Firewall issues


#1

Has anyone had any issues with firewalls blocking one or more services from getting through?

It’s interesting that at the office I can log in and chat with XMPP and jump/move around, but I cannot see any voxels, cannot hear anyone and generally don’t seem to really “exist” in-world.

What’s doubly strange is that here at the office I have the same router software as at home (pfSense) and there aren’t any crazy rules here that would obviously cause issues.

Works:

  • Login
  • Client “knows” position in xyz space
  • Can move, and jump to known positions (eg @home)
  • Chat works fine, and I can see others who are online
  • 3D “box of balls” near @home seems to render/move just fine

Does not work:

  • No voxels anywhere (and voxel input bandwidth is zero, output is ~2Kbps)
  • No audio of any kind (and audio input bandwidth is zero, output is ~45Kbps)
  • No avatars except mine (and avatar input bandwidth is zero, output is ~51Kbps, my mirror works fine)

I’m wondering if there’s some trickery going on with the voxel/audio/avatar server(s) that’s not playing nicely with my firewall. I’m open to any suggestions. :smile:

— EDIT —

–SNIP–
On relog:
[2014-03-25T17:14:09] Application title set to: {d1c4e83c-f5c3-4b13-a920-8068e4565620} @ root.highfidelity.io (build dev)
[2014-03-25T17:14:09] VoxelSystem… voxel server {f90727d9-0e2b-4f54-a407-f00aa208a313} added…
[2014-03-25T17:14:10] Activating public socket for node “Particle Server” (P) {17f397f4-999b-4e85-a939-fd767cd7dde8} 54.219.87.183:55172 / 10.202.162.137:55172
[2014-03-25T17:14:10] Activating public socket for node “Voxel Server” (V) {f90727d9-0e2b-4f54-a407-f00aa208a313} 54.219.87.183:43539 / 10.202.162.137:43539
[2014-03-25T17:14:11] Activating public socket for node “Avatar Mixer” (W) {cabce915-76d4-46a2-9003-2a2b0dd87c21} 50.18.103.79:34730 / 10.168.233.29:34730

–Persistent–

[2014-03-25T17:12:38] Killed “Audio Mixer” (M) {b19457de-044a-412c-8162-db7a4b1d7ce3} 54.193.6.78:46847 / 10.0.30.203:46847
[2014-03-25T17:12:39] Added “Audio Mixer” (M) {b19457de-044a-412c-8162-db7a4b1d7ce3} 54.193.6.78:46847 / 10.0.30.203:46847
[2014-03-25T17:12:42] Killed “Audio Mixer” (M) {b19457de-044a-412c-8162-db7a4b1d7ce3} 54.193.6.78:46847 / 10.0.30.203:46847
[2014-03-25T17:12:43] Added “Audio Mixer” (M) {b19457de-044a-412c-8162-db7a4b1d7ce3} 54.193.6.78:46847 / 10.0.30.203:46847
[2014-03-25T17:12:46] Killed “Audio Mixer” (M) {b19457de-044a-412c-8162-db7a4b1d7ce3} 54.193.6.78:46847 / 10.0.30.203:46847


#2

This has to do with the hole punching to those servers.

Is it possible at your office that you are behind a more complex NAT setup than at home?


#3

Basically it means that at your office you are unable to punch a hole to talk to those servers (who themselves are normally not open to the outside world).

There’s a specific configuration in pfSense that makes it act as a cone NAT or not that is important for this - I remember having to change it on our office pfSense box a while ago.

I haven’t touched the hole punch stuff for a while so I’ll have to look back into this so we can sort this out.


#4

Cool, thanks. Let me know if there’s anything I should do. I’ll try to compare my home/office NAT settings when I get back to the office tomorrow.


#5

Alright - looked into this to confirm.

A while back at High Fidelity I had to change our pfSense config for the hole punching to work. It needs to be changed so it is an asymmetric NAT.

Basically this means it needs to assign a static port to outgoing ip/port mappings - so that the port the STUN server detects for you as the reachable port via your NAT is the same port that the servers can use to punch through to you.

This pfSense doc explains the setting you need to change.

https://doc.pfsense.org/index.php/Static_Port
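
The check described in the post above, as an added example that is not part of the original thread and not High Fidelity's code: it parses RFC 5389 STUN Binding responses and compares the port the NAT exposes for one local UDP socket across different servers. The function names, the verdict labels and the sample addresses (documentation ranges) are constructed for illustration.

```python
import os, socket, struct

MAGIC = 0x2112A442  # STUN magic cookie (RFC 5389)

def binding_request(txid):
    """20-byte STUN Binding Request with no attributes."""
    return struct.pack("!HHI", 0x0001, 0, MAGIC) + txid

def mapped_address(resp, txid):
    """Return the (ip, port) the NAT exposed, from a Binding Success Response."""
    if len(resp) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", resp[:8])
    if mtype != 0x0101 or cookie != MAGIC or resp[8:20] != txid:
        raise ValueError("not a matching STUN success response")
    pos, end = 20, min(20 + mlen, len(resp))
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", resp[pos:pos + 4])
        val = resp[pos + 4:pos + 4 + alen]
        if atype in (0x0020, 0x0001) and len(val) >= 8 and val[1] == 0x01:
            port, addr = struct.unpack("!HI", val[2:8])
            if atype == 0x0020:  # XOR-MAPPED-ADDRESS is masked with the cookie
                port, addr = port ^ (MAGIC >> 16), addr ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)  # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 mapped-address attribute")

def probe(sock, server, timeout=2.0):
    """Ask one STUN server (host, port) how it sees this already-bound UDP socket."""
    txid = os.urandom(12)
    sock.settimeout(timeout)
    sock.sendto(binding_request(txid), server)
    return mapped_address(sock.recvfrom(2048)[0], txid)

def nat_verdict(local_port, mappings):
    """Classify mappings reported by different servers for ONE local socket."""
    ports = {port for _, port in mappings}
    if len(ports) > 1:
        return "symmetric"  # port changes per destination: STUN result not reusable
    return "static-port" if ports == {local_port} else "consistent"

def sample_response(ip, port, txid):
    """Constructed Binding Success Response, used for the offline demo."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    attr = struct.pack("!HHBBHI", 0x0020, 8, 0, 1, port ^ (MAGIC >> 16), addr ^ MAGIC)
    return struct.pack("!HHI", 0x0101, len(attr), MAGIC) + txid + attr

if __name__ == "__main__":
    txid = bytes(range(12))
    seen = [mapped_address(sample_response("203.0.113.7", p, txid), txid) for p in (40001, 40002)]
    print(seen, nat_verdict(50000, seen))
```

To use it on a live network, bind one UDP socket, call `probe` against two STUN servers you are allowed to query, and pass both results to `nat_verdict` with the socket's local port.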


#6

Tony,

We ran into this issue last night trying to demo, and I think I can fix this for servers whose ports are open (which is the case with alpha).

Hold off on changing your router at work for now if you can since you’ll be a good test case to see if the new code actually works!


#7

I also have a similar issue where when I attempt to log in it never actually logs me in. I also can’t connect to the chat server - obviously because I can’t log in. Here is a screenshot of the issue. I really hope someone has advice here.

In addition I turned off all anti-virus products, anti-virus firewall and windows firewall.


#8

I wanted to give an update on my issue.

I had to make sure the DLL files above with OpenSSL were connected in the Qt bin directory.

I am now able to successfully log in and utilize chat.


#9

@birarda and I worked out the issue in gitter, but I just realized that I never posted here after the resolution. I’m not experiencing any firewall-related problems anymore.