Fort Powarding: A Port Forwarding Issue Saga.

[PantsORama]

Hi all.

I have reached the limits of what I can troubleshoot, and I don't know enough to go forward. So here is my info as I have it set up so far:

1. Your LAN IP Address
2. The first two sets (octects) of your WAN IP as displayed by Fantasy Grounds and as displayed by your Router
3. Whether you are using Wired or Wireless (and not both)
4. Confirmation that you have set your Adapter in Network and Sharing Centre to Private
5. Confirmation of what AV you are running and whether you have set any exceptions
6. Post the results of the tracert 8.8.8.8 command (if you have security concerns you can remove this bit once its been responded to)
7. Confirmation as to what you have setup in your Router if changes have been made

1. I assume you mean for the FG Server, yes? If so it is 169.254.206.254
2. External IP is 18.205.142.171
3. Wired connection
4. Yes, It is so. I can provide screenshots if needed.
5. Avast Free AV & windows security - no exceptions; NOTE: Same results when I uninstalled Avast
6. Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.23.1
2 40 ms 35 ms 30 ms 10.8.0.1
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 30 ms 35 ms 40 ms 100.65.14.65
9 34 ms 34 ms 30 ms 52.93.29.15
10 * * * Request timed out.
11 * * * Request timed out.
12 55 ms 45 ms 51 ms 52.93.114.80
13 33 ms 35 ms 31 ms 52.93.27.138
14 34 ms 36 ms 32 ms 52.95.219.139
15 39 ms 56 ms 32 ms 108.170.246.65
16 35 ms 33 ms 35 ms 216.239.49.169
17 33 ms 33 ms 29 ms dns.google [8.8.8.8]

Trace complete.

7. ROQUOS router using a built in VPN:

Forwarding Rule:
Source IP (Any)
Destination IP 169.254.206.254
External port 1802 - 1802
Internal Port 1802 - 1802
Protocol TCP & UDP
Include in VPN out connection: Yes

Any Ideas?

[Trenloe]

1. I assume you mean for the FG Server, yes? If so it is 169.254.206.254

That's not a full IP address: https://www.webopedia.com/TERM/A/APIPA.html

Are you running any virtual machines or VPNs on your computer?

EDIT: Based off question 7, I see you have a built in VPN on your router. See my questions below.

6. Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.23.1
2 40 ms 35 ms 30 ms 10.8.0.1

10.8.0.1 is a private IP address. Do you have any other network devices on your network - e.g. do you have a wireless router and then an internet router/modem? If not, then this second step could be a shared IP address with other users of your Internet Provider.

The first step (192.168.23.1) is probably a local router - but this is not on the same subnet as your 169.254 IP address - so it looks like your Internet access is going a different route than your VPN. Does your computer also have an IP address in the range 192.168.23.xx?

7. ROQUOS router using a built in VPN:

Forwarding Rule:
Source IP (Any)
Destination IP 169.254.206.254
External port 1802 - 1802
Internal Port 1802 - 1802
Protocol TCP & UDP
Include in VPN out connection: Yes

OK, this explains why you've got the 169.254 IP address.

Can you describe more about this setup? Do you use the VPN all the time? What is it's purpose? Who is your VPN provider and can they do port forwarding?

[damned]

Your external IP address is an Amazon ECS IP address.... so you are doing something funky there...
You will need to make sure that the Amazon setup is accepting TCP 1802 traffic and passing it to your VPN endpoint

[PantsORama]

That's not a full IP address: https://www.webopedia.com/TERM/A/APIPA.html

Are you running any virtual machines or VPNs on your computer?

EDIT: Based off question 7, I see you have a built in VPN on your router. See my questions below.


10.8.0.1 is a private IP address. Do you have any other network devices on your network - e.g. do you have a wireless router and then an internet router/modem? If not, then this second step could be a shared IP address with other users of your Internet Provider.

The first step (192.168.23.1) is probably a local router - but this is not on the same subnet as your 169.254 IP address - so it looks like your Internet access is going a different route than your VPN. Does your computer also have an IP address in the range 192.168.23.xx?


OK, this explains why you've got the 169.254 IP address.

Can you describe more about this setup? Do you use the VPN all the time? What is it's purpose? Who is your VPN provider and can they do port forwarding?

I do have a cable modem on my network. It is technically not my box, and I am not sure that I can even get onto it. My computer and router both (really all devices) have the subnet mask of 192.168.23.xx?

I am not currently running any virtual machines (I haven't for about 3 years). I do use the VPN all the time. I use it for privacy reasons. I have used an external VPN as before, but I didn't renew it once I got the router. The VPN provider is the company that makes the router - ROQUOS. They can do port forwarding. I outlined the setup I used in step 7 above.

Anyway, I don't think this is the issue, since I turned it off. I got a new ip, but it still doesn't work. This leads me to believe this is related to the cabler modem hop, right?

Your external IP address is an Amazon ECS IP address.... so you are doing something funky there...
You will need to make sure that the Amazon setup is accepting TCP 1802 traffic and passing it to your VPN endpoint

That explains so much. Thanks. I think the VPN uses Amazon web services. I keep running into sites that block me saying they don't accept traffic from amazon. Anyway, I may have to do this, but as I outlined above, even turning off the VPN does no fix my issue with FG - but I can now browse the acaneaum, RPG.net, BGG, etc.

[LordEntrails]

Anyway, I don't think this is the issue, since I turned it off. I got a new ip, but it still doesn't work. This leads me to believe this is related to the cabler modem hop, right?

Yep. See if you can find the default username and password online and get access to it. Otherwise you will have to ask your ISP. Tell them you do peer to peer gaming that requires port forwarding and see if they will/can help.

[Trenloe]

Thanks for the clarification @PantsORama.

You have two options:

1) Try to get FG working with your VPN.
2) Try to get FG working without your VPN.

For #1 - your VPN provider will also need to allow port forwarding on their end - i.e. when your VPN tunnel exits out to the Internet. You may want to check with them to see if they do that - or if they are forwarding all traffic to you and your router does the filtering. Forwarding all traffic to you would mean that your VPN provider is essentially giving you your own public IP address, which is rare for VPN providers, unless your VPN plan gives you that. This has nothing to do with your ISP, the VPN provider is doing all the routing and assignment of IP addresses for the VPN tunnel to/from the Internet.

You could test the VPN. With your VPN connected, start up FG, go the the load campaign page and make sure that the local address is your 169.254 address, then load a campaign - leave FG running with the campaign loaded as it needs to be listening for connections. Then go to https://canyouseeme.org/ enter 1802 in the "Port to check" field and click "Check port" - see what it reports. If it fails, then I'd recommend getting in touch with your VPN provider and ask them what LordEntrails mentioned above about port forwarding for peer to peer gaming.

For #2, you'll need access to your modem and port forward TCP port 1802 to the IP address of your router. Then you will need to port forward TCP port 1802 on your router to your computer. These will all be IP addresses that aren't 169.254 - the last (router to PC) will be 192.168.23.xx whereas the IP address of your router when connected to the modem will be something different - you'll need to look for that in either your modem or router setup screens.

[PantsORama]

Yep. See if you can find the default username and password online and get access to it. Otherwise you will have to ask your ISP. Tell them you do peer to peer gaming that requires port forwarding and see if they will/can help.

OK. Well at this point I may as well go back to using a second VPN. I can limit the second VPN to just the computer(s) I use for FG. Will PureVPN work in my situation? I'm getting the dedicated IP, but do I need the port forwarding option as well?

For #2, you'll need access to your modem and port forward TCP port 1802 to the IP address of your router. Then you will need to port forward TCP port 1802 on your router to your computer. These will all be IP addresses that aren't 169.254 - the last (router to PC) will be 192.168.23.xx whereas the IP address of your router when connected to the modem will be something different - you'll need to look for that in either your modem or router setup screens.

If PureVPN won't work, I will try option 2, I guess. Turning off the VPN for one or two computers for the duration of a session is easy enough. If I go with Port Forwarding for the VPN, then that affects all my devices. As such is a little to blunt a solution, if I can help avoid it.

[Trenloe]

If I go with Port Forwarding for the VPN, then that affects all my devices. As such is a little to blunt a solution, if I can help avoid it.

Port forwarding only affects the one computer that the port forwarding is set up for. It's actually the opposite of a blunt solution as it is designed to filter specific traffic to an individual computer. Whether you have a VPN or not, port forwarding is needed and only affects the single device it's setup for - the other computers on the network aren't affected at all.

[Trenloe]

Will PureVPN work in my situation? I'm getting the dedicated IP, but do I need the port forwarding option as well?

PureVPN should work, and you just need the dedicated IP address option.

But I'd recommend you investigate getting your own VPN solution to work first.

[PantsORama]

So I contacted them, and the answer was "As long as you setup port forwarding under advanced settings on your Roqos router, there should not be anything needed on our end."

It sure would be nice if the connection test gave an error message of any substance. I hate black box debugging.