Router configuration


This page does not attempt to be a central place for advice regarding all the routers in the world. Instead, the goal is to give advice on where to find more specific advice regarding your router. In addition, advice about a few industrial network solutions is given.

Home routers and modems

Most routers and modems used in home networks have NAT functionality and you have to configure Port forwarding in them. The Port forwarding functionality is usually called Virtual server, Port forwarding or something like that.

Even if you don't have a separate router, it is quite possible that your ADSL/cable modem acts like a router and the advice applies to it.

An excellent list of home routers and modems and configuring advice for them can be found at http://www.portforward.com/

They have a browseable list of routers/modems, from which

  1. you can select your router
  2. jump over the advertisement page. (In top-right corner: Click here to skip this advertisement...)
  3. arrive at the application page, where Vuze is listed (and also 'Azureus', the old name for Vuze)
  4. select Vuze there and follow the advice about configuring your router.

Note: disregard the advice regarding port 6881. You only need to configure port forwarding for the one port you have configured Vuze to use.

Juniper Networks Netscreen 5GT

(sorry about the formatting... I am used to TWiki, if anyone can clean that up a little, I welcome the help :)

These steps will try to walk you through using the admin GUI (http). The same steps are possible using the SSH interface, but if you are in there, you should know what you are doing already :)

  1. http://192.168.0.1/ <-- Login to the admin GUI. If you don't know your admin password, you are going to need a lot more help than I can offer :)
  2. Click on Objects -> Services -> Custom (in the blue bar on the left)
  3. Define a Service for "torrent"
    • Click the "New" button on the top right
    • Service Name: torrent
    • Service Timeout: Use Protocol Default
    • In the table:
        • Transport Protocol: TCP, Destination Port: Low: 56881 / High: 56881
        • Transport Protocol: UDP, Destination Port: Low: 56881 / High: 56881
        • Press OK
        • Tip: I realize UDP isn't used yet, but trust me, just configure it now and save yourself trouble later.
  4. Define a service for "tracker" (if desired)
    • Click the "New" button on the top right
    • Service Name: tracker
    • Service Timeout: Use Protocol Default
    • In the table:
        • 1: Transport Protocol: TCP, Destination Port: Low: 56969 / High: 56969
        • Press OK
  5. Define a service for "tracker-ssl" (if desired)
    • Click the "New" button on the top right
    • Service Name: tracker-ssl
    • Service Timeout: Use Protocol Default
    • In the table:
        • 1: Transport Protocol: TCP, Destination Port: Low: 57000 / High: 57000
        • Press OK
  6. Click on Groups under Objects -> Services in the blue bar at the left.
  7. Define a new Service Group for all Bit Torrent services just defined (this will make the policy easier later)
    • Click New in the top right
    • Group Name: Bit Torrent
    • Comment: whatever
    • Select the services you have recently created (torrent, tracker, tracker-ssl) and use the "<<<" to move them into the group.
    • Click OK
  8. Click on Network -> Interfaces (blue bar on the left)
  9. Click "Edit" on the interface that is your "outside" interface... mine is Ethernet3
  10. Click "VIP" in the links at the top
  11. Define VIP Service for "torrent"
    • Click "New VIP Service" in the top right
    • Virtual IP: (your external IP)
    • Virtual Port: 56881
    • Map to Service: torrent (56881)
    • Map to IP: (your desktop IP) .. mine is 192.168.0.51
    • Server Auto Detection (some people say to uncheck this.. I don't seem to have problems either way)
    • Click OK
  12. Define VIP Service for "tracker"
    • Click "New VIP Service" in the top right
    • Virtual IP: (your external IP)
    • Virtual Port: 56969
    • Map to Service: tracker (56969)
    • Map to IP: (your desktop IP) .. mine is 192.168.0.51
    • Server Auto Detection (some people say to uncheck this.. I don't seem to have problems either way)
    • Click OK
  13. Define VIP Service for "tracker-ssl"
    • Click "New VIP Service" in the top right
    • Virtual IP: (your external IP)
    • Virtual Port: 57000
    • Map to Service: tracker-ssl (57000)
    • Map to IP: (your desktop IP) .. mine is 192.168.0.51
    • Server Auto Detection (some people say to uncheck this.. I don't seem to have problems either way)
    • Click OK
  14. Define a Policy to allow the BitTorrent Services in...
    • Click Wizards -> Policy
    • From Source Zone: UNTRUST
    • To Destination Zone: home
    • NEXT
    • Leave Source Address at ANY
    • Destination Address: VIP::1
    • NEXT
    • Service: BitTorrent (the group we made earlier)
    • Action: Permit
    • NEXT
    • DO NOT SELECT ANYTHING IN THE NAT PAGE
    • NEXT
    • Suggest not selecting anything in this page either
    • NEXT
    • Authentication: NONE
    • NEXT
    • Schedule: NONE
    • NEXT
    • Review the policy rule...
    • Click NEXT
    • Click FINISH
      • YOU ARE DONE!

(uh don't forget to unblock the ports on any host-based firewalls as well)

Cisco IOS

In IOS, port forwarding is called 'static NAT mapping'. To generate this mapping, the following syntax will do:

router#configure terminal
router(config)#ip nat inside source static tcp <inside IP address> 6881 interface <outside interface> 6881

Modulo firewall access-lists, that ought to do it, though some explanations are in order:

<inside IP address> is the IP address of the computer on which your BitTorrent client (Azureus) is running.

<outside interface> refers to the interface connected to the ISP (this could be the DSL interface or whatever; use "show ip interface brief" for a list of interfaces and IP addresses).

6881 is, of course, the port for Azureus. If you are not using 6881, replace this with whatever port you are using. Note that 6881 appears on the line twice. Make sure they are both the same (unless you want to forward to a different port, but I doubt that will work for BitTorrent clients, which advertise the port they are running on to the outside world).

For UDP, replace the 'tcp' keyword with the keyword 'udp'. The rest stays the same.

An example:

ip nat inside source static tcp 10.0.0.10 6881 interface FastEthernet0 6881
ip nat inside source static udp 10.0.0.10 6881 interface FastEthernet0 6881

In this example, 10.0.0.10 is the IP address of my machine running azureus. The interface connected to the ISP (the cable modem in this case) is FastEthernet0.

NOTE: Make sure to open a hole for port 6881 (tcp and udp, if udp is mapped). If you have a firewall running on the outside interface (a likely scenario), add "permit tcp any any eq 6881" to the firewall access-list BEFORE any 'deny all' statements. One simple way to do this is to run "show ip access-list <list-name>", where <list-name> refers to the access-list on the outside interface (which would look like "ip access-group foo in", where foo is the list-name and 'in' tells it to apply it to incoming traffic). The output from the show command above will have numbers in the first column, like 10, 20, 30, etc. If you need to insert a line in the middle, pick a number between the two lines you want to insert between, e.g. 25 if you want to get in between 20 and 30. For example:

router#configure terminal
router(config)#ip access-list extended foo
router(config-ext-nacl)#25 permit tcp any any eq 6881

If you want udp, do the same (with a different line number) for udp instead of tcp.

That should do it.

DISCLAIMER: This works for me on a 1700 router, running 12.3(8)T5. It should work with anything reasonably recent, but I don't have the information to tell "as of version X.Y". Nor can I guarantee that this will work with other esoteric configurations involving vlans (though my 1700 uses some), vrf's, DSL, whatever. Your mileage may vary. Good luck!
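
The two rules in this section (forward only the port the client uses, and place the permit before any deny-all) can be checked against a saved running-config. The following Python audit is an added example, not part of the original wiki page: the sample config, the stale 56969 forward and the function names are constructed for illustration, and it only understands the "ip nat inside source static ... interface" and "permit <proto> any any eq <port>" line forms shown above.

```python
import re

# Constructed running-config excerpt; addresses, ports and the ACL name are sample values.
SAMPLE = """\
ip nat inside source static tcp 10.0.0.10 6881 interface FastEthernet0 6881
ip nat inside source static udp 10.0.0.10 6881 interface FastEthernet0 6881
ip nat inside source static tcp 10.0.0.10 56969 interface FastEthernet0 56969
!
ip access-list extended foo
 permit tcp any any eq 6881
 deny ip any any
 permit udp any any eq 6881
"""

NAT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
PERMIT = re.compile(r"^(?:\d+ )?permit (tcp|udp) any any eq (\d+)$")
DENY_ALL = re.compile(r"^(?:\d+ )?deny ip any any$")

def forwards(config):
    """Static NAT mappings as {(proto, outside_port): (inside_ip, inside_port)}."""
    found = {}
    for line in config.splitlines():
        if (m := NAT.match(line.strip())):
            found[(m.group(1), int(m.group(5)))] = (m.group(2), int(m.group(3)))
    return found

def permits(config, acl):
    """(proto, port) pairs the named ACL permits before its first deny-all entry."""
    allowed, inside = set(), False
    for line in config.splitlines():
        if not line.startswith(" "):       # a top-level command starts or ends the ACL block
            inside = line.strip() == f"ip access-list extended {acl}"
        elif inside and DENY_ALL.match(line.strip()):
            break                          # entries after the deny-all are never reached
        elif inside and (m := PERMIT.match(line.strip())):
            allowed.add((m.group(1), int(m.group(2))))
    return allowed

def audit(config, acl, expected):
    """Compare forwards and ACL holes with the (proto, port) set the client really uses."""
    fwd, ok = forwards(config), permits(config, acl)
    return {
        "blocked_by_acl": sorted(k for k in fwd if k not in ok),
        "unexpected_forward": sorted(k for k in fwd if k not in expected),
        "permit_without_forward": sorted(ok - set(fwd)),
    }
```

Calling audit(SAMPLE, "foo", {("tcp", 6881), ("udp", 6881)}) reports the UDP mapping as blocked because its permit sits after the deny-all, and reports the 56969 mapping as a forward the client does not need.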


Microsoft's ISA Server 2004

Configuring BitTorrent's ports on ISA is very simple. You only have to create BitTorrent Protocol definitions, a new Access Rule and a Server Publishing Rule. You can skip the Server Publishing Rule if you do not plan to host a tracker. It all boils down to these simple steps:

1. Create three new protocols (please note that I assume that you are using port range 5973-5983)

  a) Azureus TCP Outbound
     Primary, TCP, Outbound (ports 5973-5983)
     Secondary, TCP, Inbound (ports 5973-5983)
  b) Azureus TCP Inbound
     Primary, TCP, Inbound (ports 5973-5983)
     Secondary, TCP, Outbound (ports 5973-5983)

P.S. ISA Server 2004 (2006) does not allow simultaneous inbound and outbound TCP connections "all in one" for a "non-server protocol", so create these rules:

  a) "P2P client name" TCP Inbound
     Primary TCP Inbound (ports xxxxx - xxxxx)
     Secondary UDP SendReceive (ports xxxxx - xxxxx)
     Secondary UDP ReceiveSend (ports xxxxx - xxxxx)

(Use this for Publishing Rules)

  b) "P2P client name" TCP Outbound
     Primary TCP Outbound (ports xxxxx - xxxxx)
     Secondary UDP SendReceive (ports xxxxx - xxxxx)
     Secondary UDP ReceiveSend (ports xxxxx - xxxxx)

(Use this for Access Rules)


  c) Azureus UDP
     Primary, UDP, SendReceive (ports 5973-5983)
     Secondary, UDP, SendReceive (ports 5973-5983)

2. Create access rule

  action: allow
  protocols: all created at step 1.
  from: internal network
  to: external network
  users: users that are allowed to use Azureus

3. Edit Firewall Client Application Settings. From Microsoft ISA 2004 Server Management Console open Configuration>>General>>Define Firewall Client Application Settings. Add two new settings

  a) application: Azureus
     key: ServerBindTcpPorts
     value: 5973-5983
  b) application: Azureus
     key: RemoteBindUdpPorts
     value: 5973-5983

4. Apply the settings on the ISA server to make them effective.

5. Enable firewall client on the client machines and setup Azureus to use tcp and udp ports in range 5973-5983.

Now you are ready to use Azureus behind ISA Server 2004 and there should be no NAT problems (i.e. you get green smileys). If you also want to host the tracker, you have to follow one more simple step, i.e. creating a server publishing rule.

To create your server publishing rule, start the server publishing rule wizard and call the server "BitTorrent (Server)". Enter the local IP address of the server that will be running your BitTorrent client. Select the "BitTorrent (Server)" protocol definition we have defined earlier and then select the networks you want to start the listener on. Click Finish and the Apply button to activate your changes to your ISA server and you are ready to start using BitTorrent on your network.