Firewall Rules for Beta Software Server
September 8, 2020 at 9:29 pm (@bbotello)
I have looked through the online documentation and I am having a difficult time finding the firewall rules necessary to connect to the beta software server named “Mix Server Nürnberg.” I need to put in a request with our security office to open ports on an edge firewall to allow access to this server for several client machines. Can I get the following information:
– Which ports with protocols need to be open outgoing on the SoundJack clients to connect to the software server?
– Which ports with protocols need to be open incoming on the SoundJack clients to accept traffic from the software server or other SoundJack clients?
– What is the IP address, or addresses, for the software server(s)?
Thank you in advance for your help, it is much appreciated.
September 9, 2020 at 11:38 pm (@bbotello)
Thanks Mike! I did see that section in the documentation. I’m trying to get a little more detailed information for my security office so they can build firewall rules. The port number is super helpful though. 🙂
September 11, 2020 at 1:35 am (@oconnorstp)
Sorry it took me so long to get back to you.
Soundjack will often work without a firewall port open on your end, because you’re initiating the connection to the server. Have you tried connecting to the Nürnberg server?
Oof! I just realized that the FAQ kinda got garbled during the transition to the new server. Here’s a recap of the port-forwarding stuff that might cheer up your security team. The very last line is the reason I was asking whether you’d tried to connect to Nürnberg. It should be possible, because Nürnberg is wide open, so you should be able to connect to it even if no ports are open at your end. I hope this (retyped) version helps.
– – – from FAQ
Soundjack provides a very helpful tool to check the port-forwarding configuration of your router. The behavior of your router’s NAT (network address translation) is displayed as a three-digit number in brackets behind the UDP-Port2-Info at the “i”-symbol tooltip.
<picture of the i-symbol tooltip>
The first number indicates whether the default port is being changed from 50050 to anything else. Here are the possible values:
“1” – NAT preserves the outbound port
“3” – NAT changes the outbound port.
The second number indicates port filtering. Here are the possible values:
“1” or “3” – the outbound port can be reached by an external sender
“8” – Soundjack assumes that the sender’s address has previously been used as the destination
The third number (port mapping) relates to the first number. Here are possible values:
“1” – port remains the same for additional connections
“8” – port changes for each new connection
Thus “111” can be considered a completely open NAT while “388” is the most restrictive type. However, if one peer of a bidirectional connection is “388” and the other is “111” it is possible to establish a link because the “111” will know the outbound port of the “388” NAT and will in turn use it as the destination (via port bending). Thus, connectivity always has to take both peers’ behavior into consideration.
September 11, 2020 at 10:01 pm (@oconnorstp)
Oh, one further note. Hovering over the “i” information-icon for the person/server you’re connecting with will give you their IP address, if that’s required by the firewall. Forgot…
February 26, 2021 at 11:13 pm (@debbiek)
I see that you have a clean version of the FAQ on the NAT “code” above. Thanks for that!! I have a question on the middle number. Would you be able to explain the difference between “1” and “3”? In other words, what’s the difference between “111” and “131”? I used to show 111, but I had to put in a different router and even though the setup is the same (port forwarding and all that), I’m showing 131 now. I’m wondering what makes the difference and what I might have missed. Any info would be greatly appreciated!!
—Debbie
February 27, 2021 at 12:21 pm (@jgspix)
I’m not Mike, but anyway it may help you to understand:
Regarding the mix servers (and mirrors):
For the mix server and the mirrors, you don’t need a port forwarding at all. Even 388 should work, I think. At least 381 does.
With SoundJack, for every connection one side needs a port forwarding or be able to be directly addressed on the internet (no NAT on that side), but the other end doesn’t need the port forwarding. Since the machines that do the mirror reflections or are the mixing servers are either directly addressable on the internet or have a port forwarding active, neither for mirrors nor for mix servers a port forwarding is needed. Everyone only connects to the server/mirror, so due to the server/mirror end being reachable, the other ends don’t need the port forwarding in their home NAT routers.
But if you want to connect p2p, only one participant that does not have a port forwarding can communicate with all others. If there are two, they cannot connect to each other and therefore cannot hear each other, but they can connect to all others with a port forwarding.
The mirrors do reflect your own signal and nothing else. They are meant to check if the SoundJack SJC and website run and your audio is setup correctly. For testing the sound and network buffer settings, I put some music out, disable the own signal in the left column on the stage and listen to the reflected signal. That way I can hear rather quickly if there are dropouts with a certain setting and find out what works best with minimum latency.
The Mix servers do not reflect your own signal, only the signals of other connected users. So you need someone else to be connected to the Mix Server at the same time to get anything in your headphones. (You need headphones if you are using a microphone, since with a speaker you won’t get the echo of the others back, but the others get it, just a bit delayed.)
Regarding the NAT identifier and port forwarding:
The middle number is important, but only if it is 8 in contrast to 3/2/1. If you get an 8 in the middle you don’t get the SoundJack UDP-port communication at the internet side of your router to your computer. That can be no port forwarding at all, a wrong IP or port number in the port forwarding, wrong IP-number selected on stage (if you have LAN and WLAN active at once you might have selected the wrong interface) or the IP-number of your computer has changed due to a new DHCP number distribution.
But if you have 1, 2 or 3 in the middle it just says something about how your computer is reached. This is no practical limitation, regardless of 1, 2 or 3 you get the full SoundJack-connectivity.
Personally I have two cascaded routers (for reasons outside of SoundJack), the first forwards all ports (except VoIP, that gets processed by the first router) to the second one and the second router then is my main router (except for VoIP and provider access). That way, I have an NAT identifier of 321. The 2 is a bit strange because Alex said this would no longer happen, but nonetheless it’s there and it works.
If the first or third digit is different from 1, then the port numbers on the LAN side have been changed by the router, but this change is communicated to the computer and therefore the communication still works. And these changed port numbers will be shown on stage in front of the NAT identifier. Nothing to worry about as long as the middle digit of the NAT identifier is not 8.
BTW, the meaning of the numbers is documented in the FAQ under the headline “port forwarding” (in the last third of the FAQ), only a bit difficult to read, because some spaces and paragraphs are missing that would make it easier to read.
March 1, 2021 at 2:14 am (@debbiek)
Thank you for this info, Jörg. Appreciate you jumping in to answer my question!! Happy to get the confirmation that the NAT indicator 131 will afford me full connectivity. I had a suspicion that the middle number might be important. I’m with a group of singers, and when we last got together, we could not connect. There are six of us — two were showing 131, the rest 181. The 131s could connect with everyone, the 181s could connect with both 131s, but the 181s could not connect with each other, except for one pair. I went to the FAQ page and figured there should be no more than one 181 amongst us — glad to see you mention that too (yay I understood something!) But I wasn’t certain if the connectivity would be worse with 131 compared to 111. It sounds like they both work just as well. But why the difference and what is the difference? I was hoping I could use that info to figure out what we did wrong (or differently) when we set up the current router. It isn’t explained in the FAQ unfortunately, perhaps more detail than most people have time for…but I’m still curious!! 🙂 Thanks again.
March 2, 2021 at 12:38 am (@jgspix)
I got the impression that at least sometimes 181 can connect with 181. But I wouldn’t count on it.
As I said, a server/mirror connection always works, but a peer-to-peer connection needs the port forwarding.
I once asked Alex for the difference, but as far as I can remember he said that there is no practical difference between 1, 2 and 3 as the second digit.
In the FAQ the 2 even vanished some time ago, I think because he thought it would no longer happen. And then I came with 321…
Since it does not have any influence on the use of SoundJack, an explanation might be too complicated to understand for most people and probably leads to questions that take time away from Alex’s development.
And it is nothing that you can influence unless you use a different router. This is a built-in behaviour in the router software that you cannot change.
Here in Germany I have several musician colleagues who have a FritzBox-Router and they all get 111 with their FritzBoxes. So, if you really want 111, even though it won’t change anything beyond the number, you may want to buy a FritzBox if your internet provider allows to use user provided routers.
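Added example, not part of any post above and not SoundJack's own code: a small Python check that applies the thread's rule of thumb (a peer-to-peer link needs at least one side whose middle digit is not 8) to a whole group, so the pairs that will need port forwarding or a mix server can be listed before a session. The function names are hypothetical, the singer names are constructed, and the digit sets are only those mentioned in the thread.

```python
from itertools import combinations

# Digit values named in the thread (FAQ recap plus the "2" seen in 321).
FIRST = {"1", "3"}             # 1 = outbound port preserved, 3 = changed
MIDDLE = {"1", "2", "3", "8"}  # 8 = not reachable from outside
THIRD = {"1", "8"}             # 1 = same port every time, 8 = new port each time


def parse_nat_id(code):
    """Split a three-digit NAT identifier into the three properties."""
    if (len(code) != 3 or code[0] not in FIRST
            or code[1] not in MIDDLE or code[2] not in THIRD):
        raise ValueError(f"unrecognised NAT identifier: {code!r}")
    return {
        "port_preserved": code[0] == "1",
        "reachable_from_outside": code[1] != "8",
        "stable_mapping": code[2] == "1",
    }


def p2p_expected(code_a, code_b):
    """Thread's rule of thumb: one side must be reachable from outside."""
    a, b = parse_nat_id(code_a), parse_nat_id(code_b)
    return a["reachable_from_outside"] or b["reachable_from_outside"]


def unreliable_pairs(group):
    """Return the peer pairs where neither side is reachable from outside."""
    return [(x, y) for x, y in combinations(sorted(group), 2)
            if not p2p_expected(group[x], group[y])]


# Constructed sample: the six-person group described above (names invented).
SINGERS = {"singer1": "131", "singer2": "131", "singer3": "181",
           "singer4": "181", "singer5": "181", "singer6": "181"}

if __name__ == "__main__":
    for pair in unreliable_pairs(SINGERS):
        print("needs port forwarding on one side or a mix server:", pair)
```

For the group of two 131s and four 181s this flags the six 181-to-181 pairs; as noted in the thread, such a pair may occasionally connect anyway, so the result is a planning aid rather than a guarantee.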