Port Forwarding issues
I can access the server locally but not publicly (outside my local network) even though the port is forwarded. I tried from my phone hotspot so I don't think it's interference with the local network.
Thanks for asking your question!
Make sure to provide as much helpful information as possible such as logs/what you tried and what your exact issue is
Make sure to mark solved when issue is solved!!!
/close
!close
!solved
!answered
Requested by thegoatler#0
Show the rule
local server, firewall and ports is all you need really. Something went wrong along that path. Check both those and all devices that have this.
You forwarded both TCP and UDP?
Also the server has firewall opened?
I have something similar, I have getsockopt error and I'm unsure why, maybe router is blocking, maybe ISP's router is in the way
You only need TCP for Java, or UDP for bedrock. The only case you would need both is Java + Geyser (for bedrock)
Being able to access the server locally means the local firewall is set up right
Can you share what your port forwarding rules look like?
And also check if you're behind CGNAT?
!cgnat
We may have bad news for you :C
You may be under a CGNAT, which is a method that ISPs use to conserve IPv4 IPs due to how limited they are now. What this means in plain terms is that your IP address is being shared with other people as your router goes to the ISP's router; by default this means port forwarding doesn't work.
We need to check if you are under a CGNAT and we got 2 options.
Option 1: commands
Depending on your OS, run the following command:
- Windows: iex (Invoke-RestMethod -Uri "https://raw.githubusercontent.com/DominicTWHV/Is-It-CGNAT/refs/heads/main/windows.ps1")
- Linux: curl -s https://raw.githubusercontent.com/DominicTWHV/Is-It-CGNAT/refs/heads/main/linux.sh | bash
-# You should never run such things without reviewing and understanding the code
Option 2: manually
Open your router's configuration interface. Somewhere, you'll see something like 'external' or 'public' IP.
If your external IP is in one of the following ranges, you're basically screwed as long as port forwards go:
- 10.0.0.0/8
- 172.16.0.0/20
- 192.168.0.0/16
- 100.64.0.0/10
- any IPv6 address/range - This shouldn't be a problem, but Minecraft's IPv6 support is still rather quirky. You're on your own, but we're happy if you share your experience.
What do I do now?
You should ask your ISP for a public and IPv4 address (but this may cost you money).
NB: your internal IP should and most probably will be in one of the first three ranges, don't mix them up
In my case, that's what I have set in Opnsense, changed to default minecraft port for now. Below are similar rules but configured for SSH and other things (which work). And between internet and my OpnSense router there is ISP's router with DMZ set. In the future I plan to avoid ISP's router but I need specialized hardware for that.
Yeah, that does look correct
So yea, I can connect through my local network but not through my domain or public address.
on a separate network correct?
same network. Now I'm trying to do a test why it doesn't work, then I will be moving my server to a VLAN
if yes, check cgnat, have also seen isps wanting you to call em to unlock portforwarding before
hairpin nat can cause it to not work
so test on a device outside your network
mcsrvstat.us doesn't show anything and I can't connect through my phones hotspot.
and if I had CGNAT then Wireguard wouldn't work, right?
wireguard as a server iirc no, but client wise should?
hm, so one year ago I created a server and my friend was able to join it, but that was only on ISPs router, now I have OpnSense between, and firewall on the server is set properly as I can access from my local network but it pings for a long time
cgnat can be applied whenever
Yeah, but i set up wireguard server recently and it works fine
from outside? does it show up on a port checker?
yeah, I stream videos via jellyfin regularly when I'm outside.
My issue isn't CGNAT and this is my forwarding rule, I have no firewall rules on my server
Also port forwarding works fine, I had my proxmox port forwarded for a couple days while I was on vacation
I'm not able to reach the port over telnet either
And I am running a stock vanilla minecraft server through lodestone on debian 12
version 1.21.1
it seems like none of the ports I forward to that computer work whatsoever
1.60 and 2.17 are two different subnets
Can your router even speak with that other subnet?
i.e. do you have a static route on your ISP router (if you can even add one) saying 192.168.2.x via OPNsense or does it have an ip address on the 192.168.2.x range?
the router is 2.1
I'm not sure how it all works because my dad set it up but I know it does work
OPNsense or isp?
I don't know but I know this works like this
its how we have always done it in the past
and he checked this
where do you even see 1.60?
.
oh thats a different dude lmao
Oh, completely different person
:D
no idea who that is
I mean, next step would be to see if any traffic is reaching port 25565 when connecting from a different internet connection / from mcstatus
yeah mcstatus can't connect
Yeah, but is any traffic hitting the port or not
where does it drop off? router, computer?
I'm not really sure how to check that
should I use tracert?
wait that wont check the port
is the machine running the game server windows or linux based?
its running Debian
there is no firewall
If it's linux, something like
tcpdump -i any port 25565
will check on the end machine
ok I'll try that
But the router would probably be a difficult one to check
Thats what the command gave me
different dude, same problem
does not have this issue as an opnsense user
he has 2 routers no?
depends on his second router setup
2 routers?
That might be your issue
Double nat is usually a major problem
In my case, ISP's router has DMZ set up, but I want to avoid that router which comes with a risk that I'm not using their infrastructure and I could get banned. And that ISP is the only one providing internet in my building
Does the router not have a modem-only mode?
Nope. And that drives me mad. No bridge mode, no modem only. That company is one of the biggest and they have 8Gbps down 1Gbps up, yet they deliberately limit the functionality for homelab users. They have ONT but I can get it while signing new contract. So I'm left with GPON SFP card.
GPON is pretty common amongst ISPs nowadays
My isp also uses GPON with their SFP module and ONT
Maybe I have the same problem as Katnax but for me I tried changing the static IP to a different one, I disabled the firewall, I added the rules in the firewall to allow all traffic and enabled it. Neither of these worked. I tried TCPdump and it didn't show any traffic. I tried making a new VM on a different OS and using the same steps to no avail. However, both VMs were Debian based (Debian 12 and Ubuntu Server). If anyone has any new ideas that would be great!
-# also no ports work, I can't forward any of the ports I'm using including ssh and lodestone
I would check for CGNAT if no port forwarding is working
!cgnat
it's not CGNAT, the ports only can't be forwarded to this VM, my dad has all kinds of crazy port forwards in place that all work fine
sorry for the ping, I meant to disable it
Then likely you should ask your dad
If traffic isn't even hitting the machine
You'd have to troubleshoot the router itself.
id be glad to accept some kind of a pr to fix my janky scripts
Thats the thing though, he says everything in the router is fine and he does this stuff for a living
But other services like SSH work fine?
what should we watch out for in server config?
server ip should be 0.0.0.0 or localhost or 127.0.0.1 and the default minecrafts port is 25565. those query and rcon ports do matter?
Server ip should be 0.0.0.0 or blank
No to query and rcon
If the traffic is not hitting the machine, then it is not fine
¯\_(ツ)_/¯
thats what I'm saying
I'll bring it up again, sometimes he just doesn't wanna talk networking after he gets home from work doing networking all day
it was the router smh, my dad broke it a while ago, thanks guys
broke the router???
Nice
yeah actually
!close
router just needed a reboot