Server replies on a different port, causing trouble for the firewall

Hello HF community! I am trying to set up a server for a conference, but we’re running into trouble. Here is the report from the IT guy as to why it’s not connecting. It appears the server replies on a different port from the one that the request is made on. Are there settings somewhere that change this behavior?

----- From the IT guy ----

We have tracked down the problem, but it’s not something we can control from our end. The problem we see is with how the server is responding to what we send.

We have captured network traffic and this is what we are seeing:

First, we send a packet to your server

Source IP      Destination IP   Proto  Size  Ports
136.41.0.239   171.64.48.239    UDP    65    36159 → 40102

The Source is our firewall on our Google Fiber IP address. We send from our firewall on port 36159 to your server on port 40102.

This is the response we receive:

Source IP      Destination IP   Proto  Size  Ports
171.64.48.239  136.41.0.239     UDP    65    40102 → 29156

Your server responds from port 40102, but it sends the packet to a new port - port 29156.

Because the response from your server is going to a new port (29156) instead of the port we sent our request from (36159) the firewall does not have any way to know that this is a response to our request, and the packet is dropped. For normal network traffic, responses are sent back to the request port.

There are some complicated work-arounds that may help us get around this, but nothing that would be robust or work reliably long-term. I expect that this behavior, if consistent, will cause problems with most networks.

Do you have any insight into how the server responds to requests and why it would not send traffic back to the originating UDP port?

Perhaps your technology team or someone familiar with the VR environment can help us with an answer to that question.

---- end email ----

Any thoughts, HF crew?

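The IT report above describes exactly what a stateful firewall's UDP connection table does: it remembers the outbound 4-tuple and only admits an inbound packet that is its exact reverse. The following is an added example (not part of the original thread or the High Fidelity software) that models that table in Python, parses the two capture rows as pasted in the report, and shows why the captured reply is dropped while a reply to the originating port would be accepted. The inside address, the 30-second idle timeout, and the `EXPECTED_REPLY` row are assumptions for illustration.

```python
"""Stateful UDP firewall model (added example, not from the original post)."""
from dataclasses import dataclass

# Assumed idle timeout for a remembered UDP flow; chosen to match the common
# 30 s default seen in Linux conntrack, but any real firewall may differ.
UDP_IDLE_TIMEOUT = 30.0


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    size: int
    sport: int
    dport: int


def parse_capture_line(line: str) -> Packet:
    """Parse one capture row in the form pasted in the report:
    '136.41.0.239 171.64.48.239 UDP 65 36159 → 40102'."""
    fields = line.split()
    if len(fields) != 7 or fields[5] not in ("→", "->"):
        raise ValueError(f"unexpected capture line: {line!r}")
    src, dst, proto, size, sport, _, dport = fields
    return Packet(src, dst, proto, int(size), int(sport), int(dport))


class StatefulUdpFirewall:
    """Minimal model of a firewall's UDP state table.

    A flow is remembered when a packet leaves the inside network. An inbound
    packet is accepted only if it is the exact reverse of a remembered flow
    (same two addresses and two ports, swapped) and the entry has not expired.
    """

    def __init__(self, inside_ip: str):
        self.inside_ip = inside_ip
        # (inside_ip, inside_port, remote_ip, remote_port) -> time last seen
        self.flows: dict[tuple, float] = {}

    def outbound(self, pkt: Packet, now: float) -> None:
        if pkt.src_ip != self.inside_ip:
            raise ValueError("outbound packet must originate from the inside address")
        self.flows[(pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport)] = now

    def inbound(self, pkt: Packet, now: float) -> tuple[bool, str]:
        key = (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport)
        last = self.flows.get(key)
        if last is None:
            return False, (f"no flow for {pkt.dst_ip}:{pkt.dport} <-> "
                           f"{pkt.src_ip}:{pkt.sport}")
        if now - last > UDP_IDLE_TIMEOUT:
            del self.flows[key]
            return False, "flow entry expired"
        self.flows[key] = now  # refresh the entry on matching traffic
        return True, "matches existing flow"


# Rows constructed from the two captures quoted in the IT report.
REQUEST = "136.41.0.239 171.64.48.239 UDP 65 36159 → 40102"
ACTUAL_REPLY = "171.64.48.239 136.41.0.239 UDP 65 40102 → 29156"
# Hypothetical row: what a reply sent back to the originating port would look like.
EXPECTED_REPLY = "171.64.48.239 136.41.0.239 UDP 65 40102 → 36159"


def evaluate(request: str, reply: str) -> tuple[bool, str]:
    """Replay one request/reply pair through the firewall model."""
    fw = StatefulUdpFirewall(inside_ip="136.41.0.239")
    fw.outbound(parse_capture_line(request), now=0.0)
    return fw.inbound(parse_capture_line(reply), now=0.5)


if __name__ == "__main__":
    for label, reply in (("reply as captured", ACTUAL_REPLY),
                         ("reply to the request port", EXPECTED_REPLY)):
        accepted, why = evaluate(REQUEST, reply)
        print(f"{label}: {'ACCEPT' if accepted else 'DROP'} ({why})")
```

Running it prints a DROP for the captured reply (no flow entry exists for port 29156) and an ACCEPT for the hypothetical reply to port 36159. The model deliberately ignores NAT address rewriting; with NAT the check is the same, just on the translated tuple, which is why the "complicated work-arounds" the IT team mentions (static port forwards or opening a fixed range inbound) are the only alternatives to the server replying on the originating port.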

The problem is that the ports are randomized unless otherwise specified. Only port 40100 is typically left alone (domain-server).

To resolve this, you will need to not use the default startup. The new version does have a few arguments for allowing assignment-clients to have a range of ports, which I’m sure would make your IT people much happier (you will need at least 6 ports opened; the administration panel ports do not need to be open).

What system is the server running (Windows/Linux)?

The system is running on Windows

Hmm… yeah, that would explain a few things. Judging by that, that sounds like you are also using the sandbox control panel, which simplifies everything too much.

In order for it to work, you will need to use a custom BAT file to launch all the assignment-clients with their ports specified, or using the new min-port argument. I did write one up in the past, but I mostly run Linux-based servers, so I don’t have it anymore.

I haven’t dealt with Hifi in a while, so I’ll see if I can’t write something up fresh and new when I’m out of work.