NAT problem
From VuzeWiki
Quick outline
To fix a NAT issue, you have to consider the multiple factors that can cause it. Here is a quick outline of what you have to do; for more detailed explanations and instructions, see the next chapter.
There are several causes of reachability problems:
- Routers/Broadband modems
- a) Devices without UPnP or NAT-PMP
- you have to set your PC to a static IP (i.e. don't use DHCP) or use your router's MAC-address binding to allocate a specific IP to your network card
- log into your router (if you don't know its address read the manual or determine the gateway address, which should be the address of your router)
- Set up port forwarding by creating rules that forward Azureus' listening ports (UDP and TCP) from the external port to the IP of your computer, using the same port number on your computer.
- Note: The exact wording is different for each router, thus it might be called port forwarding, NAT rules, virtual server or something else.
- Turn off UPnP in Azureus in Tools > Options > Plugins > UPnP, since it may confuse some routers that do not support or correctly support UPnP.
- b) Devices with UPnP/NAT-PMP
- Just enable the UPnP/NAT-PMP plugin under Tools -> Options -> Plugins -> UPnP and set it to report everything to get some feedback. Once it works, you can turn the messages off again. Sadly, some routers that claim to support UPnP don't interoperate with Azureus correctly; if that's the case, have a look at point a).
- Software firewalls and antivirus software including firewalls:
- If the firewall is port based, you have to allow incoming connections to the UDP and TCP ports used by Azureus (Tools -> Options -> Connection).
- For application-based firewalls, you have to allow azureus.exe (or javaw.exe) to access the internet and accept incoming connections.
- Some firewalls have a generic setting to prevent incoming (WAN) connections. This should be disabled too.
Detailed guideline
Understand what a NAT problem is
Basically, a Network Address Translation problem is caused by a router not being able to do what it's supposed to; it is not correctly re-directing data it has received from the outside world to a computer that is connected to it (the one running Azureus in this case).
Can this page assist you to resolve the NAT issue? That entirely depends on several factors. Every computer out there is set up slightly differently - different makes/models of modems and/or routers, different software firewalls, different antivirus programs, receiving service from different providers - these are all factors that must be considered when attempting to solve a NAT error. We'll attempt to approach a NAT problem broadly so as to encompass and help as many users as possible. Below we'll cover some basic terminology and acronyms before you actually give it a shot.
- ISP: Internet Service Provider
- Router: A device that forwards data packets along networks. A router is connected to at least two networks, commonly two LANs (Local Area Networks), WANs (Wide Area Network), WLANs (Wireless LAN), or a LAN and its ISP’s network. Routers are located at gateways, the places where two or more networks connect. Routers use headers and forwarding tables to determine the best path for forwarding the packets, and they use protocols such as TCP/UDP to communicate with each other and configure the best route between any two hosts.
- IP Address: Internet Protocol Address. This is a unique string of numbers that identifies a computer or server on the Internet. These numbers are normally shown in groups separated by periods (example: 216.239.57.99 is Google's IP address).
- Public IP Address: An address that is given to you by your service provider when you connect to them. The majority of users have a dynamic public IP address (this can change every time a connection is established).
- Private IP Address: An address that can be assigned by a router or your Operating System for your connection to a LAN, WAN, or WLAN. The world will never see this address, and it can be made static (it will never change once set up correctly).
- DHCP: Dynamic Host Configuration Protocol. Used for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. DHCP also supports a mix of static and dynamic IP addresses.
- DHCP Pool/Range: The available addresses a router is instructed to use when automatically assigning IP addresses to devices. Example: LinkSys routers almost all default with a starting IP address of 192.168.1.100 with 50 available users, effectively making the range 192.168.1.100 - 192.168.1.149
- MAC Address: Media Access Control Address (sometimes referred to as a device's physical address). MAC addresses are a unique code assigned to most forms of networking hardware (for example: A0:99:E3:76:BE:01). The address is permanently assigned to the hardware (network cards/wireless adapters/routers) to act as a security feature for limiting access on closed networks. This is extremely useful when securing a wireless network.
- MAC Address Binding: An option on some routers to bind a MAC address to an IP address on a closed LAN or WAN network. When available, this method can be used to create a static IP address for port forwarding purposes.
- UPnP: Universal Plug 'n Play. A technology that attempts to make setting up networking devices a simple task. It has met with mixed reviews and levels of effectiveness from manufacturers and consumers. Your network hardware and Operating System may or may not properly employ this technology.
- Port Forwarding: The act of forwarding a network port from one machine to another. One use of this technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.
- Port Triggering: This allows computers behind a NAT-enabled router to access a special server or use a special application on the Internet using a specified port number. While similar to port forwarding, it is not recommended for use with BitTorrent due to the timing discrepancies involved with a port constantly being told to open with so many connections being generated. It is more useful for gaming servers.
- DMZ: The De-Militarized Zone. When this option is enabled in a router, the computer is now outside of the internal/protected network. Since a DMZ'd computer will be open to allow public access to services, it is considered extremely insecure and dangerous. Do NOT use DMZ in lieu of port forwarding.
Fix your NAT problem
So you really have a NAT problem and never get green smilies and you are not using one of those Internet service providers that do not like file sharing? OK, read on.
- Please Note: If you are using file sharing where you have no access to the router (corporate or campus network, public WLAN from a cyber-cafe or a neighbor, or a housing development where everyone shares the connection), you must contact the network administrator.
You want to select a port that will forward incoming data to your computer's IP address using the port of choice, and ensure that software firewalls and antivirus programs do not interfere. If you skimmed the above passages, you may be confused by the following procedures. You should read the entire page before proceeding.
If you know you own a router, continue reading this page in its intended order.
If you own a router and you are absolutely positive it properly supports UPnP, enable UPnP in Azureus (Tools->Options->Plugins->UPnP) and try the nat/firewall test again. If this doesn't work, skip down to the Software Firewall section.
If you are unsure whether or not you own a router (some broadband modems have routers with NAT features built in), consult your ISP or see your modem's manual.
- A simple test for Windows operating system users is to use ipconfig (win2K/XP) or winipcfg (win9X/ME). Go to Start>Run , and type in the command "cmd /k ipconfig" or "winipcfg.exe" without the quotes, then press the Enter key. If the Default Gateway starts with 10.*, 172.* or 192.*, then it is very likely that there is a router involved.
- Apple Mac 8.x/9.x: Pull down the Apple menu, select Control Panels. Open the control panel TCP/IP. Look for the line Router address.
- Apple Mac OS X: use either of the following methods:
- Pull down the Apple menu, select System Preferences, click Network. In the pull-down Show: select the network interface in use. Click tab TCP/IP and look for the line Router.
- Leopard (10.5.x): Apple menu > System Preferences > Network. From list on the left select your connection (Ethernet, AirPort, etc.), which is probably already selected. Click "Advanced" button and from there the TCP/IP tab. The "Router" line will have an IP address listed if you are connected through a router.
- Open a Terminal window, type the command ipconfig getoption en0 router (where en0 is the name of the interface in use)
If you are positive you do not own a router or a broadband modem with NAT features, please skip down to the Software Firewall section.
Routers And NAT Enabled Broadband Modems
- Ensure you are using a port number that is not already reserved by a computer process or PC on your network, or that is possibly being blacklisted/throttled by your ISP. (Avoid 6881-6999, any from 49125-65535 is fine)
- Create a static IP address for the computer that is running Azureus.
- Log into your router's configuration table. This is normally done by typing the router's Gateway Address into your browser's URL edit box and pressing the Enter key. You should be prompted for a username/password before proceeding. If you don't know the information, consult your owner's manual or ISP if it originated from them. (Note: some devices require utilizing Telnet for access and forwarding; the steps will be left out here due to their uniqueness. Again, refer to the owner's manual for the correct procedure).
- If your router supports MAC address binding, do so, save/apply your changes, and skip down to the "Port Forwarding Through The Router" section.
- If your router does not use MAC address binding, disable or limit the DHCP range in the router, then create a static IP address for your computer that is OUTSIDE the router's DHCP server's IP pool/range (example: the DHCP range is 192.168.1.100 - 192.168.1.149, so you would select 192.168.1.200 as your new static IP address). Here is a static IP guide for individual Operating Systems. Once this step is completed, your connection to your router will be temporarily broken and then reconnected a few moments later - this is to be expected. At this point, you should restart both your router and computer(s) on your LAN (some routers do not release the previous login and will interfere with the actual port forwarding step detailed further below).
- Once your computer and router are restarted, use ipconfig or winipcfg to ensure the new static IP address is being used and continue reading the instructions on this page.
IP Forwarding Through the Broadband Modem
If your network consists of a DSL modem connected to a router and the local computers connect to the router, you may need to enable IP Passthrough on the modem.
If you are using a DSL modem that does not support IP Passthrough, it may be necessary to forward the required ports to your router manually. You will first need to find out the IP address of your router. Usually this can be found by logging in to your router and looking at its status page. Once you have your router's IP address, you will need to log in to your DSL modem and find the "Port Forwarding" section (probably under "Advanced Settings"). You will now need to create a rule that will forward the port you are using for Azureus to the router.
If you have not port forwarded from your modem to your router, it will be pointless to port forward from the router to your computer as the TCP traffic from Azureus will never even make it past the modem to the router.
Port Forwarding Through The Router
At this point you should now have a static internal/private IP address for the computer that is running Azureus. Log into your router's configuration table so that we may actually port forward. Depending on the device's manufacturer and the model itself, the "place" where you do the forwarding will differ: NAT, NATP, Custom Services, and Virtual Server are the most commonly named sections, though it's entirely feasible yours is named something else, but the fundamental procedure for creating a port forwarding rule is more or less the same and self-explanatory.
You may be lucky and find a step-by-step guide for this procedure at http://www.portforward.com/routers.htm . Select your particular model from the list, go to Port Forwarding the (your modem/router model), and then select the Default Guide link.
- The Rule will need a unique Service Name or a Number to identify it.
- The Rule will need to know what port number to have forwarded to it.
- If the option asks for a range, simply input the same number for From and To (example: From: 56912 To: 56912).
- The Rule will need to know which protocol to use for that port. Use both TCP and UDP.
- Azureus requires the TCP protocol for "regular" incoming data transmissions.
- Azureus (2.3.0.0 and newer) requires the UDP protocol to be enabled for DHT to function properly.
- If the router does not ask for one protocol or the other, it should be safe to assume it defaults to using both.
- If the router only allows you to choose one protocol or the other, then you will need to create two rules for that port (use a different Service Name or Number), one for each protocol.
- The Rule will need to know which IP address to forward to. You will, of course, use the static IP address you have already assigned yourself.
- The Rule will need to be enabled, and then saved/applied.
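A pre-flight check of the values gathered in the steps above, written as an added example (it is not part of the original guide). The plan layout and field names are assumptions of this example; the sample values reuse the page's own DHCP range, static address and port.

```python
import ipaddress

AVOID = range(6881, 7000)        # page: avoid 6881-6999
SUGGESTED = range(49125, 65536)  # page: "any from 49125-65535 is fine"

# Constructed sample plans; the field names are assumptions of this example.
GOOD_PLAN = {
    "lan": "192.168.1.0/24", "gateway": "192.168.1.1",
    "dhcp_pool": ("192.168.1.100", "192.168.1.149"),
    "static_ip": "192.168.1.200", "port": 56912,
    "rules": [
        {"name": "Azureus-TCP", "protocols": ["tcp"], "port_from": 56912,
         "port_to": 56912, "to_ip": "192.168.1.200", "enabled": True},
        {"name": "Azureus-UDP", "protocols": ["udp"], "port_from": 56912,
         "port_to": 56912, "to_ip": "192.168.1.200", "enabled": True},
    ],
}
BAD_PLAN = dict(GOOD_PLAN, static_ip="192.168.1.120", port=6881, rules=[
    {"name": "Azureus", "protocols": ["tcp"], "port_from": 6881,
     "port_to": 6889, "to_ip": "192.168.1.120", "enabled": True},
])


def lint_plan(plan):
    """Return a list of 'code: message' strings; an empty list means no problem found."""
    problems = []
    lan = ipaddress.ip_network(plan["lan"])
    host = ipaddress.ip_address(plan["static_ip"])
    gateway = ipaddress.ip_address(plan["gateway"])
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in plan["dhcp_pool"])
    port = plan["port"]

    if port in AVOID:
        problems.append(f"port-avoided: {port} is in 6881-6999")
    elif port not in SUGGESTED:
        problems.append(f"port-unusual: {port} is outside 49125-65535")

    if host not in lan:
        problems.append(f"ip-off-lan: {host} is not in {lan}")
    elif host in (lan.network_address, lan.broadcast_address, gateway):
        problems.append(f"ip-reserved: {host} is the network, broadcast or gateway address")
    if pool_lo <= host <= pool_hi:
        problems.append(f"ip-in-dhcp-pool: {host} can be leased to another device")

    covered = set()
    for rule in plan["rules"]:
        name, lo, hi = rule["name"], rule["port_from"], rule["port_to"]
        if not rule["enabled"]:
            problems.append(f"rule-disabled: {name}")
            continue
        if ipaddress.ip_address(rule["to_ip"]) != host:
            problems.append(f"rule-wrong-target: {name} forwards to {rule['to_ip']}")
            continue
        if not lo <= port <= hi:
            problems.append(f"rule-wrong-port: {name} does not include {port}")
            continue
        if (lo, hi) != (port, port):
            # A wider range works but exposes ports Azureus does not use.
            problems.append(f"rule-port-range: {name} forwards {lo}-{hi}, only {port} is needed")
        covered.update(rule["protocols"])

    for proto in sorted({"tcp", "udp"} - covered):
        problems.append(f"proto-missing: no working rule forwards {proto.upper()}")
    names = [r["name"] for r in plan["rules"]]
    if len(names) != len(set(names)):
        problems.append("rule-name-duplicate: each rule needs a unique name")
    return problems


if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, lint_plan(plan) or "no problems found")
```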
Port Forwarding through Windows XP Internet Connection Sharing
Is your Azureus client running on a computer behind Windows XP ICS? ICS is a bad excuse for a router in quite a lot of ways but it can be configured to forward services (read: ports) to other machines in the local network.
To do it:
- On the ICS computer, open Control Panel|Network Connections.
- Right click on your Internet Connection (eg, Local Area Connection X - that accommodates your dial-up/broadband modem connection) and click Properties.
- In the "Local Area Connection X Properties" dialog, go to the Advanced tab.
- Now click the Settings... button in the Internet Connection Sharing group.
- You get the Advanced Settings dialog and a list of services.
- Click the Add... button to display the Service Settings dialog.
- For "Description of service:", type in something to remind you that this is for Azureus' Distributed DB, eg., Azureus DistDB-T.
- In the "Name or IP address ..." field, type in the local network name of the computer that is running Azureus, eg., livingroom.
- In the "External Port ..." and "Internal Port ..." fields type in the port number you have configured your Azureus to use (the port number in Azureus' Tools|Options|Connection).
- Choose TCP (should be default) and click the Ok button and you are done. You now have the DistDB-T service in your Advanced Settings dialog.
- You need UDP access to the port as well, so you have to repeat the above steps to add a UDP service. Just change the service name (eg., Azureus DistDB-U) and remember to choose UDP instead of TCP this time.
You could follow the "Make sure you really have a NAT problem" advice to check if you've done it right, but, really, the more enjoyable test is looking in "My Torrents" to see your smileys start to turn green as soon as you have closed the Advanced Settings dialog.
Port Forwarding on Linux, specifically Ubuntu
First, the earlier notes on port forwarding for your router apply as before. Computers running Ubuntu, by default, come with all the ports locked down, and you need to open the ports in Ubuntu by using the iptables command. Other flavours of Linux behave similarly.
The commands below can be entered in a root terminal session to open the ports (TCP and UDP):
iptables -I INPUT -p tcp --dport <your_port_number> -j ACCEPT
iptables -I INPUT -p udp --dport <your_port_number> -j ACCEPT
<your_port_number> is the port number you have used for port forwarding (avoid 6881-6999; any from 49125-65535 is fine).
Once you've established the port is open, you need to make the change persist through a reboot.
Create a file /etc/init.d/iptables_azureus and add the lines below:
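#!/bin/sh
# Wait for later firewall scripts to finish, then open the Azureus port (runs in the background)
(sleep 220
/sbin/iptables -I INPUT -p tcp --dport <your_port_number> -j ACCEPT
/sbin/iptables -I INPUT -p udp --dport <your_port_number> -j ACCEPT ) &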
The (sleep 220 is there to make the script wait a few minutes to allow subsequent firewall configuration scripts to run. 220 seconds is a large value and you may choose to configure a lower value. The key is that the opening of the azureus port is not countermanded by the firewall initialisation which runs later. At the end is a ) & which allows the script to let the rest of the boot continue, while the script waits.
chmod +x /etc/init.d/iptables_azureus
makes the file executable, and
update-rc.d iptables_azureus start 51 S .
links the file into the startup sequence.
Your configuration change will then persist through reboots. Further info on the startup process in this ubuntu howto
Further Ubuntu Support here
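Why the commands above use -I (insert at the top of the chain) and why the boot script waits for later firewall scripts: the INPUT chain is evaluated first-match-wins, which this added example (not part of the original guide) models. The rule dump is constructed in `iptables -S INPUT` format, and rules carrying matches other than protocol and destination port are skipped rather than evaluated, which is a simplification.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample in `iptables -S INPUT` format (not taken from a real host).
BASE = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""


def parse(dump):
    """Return (policy, rules) for the INPUT chain of an `iptables -S` dump."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif len(tok) >= 2 and tok[:2] == ["-A", "INPUT"]:
            rule = {"proto": None, "ports": None, "target": None, "other": False}
            i = 2
            while i < len(tok):
                opt = tok[i]
                val = tok[i + 1] if i + 1 < len(tok) else ""
                if opt == "-j":
                    rule["target"] = val
                    break                  # anything after -j is a target option
                if opt == "-p":
                    rule["proto"] = val
                elif opt == "--dport":
                    lo, _, hi = val.partition(":")
                    rule["ports"] = (int(lo), int(hi or lo))
                elif not (opt == "-m" and val in ("tcp", "udp")):
                    rule["other"] = True   # a match this sketch does not evaluate
                i += 1 if opt == "!" else 2
            rules.append(rule)
    return policy, rules


def verdict(policy, rules, proto, port):
    """First matching terminal rule wins; returns (target, rule number or 0 for policy)."""
    for number, r in enumerate(rules, 1):
        if r["other"] or r["target"] not in TERMINAL:
            continue
        if r["proto"] not in (None, "all", proto):
            continue
        if r["ports"] and not r["ports"][0] <= port <= r["ports"][1]:
            continue
        return r["target"], number
    return policy, 0


def add_rule(dump, spec, insert):
    """Dump after `iptables -I INPUT <spec>` (insert=True) or `iptables -A INPUT <spec>`."""
    lines = dump.strip().splitlines()
    head = [l for l in lines if l.startswith("-P")]
    body = [l for l in lines if l.startswith("-A")]
    new = "-A INPUT " + spec
    return "\n".join(head + ([new] + body if insert else body + [new]))


def open_port(dump, port, insert=True):
    """Apply the page's two commands (TCP, then UDP) to a dump."""
    for proto in ("tcp", "udp"):
        dump = add_rule(dump, f"-p {proto} --dport {port} -j ACCEPT", insert)
    return dump


def check(dump, port):
    policy, rules = parse(dump)
    return {p: verdict(policy, rules, p, port) for p in ("tcp", "udp")}


if __name__ == "__main__":
    print("before      ", check(BASE, 56912))
    print("appended -A ", check(open_port(BASE, 56912, insert=False), 56912))
    print("inserted -I ", check(open_port(BASE, 56912, insert=True), 56912))
```

A firewall script that rebuilds the chain after the rules were inserted puts the host back in the "before" state, which is the situation the sleep in the boot script is meant to avoid.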
VPNs and Windows Routing and Remote Access
VPNs
If you are connected to a VPN (Virtual Private Network) and getting a NAT error when trying to run Azureus, it is most likely due to all of your internet traffic being routed through the remote network you are connected to. It is possible to configure the remote network to allow the traffic through, but given the added overhead of a VPN, it is better to run Azureus when not connected to the VPN. Azureus will run better and your downloads will be faster.
If you have no choice and must be connected to a VPN, then you must contact the network administrator of the remote network you connect to, and discuss allowing the Azureus port through the VPN to your PC.
Note: If you're using Check Point SecuRemote Client, it will give you NAT problems even when you're NOT connected to any remote networks.
Note: If you're using the Cisco Systems VPN Client, you must disable the Stateful Firewall under Options. (It is disabled if the checkmark next to Stateful Firewall does not appear.)
To avoid the problems, go to network settings and temporarily disable it before starting Azureus. Or, if you have two network adapters, simply run the VPN client on one and Azureus on the other.
Windows Routing and Remote Access
Microsoft Windows 2000 and XP contain a service for supporting VPNs, that can cause NAT issues in Azureus if enabled. Even if you don't connect to a VPN, but this service is enabled, it can cause problems. If you're sure you don't use VPN connections, then it's safe to assume you don't need the Routing and Remote Access service enabled.
To disable the Routing and Remote Access service in Windows
- Go to the Windows Control Panel (In Windows XP, switch to Classic View if not already.)
- Open the Administrative Tools
- Open Services
- Find the Routing and Remote Access service, and double-click it.
- If the server status is 'stopped', then it is not running and it is not your problem.
- If the server status is 'started', then use the stop button to stop the service, and see if your NAT problem changes.
If this fixes your NAT problem, and the Routing and Remote Access Service's startup type is set to Automatic, change it to Manual or disabled to prevent it from running upon next reboot.
Software Firewalls
- Main article: Firewalling
Just like the wide array of routers available to consumers, so too is the list of software firewalls, and each has different features and capabilities. Because of this huge variance, we will again attempt to approach this as broadly as possible. A software firewall can offer the same protection that a router can and it can mimic the symptoms of a NAT error. So why should you use both? A router can only protect you from incoming data on certain ports - a good software firewall can monitor outbound traffic too. Consider this an added layer of security.
For those that use a software firewall on their PC, the following information applies to everyone who hopes to fix their NAT error.
- You should never have more than one software firewall installed and in use at any given time (analogy: two drivers wanting control of a steering wheel).
- In order for Azureus to run correctly, access/permission must be allowed.
- If your software firewall has options for a security level, reduce it from "high" to "medium" if it isn't already there.
- If you are using Azureus 2.3.0.4 or older, your software firewall must allow "javaw.exe" access/permission.
- If you are using the current batch of Azureus Betas or a newer stable version after it is released, you will need to allow "azureus.exe" instead.
Below is a listing of some of today's common software firewalls guides that should help. Additional information on how to open your firewall with some programs and Operating Systems here: Firewalling
- For XP SP1/SP2 firewall at http://support.microsoft.com/default.aspx?scid=kb;en-us;283673
- For Microsoft ISA 2004 Firewall http://azureus.aelitis.com/wiki/index.php/Router_configuration#Microsoft.27s_ISA_Server_2004
- For F-Secure http://firewalling.com/personalfirewalls/f-secure/f-secure.htm
- For McAfee V6.0 Firewall Plus http://firewalling.com/personalfirewalls/McAfeeV6.0FirewallPlus.htm
- For Norton Personal Firewall 2004 http://firewalling.com/personalfirewalls/nortonpersonalfirewall.htm
- For Norton Internet Security 2005 http://firewalling.com/personalfirewalls/nortoninternetsecurity2005.htm
- For Sygate Personal Firewall Pro http://firewalling.com/personalfirewalls/sygatepersonalfirewallpro.htm
- For ZoneAlarm Pro http://firewalling.com/personalfirewalls/ZoneAlarmPro.htm
- Trend Micro PC-cillin Internet Security 2006 Firewall http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=26628
Also, confirm whether or not your motherboard is based on the NF4 (nVidia nForce 4 chipset). Many of these new motherboards come with onboard firewalls that are enabled at the time the drivers are installed.
Anti-virus Programs
Some anti-virus programs are extremely sensitive to incoming data and will report "false positives" when used in conjunction with file sharing applications (though this is no reason to completely remove your anti-virus software). Instead, you should use Google and see if other users have encountered such reports. Other anti-virus programs can at times contribute to a NAT error. At the time this is being written, only one stands out, and others will be added if/when they've been confirmed.
- Norton AntiVirus 2005 and 2006 employ "internet worm protection" by default and should be either disabled or made an exception. Ideally, it would be best to make an exception for Azureus' communications.
Open Norton AntiVirus 2005 > click "Options" > click "Internet Worm Protection" > make sure "Enable Internet Worm Protection recommended" is checked > click "Trojan Rules" > uncheck "Unused Windows Services Block" (all the way at the bottom of the list) > "OK" > "OK".
Then go to General Rules within Internet Worm Protection and add a new rule that permits your Incoming TCP Listen Port (Tools > Options > Connection).
Final Thoughts
We have seen many Azureus users mistakenly enable or disable an option in Azureus without knowing what they do. While exploring your client is encouraged, some of these options may have adverse effects. Two things of note:
- In Options->Connection->Advanced Network Settings, the "bind to local IP address box" should be left empty. This is NOT the same thing as the "MAC address binding" or creating a "static IP address". This should only be used by experienced users, and those that have more than one network adapter in their computer. Be sure to press Save after clearing this box if you accidentally used it.
- On the other hand - some people have actually reported success by enabling this option. You may want to try it as a last resort (though if it doesn't solve the problem, then remember to remove it).
- Oftentimes, users will leave UPnP enabled in Azureus (it is on by default under Tools->Options->Plugins->UPnP), and simply disabling this may help clear things up when all the above steps in this guide have been taken. Be sure to press Save after disabling UPnP.
Conclusion
This page should help the vast majority of those who have encountered a NAT error while using Azureus with a "typical" setup. There are other circumstances, though, that require further investigation. More help sections will be added to this guide in time.
- Some computer owners may not realize there are two NAT enabled devices on their network (modem/router AND router).
- Some users may not have a routing device at all, but instead, are using ICS (Internet Connection Sharing) and not properly port mapping to other machines.
STILL Not Working?
Come to the IRC channel and ask for assistance there. Be patient. Be prepared to answer these questions:
- What is your Operating System?
- What is your Java Version?
- What is the exact make/model/revision of your router? (if you use one)
- Does the router employ UPnP and MAC binding?
- What is the exact make/model/revision of your broadband modem?
- What software firewall(s) do you use?
- What anti-virus program do you use?
- Which (if any) of the above steps have you already attempted and with what level of success?


