Jump to content
Dante Unbound: Known Issues ×
Dante Unbound: Share Bug Reports and Feedback Here! ×

Strict Nat

[DE]Glen

By [DE]Glen,
in Multiplayer

 Share

Recommended Posts

[DE]Glen

[DE]Glen

Posted
Posted

If the Warframe network analysis tool detected a problem with your network this could be the root cause of contact list, matchmaking and even voice-communication issues. Since Warframe is much more fun with friends we want to help you sort out your network troubles and get you back in the game!

Almost all home internet routers use NAT to allow you to share your internet connection with multiple devices on your home network. For security reasons routers may opt to enforce a more careful packet forwarding policy that may interfere with your game. If you are behind a Strict NAT you will have problems connecting to other players and likely appear offline to your friends.

Routers can be configured with NAT rules to direct traffic to specific hosts automatically using the Universal Plug and Play protocol (UPnP). UPnP is more convenient and secure than manually forwarding ports and also will allow you to run more than one copy of Warframe on your home network.

UPnP may not be working for one of several reasons:

1. UPnP is disabled in Warframe – the option to re-enable UPnP is in the Settings menu; re-enable it and restart Warframe.
2. UPnP was not detected – the service may be disabled on your router; enable it according to the manufacturer’s instructions.
3. UPnP is malfunctioning – if you have more than one person on your LAN try changing them to use different network ports (in the in-game settings).

Another possible source of problem is old router firmware; please check for updates according to the manufacturer’s instructions. There is also a component to UPnP that runs as part of the Windows operating system itself; you should also check for Windows Updates.

After upgrading router firmware or enabling features on the router you may need to reboot windows. After rebooting, test your network again from Warframe to see if you have solved the Strict NAT problem with UPnP.

If your router does not support UPnP you should be able to forward the UDP ports manually on your router.

Please note that if you are forwarding the ports manually you should disable UPnP first to avoid it interfering (you can disable it on your router or in the Warframe settings).

Warframe normally uses UDP ports 4950 and 4955. Your router needs to let traffic on those ports through to your PC. For your convenience these ports and your local IP address are shown in the network analysis dialog.

The instructions for forwarding ports on your router vary by manufacturer and model; please consult your router’s documentation for details on how to forward these ports to your PC.

Link to comment
Share on other sites
[DE]Glen

[DE]Glen

Posted
  • Author
Posted

I have no idea how to manually forward my ports

The instructions for forwarding ports on your router vary by manufacturer and model; please consult your router’s documentation for details on how to forward these ports to your PC.

You might not even need to forward your ports -- did you read through the first post and try anything listed there?

  • Like 1
Link to comment
Share on other sites
[DE]Glen

[DE]Glen

Posted
  • Author
Posted

My router is admittedly a piece of garbage that apparently doesn't actually allow for port forwarding (The option kinda-sorta exists but does nothing) but even when I put myself in a DMZ (!) the game still asks me to forward the 39xx ports.

http://i.imgur.com/3eSx6jV.jpg

http://i.imgur.com/KvbbsVs.jpg

I think you might need two separate rules; one for 3960 and one for 3962 (it looks like your rule is triggered off of just one port and is trying to map both).

Link to comment
Share on other sites
[DE]Glen

[DE]Glen

Posted
  • Author
Posted

I don't see anything wrong with that rule except you might want to try triggering it off of UDP 3962 or 3960 -- right now it's not clear to me which port you should trigger off of -- I've changed it for Update 7 to send from 3960 to 3960 *first* (right now it does 3962 -> 3960, then 3960 -> 3960 which might confuse port triggers).

Link to comment
Share on other sites
polarity

polarity

Posted
Posted (edited)
UPnP is more convenient and secure than manually forwarding ports and also will allow you to run more than one copy of Warframe on your home network.

Sorry, but UPnP is anything but secure compared to port forwarding. Even if you don't fully understand how either of them work, a quick google for 'upnp security' will give you plenty of hits saying that having UPnP enabled on your router is a major security risk.

In January of this year, at the end of a long research program by an internet security firm, it was disclosed that around 40-50 million devices on the internet are at risk of being compromised due to flaws in the way that UPnP has been implemented on them. This is so severe that the US Department of Homeland Security is now recommending that UPnP be disabled wherever possible.

There are no shortcuts when it comes to security, so you have to choose either security or convenience. Choose to use UPnP and put yourself at risk, or turn it off and learn how port forwarding works.

Also you can run multiple copies of Warframe on one network, you just need to change the settings in each game client to use different pairs of ports, and port forward them in addition to the default pair.

Edited by polarity
  • Like 1
Link to comment
Share on other sites
LordAsmolicious

LordAsmolicious

Posted
Posted

Im having problems with the connection again. DEWill helped me alot with the first problems. Now. i have two sets of ports forwarded (the basic WF ports cant be forwarded for some reason my router Does Not allow it. ) UPNP is enabled. the ports i assigned the game to use are forwarded yet, i still cant connect to my friends. the problem started apearing the last couple of days.

Link to comment
Share on other sites
polarity

polarity

Posted
Posted

I think there must be something up with the game itself, as I've confirmed that port forwarding is working fine on my router, by using it to forward ports 80 and 443 to an Apache webserver running on the same computer as Warframe. I then used dial-up from my laptop to access this server via the internet.

I also used a packet sniffer to check for packets going out and responses returning on the forwarded ports. When I click the analyze network button, I see 2 packets go out from my computer from port 3962 to port 3960 on two different servers, and then each server sends a packet in response, which comes from 3960 to my port 3962.

Is that what's supposed to be happening?

Link to comment
Share on other sites
[DE]Glen

[DE]Glen

Posted
  • Author
Posted

I also used a packet sniffer to check for packets going out and responses returning on the forwarded ports. When I click the analyze network button, I see 2 packets go out from my computer from port 3962 to port 3960 on two different servers, and then each server sends a packet in response, which comes from 3960 to my port 3962.

In those reply packets the server tells the game what *external* ports were used (ie: what your router mapped the outgoing data to be from).

We can't assume we can send to 3962 on your router (because it might have mapped your data out some other port if 3962 was already used) so we look at where the packet came from and use that for the reply-to-address.

If the test packets went *out* different ports it's called Strict NAT because it means each remote peer must reply to a different address.

The problem is that if server A thinks it has to talk to you your router on port 1234 to reach you and server B thinks it has to use port 5678 we have no idea what to tell another player to use when they need to send you packets.

Link to comment
Share on other sites
polarity

polarity

Posted
Posted (edited)

I've solved the strict NAT problem on my router, and don't get error messages any more about that.

I've confirmed that it's forwarding ports, and have a packet coming through from the server to the computer running the game, but the game is still throwing up a "Please ensure that your firewall permits UDP ports 3960 & 3962" error, as if the game is completely ignoring what's being sent, which is this (my IP and MAC removed):


0000 -- -- -- -- -- -- 00 0d b9 23 03 92 08 00 45 20 ........ .#....E
0010 00 3e 00 00 00 00 30 11 12 a6 40 8c 74 e4 -- -- .>....0. ..@.t...
0020 -- -- 0f 78 0f 7a 00 2a 6f ae 00 33 86 6d d2 e8 ...x.z.* o..3.m..
0030 65 67 45 00 00 00 80 13 00 9c 0e 00 00 00 38 31 egE..... ......81
0040 2e 32 2e 38 32 2e 36 3a 33 39 36 32			 .2.82.6: 3962

I'm running tcpdump on the router, and there are no other packets arriving at either port 3960 or 3962 on it while 'Analyze network' is running.

[edit] After logging in this morning and having the strict NAT error message back for a few minutes, the problem eventually just vanished, and my network is working fine now including port forwarding. I don't know if it was changes made your end or just a poor connection to the server (I've had that happen before playing Misery battlegroup in WoW, as the Telia Sonera routers in Sweden would regularly drop or corrupt packets). The first few games I played were very laggy, but everything's cleared up now.

Edited by polarity
Link to comment
Share on other sites
RainbowFlash

RainbowFlash

Posted
Posted

I have to jump the wagon here I'm afraid, I've tried all the suggestions and I still get the strict NAT message. Additionally, I tried to run Warframe in a frieds flat, who has different ISP and router brand (with UPnP enabled) and got the very same message, just with different IP (naturally).

Link to comment
Share on other sites
polarity

polarity

Posted
Posted (edited)

In those reply packets the server tells the game what *external* ports were used (ie: what your router mapped the outgoing data to be from).

We can't assume we can send to 3962 on your router (because it might have mapped your data out some other port if 3962 was already used) so we look at where the packet came from and use that for the reply-to-address.

If the test packets went *out* different ports it's called Strict NAT because it means each remote peer must reply to a different address.

The problem is that if server A thinks it has to talk to you your router on port 1234 to reach you and server B thinks it has to use port 5678 we have no idea what to tell another player to use when they need to send you packets.

You tell the player to connect to port 3962, because that is the port that I have manually forwarded. Your servers and only those servers can send data to my computer on the ports assigned to them, because of stateful packet filtering. It will block incoming connections from any other computer, including the other server, so there is no point in giving those port numbers to anyone.

And if I was using UPnP/IGD, and strict NAT prevented it from forwarding port 3962 on my router, so it had to pick something else, then the IGD protocol allows for reporting back to the application that made the request, what port had to be forwarded instead. That way the application can tell your servers what port number to give to clients instead of 3962.

You shouldn't be testing for strict NAT, because it's not something most people can fix, short of getting different, less secure hardware (I'm lucky. I built my own router that runs OpenBSD, so I can decide what kind of NAT is used for any connection). The port that data is coming from is completely irrelevant, and has no effect on whether or not someone can be part of a peer to peer network. You should only be testing for working port forwarding, because that is what the whole system relies on.

In addition to that, you're telling people to forward ports, but have failed to mention anything about DHCP / 'Obtain an IP address automatically'. Port forwarding is going to fail unless the IP address that it is to is static. If the router assigns the player's PC a different IP address next time they turn on their computer, then they're going to have the same problem all over again, unless they change the port forwarding to the new IP.

Edited by polarity
Link to comment
Share on other sites
Triburos

Triburos

Posted
Posted (edited)

Yeah, this type of system for online games always baffled my mind why it existed. I'm no expert or anything but it does seem odd how so many other MMOs are just.. Sign in and play, when there's a select few out there who have you dig inside your router and firewalls just to play the game properly :P. Like- couldn't you have picked another method?

I still have this problem and I'm completely lost as to what I should do. I've forwarded my ports, my firewalls are not blocking the ports nor the program. I have tried disabling and re-enabling UPnP both through the game and my router's settings and playing the game while it's off or on, forwarding the ports on multipler browsers, a tool confirms that the ports are indeed forwarded to the right I.P, my router's firmware is up to date, and it's ability to port forward is not malfuctioning in any way.

It makes me wonder; are we really messing up the instructions, or is the game the one that's messed up?

Edited by Triburos
  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...