
No access from foreign IP to Minecraft server


https://i.sstatic.net/DBAaT.png

Overview

This is a general error, but I'm unable to locate the problem and hence the solution. I'm hosting a Minecraft server on my localhost (192.168.0.2) on port 25565. It can be accessed from the host by its internal IP (localhost and 192.168.0.2) but cannot be accessed from the external IP (101.xxx.xx.xx).

Have you tried turning it on and off again?

Yes. I've restarted my host. Also the server says

[14:32:14] [Server thread/INFO] [net.minecraft.server.dedicated.DedicatedServer]: Starting Minecraft server on *:25565

so it must be true.

Port Forwarded?

I can verify that the port is open to HTTP through a simple Node.js server hosted on the device. This can be accessed through 101.xxx.xx.xx:25565 on my mobile device on the same network but times out on the browser of the host. Moreover, it is forwarded on both TCP and UDP.

Proof of UDP and TCP forward

const { createServer } = require('http')

createServer((req, res) => {
    console.log('Request', req.url)
    res.end('Ok')
}).listen(25565)

Firewalls

Additionally, I modified my firewalls: Windows and antivirus. I turned off Avast Web Shield which blocks foreign unrecognized internet connections and followed both these tutorials to add firewall exceptions for Java and port exceptions. I allowed my Telstra Arcadyan modem to keep its firewall because I could still access my internal network from a foreign address.

Wireshark and Nmap

I suspected that the internal connection was the issue so I used nmap. I ran it on the host and another device on the network, my Raspberry Pi (192.168.0.69).

On my Raspberry Pi (192.168.0.69), nmap -p 25565 -T4 -Pn -A -v 192.168.0.2 returned

25565/tcp open minecraft Minecraft 1.12.2 (Protocol: 127, Message: Rebirth of the Night! (Optifine 1.12.2), Users: 0/6)

Additionally the same command but with a different destination (WAN IP), returned the same message.

On my host Windows device, the result was identical for the internal IP (192.168.0.2), but the external IP (101.xxx.xx.xx) returned filtered. This is primarily why I believe there is a firewall in the way.

25565/tcp filtered minecraft

[Screenshots: Host - Local Address; Host - Foreign Address; Raspberry Pi - Local Address; Raspberry Pi - Foreign Address]

Summary

I suspect it must be because of an inbound connection firewall issue, due to my trials with nmap and Wireshark. Sadly, I'm unable to locate it. Am I missing something?

Update

The answer might be here, though I'm not certain. It might be a NAT Loopback problem.

Footnotes

  • The server is Rebirth of the Night v2.76.2

  • There is no server logging when I try to connect from the external address i.e. no evidence of a connection attempt

  • There are other servers on this LAN

  • MC Server Status returns the correct information. (The server is visible)

  • This article gives the possibility that the internal to external to internal connection is the problem.

    "The LH1000 does not support NAT which means that even if the ports are open you can not connect to a device on your network from another device on your network using the public address of the modem and the port number of the device."

  • When doing the testing below, I did not invoke the Node.JS and the MC server concurrently.

  • This somewhat resembles the problem where I cannot ssh to my Raspberry Pi from the external IP (101.xxx.xx.xx). I can only connect to it through the internal IP (192.168.0.69) (PuTTY error)

  • This is the log from the Minecraft game output: Minecraft Game Log - io.netty.channel

  • As a side note, Wireshark with the filter udp.port == 25565 || tcp.port == 25565 had three different outputs.

For the Node.js HTTP server accessed from a mobile device with VPN, it output [image]

For the Node.js HTTP server accessed from the host device, it output [image]

For the Minecraft server, it output [image]


Solution

  • NAT Loopback (Hairpinning)

    My router (Telstra Arcadyan LH1000) doesn't support NAT loopback, where the external address of the network can be accessed from an internal IP. It rewrites the connection directly to the other network address (itself in my case), which the client rejects because it doesn't expect the rewrite.

    Solutions

    There are two solutions: a masquerade NAT rule, which most routers do not support, and using the internal IP. Additionally, upgrading router firmware may solve the issue, but it's unlikely. In my case, the Technicolor modem has full NAT loopback support, but I'm unable to get one.

    Solution 1

    This rule should be added to the router (accessible at something like 192.168.0.1).

    /ip firewall nat
        add chain=srcnat src-address=192.168.1.0/24 \
        dst-address=192.168.1.2 protocol=tcp dst-port=80 \
        out-interface=LAN action=masquerade
    

    Solution 2

    This is not a resolution of the problem but merely avoidance of the issue. The Minecraft server can be accessed on localhost and 192.168.0.2 but not on the external IP.

    Solution?

    The network address can be reached from a different adapter. If the port-forward is to Wi-Fi (distinct from the Ethernet adapter), then an attempt to access it from the Ethernet connection may allow you to bypass the error.

    TL;DR

    My router doesn't support accessing its own network from an internal address. Change a rule or avoid accessing it from its external IP.
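
A simplified model of the rewrite described in the answer above, as an added example that is not part of the original post: it follows one connection from a LAN client to the router's external address, with and without a masquerade rule. The WAN address 203.0.113.10, the router address 192.168.0.1 and the client 192.168.0.50 are constructed values, and the model does not reproduce any particular router's firmware.

```javascript
// Added illustration: simplified model of hairpin NAT, not router firmware.
// WAN_IP is a constructed documentation address; the page masks the real one.
const WAN_IP = '203.0.113.10';
const ROUTER_LAN = '192.168.0.1'; // assumed router LAN address
const SERVER = '192.168.0.2';     // Minecraft host from the page
const PORT = 25565;

// Follow one TCP SYN from a LAN client to WAN_IP:PORT and the server's reply.
// masquerade=false: port forward (DNAT) only.
// masquerade=true: the router also source-NATs the forwarded packet.
function hairpin(clientIp, masquerade) {
  const trace = [];
  const syn = { src: clientIp, dst: WAN_IP };
  trace.push(`client sends  ${syn.src} -> ${syn.dst}:${PORT}`);

  // Port forward: the router rewrites the destination to the internal server.
  const fwd = { src: syn.src, dst: SERVER };
  // Masquerade: the router also rewrites the source to its own LAN address.
  if (masquerade) fwd.src = ROUTER_LAN;
  trace.push(`server sees   ${fwd.src} -> ${fwd.dst}:${PORT}`);

  // The server answers whoever the SYN appeared to come from.
  let reply = { src: SERVER, dst: fwd.src };
  if (reply.dst === ROUTER_LAN) {
    // The reply passes through the router, which undoes both rewrites.
    reply = { src: WAN_IP, dst: clientIp };
  }
  // Otherwise the reply crosses the LAN directly and never reaches the router.
  trace.push(`client gets   ${reply.src}:${PORT} -> ${reply.dst}`);

  // The client's socket only accepts a reply from the address it dialled.
  const accepted = reply.src === syn.dst && reply.dst === clientIp;
  trace.push(accepted ? 'accepted' : `dropped: expected ${syn.dst}, got ${reply.src}`);
  return { accepted, replySrc: reply.src, trace };
}

// 192.168.0.50 is a hypothetical LAN client.
for (const masq of [false, true]) {
  console.log(`masquerade=${masq}`);
  hairpin('192.168.0.50', masq).trace.forEach((line) => console.log('  ' + line));
}
```

Passing the server's own address as the client models the case where the host dials its external address itself; the outcome is the same in both modes.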