One-Way Connectivity



steev42
October 24th, 2008, 01:29
So, yesterday I went through the process of changing some router status, including updating the firmware. After I was done, I had one of my players connect to FG, just to make sure I hadn't messed up anything by doing that, and all went smoothly.

Tonight was game night, and I clicked the "Update" button before starting the server. Went through that process, no problem. Started the server, let everyone know. Nobody can connect.

Go through a myriad of setups--different aliases, direct ip connect, changing port forwarding, auto-assignment of ip by the router, and removing all that, including restarting my computer. Nothing seems to work, so I resolve to fix it between sessions and end the game for the night. But just to be sure, I have the other player who owns a server license start up a server, and I try to connect to his.

It goes through without an issue; I connect quickly and easily.


So...I guess the question is this--does anyone have any clue as to why I could connect out, but not accept connections in?

Thanks in advance.

Griogre
October 24th, 2008, 02:36
Connecting out is trivial. Clients don't have to configure anything to connect to a properly configured server. The host on the other hand *must* open the port and port forward the port to the right local computer.

Two potential problems are:

1) The update may have changed the signature of the FG to your security programs. Re-allow FG in your firewall and see if that does it.

2) You do not have a static local IP address and the router assigned you a different local IP number from the one which your router is port forwarding the FG stuff to.

zabulus
October 24th, 2008, 11:19
One thing I have not read from your description: Did the players update as well?

scytale2
October 24th, 2008, 13:17
I had exactly the same problem yesterday, Steev, mine over a mobile connection...

This kind of thing really ought to have been predicted by those writing the code. I hope the update, if we can ever figure out how to connect again, was worth it, as I understand it also was not written in with consideration of the 4E ruleset, which probably more than 50% of users are using right now.

The other really key thing about this is that it is extremely difficult for "hosts" to check their own connectivity to the outside, so codewriters should be changing this aspect at their peril. If FG had some kind of indicator to show whether people would be able to connect, that would be useful.

Spyke
October 24th, 2008, 13:21
You've probably done this already, but if not, use an online tool such as PC Flank's port scanner (https://www.pcflank.com/scanner1.htm) to check that port 1802 is actually open at your external IP address while you are running Fantasy Grounds on your local machine.

Spyke

Spyke
October 24th, 2008, 13:33
> The other really key thing about this is that it is extremely difficult for "hosts" to check their own connectivity to the outside.

It is actually reasonably simple. Start a GM session of Fantasy Grounds, then switch to your browser and go to PC Flank's Port Scanner (https://www.pcflank.com/scanner1.htm) and then do the following:

1. Click Start Test.

2. Check that the external IP address displayed is the one you are expecting. This is often shown on your router front page, otherwise you can check it at What's My IP? (https://www.whatismyip.com/) Click Continue.

3. Leave the selection set to 'TCP connect scanning (standard)', and click Continue.

4. Click 'Scan desired ports and/or the range of ports', and enter 1802 in the box. Click Continue.

The site will report whether port 1802 is Stealthed, Closed or Open. You need it to be Open while you are GMing a session using Fantasy Grounds. If you can set your firewall up so that it is closed at all other times, so much the better.

Spyke

scytale2
October 24th, 2008, 13:34
Thanks, Spyke - I've saved this link for future use - 1802 was open. In the meantime, ZoneAlarm flashed up that it was preventing connection (which did not happen yesterday), so perhaps this was my issue. I still can't tell for sure, though.

Spyke
October 24th, 2008, 13:39
ZoneAlarm just updated to v8 for me, and wiped out all my previous settings... it may have done the same to you. If 1802 appears open but you still can't connect, try shutting down ZoneAlarm completely briefly. At least then you'll know whether it's a ZoneAlarm problem. (In this case we know it was forwarded correctly from your router as ZA flashed you the warning.)

Theoretically you can just drop the firewall on ZoneAlarm, but I think some expert rules could override this, so it's probably better just to shut it down for a quick test.

Spyke

zabulus
October 24th, 2008, 13:57
> ... as I understand it also was not written in with consideration of the 4E ruleset, which probably more than 50% of users are using right now...

As the 4E ruleset is not written nor distributed by Smiteworks, it would be difficult for them to consider it in every little thing they change. If they do take it into consideration (maybe in larger changes), so much the better, but it'd be wrong to EXPECT them to consider it.

Patrick

PS
I don't know where you get that "more than 50%" from? 100% of the users I play with do not use the 4E ruleset... :)

steev42
October 24th, 2008, 22:28
Griogre:
Ah--I was assuming since it used the same ports, and data was going in both directions, setup would be similar. Regarding the signature of FG, I gave it a try (both temporarily, and deleting/re-adding), and the port scanner listed it as 'stealthed' both times. Same as when I set it up directly with the ports. And the same when I re-set up port forwarding on my router. When I killed windows firewall completely (my only fw program at the moment, other than the hardware one in the router), it was listed as 'closed'.


zabulus:
Yes, they did. Thought I mentioned that, sorry. The error they are getting is "Could not connect to the host. Check the address and try again." Nice and simple, and doesn't help at all.

Scytale2:
Glad I'm not the only one.

Spyke: I had not, but that was a good idea...and a site to bookmark for future use, I think.

---

And, just noticing that there's another update available, I updated and ran the test again; FG2 and both ports allowed by Windows Firewall; both ports being forwarded via my router. Still listed as 'stealthed'.

For the record, I'm still using the d20 ruleset, and probably will continue to, so the 4e set doesn't really matter either way for me.

Oberoten
October 24th, 2008, 22:43
> Griogre:
> Ah--I was assuming since it used the same ports, and data was going in both directions, setup would be similar. Regarding the signature of FG, I gave it a try (both temporarily, and deleting/re-adding), and the port scanner listed it as 'stealthed' both times. Same as when I set it up directly with the ports. And the same when I re-set up port forwarding on my router. When I killed windows firewall completely (my only fw program at the moment, other than the hardware one in the router), it was listed as 'closed'.

> zabulus:
> Yes, they did. Thought I mentioned that, sorry. The error they are getting is "Could not connect to the host. Check the address and try again." Nice and simple, and doesn't help at all.

> Scytale2:
> Glad I'm not the only one.

> Spyke: I had not, but that was a good idea...and a site to bookmark for future use, I think.

> ---

> And, just noticing that there's another update available, I updated and ran the test again; FG2 and both ports allowed by Windows Firewall; both ports being forwarded via my router. Still listed as 'stealthed'.

> For the record, I'm still using the d20 ruleset, and probably will continue to, so the 4e set doesn't really matter either way for me.

Stealthed implies a firewall. Probably in your router or antivirus program.

Spyke
October 24th, 2008, 22:45
> ... And, just noticing that there's another update available, I updated and ran the test again; FG2 and both ports allowed by Windows Firewall; both ports being forwarded via my router. Still listed as 'stealthed'. ...

Hmm.

When you shut down your Windows firewall you saw the port change from Stealthed to Closed. This suggests that no program had opened the port on your machine. Are you sure that you had Fantasy Grounds running a GM session when you tried this?

Note that it's not enough to just be in the Fantasy Grounds opening screen. You actually have to open a campaign as GM to open the port.

Possible behaviour suggested as follows:

Stealthed: Firewall is up. The port is not open or blocked by firewall. FG host is not running.
Closed: Firewall is down. The port is not open. FG host is not running.
Open: FG host is running, and either the firewall is down or allowing traffic.

Spyke

steev42
October 24th, 2008, 23:15
Yes, I was hosting a campaign, and letting it load up so I had the chat window, and could look at the combat tracker, and all that stuff. That's when I was getting the 'stealthed' results. The only 'closed' result I got was when I killed the windows firewall, and was running FG. On a lark, I just chose to 'Run as Administrator', and got similar results.

So yeah, the summary of what I *am* seeing is this:

Stealthed: Firewall on, regardless of manually opened ports.
Closed: Firewall off, FG running.
Open: Never

joshuha
October 24th, 2008, 23:32
How does your router work for port forwarding? Do you specify an internal IP on your network? Are you sure this hasn't changed (do an ipconfig from a command window)?

Does your router have a DMZ mode you can test with? This should expose all ports to that computer once placed in the DMZ.

Spyke
October 25th, 2008, 07:39
I've just checked this on my system, and if your port forwarding is not set up correctly you would get the behaviour that you're seeing.

I switched off both my windows and router firewalls, and with FG running, my port was Open.

I removed my port forwarding, and with FG still running the port was now Closed.

With the firewalls back on, the port was Stealthed.

So, as Joshuha just suggested, check your internal address by:

1. Open a command prompt window:

Start > Run > cmd > OK

2. Type ipconfig and press Enter.

Then go to your router and check that you are forwarding the port to this internal address.

Some routers (mine included) can still show an earlier address in the client list, if they're not set to release them after a certain period, and if you've recently changed to a static IP address on your local machine this new address may not show up in the client list (my Belkin, for example, only lists the machines that it has supplied IP addresses to).

What make and model of router do you have?

Spyke

scytale2
October 25th, 2008, 07:47
This is the stuff of nightmares - users should not have to do this. I managed to get one of my players to connect yesterday by removing ZoneAlarm, although Windows Firewall was still up (I think).

Re- the 4E issues, there are around 300 users (DMs) subscribed to the 4E group on FUM. Whilst not 50% of all licences, this is going to be a high proportion of current DMs, probably at least 50%, I would suggest, so a group to confer with when changing code (before the event).

Spyke
October 25th, 2008, 08:01
> This is the stuff of nightmares - users should not have to do this.

True, but this is nothing to do with Fantasy Grounds. The same issues exist for any server application on a network behind a router protected by a firewall.

The good news is that it generally works the same way for all of them, so once you get your head round it, it becomes less of a nightmare and more of an irritation.

What we need is a widespread adoption of protocols (on routers) that allow applications to identify and configure routers automatically.

Spyke

Sorontar
October 25th, 2008, 14:28
One thing - when you've gone through it once you've learned a little something and you can pass it on if needs be.

It's the price we pay for all these spangly things we have like wireless routers - when I was a lad I was lucky if my brother left some of the lump of coal for me to play with :D

steev42
October 27th, 2008, 20:36
> I've just checked this on my system, and if your port forwarding is not set up correctly you would get the behaviour that you're seeing.

> I switched off both my windows and router firewalls, and with FG running, my port was Open.

> I removed my port forwarding, and with FG still running the port was now Closed.

> With the firewalls back on, the port was Stealthed.

> So, as Joshuha just suggested, check your internal address by:

> 1. Open a command prompt window:

> Start > Run > cmd > OK

> 2. Type ipconfig and press Enter.

> Then go to your router and check that you are forwarding the port to this internal address.

> Some routers (mine included) can still show an earlier address in the client list, if they're not set to release them after a certain period, and if you've recently changed to a static IP address on your local machine this new address may not show up in the client list (my Belkin, for example, only lists the machines that it has supplied IP addresses to).

> What make and model of router do you have?

> Spyke


Yes, I had done that, multiple times.

I have attached to this post a screenshot that includes a running server, a FG server startup so that you can see the IP fantasy grounds expects (in lieu of doing another ipconfig), my router setup with the port forwarding shown, and the results of a port test at canyouseeme. I would have shown pcflank's test as well, but it was giving me a 'too many connections' error when I attempted to start the test. As the screenshot shows, the router is a Netgear WGR614 v6; it doesn't show that the firmware version is now V2.0.19_1.0.10NA.

If anyone notices errors on this, please help.

Thanks again.

Spyke
October 27th, 2008, 20:55
We can't open the screenshot yet - I think we have to wait now for approval.

Spyke

steev42
October 27th, 2008, 21:08
Yeah, it's listed as 'pending approval' at the moment. I probably have too few posts or something.

steev42
October 28th, 2008, 22:50
Screenshot looks like it was approved. So, bumping the thread in hopes of getting some help...

Spyke
October 28th, 2008, 23:37
Well, the port forwarding looks good to me too...

What's the complete setup? I guess we need every detail.

Is it just Netgear WGR614 wireless router and PC with a WiFi card? Also, your Netgear is presumably plugged into a separate cable or ADSL modem (which might have its own firewall also requiring port forwarding), what make is that?

Flicking through the WGR614 manual I note that it mentions that UPnP is disabled by default. You might need to enable this (see p6-18) if it's currently off.

Spyke

steev42
October 29th, 2008, 22:45
The computer is a Gateway FX with Vista 64 Home Premium. (Yes, I've tried running as administrator.)

UPnP is enabled.

The Cable Modem is a Motorola Surfboard SB4200.

I'd also like to remind you that it was working fine before the most recent update chain...2.2.0 was working fine.

Sorontar
October 29th, 2008, 23:14
> The computer is a Gateway FX with Vista 64 Home Premium. (Yes, I've tried running as administrator.)

> UPnP is enabled.

> The Cable Modem is a Motorola Surfboard SB4200.

> I'd also like to remind you that it was working fine before the most recent update chain...2.2.0 was working fine.

Have you contacted your ISP also to check if they have changed anything at their end?

Spyke
October 29th, 2008, 23:36
> The Cable Modem is a Motorola Surfboard SB4200.

OK, no firewall in that, so I think we can rule it out.

> I'd also like to remind you that it was working fine before the most recent update chain...2.2.0 was working fine.

True, but 2.2.x is connecting fine for other people, which suggests that the problem is a recent change in your configuration.

Try opening a command window and typing:

netstat -a

This will list the ports open on your local machine. Then start FG and go into a campaign. Run netstat again and you should see that your machine is now listening on port 1802:

If it's not, there's a problem with FG.

If it is, then the issue is probably with your port forwarding, which has me stumped because it looks OK, or as Sorontar says, your ISP could now be blocking port 1802 through their router.

Hope this helps,
Spyke
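
Added example, not part of any post in this thread: a Python sketch of the two checks Spyke describes, the local "is anything listening on 1802" test (the netstat step) and the meaning of the scanner's Open / Closed / Stealthed results at the TCP level. The function names are hypothetical, and the loopback probe assumes the host program listens on all local interfaces; the external state has to come from a scanner outside your LAN.

```python
import socket

FG_PORT = 1802  # default Fantasy Grounds host port named in the thread


def probe_tcp(host, port, timeout=3.0):
    """Make one TCP connect attempt and name the result the way the scanner does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "Open"         # handshake completed: a program is listening
    except ConnectionRefusedError:
        return "Closed"           # target answered with a reset: nothing listening
    except socket.timeout:
        return "Stealthed"        # no answer at all: packets silently dropped
    except OSError:
        return "Unreachable"      # no route, network down, and similar errors


def diagnose(local_state, external_state):
    """Combine the local listener check with the result seen from outside.

    local_state: probe_tcp("127.0.0.1", port) on the hosting machine.
    external_state: what an outside scanner reports for your public IP.
    The conclusions follow the behaviour reported in the thread.
    """
    if local_state != "Open":
        return "no listener: open a campaign as GM, the opening screen is not enough"
    if external_state == "Open":
        return "reachable: players should be able to connect"
    if external_state == "Closed":
        return "reaching a device that refuses: check the port-forward target IP"
    if external_state == "Stealthed":
        return "dropped in transit: check software firewall, router firewall, then ISP"
    return "unknown external state"


if __name__ == "__main__":
    local = probe_tcp("127.0.0.1", FG_PORT)
    reported = "Stealthed"  # constructed sample value, as if read off the scanner page
    print("local:", local, "| external:", reported)
    print(diagnose(local, reported))
```
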

steev42
October 30th, 2008, 04:32
> OK, no firewall in that, so I think we can rule it out.

> True, but 2.2.x is connecting fine for other people, which suggests that the problem is a recent change in your configuration.

> Try opening a command window and typing:

> netstat -a

> This will list the ports open on your local machine. Then start FG and go into a campaign. Run netstat again and you should see that your machine is now listening on port 1802:

> If it's not, there's a problem with FG.

> If it is, then the issue is probably with your port forwarding, which has me stumped because it looks OK, or as Sorontar says, your ISP could now be blocking port 1802 through their router.

> Hope this helps,
> Spyke

Ok. Netstat does indeed show that I'm listening on 1802.

Comcast IP support was expectedly useless, and tried to tell me that port 587 was open for email usage. An hour of pounding my head against a wall with a customer support person to no avail.

Anyone have any last resort ideas?

Oberoten
October 30th, 2008, 09:07
You might need to run a VPN solution instead like hamichi (spelling anyone?) which has been a successful solution for some.

I am afraid I know next to nothing about the program though so leave the setup questions to wiser people.

Spyke
October 30th, 2008, 09:48
You can set up Fantasy Grounds to use a different port. For example to get it to use port 587 you can use the command:


fantasygrounds -p587

You can update your Windows shortcut by adding the -p<portnumber> to the end of the Target line in the Shortcut section of the Properties tab, e.g.:

"C:\Program Files\Fantasy Grounds II\FantasyGrounds.exe" -p587

You'll need to set up port forwarding, of course, for the new port, and a rule to open it in your firewall.

Spyke

Spyke
October 30th, 2008, 10:17
One thing that bothers me about the idea that it's a change at the ISP is that earlier we saw that when you dropped your firewall PCFlank saw the port status change from Stealthed to Closed.

It seems to me that this means that port 1802 is getting passed through your ISP's router/firewall, otherwise the port would be constantly either Closed or Stealthed. Can someone who understands these things better than me confirm that?

What could we do to check this? Can we use tracert or somesuch to track down the point at which the connection is blocked?

Steev42, what logs are available on your router and firewall? Is there any indication where things are getting blocked in those?

Spyke

steev42
October 30th, 2008, 23:10
Evidently, logs get reset after applying changes on my router, so I have nothing there at the moment.

I got some semblance of workability today--I took the router out of the equation, and attached myself directly to the modem. This actually seemed to work...so it's definitely something in the router.

I have disabled the Router's SPI Firewall...and at last check, this has allowed port traffic. Not something I really want to keep disabled if I can help it, but I guess the Windows Firewall would perform a similar function.

But if I can enable that again, and get it working, that would be awesome.

And thanks again for all the help everyone. And good to know that I can force a port for the program...I was actually unaware of that option.

Spyke
October 30th, 2008, 23:39
> ... I got some semblance of workability today--I took the router out of the equation, and attached myself directly to the modem. This actually seemed to work...so it's definitely something in the router.

Now, why didn't I think of suggesting that! :o

I'm glad you've at least got it working and have narrowed down the problem.

Spyke

Sorontar
October 31st, 2008, 01:13
https://forum1.netgear.com/showthread.php?t=6662

Seems a lot of people are disabling SPI in that Netgear because it's a pain in the arse.

DNH
November 4th, 2008, 10:30
> 1) The update may have changed the signature of the FG to your security programs. Re-allow FG in your firewall and see if that does it.

Griogre is going on my Christmas card list! Started my Mystara4e campaign last night only to have connection problems seemingly identical to last time (see here (https://www.fantasygrounds.com/forums/showpost.php?p=52630&postcount=14)). Back then, the only solution I could find, and this after trying EVERYTHING, was to flatten my PC and reinstall the whole kit and caboodle. That worked. And that is what I was looking at last night.

But then I found Griogre's post here. "Hmm," thought I. "I *have* just updated FG2. Maybe that's it."

So into my router config page I went, removed the FG2 app from port forwarding, created it once more, applied it ... and hey presto, job's a good'un, Bob's your auntie's live-in lover and it's all good once more. Thanks Griogre.

Griogre
November 4th, 2008, 18:32
You're welcome DNH, glad that worked for you. :)