Connecting failed

Hi,

I'm trying to connect to a home-run Arma 3 server by a friend, everyone else can manage to connect except me (that's 6 people connecting over public Internet vs me not managing to connect). I'm running pfSense on my router and I'm guessing this in combination with some exotic Arma 3 networking ideas is causing problems (I can successfully connect to a remote home-run DCS A-10C server (where the host is behind NAT as well) without any changes on my end).

I ran tcpdump to inspect what kind of NAT is going on and it seems that asymmetric return leg is giving problems. Notice how 15250 in the server's answer differs from the NAT port my pfsense box chose, hence it doesn't know what to do with it and it is dropped... It could choose to translate it to my private IP (192.168.1.35) as it has seen the previous packet and guess that it's a reply to that packet. But I'm guessing pfSense isn't configured to do this by default.

LAN-side tcpdump:

tcpdump host 82.73.34.xx -i vr0

21:10:48.649089 IP 192.168.1.35.2304 > 5xxxxx.cm-4-2a.dynamic.ziggo.nl.2302: UDP, length 20

WAN-side tcpdump:

tcpdump -i pppoe0 host 82.73.34.xx

21:10:48.649214 IP ip-81-11-172-xxx.dsl.scarlet.be.18425 > 5xxxxx.cm-4-2a.dynamic.ziggo.nl.2302: UDP, length 20

21:10:48.687891 IP 5xxxxx.cm-4-2a.dynamic.ziggo.nl.2302 > ip-81-11-172-xxx.dsl.scarlet.be.15250: UDP, length 20

I am aware of this ticket: http://feedback.arma3.com/view.php?id=2467 and tried to alter my pfSense NAT accordingly but I can't seem to get it to work. I'm wondering why the A3 server-instance doesn't reply to the same port? It just seems to choose a random port to reply to every time; which makes setting up NAT rules particularly difficult. For some reason I can connect to some of the publicly available servers, I'm guessing these a) aren't behind NAT or b) reply to the open port on the NAT.

Regards,

logion

Hi,

I'm trying to connect to a home-run Arma 3 server by a friend, everyone else can manage to connect except me (that's 6 people connecting over public Internet vs me not managing to connect). I'm running pfSense on my router and I'm guessing this in combination with some exotic Arma 3 networking ideas is causing problems (I can successfully connect to a remote home-run DCS A-10C server (where the host is behind NAT as well) without any changes on my end).

I ran tcpdump to inspect what kind of NAT is going on and it seems that asymmetric return leg is giving problems. Notice how 15250 in the server's answer differs from the NAT port my pfsense box chose, hence it doesn't know what to do with it and it is dropped... It could choose to translate it to my private IP (192.168.1.35) as it has seen the previous packet and guess that it's a reply to that packet. But I'm guessing pfSense isn't configured to do this by default.

LAN-side tcpdump:

tcpdump host 82.73.34.xx -i vr0

21:10:48.649089 IP 192.168.1.35.2304 > 5xxxxx.cm-4-2a.dynamic.ziggo.nl.2302: UDP, length 20

WAN-side tcpdump:

tcpdump -i pppoe0 host 82.73.34.30

21:10:48.649214 IP ip-81-11-172-xxx.dsl.scarlet.be.18425 > 5xxxxx.cm-4-2a.dynamic.ziggo.nl.2302: UDP, length 20

21:10:48.687891 IP 5xxxxx.cm-4-2a.dynamic.ziggo.nl.2302 > ip-81-11-172-xxx.dsl.scarlet.be.15250: UDP, length 20

I am aware of this ticket: http://feedback.arma3.com/view.php?id=2467 and tried to alter my pfSense NAT accordingly but I can't seem to get it to work. I'm wondering why the A3 server-instance doesn't reply to the same port? It just seems to choose a random port to reply to every time; which makes setting up NAT rules particularly difficult. For some reason I can connect to some of the publicly available servers, I'm guessing these a) aren't behind NAT or b) reply to the open port on the NAT.

Regards,

logion

First of all I will try to ping his server from your local machine and than from your router (if it has such an option), it can tell you if it is arma 3 alpha issue or other software / hardware issue related. you can try to connect to my server, I'm not behind NAT.

Unfortunately your server is running v0.59 and Arma 3 refuses to connect.

I have made some progress, I managed to setup a NAT rule that forwards the reverse leg back into my LAN. So now the tcpdumps look like this:

LAN-side tcpdump:

tcpdump host 82.73.34.xx -i vr0

21:48:24.131537 IP 192.168.1.35.2304 > 5xxxxx1E.cm-4-2a.dynamic.ziggo.nl.2302: UDP, length 20

21:48:24.144845 IP 5xxxxx1E.cm-4-2a.dynamic.ziggo.nl.2302 > 192.168.1.35.57901: UDP, length 20

21:48:24.145006 IP 192.168.1.35 > 5xxxxx1E.cm-4-2a.dynamic.ziggo.nl: ICMP 192.168.1.35 udp port 57901 unreachable, length 56

WAN-side tcpdump:

tcpdump -i pppoe0 host 82.73.34.xx

21:48:24.131693 IP ip-81-11-172-xxx.dsl.scarlet.be.59818 > 5xxxxx1E.cm-4-2a.dynamic.ziggo.nl.2302: UDP, length 20

21:48:24.144694 IP 5xxxxx1E.cm-4-2a.dynamic.ziggo.nl.2302 > ip-81-11-172-xxx.dsl.scarlet.be.57901: UDP, length 20

21:48:24.145066 IP ip-81-11-172-xxx.dsl.scarlet.be > 5xxxxx1E.cm-4-2a.dynamic.ziggo.nl: ICMP ip-81-11-172-xxx.dsl.scarlet.be udp port 57901 unreachable, length 56

I've also noticed that the server's end isn't responding to ICMP echo requests(pings), so I'd guess the ICMP unreachable isn't arriving either. Also the in-game PING is listed as ? (which uses Gamespy's UDP ping I assume?). I didn't know that ICMPv4 was required to host an A3 server?

---------- Post added at 10:32 PM ---------- Previous post was at 09:52 PM ----------

It appeared this was the issue: http://kentie.net/article/m0n0wallgamespy/index.htm. Setting NAT to 'Manual Outbound NAT rule generation' in pfSense and choosing Static Port so that pfSense won't rewrite the outbound port fixed it. This is the same solution proposed as in http://feedback.arma3.com/view.php?id=2467 (i.e. the Static NAT); it's just a bit more cryptic to find in pfSense.

I'm guessing the problem only arises with servers behind NAT which activates some kind of NAT penetration technique that doesn't play so nicely with dynamic NAT. Luckily I can set up a specific NAT rule per server (well actually per ipv4 subnet that server belongs too) so that I don't have to use static NAT for everything... Maybe using these kind of NAT penetrations techniques could be made optional, as they aren't needed when the server has setup its NAT rules correctly. Would love to get some feedback on this from the devs/community.

It's clear in the above tcpdump that pfSense chooses 59818 as the outbound port in the dynamic NAT case; in the static NAT case it would probably use the 2304 port. The only question I'm asking myself i:, why does the server reply to a totally different port 57901? Is it somehow calculated from the first port? If so, it isn't a simple offset. It seems to me that the A3 server should just reply to the same port (i.e. 59818 and not 57901) and all would be well. I'm guessing when the game is running these kind of ports come into play (ports above 55000> and as these can be asymmetric I could imagine the different ports). But as this is the first connection attempt to the A3 server, the server shouldn't assume that my client has reached this state yet. I'm still convinced that this is bad design of the A3 server and nothing else.

Have you tried remote connection (right corner in arma 3 lobby) ? , what you need is server IP and port. try to update your arma to dev mode (steam - right click arma 3 alpha - properties - betas - development ) and try to connect to my server. These are my connection when in game: http://postimg.org/image/7tm7yp101/

I did try the Remote button, but it didn't work either with the same error. The issue has been resolved now though.

I'm glad to hear that,:D