHonor NAT

Wafaduck

My ForHonor says NAT is STRICT? That means I can't play online, which sucks. Only against bots. Do you guys have any clue on how to fix this? They said port forwarding the ports would do. Can anyone help me with that?


What you need to do is go into your router and locate port forwarding. It's usually near or under firewall settings. From here you'll need to specify the IP of the system you're on (you'll likely need to assign a static IP to your system) & the ports you need to forward both inbound and outbound then if you need TCP, UDP, or both.

 

You'll have to look up what ports forHonor needs forwarded.


1 hour ago, Windows7ge said:

What you need to do is go into your router and locate port forwarding. It's usually near or under firewall settings. From here you'll need to specify the IP of the system you're on (you'll likely need to assign a static IP to your system) & the ports you need to forward both inbound and outbound then if you need TCP, UDP, or both.

 

You'll have to look up what ports forHonor needs forwarded.

Oh cool. Can you show me which part exactly, where in my router?

[Attached screenshot] Is this the correct area for port forwarding?


1 hour ago, Windows7ge said:

What you need to do is go into your router and locate port forwarding. It's usually near or under firewall settings. From here you'll need to specify the IP of the system you're on (you'll likely need to assign a static IP to your system) & the ports you need to forward both inbound and outbound then if you need TCP, UDP, or both.

 

You'll have to look up what ports forHonor needs forwarded.

Inbound and outbound? Can you explain to me what that means?


9 hours ago, Wafaduck said:

Is this the correct area for port forwarding?

That is the area. Every router displays the configuration differently. The only standard is what values you input.

 

9 hours ago, Wafaduck said:

Inbound and outbound? Can you explain to me what that means?

With networking, traffic generally goes both directions. From a central interface Inbound traffic would be data entering the interface (like a computer) and Outbound traffic would be data leaving the interface.

 

With routers there is generally a WAN & a LAN. Inbound traffic is used to describe data coming from the Internet on the WAN interface trying to enter the LAN. Outbound traffic is used to describe data on the LAN interface trying to leave via the WAN interface.

 

Inbound ports are used to describe firewall exceptions for traffic with Destination Ports that match.

Outbound ports (or local ports) are what the IP TCP Destination Port is switched to for the application on whichever machine requesting it accepts.

 

A simple example: SFTP/SSH (Secure File Transfer Protocol/Secure Shell). This protocol by default uses port 22. However, bots on the Internet like to scan ports 20, 21, 22 for access to your local network (this is bad). You can set the Inbound port to something obscure like Port: 4000 but the Outbound/Local port to Port: 22. The router will see the TCP IP packet come in on port 4000. It'll change the Destination Port to 22 and send it to the IP specified in the Port Forwarding menu. When the server receives the request for access it'll receive the request on Port: 22 but the router received it on Port: 4000. This will work vice versa as well. The server will reply on Port 22 to the router. The router will change the Destination Port to Port 4000 and send it out to the Internet to wherever you or your clients are.


It's probably easier to enable the UPnP service on the LAN interface.


8 hours ago, beersykins said:

It's probably easier to enable the UPnP service on the LAN interface.

And how do I do that? Can you guide me through it?


8 hours ago, Windows7ge said:

That is the area. Every router displays the configuration differently. The only standard is what values you input.

 

With networking, traffic generally goes both directions. From a central interface Inbound traffic would be data entering the interface (like a computer) and Outbound traffic would be data leaving the interface.

 

With routers there is generally a WAN & a LAN. Inbound traffic is used to describe data coming from the Internet on the WAN interface trying to enter the LAN. Outbound traffic is used to describe data on the LAN interface trying to leave via the WAN interface.

 

Inbound ports are used to describe firewall exceptions for traffic with Destination Ports that match.

Outbound ports (or local ports) are what the IP TCP Destination Port is switched to for the application on whichever machine requesting it accepts.

 

A simple example: SFTP/SSH (Secure File Transfer Protocol/Secure Shell). This protocol by default uses port 22. However, bots on the Internet like to scan ports 20, 21, 22 for access to your local network (this is bad). You can set the Inbound port to something obscure like Port: 4000 but the Outbound/Local port to Port: 22. The router will see the TCP IP packet come in on port 4000. It'll change the Destination Port to 22 and send it to the IP specified in the Port Forwarding menu. When the server receives the request for access it'll receive the request on Port: 22 but the router received it on Port: 4000. This will work vice versa as well. The server will reply on Port 22 to the router. The router will change the Destination Port to Port 4000 and send it out to the Internet to wherever you or your clients are.

So much to learn. Thanks for your brief explanation, really appreciate it.


6 minutes ago, Wafaduck said:

So much to learn. Thanks for your brief explanation, really appreciate it.

Yep.


15 hours ago, Windows7ge said:

A simple example: SFTP/SSH (Secure File Transfer Protocol/Secure Shell). This protocol by default uses port 22. However, bots on the Internet like to scan ports 20, 21, 22 for access to your local network (this is bad). You can set the Inbound port to something obscure like Port: 4000 but the Outbound/Local port to Port: 22. The router will see the TCP IP packet come in on port 4000. It'll change the Destination Port to 22 and send it to the IP specified in the Port Forwarding menu. When the server receives the request for access it'll receive the request on Port: 22 but the router received it on Port: 4000. This will work vice versa as well. The server will reply on Port 22 to the router. The router will change the Destination Port to Port 4000 and send it out to the Internet to wherever you or your clients are.

Port forwarding is an inbound protocol only. Does not change the port on outbound traffic. 

On 6/22/2018 at 11:29 PM, Wafaduck said:

My ForHonor says NAT is STRICT? That means I can't play online, which sucks. Only against bots. Do you guys have any clue on how to fix this? They said port forwarding the ports would do. Can anyone help me with that?

Enable UPnP. Look at the screenshot you posted, it's two tabs above port forwarding.

 

Port forwarding is a very bad habit and a last resort. Do not do that.


Universal Plug and Play is usually used for newer devices connecting to the network. Unplug your device from the network, enable UPnP and then re-plug your device to the network.

 

However.. Network Address Translation has nothing to do with playing a game.  This "strict" bullsh* that they push on games is about them not having routing privileges. Just make sure your public network is not being actively translated to a different private IP.
 

Easy solution : get a damn static external IP that you use for your hub/machine.

Hard solution : change your setting internally to statically route your hardware to the same path each time and set default schemes for each port that forward. This gets barraged by multiple users on the network as well, so let's say 2 people wanna play the same game : only one gets routed this way (port forwarding).

 

Why I suggest a static external;

 - you will NEVER have an issue with NAT due to a router/some other device on the network... you are the SOLE user of that static.  You are done.


6 hours ago, mynameisjuan said:

Port forwarding is an inbound protocol only. Does not change the port on outbound traffic. 

You are the spitting image of my networking professor at college. No mercy when I say something even remotely wrong but I don't think it's a bad thing.


4 minutes ago, Windows7ge said:

You are the spitting image of my networking professor at college. No mercy when I say something even remotely wrong but I don't think it's a bad thing.

I just wanna say something here: advanced networking allows for outbound port forwarding. It is the basics of Cisco programming and can be done with or without a hypervisor.


12 minutes ago, TotallyLegitimateandSafe said:

I just wanna say something here: advanced networking allows for outbound port forwarding. It is the basics of Cisco programming and can be done with or without a hypervisor.

It's kind of nice to hear that what I said is technically possible (although when you're programming you're only limited by your imagination). It still makes sense to correct me because I'm still wrong for the given situation.

 

I am curious now though. I used SFTP/SSH as an example for port forwarding because I use it (this was easy for me since the network the server is on its WAN isn't another private network. Also the public IPv4 is delightfully static (I didn't ask for it to be) though the IPv6 changes multiple times a day.) I never really understood what UPnP can do. Is it possible to use it to replace port forwarding for these protocols?


1 hour ago, Windows7ge said:

It's kind of nice to hear that what I said is technically possible (although when you're programming you're only limited by your imagination). It still makes sense to correct me because I'm still wrong for the given situation.

 

I am curious now though. I used SFTP/SSH as an example for port forwarding because I use it (this was easy for me since the network the server is on its WAN isn't another private network. Also the public IPv4 is delightfully static (I didn't ask for it to be) though the IPv6 changes multiple times a day.) I never really understood what UPnP can do. Is it possible to use it to replace port forwarding for these protocols?

Just use MAC address allocation and a passthrough device that filters ports. Some hubs or switches can be configured like this, it shouldn't matter tho.

If all you're doing is playing For Honor, get a static IP from your ISP and just use it. They are like 10-15 extra per month and you can then host/client whatever you want and it won't matter.

If you are using SSH to SFTP files... you shouldn't need to forward anything inherently. Things like FileZilla don't use crazy port ranges by default. Just make sure your firewall isn't blocking it on the device.


4 minutes ago, TotallyLegitimateandSafe said:

Just use MAC address allocation and a passthrough device that filters ports. Some hubs or switches can be configured like this, it shouldn't matter tho.

If all you're doing is playing For Honor, get a static IP from your ISP and just use it. They are like 10-15 extra per month and you can then host/client whatever you want and it won't matter.

If you are using SSH to SFTP files... you shouldn't need to forward anything inherently. Things like FileZilla don't use crazy port ranges by default. Just make sure your firewall isn't blocking it on the device.

I'm not playing any games. I have a FreeNAS server that I use for various things. Mainly as a file server and I like being able to access it from anywhere. As for the Public IP for whatever reason the IPv4 is already static even though nobody asked for it. Even if it wasn't I'd look into a DDNS service before paying for a static IP.

 

I opted to use a random inbound port other than port 22 as an insignificant form of extra security (because I know port scanners exist) since bots on the internet have tried using port 22 before and tried logging into the server. As for software it's a combination of FileZilla on Linux, then PuTTY & WinSCP on Windows. I don't know if there's a way to connect to the Public IP & then the server without specifying a port and then the IP of the server.


2 hours ago, TotallyLegitimateandSafe said:

I just wanna say something here: advanced networking allows for outbound port forwarding. It is the basics of Cisco programming and can be done with or without a hypervisor.

That's not port forwarding though, that's static routes. He said it forwards in AND outbound which the protocol does not do.


2 hours ago, Windows7ge said:

You are the spitting image of my networking professor at college. No mercy when I say something even remotely wrong but I don't think it's a bad thing.

I'm just clearing up info for everyone. It's not to attack or put you down. You are mostly correct but just a bit off. More correct info the better!


8 minutes ago, mynameisjuan said:

I'm just clearing up info for everyone. It's not to attack or put you down. You are mostly correct but just a bit off. More correct info the better!

I'm not against being corrected at all so long as it is constructively with the intention to help and prevent the spreading of misinformation. I'm always up for learning more and correcting what I thought was right.

 

I have a problem with being corrected when the individual just looks at me and says something along the lines of "You're wrong!" then just disappears without helping anybody. This does happen from time to time and it's annoying...welcome to the Internet.


1 hour ago, Windows7ge said:

I'm not against being corrected at all so long as it is constructively with the intention to help and prevent the spreading of misinformation. I'm always up for learning more and correcting what I thought was right.

 

I have a problem with being corrected when the individual just looks at me and says something along the lines of "You're wrong!" then just disappears without helping anybody. This does happen from time to time and it's annoying...welcome to the Internet.

Well, I probably should explain my comments more with why. By no means am I trying to seem like a douche and I apologize for coming off that way!

 

So to expand on the outbound port forwarding. So say a client connects to a server by SSH on port 2249 and port forwarding on the server has port 2249 forwarded to 22. The client sends the packet out and the firewall sees the port 2249 and forwards it to the server. Now the server just sees the 22 (the source port in the packet) and responds on 22 as well. This hits the router (the router does care about outbound unless static routes are configured) and is sent out to the destination port to the NAT table in the client's router. The client then gets the packet on port 22.

So on your response, if the router stripped the 22 and added port 2249 on the outbound and sent it to the client, now the client's router will not know what to do with the packet as now it received a packet on port 2249 instead of its own port selected in its NAT table.

 

The only thing I think you are missing are NAT and that each packet has 2 ports, source and destination. So if you take a packet it has destination:source:des.port:src.port. Ex. 43.15.223.2:192.168.2.4:4000:4000-->router-->NAT-->43.15.223.2:x.x.x.x:4000:33500-->server router-->translates 192.168.2.4:4000:33500 to 192.168.2.4:22:33500 because forwarding--> server responds with x.x.x.x:43.15.223.2:33500:4000-->back to router then client.

 

Edited by mynameisjuan
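An added example, not part of any post in this thread: a small model of how a connection-tracking router (Linux netfilter behaves this way) handles the 4000 -> 22 forward discussed above, including what happens to the reply. The IP addresses are constructed from the documentation ranges, and the client is assumed to sit directly on a public address so that only the server-side router is modelled.

```python
"""Toy model of a home router doing port forwarding (destination NAT)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortForwardingRouter:
    def __init__(self, wan_ip, forwards):
        self.wan_ip = wan_ip
        self.forwards = forwards   # {wan_port: (lan_ip, lan_port)}
        self.connections = {}      # state created by forwarded inbound packets

    def from_wan(self, pkt):
        """Inbound: rewrite the destination if a forwarding rule matches, else drop."""
        rule = self.forwards.get(pkt.dst_port)
        if pkt.dst_ip != self.wan_ip or rule is None:
            return None
        lan_ip, lan_port = rule
        # Remember the flow so the reply can be translated back.
        self.connections[(lan_ip, lan_port, pkt.src_ip, pkt.src_port)] = pkt.dst_port
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)

    def from_lan(self, pkt):
        """Reply leaving the LAN: restore the WAN address and port the client contacted."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.connections.get(key)
        if wan_port is None:
            return None            # ordinary outbound source NAT is not modelled here
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)


def reply_to(pkt):
    """What the receiving host sends back: addresses and ports swapped."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def client_accepts(sent, received):
    """A TCP client only matches a reply that mirrors the packet it sent."""
    return received == reply_to(sent)


def demo():
    # Constructed addresses; the 4000 -> 22 rule is the one used in the thread.
    router = PortForwardingRouter("203.0.113.10", {4000: ("192.168.2.4", 22)})
    syn = Packet("198.51.100.7", 33500, "203.0.113.10", 4000)
    at_server = router.from_wan(syn)         # server sees destination port 22
    server_reply = reply_to(at_server)       # server answers from source port 22
    on_wire = router.from_lan(server_reply)  # router restores source port 4000
    untranslated = replace(server_reply, src_ip=router.wan_ip)
    probe_22 = Packet("198.51.100.7", 33501, "203.0.113.10", 22)
    return {
        "server_sees_port": at_server.dst_port,
        "reply_source_port": on_wire.src_port,
        "client_accepts_translated": client_accepts(syn, on_wire),
        "client_accepts_untranslated": client_accepts(syn, untranslated),
        "port_22_from_wan": router.from_wan(probe_22),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model the reply is matched to the tracked connection and leaves with source port 4000, which is the only form the client's socket will accept; a probe sent to WAN port 22 matches no rule and is dropped.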

9 minutes ago, mynameisjuan said:

Well, I probably should explain my comments more with why. By no means am I trying to seem like a douche and I apologize for coming off that way!

It's fine. Like I said you reminded me of my networking college professor. I put up with her for two semesters because I considered her a challenge. I could tell she had full intention to help so her strict attitude didn't bother me. I cannot say the same for my peers. She built a reputation at the college for not being particularly well liked.

 

17 minutes ago, mynameisjuan said:

So on your response, if the router stripped the 22 and added port 2249 on the outbound and sent it to the client, now the client's router will not know what to do with the packet as now it received a packet on port 2249. Now this can work because of the routing table in the firewall and allow it to come back in because it's a response it was expecting but the client will most likely not know what to do with it unless forwarding is on the client as well.

So the client doesn't care that the message it receives is on a port different from the port the initial message was sent. This is simply how the protocols are designed to work?

I'm wondering if it did receive the message on the same port as it was sent if the client would interpret it like an echo. The reason why it doesn't know what to do with the response.

 

So similar to OP's desire. If a particular application has the ability to use UPnP or Port Forwarding to accomplish the same task would UPnP be "safer" in terms of not opening a door straight into your network? The reason I'm asking is because besides my SFTP/SSH file server I'm also doing something else that involves opening ports. Only this project I do know supports UPnP (It'll traverse NAT and use the loopback 127.0.0.1 address to get in/out) just that they recommend port forwarding.


13 minutes ago, Windows7ge said:

So the client doesn't care that the message it receives is on a port different from the port the initial message was sent. This is simply how the protocols are designed to work?

I'm wondering if it did receive the message on the same port as it was sent if the client would interpret it like an echo. The reason why it doesn't know what to do with the response.

I was editing my post when you responded. Working for 34 hours straight so I was all over the place! It should be clearer now.

 

So the client and server have their ports they are talking on and the two routers via NAT have their own ports.

25 minutes ago, Windows7ge said:

So similar to OP's desire. If a particular application has the ability to use UPnP or Port Forwarding to accomplish the same task would UPnP be "safer" in terms of not opening a door straight into your network? The reason I'm asking is because besides my SFTP/SSH file server I'm also doing something else that involves opening ports. Only this project I do know supports UPnP (It'll traverse NAT and use the loopback 127.0.0.1 address to get in/out) just that they recommend port forwarding.

UPnP is "safer" but it kind of acts like a dynamic port forwarding. I never was interested in UPnP so I don't know how it works on the layer level but it seems like it's auto port forwarding. It's still considered unsafe because malicious programs can automatically open ports this way to let incoming traffic attack the device.

Port forwarding in general is not dangerous. It just requires an understanding of everything that is listening on a port. Linux doesn't tend to have a firewall by default because if an application is not listening on a port, nothing can attack it.

If you open ports, tend to stay about the 30000-60000 port range as bots I see never tend to go that high and you will experience much less login attempts. I just don't tell people to port forward because they don't understand what they are opening up and will tend to use common ports and brute force breaches can happen, especially if a server does not use a strong password.


1 hour ago, mynameisjuan said:

If you open ports, tend to stay about the 30000-60000 port range as bots I see never tend to go that high and you will experience much less login attempts. I just don't tell people to port forward because they don't understand what they are opening up and will tend to use common ports and brute force breaches can happen, especially if a server does not use a strong password.

When I first set up SFTP/SSH on the server I was using port 22 and a password. This did result in login attempts from unknown entities. Within a month I switched to a much higher random public port (not 30k~60k high) and set up Public/Private Key Authentication (RSA 2048-bit) w/ password so even if the private key is breached you still need a password (though I should figure out how to set up limiting the number of login attempts within a given time frame).

 

As for the other port forwarding their ports are only in the 1000's but the program lets me set the ports manually so I'll move them to between 30k~60k if it'll help at all. The OS the software is running on is Windows so from a security aspect that doesn't help anything. I've been told the software has a Linux version and I'd like to explore it if Linux has less holes for people or bots to find.


14 minutes ago, Windows7ge said:

The OS the software is running on is Windows so from a security aspect that doesn't help anything. I've been told the software has a Linux version and I'd like to explore it if Linux has less holes for people or bots to find.

Windows in reality is really not that much less secure, the public has just dug that perception into people, it's all how well it's set up. Linux is a marginal step up in security but that is due to the way permissions work and frequent patches on the OS. Even an unpatched Linux machine with a bad firewall setup is just as bad as an unpatched Windows machine. Just review what is listening on what port, that is key. Try to stick to ports that are not sharing the same port as other applications (UDP only) with TCP applications cannot listen on the same port (without support, like webservers) so just ensure those ports are not open. Usually people will open ports like 3016-3020 when they never realized one service is listening on 3019 when they just needed 3016, 3017, 3020. Just small things like that need to be looked for.

 

No different than calling a number and dialing an extension. If you dial an extension that no one has, there is no way to use that maliciously even though you can dial through.  

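An added example, not from any poster in this thread: one way to carry out the "review what is listening on what port" check for the 3016-3020 case described in the last post. The `ss -tuln` listing, the choice of UDP for the needed ports and the TCP+UDP forward are constructed for illustration.

```python
"""Compare a router's forwarded port ranges with what is listening on the host."""

# Constructed sample of `ss -tuln` output from the forwarded host (not from the thread).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:3016       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:3017       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3019       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:3020       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3018     0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_listeners(ss_text):
    """Return {(proto, port)} for sockets reachable from other hosts."""
    listeners = set()
    for line in ss_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if addr.startswith(LOOPBACK_PREFIXES) or not port.isdigit():
            continue  # loopback-only sockets are not reachable through a forward
        listeners.add((proto, int(port)))
    return listeners


def audit(forwards, needed, listeners):
    """forwards: [(proto, first, last)]; needed: {(proto, port)} the application requires."""
    exposed = {(proto, port)
               for proto, first, last in forwards
               for port in range(first, last + 1)}
    return {
        # Forwarded and answered by something the application never asked for.
        "unintended": sorted((exposed & listeners) - needed),
        # Forwarded with nothing listening: candidates for closing.
        "unused": sorted(exposed - listeners - needed),
        # Required by the application but not forwarded or not listening.
        "missing": sorted(needed - (exposed & listeners)),
    }


def run_audit():
    # The whole 3016-3020 range forwarded for both protocols, as a router's
    # "TCP/UDP" option would do, while only three UDP ports are needed.
    forwards = [("tcp", 3016, 3020), ("udp", 3016, 3020)]
    needed = {("udp", 3016), ("udp", 3017), ("udp", 3020)}
    return audit(forwards, needed, parse_listeners(SS_OUTPUT))


if __name__ == "__main__":
    for finding, ports in run_audit().items():
        print(finding, ports)
```

On the sample input the only unintended exposure is the TCP service on 3019, and the remaining ports in the range show up as unused forwards that can be dropped from the rule.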
