HELLION

Dedicated server "offline" -> NAT hairpin config anyone?
Hi all,

Firstly let me say that I've hosted Ark, Space Engineers, 7 Days to Die etc. etc. servers for years without issues... and I have running servers now that work fine. So my Cisco ASA port forwarding configs are proven and working now. I also followed the server install doco, made the batch file which generates the Start_ALL etc. batch files.... and the server starts up fine, and gets an ID.

The issue I'm having is the dreaded "Server offline" error when trying to connect to a Hellion server I made.

I believe this is due to a NAT complexity issue known as "hairpinning" or "reflection"... because Hellion doesn't have a direct IP connection option. This means I am connecting to the external public IP address of the server through my firewall/router... rather than its local private IP.

I realize this game is super EA and is yet to have a direct IP option.... so can I ask 2 questions here:

1) Does anyone happen to have a working Cisco ASA 8.x/9.x hairpin/reflection config that works? I have tried various configs but Hellion server still says offline.

2) Could someone running a dedi server tell me if their UDP ports are open when testing from the Internet?

I can see both 5969/5970 TCP ports are open... but UDP ports are not open, and running a "netstat -a" I don't see them opened locally either.

So I'm not sure whether the NAT hairpin config is broken (doubtful) or the Hellion exe isn't even listening on UDP ports.

P.S. Devs... please get your direct IP code in even if it's via Steam server... it's really really complicated otherwise for private server hosters.
Same problem here with a Cisco 887VA. I think it might require NAT configuring for both inbound and outbound. Tried a few configs but still no joy.
so, another router is working? oO
Originally posted by Zorz:
so, another router is working? oO

It's likely a Cisco router configuration issue not a Hellion server problem.
Although when I run the Hellion server I am not seeing the executable opening any listening UDP ports... hence my question 2) above.

Otherwise yes, without the game client supporting direct IP connections... it's extremely complicated for a local player to configure any router to connect to an internal server using an external IP address. :(
Originally posted by Storm:
Although when I run the Hellion server I am not seeing the executable opening any listening UDP ports... hence my question 2) above.

Otherwise yes, without the game client supporting direct IP connections... it's extremely complicated for a local player to configure any router to connect to an internal server using an external IP address. :(

In many cases it's not about difficulty - either your router supports it, or it doesn't. There's not usually anything to configure either! I suspect lack of NAT hairpinning support accounts for almost all of the relatively few people with issues such as this.

However you have the added complexity of using a Cisco device and it may not simply be a case of "switching it on" but I'd expect a Cisco router in this user-sphere (SMEE) to support NAT hairpinning.

It seems many 'domestic' grade routers these days support hairpinning out of the box. If you do get a working config for the Cisco ASA, please post here how you managed it in case others have the same issue. :)

Good luck!
Originally posted by Storm:
Although when I run the Hellion server I am not seeing the executable opening any listening UDP ports... hence my question 2) above.

UDP ports don't usually show as being 'open' like TCP as it is a connectionless protocol - they're either closed or inaccessible.

Concerning your 'ASA' device there (with which I'm not familiar), could your problem be related to the apparent 'tcp-state-bypass' limitation? I was looking for info on my own issue here and read some information that seemed to suggest that this bypass function to allow hairpinning was only valid for the TCP protocol.

I can't even remember if Hellion is using UDP anymore - it's been a while since I messed with it. I should go and refresh my memory a bit to see what's going on...

EDIT: The gaming connection itself looks to be TCP based. Check whether you can hairpin to any local TCP server on your machine, e.g. webserver on 80, as if not you should probably concentrate on getting that running first.
Last edited by sumfuka; 21 Jan 2018 at 11:27
Thanks guys for your ideas.

I have tried a few hairpinning configs (Cisco ASA 9.x does support it) but no luck. I was thinking maybe the problem was the Hellion server because there was no UDP listed.

But maybe I need to get NAT hairpinning working so I can connect on TCP before the UDP port will become visible.

As you can see from below, TCP ports are open and listening and can be connected from the Internet:
- 1.1.1.22 is my internal IP
- 28010 and 28012 are the ports I'm using (I also tried default ports but same result)

C:\WINDOWS\system32>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            JASON-PC:0             LISTENING
  TCP    0.0.0.0:445            JASON-PC:0             LISTENING
  TCP    0.0.0.0:5357           JASON-PC:0             LISTENING
  TCP    0.0.0.0:27036          JASON-PC:0             LISTENING
  TCP    0.0.0.0:28010          JASON-PC:0             LISTENING   <--- HELLION
  TCP    0.0.0.0:28012          JASON-PC:0             LISTENING   <--- HELLION
  TCP    0.0.0.0:49664          JASON-PC:0             LISTENING
  TCP    0.0.0.0:49665          JASON-PC:0             LISTENING
  TCP    0.0.0.0:49666          JASON-PC:0             LISTENING
  TCP    0.0.0.0:49667          JASON-PC:0             LISTENING
  TCP    0.0.0.0:49668          JASON-PC:0             LISTENING
  TCP    0.0.0.0:49669          JASON-PC:0             LISTENING
  TCP    0.0.0.0:49702          JASON-PC:0             LISTENING
  TCP    1.1.1.22:139           JASON-PC:0             LISTENING
  TCP    [::]:135               JASON-PC:0             LISTENING
  TCP    [::]:445               JASON-PC:0             LISTENING
  TCP    [::]:5357              JASON-PC:0             LISTENING
  TCP    [::]:49664             JASON-PC:0             LISTENING
  TCP    [::]:49665             JASON-PC:0             LISTENING
  TCP    [::]:49666             JASON-PC:0             LISTENING
  TCP    [::]:49667             JASON-PC:0             LISTENING
  TCP    [::]:49668             JASON-PC:0             LISTENING
  TCP    [::]:49669             JASON-PC:0             LISTENING
  TCP    [::]:49702             JASON-PC:0             LISTENING

However UDP ports are not listening and obviously can't be connected to from the Internet

  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5050           *:*
  UDP    0.0.0.0:5353           *:*
  UDP    0.0.0.0:5353           *:*
  UDP    0.0.0.0:5353           *:*
  UDP    0.0.0.0:5353           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    0.0.0.0:27036          *:*
  UDP    0.0.0.0:49531          *:*
  UDP    0.0.0.0:50817          *:*
  UDP    0.0.0.0:52372          *:*
  UDP    0.0.0.0:53483          *:*
  UDP    0.0.0.0:55228          *:*
  UDP    0.0.0.0:56016          *:*
  UDP    0.0.0.0:61124          *:*
  UDP    0.0.0.0:61134          *:*
  UDP    0.0.0.0:63164          *:*
  UDP    0.0.0.0:63210          *:*
  UDP    1.1.1.22:137           *:*
  UDP    1.1.1.22:138           *:*
  UDP    1.1.1.22:1900          *:*
  UDP    1.1.1.22:2177          *:*
  UDP    1.1.1.22:64503         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    127.0.0.1:5353         *:*
  UDP    127.0.0.1:64094        *:*
  UDP    127.0.0.1:64504        *:*
  UDP    [::]:500               *:*
  UDP    [::]:3702              *:*
  UDP    [::]:3702              *:*
  UDP    [::]:3702              *:*
  UDP    [::]:3702              *:*
  UDP    [::]:3702              *:*
  UDP    [::]:3702              *:*
  UDP    [::]:4500              *:*
  UDP    [::]:5353              *:*
  UDP    [::]:5353              *:*
  UDP    [::]:5353              *:*
  UDP    [::]:5355              *:*
  UDP    [::]:50818             *:*
  UDP    [::]:53483             *:*
  UDP    [::]:61125             *:*
  UDP    [::]:61135             *:*
  UDP    [::]:63211             *:*
  UDP    [::1]:1900             *:*
  UDP    [::1]:64502            *:*
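Reading a long netstat listing by eye is error-prone, so here is one way to check it mechanically. This is an added example, not part of the post above: it parses netstat-style text and reports whether the expected ports are bound per protocol, treating a UDP row (which has no State column) as bound. The sample text is constructed and reuses the thread's port numbers; the function names are this sketch's own.

```python
import re

# Constructed sample in the layout of Windows netstat output, reusing the
# thread's ports; the "<---" note mimics the poster's hand annotation.
SAMPLE = """\
Proto  Local Address      Foreign Address    State
TCP    0.0.0.0:445        JASON-PC:0         LISTENING
TCP    0.0.0.0:28010      JASON-PC:0         LISTENING <--- HELLION
TCP    0.0.0.0:28012      JASON-PC:0         LISTENING <--- HELLION
TCP    1.1.1.22:50123     203.0.113.9:443    ESTABLISHED
TCP    [::]:445           JASON-PC:0         LISTENING
UDP    0.0.0.0:5353       *:*
UDP    [::1]:1900         *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def bound_ports(netstat_text):
    """Map protocol -> set of local ports that accept traffic."""
    ports = {"TCP": set(), "UDP": set()}
    for line in netstat_text.splitlines():
        m = ROW.match(line.split("<---")[0])  # drop hand-written annotations
        if not m:
            continue  # header, blank line, or unrecognised row
        proto, _addr, port, state = m.groups()
        # TCP rows count only in LISTENING state; UDP is connectionless,
        # so a bound UDP socket has an empty State column.
        if proto == "TCP" and state != "LISTENING":
            continue
        ports[proto].add(int(port))
    return ports

def check_expected(netstat_text, expected):
    """expected: iterable of (proto, port); returns {(proto, port): bound?}."""
    ports = bound_ports(netstat_text)
    return {(proto, port): port in ports[proto] for proto, port in expected}

if __name__ == "__main__":
    wanted = [("TCP", 28010), ("TCP", 28012), ("UDP", 28010), ("UDP", 28012)]
    for key, ok in check_expected(SAMPLE, wanted).items():
        print(key, "bound" if ok else "NOT bound")
```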
Not the solution you ask about but I can highly recommend getting pfsense (pc) for a firewall and get your fiber/internet modem bridged to the firewall.
Easy to do NAT reflection or other NAT/port forwarding so issues like this will work. This is an issue you see more and more of, especially on new alpha/beta games.
Did have same issue when hosting Ark and now when tried hosting Hellion.
I can't help specifically with Cisco ASA, though I did manage to get it working on a Cisco 887VA running IOS 15.4(3)M2. It required configuring 'NVI' aka 'NAT Virtual Interface' on the appropriate interfaces to enable bi-directional translation (equivalent to both 'nat inside' and 'nat outside' configured on each interface) and a few other bits.

Anyhow, here's a stripped-down copy of the working config for anyone interested:

!
! working loopback config
! personal data [removed]
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname C887VA
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
no logging monitor
enable secret [removed]
enable password [removed]
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool 0
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server [removed]
!
!
!
ip name-server [removed]
ip name-server [removed]
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
cts logging verbose
license udi pid CISCO887VA-K9 sn [removed]
!
!
username [removed] privilege [removed]
!
!
!
!
!
controller VDSL 0
no cdp run
!
ip tcp selective-ack
ip tcp path-mtu-discovery
!
no crypto isakmp enable
!
!
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 no ip redirects
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 ip nat enable
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip access-group 102 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat enable
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname [removed]
 ppp chap password [removed]
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
no ip forward-protocol nd
ip http server
ip http access-class 2
no ip http secure-server
!
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 10
ip nat translation syn-timeout 10
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation max-entries 3000
ip nat source list NAT interface Dialer0 overload
ip nat source static tcp 192.168.0.7 80 [removed] 80 extendable [removed]
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list log-update threshold 1
logging trap debugging
logging host 192.168.0.2
dialer-list 1 protocol ip permit
!
snmp-server community public RO 2
snmp-server enable traps tty
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit [removed]
access-list 101 permit [removed]
access-list 102 permit [removed] [removed]
!
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 access-class 2 in
 exec-timeout 60 0
 password [removed]
 login local
 transport input telnet ssh
 transport output none
!
ntp logging
ntp update-calendar
ntp server [removed]
!
end
I never had this issue running a private server. I forwarded the hellion ports through my router to my server machine with no issues.

Sorry I can't help.
I don't have Cisco ASA, I use a custom Linux server with routing enabled and iptables, but I would think the concept may be similar. To "hairpin" I do this.

# Enable hairpinning from LAN to external IP of the server
iptables -t nat -A PREROUTING -d $PUBIP -s 172.32.232.0/24 -j DNAT --to-destination 172.32.232.232
iptables -t nat -A POSTROUTING -d $PUBIP -s 172.32.232.0/24 -j SNAT --to-source 172.32.232.232

(NOTE: I have a dynamic public IP as my untrusted interface. So in order to make the rules adjust when the IP changes, I map the untrusted interface to a variable $PUBIP using a tool called ifdata. If I run the command line /usr/bin/ifdata -pa em2 it returns the IP (public) of em2 (ethernet interface 2) on my Linux server. So in order to get that in my firewall script I map the command line to a variable PUBIP="$(/usr/bin/ifdata -pa em2)". )


This basically uses DNAT (destination NAT) and SNAT (source NAT) to route LAN traffic bound for the public IP to the private IP address of my server. (NOTE: address blocks changed to protect the innocent). I don't know if Cisco ASA is capable of destination / source routing but maybe it will help with the general concept.

Also, if you're using a Windows machine as your server, you have to take into account the Windows Firewall Service (if you're using it). Make sure you have entries in the Windows Firewall Service to allow UDP as well as the TCP ports to public and private.
Last edited by Morggin; 26 Aug 2018 at 1:03

Date posted: 20 Jan 2018 at 1:39
Posts: 11