
Pls help dedicated server ip/port + firewall advanced question


Ysaric


I am having a lot of trouble getting my server behind a firewall to be seen both by myself (also behind the firewall, on a different subnet) and by others over the internet who try to connect to my IP.


I am running a Smoothwall firewall+router as Red + Green + Orange. Red is the external interface, Green is my workstation (192.168.1.2) and Orange is my server (192.168.2.2).


When I put my server on my subnet as 1.5, I can connect as a Local game. But when I put it back to 2.2 I get nothing.


For the Smoothwall settings, I have port forwarding of all 28070 TCP and UDP traffic to 192.168.2.2. For my external access I have opened 28070 for TCP and UDP. For my DMZ pinholes (between green and orange) I have opened 28070 with source 1.2 and destination 2.2 for TCP and UDP.


My server config is worse than basic, it is basically as stripped down as they come. The only thing I know is that it looks like it is running properly, and as I said if I move the server to 1.5 I can connect as a local game over the same subnet from 1.2 to 1.5.


Command line is +set dedicated 2 +exec server.cfg


I have tried setting the net_ip and net_port variables to my external IP of 12.247.154.193 but no luck. My firewall log isn't being too helpful, with a bunch of traffic between my server and workstation: ICMP packets on port 3 and UDP packets originating from 2.2 on 1139 and heading for 1.2 on 1900, but I don't know if that is JKII traffic or something else.


I spent about an hour on the phone with a guy I know who knows Smoothwall and who also does game hosting, and we ran into a dead end. Any help someone might be able to provide here would be welcome, or you can also send it via email at jmchie@attbi.com or to any of my IM accounts that are in my profile.


*Any* knowledgeable help would be greatly appreciated. Thanks in advance for any info provided.


Jim


This may be oversimplifying, but how many machines do you have on your subnet? Why don't you just use 192.168.1.0 as your network IP, then let the server be 1.5 and the workstation 1.2, and have the Smoothwall forward 28070 to 1.5? Then you connect via 192.168.1.5 (a local game) and everyone external sees it as an Internet server.


It's not an oversimplification at all, it's just that I can get better security by placing the server on a different subnet under Smoothwall. Coming out of my Smoothwall firewall + router I use 2 ethernet cards going into two switches, one for each subnet. By keeping more ports on my workstation subnet closed and by proper and watchful use of external port access, port forwarding and DMZ pinholes, I am increasing security for my main rig while, supposedly, allowing me equal flexibility for my server.


Why JKII is being fussy I don't know. I have a rather unhopeful e-mail in to LucasArts. I believe it must be a port issue, and more people than me and my Smoothwall are running into it, as indicated by the other thread on firewalls, routers and JKII that you posted in.


Maybe it will help to make sure some assumptions are safe. OK, so with the server set up as 2.2, and the ws as 1.5, from the ws, I assume:


The default gateway on the ws is 192.168.1.1 (one of the ethernet cards on the firewall)?

The default gateway on the server is 192.168.2.1 (the other ethernet card on the fw)?

You can ping the server and vice versa?

With the server running as 2.2, external people can see and join your server?


Again, remember that my mind is overly simple. ;)


Simple is often the best troubleshooter.


Your gateway assumptions are correct, 1.1 and 2.1.


I can ping both ways. I have an FTP server on 2.2 that is accessible both from 1.2 and externally on port 21.


With the JKII dedicated server, I cannot join a 2.2 server from 1.2, and it cannot be seen from the outside by someone inputting my IP on the default port.


These symptoms seem to indicate to me that the JKII client or server is trying to communicate using ports that are not open or configured correctly. Based on another forum thread I have even enabled UDP and TCP traffic from 1.2 to 2.2 on 28060, 28061 and 28062, opened external access on those ports and also set up port forwarding of those ports to 2.2 (in addition to the rules stated above for 28070).


Nada.


For what it's worth, I'm using a Linksys BEFR11 router and only have UDP port 28070 forwarded to my server. (I cannot seem to find what the 28060-62 ports are used for, but I don't have them open and my server works fine internally and externally.)


If you have UDP port 28070 forwarded to 2.2 in the same way that you have TCP port 21 forwarded to 2.2, I don't understand why your game can't be connected to via IP. Is there any difference, other than protocol, in the way those two ports are forwarded?


My config is posted in at least a couple of other threads if you want to look at that.


The 2806* ports are used by the JK2 server to communicate with the master servers. I don't know if these are destination or source ports or both. The 28070 is a source port. The destination port for the client can be anything above 1024, obviously. I'll assume this is a stateful firewall since most stateless firewalls are (last time I checked) not in most consumers' price range (unless it's a Linux box w/ IPTables).


So, the way I see it:

Green:

Outgoing, destination 28070: allowed
Incoming, source 28070: allowed

Orange:

Outgoing, source 28070 and 2806*: allowed
Incoming, destination 28070 and 2806*: allowed
Incoming, source 2806*: allowed

Then do the port forwarding.


Then again, you're using NAT on Orange. It'd be a lot easier and almost as safe to secure the Linux box and put it on an outside IP, or in a DMZ, and drop the firewalling from that port.


I mean, if you're worried about DoS attacks you're pretty much screwed anyway unless you can get a filter on the ISP side, and unless there is really something important on that Linux box that you want to be 99.9% sure can't be hacked, putting it behind a firewall and NAT is not necessary. What's the worst that could happen? Someone hacks it and you have to reinstall RH and JK2?

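The post above turns on whether the filter is stateful, and on which side of a packet 28070 sits. As an added illustration (my own code, not from the thread or from Smoothwall), here is a minimal permit-rule evaluator in both modes, run over a constructed two-packet exchange between the workstation and the server from this thread. The pinhole rule is the one the original poster described (source 1.2, destination 2.2, port 28070); the client's ephemeral source port 33421 and the rule/packet representation are assumptions. It shows why that single rule is enough on a stateful filter but, on a stateless one, drops the server's reply until the "incoming, source 28070" rule from the post is added.

```python
"""Stateless vs. stateful evaluation of a UDP pinhole, as an added example for the
thread above (not part of it). A 'stateful' filter remembers flows it has permitted and
lets their replies through; a 'stateless' one judges every packet against the rules alone."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def flow(self) -> Tuple:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self) -> Tuple:
        """The 5-tuple a reply to this packet would carry."""
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    """A permit rule; None in a field means 'any'."""
    proto: str
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src_ip in (None, p.src_ip)
                and self.src_port in (None, p.src_port)
                and self.dst_ip in (None, p.dst_ip)
                and self.dst_port in (None, p.dst_port))


def evaluate(rules: List[Rule], packets: List[Packet], stateful: bool) -> List[bool]:
    """One verdict per packet, in order. Stateless: a packet passes only if some rule
    matches it on its own. Stateful: a packet belonging to an already-permitted flow
    (in either direction) passes without consulting the rules, so a single
    'to server port 28070' rule also covers the server's replies."""
    conntrack: Set[Tuple] = set()
    verdicts = []
    for p in packets:
        if stateful and (p.flow() in conntrack or p.reverse_flow() in conntrack):
            verdicts.append(True)
            continue
        if any(r.matches(p) for r in rules):
            if stateful:
                conntrack.add(p.flow())
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts


# Constructed traffic modelled on the thread: workstation 192.168.1.2 (Green) talks to
# the JK2 server 192.168.2.2 (Orange) on udp/28070. The client source port 33421 is an
# arbitrary ephemeral port chosen for this example.
CLIENT, SERVER, JK2_PORT, EPHEMERAL = "192.168.1.2", "192.168.2.2", 28070, 33421
GAME_EXCHANGE = [
    Packet("udp", CLIENT, EPHEMERAL, SERVER, JK2_PORT),  # client -> server
    Packet("udp", SERVER, JK2_PORT, CLIENT, EPHEMERAL),  # server's reply
]
# The DMZ pinhole as the original poster described it: from 1.2 to 2.2, port 28070.
PINHOLE_RULES = [Rule("udp", src_ip=CLIENT, dst_ip=SERVER, dst_port=JK2_PORT)]
# The extra rule the post's "Incoming, source 28070: allowed" line calls for on Green.
REPLY_RULE = Rule("udp", src_ip=SERVER, src_port=JK2_PORT, dst_ip=CLIENT)

if __name__ == "__main__":
    print("stateless, pinhole only:", evaluate(PINHOLE_RULES, GAME_EXCHANGE, stateful=False))
    print("stateful,  pinhole only:", evaluate(PINHOLE_RULES, GAME_EXCHANGE, stateful=True))
    print("stateless, + reply rule:",
          evaluate(PINHOLE_RULES + [REPLY_RULE], GAME_EXCHANGE, stateful=False))
```

The model deliberately ignores TCP flags and timeouts; its only purpose is to make visible that, on a filter without connection tracking, the reply is a separate packet whose source port is 28070 and whose destination port is whatever ephemeral port the client picked, so a rule keyed only on destination port 28070 never matches it.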

This may be a limitation in ipchains and not in any of your port forwarding. ipchains has a hard time dealing with game ports properly. iptables and the 2.4.x kernels play much nicer with the higher ports, but unfortunately Smoothwall is still building their firewall system off the 2.2.x kernels.

