To fix a NAT issue, you have to consider multiple factors that can cause it. Here's a quick outline of what you have to do; for more detailed explanations and instructions have a look at the next chapter.
There are several causes of reachability problems:
- Routers/Broadband modems
- a) Devices without UPnP or NAT-PMP
- you have to set your PC to a static IP (i.e. don't use DHCP) or use your router's MAC-address binding to allocate a specific IP to your network card
- log into your router (if you don't know its address read the manual or determine the gateway address, which should be the address of your router)
- Setup port forwarding by setting up rules to forward Vuze' listening ports (UDP and TCP) as external ports to the IP of your computer and the same ports on your computer.
- Note: The exact wording is different for each router, thus it might be called port forwarding, opening pinholes through the firewall, NAT rules, virtual server or something else.
- Turn off UPnP in Vuze in Tools > Options > Plugins > UPnP, since it may confuse some routers that do not support or correctly support UPnP.
- b) Devices with UPnP/NAT-PMP
- Just enable the UPnP/NAT-PMP plugin under tools -> options -> plugins -> UPnP and set it to report everything to get some feedback, once it works you can turn the messages off again. Sadly some routers that claim to support UPnP don't interoperate with Vuze correctly, if that's the case have a look at point a).
- a) Devices without UPnP or NAT-PMP
- Software firewalls and antivirus software including firewalls:
- If the firewall is port based you have to allow incoming connections to the UDP and TCP ports used by Vuze (tools -> options -> connection)
- For application-based firewalls you have to allow Vuze.exe (or javaw.exe) to access the internet and accept incoming connections
- Some firewalls have a generic setting to prevent incoming (WAN) connections, this should be disabled too
- 1 Quick outline
- 2 Detailed guideline
- 3 Understand what a NAT problem is
- 4 Fix your NAT problem
- 4.1 Routers And NAT Enabled Broadband Modems
- 4.2 VPNs and Windows Routing and Remote Access
- 4.3 Software Firewalls
- 4.4 Anti-virus Programs
- 4.5 Mobile/3G/satellite connections
- 4.6 Final Thoughts
- 5 Conclusion
Understand what a NAT problem is
Basically, a Network Address Translation problem is caused by a router not being able to do what it's supposed to; it is not correctly re-directing data it has received from the outside world to a computer that is connected to it (the one running Vuze in this case).
Can this page assist you to resolve the NAT issue? That entirely depends on several factors. Every computer out there is set up slightly differently - different makes/models of modems and/or routers, different software firewalls, different antivirus programs, receiving service from different providers - these are all factors that must be considered when attempting to solve a NAT error. We'll attempt to approach a NAT problem broadly so as to encompass and help as many users as possible. Below we'll cover some basic terminology and acronyms before you actually give it a shot.
- ISP: Internet Service Provider
- Router: A device that forwards data packets along networks. A router is connected to at least two networks, commonly two LANs (Local Area Networks), WANs (Wide Area Network), WLANs (Wireless LAN), or a LAN and its ISP’s network. Routers are located at gateways, the places where two or more networks connect. Routers use headers and forwarding tables to determine the best path for forwarding the packets, and they use protocols such as TCP/UDP to communicate with each other and configure the best route between any two hosts.
- IP Address: Internet Protocol Address. This is a unique string of numbers that identifies a computer or server on the Internet. These numbers are normally shown in groups separated by periods (example: 18.104.22.168 is Google's IP address).
- Public IP Address: An address that is given to you by your service provider when you connect to them. The majority of users have a dynamic public IP address (this can change every time a connection is established).
- Private IP Address: An address that can be assigned by a router or your Operating System for your connection to a LAN, WAN, or WLAN. The world will never see this address and can be made static (this will never change once set up correctly).
- DHCP: Dynamic Host Configuration Protocol. Used for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. DHCP also supports a mix of static and dynamic IP addresses.
- DHCP Pool/Range: The available addresses a router is instructed to use when automatically assigning IP addresses to devices. Example: LinkSys routers almost all default with a starting IP address of 192.168.1.100 with 50 available users, effectively making the range 192.168.1.100 - 192.168.1.149
- MAC Address: Media Access Control Address (sometimes referred to as a device's physical address). MAC addresses are a unique code assigned to most forms of networking hardware (for example: A0:99:E3:76:BE:01). The address is permanently assigned to the hardware (network cards/wireless adapters/routers) to act as a security feature for limiting access on closed networks. This is extremely useful when securing a wireless network.
- MAC Address Binding: An option on some routers to bind a MAC address to an IP address on a closed LAN or WAN network. When available, this method can be used to create a static IP address for port forwarding purposes.
- UPnP: Universal Plug 'n Play. A technological stab at attempting to make networking devices a simple task. This has been met by mixed reviews and levels of effectiveness by manufacturers and consumers. Your network hardware and Operating System may or may not properly employ this technology.
- Port Forwarding: The act of forwarding a network port from one machine to another. One use of this technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.
- Port Triggering: This allows computers behind a NAT-enabled router access to a special server or use a special application on the Internet using a specified port number. While similar to port forwarding, it is not recommended for usage with bittorrents due to the timing discrepencies involved with a port constantly being told to open with so many connections being generated. It has more functions for gaming servers.
- DMZ: The De-Militarized Zone. When this option is enabled in a router, the computer is now outside of the internal/protected network. Since a DMZ'd computer will be open to allow public access to services, it is considered extremely insecure and dangerous. Do NOT use DMZ in lieu of port forwarding.
Fix your NAT problem
So you really have a NAT problem and never get green smilies and you are not using one of those Internet service providers that do not like file sharing? OK, read on.
- Please Note: If you are using file sharing where you have no access to the router (corporate or campus network, public WLAN from a cyber-cafe or a neighbor, or a housing development where everyone shares the connection), you must contact the network administrator.
You want to select a port that will forward incoming data to your computer's IP address using the port of choice, and ensure that software firewalls and antivirus programs do not interfere. If you skimmed the above passages, you may be confused by the following procedures. You should read the entire page before proceeding.
If you know you own a router, continue reading this page in its intended order.
If you own a router and you are absolutely positive it properly supports UPnP, enable UPnP in Vuze (Tools->Options->Plugins->UPnP) and try the nat/firewall test again. If this doesn't work, skip down to the Software Firewall section.
If you are unsure as to whether or not you own a router (some broadband modems have routers with NAT features built-in), consult your ISP or see your modems manual.
- A simple test for Windows operating system users is to use ipconfig (win2K/XP) or winipcfg (win9X/ME). Go to Start>Run (or hold the Windows key and hit "r"), and type in the command "cmd /k ipconfig" or "winipcfg.exe" without the quotes, then press the Enter key. If the Default Gateway starts with 10.*.*.*, 172.*.*.* or 192.*.*.*, then it is very likely that there is a router involved.
- Apple Mac 8.x/9.x: Pull down the Apple menu, select Control Panels. Open the control panel TCP/IP. Look for the line Router address.
- Apple Mac OS X: use either of the following methods:
- Pull down the Apple menu, select System Preferences, click Network. In the pull-down Show: select the network interface in use. Click tab TCP/IP and look for the line Router.
- Leopard (10.5.x): Apple menu > System Preferences > Network. From list on the left select your connection (Ethernet, AirPort, etc.), which is probably already selected. Click "Advanced" button and from there the TCP/IP tab. The "Router" line will have an IP address listed if you are connected through a router.
- Open a Terminal window, type the command ipconfig getoption en0 router (where en0 is the name of the interface in use)
- Pull down the Apple menu, select System Preferences, click Network. In the pull-down Show: select the network interface in use. Click tab TCP/IP and look for the line Router.
If you are positive you do not own a router or a broadband modem with NAT features, please skip down to the Software Firewall section.
Routers And NAT Enabled Broadband Modems
- Ensure you are using a port number that is not already reserved by a computer process or PC on your network, or that is possibly being blacklisted/throttled by your ISP. (Avoid 6881-6999. Anything from 49160-65534 is fine)
- Create a static IP address for the computer that is running Vuze.
- Log into your router's configuration table. This is normally done by typing the router's Gateway Address into your browser's URL edit box and pressing the Enter key. You should be prompted for a username/password before proceeding. If you don't know the information, consult your owner's manual or ISP if it originated from them. (Note: some devices require utilizing Telnet for access and forwarding; the steps will be left out here due to their uniqueness. Again, refer to the owner's manual for the correct procedure).
- If your router supports MAC address binding, do so save/apply your changes, and skip down to the "Port Forwarding Through The Router" section.
- If your router does not use MAC address binding, disable or limit the DHCP range in the router, then create a static IP address for your computer that is OUTSIDE the router's DHCP server's IP pool/range (example: the DHCP range is 192.168.1.100 - 192.168.1.149 .. you would select 192.168.1.200 as your new static IP address). Here is a static IP guide for individual Operating Systems. Once this step completed, your connection to your router will be temporarily broken and then reconnected a few moments later - this is to be expected. At this point, you should restart both your router and computer(s) on your LAN (some routers do not release the previous login and will interefere with the actual port forwarding step detailed further below).
- Once your computer and router are restarted, use ipconfig or winipcfg to ensure the new static IP address is being used and continue reading the instructions on this page.
Port Forwarding Through The Router
At this point you should now have a static internal/private IP address for the computer that is running Vuze. Log into your router's configuration table so that we may actually port forward. Depending on the device's manufacturer and the model itself, the "place" where you do the forwarding will differ: NAT, NATP, Custom Services, and Virtual Server are the most commonly named sections, though it's entirely feasible yours is named something else, but the fundamental procedure for creating a port forwarding rule is more or less the same and self-explanatory.
You may be lucky and find a step-by-step guide for this procedure at http://www.portforward.com/routers.htm . They have an excellent list of home routers and modems and configuring advice for them. They have a browseable list of routers/modems, from which
- you can select your router
- jump over the advertisement page. (In top-right corner: Click here to skip this advertisement...)
- arrive to the application page, where Vuze is listed (and also 'Azureus', the old name for Vuze)
- select Vuze there and follow the advice about configuring your router.
Typically a forwarding rule for a router contains at least these elements:
- The Rule will need a unique Service Name or a Number to identify it.
- The Rule will need to know what port number to have forwarded to it.
- If the option asks for a range, simply input the same number for From and To (example: From: 56912 To: 56912).
- The Rule will need to know which protocol to use for that port. Use both TCP and UDP.
- Vuze requires the TCP protocol for "regular" incoming data transmissions.
- Vuze (22.214.171.124 and newer) requires the UDP protocol to be enabled for DHT to function properly.
- If the router does not ask for one protocol or the other, it should be safe to assume it defaults to using both.
- If the router only allows you to choose one protocol or the other, then you will need to create two rules for that port (use a different Service Name or Number), one for each protocol.
- The Rule will need to know which IP address to forward to. You will, of course, use the static IP address you have already assigned yourself.
- The Rule will need to be enabled, and then saved/applied.
Port forwarding with two routers
If you have both a smart NATting modem and a NATting router/basestation, or two NAT routers, you may need to configure port forwarding in both of them.
You need to set port forwarding at each router all the way from "public internet" upto your PC, always setting the forward to the next device inwards (from smart modem to router, and from router to PC). See an explanation here: http://www.portforward.com/help/doublerouterportforwarding.htm
If you have not port forwarded from your modem to your router, it will be pointless to port forward from the router to your computer as the TCP traffic from Vuze will never even make it past the modem to the router.
A clear sign of the need for double router port forwarding is if your router has a private IP address also on its WAN/ADSL/internet side (whatever it is called in router status/config screens). "Private" IP address ranges are 10.x.x.x, 172.x.x.x and 192.168.x.x, and IP addresses inside those areas are different from other addresses, as they can not be reached from outside without port forwarding.
Port Forwarding through Windows XP Internet Connection Sharing
Is your Vuze client running on a computer behind Windows XP ICS? ICS is a bad excuse for a router in quite a lot of ways but it can be configured to forward services (read: ports) to other machines in the local network.
To do it:
- On the ICS computer, open Control Panel|Network Connections.
- Right click on your Internet Connection (eg, Local Area Connection X - that accommodates your dial-up/broadband modem connection) and click Properties.
- In the "Local Area Connection X Properties" dialog, go to the Advanced tab.
- Now click the Settings... button in the Internet Connection Sharing group.
- You get the Advanced Settings dialog and a list of services.
- Click the Add... button to display the Service Settings dialog.
- For "Description of service:", type in something to remind you that this is for Vuze' Distributed DB, eg., Vuze DistDB-T.
- In the "Name or IP address ..." field, type in the local network name of the computer that is running Vuze, eg., livingroom.
- In the "External Port ..." and "Internal Port ..." fields type in the port number you have configured your Vuze to use (the port number in Vuze' Tools|Options|Connection).
- Choose TCP (should be default) and click the Ok button and you are done. You now have the DistDB-T service in your Advanced Settings dialog.
- You need UDP access to the port as well, so you have to repeat the above steps to add a UDP service. Just change the service name (eg., Vuze DistDB-U) and remember to choose UDP instead of TCP this time.
You could follow the "Make sure you really have a NAT problem" advice to check if you've done it right, but, really, the more enjoyable test is looking in "My Torrents" to see your smileys start to turn green as soon as you have closed the Advanced Settings dialog.
Port Forwarding on Linux, specifically Ubuntu
Firstly the earlier notes on port forwarding for your router apply as before. Computers running Ubuntu, by default, come with all the ports locked down and you need to open the ports in ubuntu by using the iptables command. Other flavours of linux behave similarly
The commands below can be entered in a root terminal session to open the ports (TCP and UDP)
iptables -I INPUT -p tcp --dport <your_port_number> -j ACCEPT
iptables -I INPUT -p udp --dport <your_port_number> -j ACCEPT
<your_port_number> is the port number you have used for port forwarding (Avoid 6881-6999, any from 49125-65535 is fine)
Once you've established the port is open you need to make the change persist through a reboot; edit file /etc/rc.local and add the lines below:
sleep 220 /sbin/iptables -I INPUT -p tcp --dport <your_port_number> -j ACCEPT /sbin/iptables -I INPUT -p udp --dport <your_port_number> -j ACCEPT
The sleep 220 is there to make the script wait a few minutes to allow subsequent firewall configuration scripts to run. 220 seconds is a large value and you may choose to configure a lower value. The key is that the opening of the Vuze port is not countermanded by the firewall initialisation which runs later.
Your configuration change will now persist through reboots. Further info on the startup process in this ubuntu howto
Futher Ubuntu Support here
VPNs and Windows Routing and Remote Access
If you are connected to a VPN (Virtual Private Network) and getting a NAT error when trying to run Vuze, it is most likely due to all of your internet traffic being routed through the remote network you are connected to. It is possible to configure the remote network to allow the traffic through, but given the added overhead of a VPN, it is better to run Vuze when not connected to the VPN. Vuze will run better and your downloads will be faster.
If you have no choice and must be connected to a VPN, then you must contact the network administrator of the remote network you connect to, and discuss allowing the Vuze port through the VPN to your PC.
Note: If you're using Check Point SecuRemote Client, it will give you NAT problems even when you're NOT connected to any remote networks.
Note: If you're using the Cisco Systems VPN Client, you must disable the Stateful Firewall under Options. (It is disabled if the checkmark next to Stateful Firewall does not appear.)
To avoid the problems, go to network settings and temporarily disable it, before starting Vuze. Or, if you have two network adapters, simply run the VPN client on one, and Vuze on the other.
Windows Routing and Remote Access
Microsoft Windows 2000 and XP contain a service for supporting VPNs, that can cause NAT issues in Vuze if enabled. Even if you don't connect to a VPN, but this service is enabled, it can cause problems. If you're sure you don't use VPN connections, then it's safe to assume you don't need the Routing and Remote Access service enabled.
To disable the Routing and Remote Access service in Windows
- Go to the Windows Control Panel (In Windows XP, switch to Classic View if not already.)
- Open the Administrative Tools
- Open Services
- Find the Routing and Remote Access service, and double-click it.
- If the server status is 'stopped', then it is not running and it is not your problem.
- If the server status is 'started', then use the stop button to stop the service, and see if your NAT problem changes.
If this fixes your NAT problem, and the Routing and Remote Access Service's startup type is set to Automatic, change it to Manual or disabled to prevent it from running upon next reboot.
- Main article: Firewalling
Just like the wide array of routers available to consumers, so too is the list of software firewalls, and each has different features and capabilities. Because of this huge variance, we will again attempt to approach this as broadly as possible. A software firewall can offer the same protection that a router can and it can mimic the symptoms of a NAT error. So why should you use both? A router can only protect you from incoming data on certain ports - a good software firewall can monitor outbound traffic too. Consider this an added layer of security.
For those that use a software firewall on their PC, the following information applies to everyone who hopes to fix their NAT error.
- You should never have more than one software firewall installed and in use at any given time (analogy: two drivers wanting control of a steering wheel).
- In order for Vuze to run correctly, access/permission must be allowed.
- If your software firewall has options for a security level, reduce it from "high" to "medium" if it isn't already there.
- If you are using Vuze 126.96.36.199 or older, your software firewall must allow "javaw.exe" accesss/permission.
- If you are using the current batch of Vuze Betas or a newer stable version after it is released, you will need to allow "Vuze.exe" instead.
Below is a listing of some of today's common software firewalls guides that should help. Additional information on how to open your firewall with some programs and Operating Systems here: Firewalling
- For XP SP1/SP2 firewall at http://support.microsoft.com/default.aspx?scid=kb;en-us;283673
- For Microsoft ISA 2004 Firewall http://Vuze.aelitis.com/wiki/index.php/Router_configuration#Microsoft.27s_ISA_Server_2004
- For F-Secure http://firewalling.com/personalfirewalls/f-secure/f-secure.htm
- For McAfee V6.0 Firewall Plus http://firewalling.com/personalfirewalls/McAfeeV6.0FirewallPlus.htm
- For Norton Personal Firewall 2004 http://firewalling.com/personalfirewalls/nortonpersonalfirewall.htm
- For Norton Internet Security 2005 http://firewalling.com/personalfirewalls/nortoninternetsecurity2005.htm
- For Sygate Personal Firewall Pro http://firewalling.com/personalfirewalls/sygatepersonalfirewallpro.htm
- For ZoneAlarm Pro http://firewalling.com/personalfirewalls/ZoneAlarmPro.htm
- Trend Micro PC-cillin Internet Security 2006 Firewall http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=26628
Also, confirm whether or not your motherboard is based on the NF4 (nVidia nForce 4 chipset). Many of these new motherboards come with onboard firewalls that are enabled at the time the drivers are installed.
Some anti-virus programs are extremely sensitive to incoming data and will report "false positives" when used in conjunction with file sharing applications (though this is no reason to completely remove your anti-virus software). Instead, you should use Google and see if other users have encountered such reports. Other anti-virus programs can at times contribute to a NAT error. At the time this is being written, only one stands out, and others will be added if/when they've been confirmed.
- Norton AntiVirus 2005 and 2006 employ "internet worm protection" by default and should be either disabled or made an exception. Ideally, it would be best to make an exception for Vuze' communications.
Open Norton AntiVirus 2005 - Click "Options"-- Click "Internet Worm Protection"--- Make sure "Enable Internet Worm Protection recommended" is checked.--- Click "Trojan Rules"---- Uncheck "Unused Windows Services Block", (all the way at the bottom of the list)----"OK"---"OK"
goto general rules within the internet worm protection,add a new rule, you need to permit your Incoming TCP Listen Port(tools-options-connection)
Very often the various mobile internet connections, either through 3G/mobile dongles or satellite dishes, have been limited by the ISPs network architecture to only have private IP addresses.
If your "outermost" device, e.g. the 3G modem, has a private IP address (10.x.x.x, 172.16-31.x.x and 192.168.x.x) in its config/status screens as WAN/internet address, then it has been given by ISP's network and there isn't much you can do. As you have no config access to ISPs routers, you might have to live with the yellow smileys and the NAT problem.
- Note: Vuze NAT test will not find this out, as it will always show the first real public IP address it reaches. In the case of mobile dongles with private addresses, the shown IP address is probably a router somewhere at the ISP.
We have seen many Vuze users mistakenly enable or disable an option in Vuze without knowing what they do. While exploring your client is encouraged, some of these options may have adverse effects. Two things of note:
- In Options->Connection->Advanced Network Settings, the "bind to local IP address box" should be left empty. This is NOT the same thing as the "MAC address binding" or creating a "static IP address". This should only be used by experienced users, and those that have more than one network adapter in their computer. Be sure to press Save after clearing this box if you accidentally used it.
- On the other hand - some people have actually reported success by enabling this option. You may want to try it as a last resort (though if it doesn't solve the problem, then remember to remove it).
- Oftentimes, users will leave UPnP enabled in Vuze (it is on by default.. Tools->Options->Plugins->UPnP), and simply disabling this may help clear things up when all the above steps in this guide have been taken. Be sure to press Save after disabling UPnP.
This page's purpose should help the vast majority of those who have encountered a NAT error while using Vuze with a "typical" setup. There are other circumstances, though, that require further investigation. More help sections will be added to this guide in time.
- Some computer owners may not realize there are two NAT enabled devices on their network (modem/router AND router).
- Some users may not have a routing device at all, but instead, are using ICS (Internet Connection Sharing) and not properly port mapping to other machines.
STILL Not Working?
Come to the Vuze forums and ask for assistance there. Be patient. Be prepared to answer these questions:
- What is your Operating System?
- What is your Java Version?
- What is the exact make/model/revision is your router? (if you use one)
- Does the router employ UPnP and MAC binding?
- What is the exact make/model/revision of your broadband modem?
- What software firewall(s) do you use?
- What anti-virus program do you use?
- Which (if any) of the above steps have you already attempted and with what level of success?
Special case: Only private IP addresses
- If your ISP is using NAT itself, it may be impossible to get the NAT/Firewall test to work because it is being cut off at your ISP. Some ISPs (especially mobile/cellular/3G service providers) use carrier grade NAT, meaning they only give users private IP address from those private ranges and then users are most likely doomed to live with yellow faces. (Note: Vuze NAT test will not find this out, as it will always show the first real public IP address it reaches.) If your "outermost" device has a private IP address (10.x.x.x, 172.x.x.x and 192.168.x.x) in its config/status screens as its outer WAN/internet address, then it has been given by ISP's network and there isn't much you can do.