blackdog~ 0 Posted March 3, 2003

I made a tutorial after my experiences with this thing http://www.evilmadman.com/router.html Enjoy

Mister Frag 0 Posted March 3, 2003

You shouldn't have to put the server in the DMZ to host -- in fact, I would strongly recommend not doing so.

theavonlady 2 Posted March 3, 2003

Quote (Mister Frag @ Mar. 03 2003,08:34):
> You shouldn't have to put the server in the DMZ to host -- in fact, I would strongly recommend not doing so.

Mister Frag, can you explain why not? Blackdog, if this is so, what has to be done instead of STEP 5?

theavonlady 2 Posted March 3, 2003

BTW, Blackdog, you won't be "fancy-shmancy" until you get one of these.

JAP 2 Posted March 3, 2003

Putting a computer in a DMZ means ALL ports are open! A DMZ is a "zone" the router makes outside its protection. So ... making it very vulnerable for hackers. Why not just open the ports OFP needs?

theavonlady 2 Posted March 3, 2003

Quote (JAP @ Mar. 03 2003,11:22):
> Putting a computer in a DMZ means ALL ports are open! A DMZ is a "zone" the router makes outside its protection. So ... making it very vulnerable for hackers.

Blackdog?! Blackdog?! OH NO, BLACKDOG IS DOWN! Gee, JAP, you must've been right!

JAP 2 Posted March 3, 2003

Blackdog went to the DMZ and now he's MIA, send in the SAS, maybe they get some info from the CIA.

iNeo 0 Posted March 3, 2003

Quote (JAP @ Mar. 03 2003,11:50):
> Blackdog went to the DMZ and now he's MIA, send in the SAS, maybe they get some info from the CIA.

And that was JAP featuring 50

blackdog~ 0 Posted March 3, 2003

DMZ = Demilitarized zone (heh, I couldn't believe this the first time I saw it). I haven't tried it without it... With it enabled, it doesn't seem to work (still). I think it was because of my DHCP settings. I will do some further testing on this, and update the tutorial later today. Have no fear

theavonlady 2 Posted March 9, 2003

Quote (blackdog~ @ Mar. 04 2003,01:29):
> DMZ = Demilitarized zone (heh, I couldn't believe this the first time I saw it). I haven't tried it without it... With it enabled, it doesn't seem to work (still). I think it was because of my DHCP settings. I will do some further testing on this, and update the tutorial later today. Have no fear

Any update, Blackdog?

Dutchie 0 Posted March 9, 2003

With my Sweex Router recently installed, I have experienced that DMZ is absolutely necessary to keep the ingame Gayspy gamebrowser running. Without DMZ activated you can refresh the screen only two or three times and after that you cannot refresh the screen at all. Irritating factor! DMZ however can only be activated on the Sweex Router after the firewall is set up. Refreshing then is established all the time because of DMZ.

In fact because of Windows XP you have two firewalls running. In both cases running DMZ with Router firewall or just the XP's one up makes your PC vulnerable for hackers. Ports are closed, some are blocked. Blocked ones: Telnet Port 23, Location Service Port 135, Trojan Port 7789, ICMP Port 8 OPEN. This is when the Router's firewall is disabled. When enabled with DMZ activated it's even worse: Location Service Port 135, Netbios Port 139, Server Message Block (SMB) Port 445, UPnP Port 5000, ICMP Port 8 WIDE OPEN! Rest closed.

I have tested it in both cases with http://scan.sygate.com/ Mind, just quick scan!!

ONLY CASE YOUR PC IS ABSOLUTELY SAFE IS WHEN ROUTER's NAT FIREWALL IS UP.

Conclusion for me so far: If I want to play OFP I have to take the risk (Firewall up with DMZ activated in my case). Just to have the Gayspy browser working! Why don't they change things on their side?

blackdog~ 0 Posted March 10, 2003

After seeing Dutchie's post it looks like I will have to do some more testing. It's kind of inconvenient, having to have someone else come and join my game after I reboot my router every 5 minutes.

shadowguy 0 Posted March 23, 2003

I have also been trying to figure out how to host OFP with my Efficient 5851 router. I have tried all the solutions I could find from some very sincere sites but none of them seem to work. The only way I can host is open all ports and protocols (DMZ) and hope I am not hacked. I will follow this thread with interest and if anyone has experience with my specific router, any advice is welcome.

Shadow

Skunk Monkey 0 Posted March 24, 2003

I can only host with my comp in the DMZ, I would like a workaround if anyone knows.

Mister Frag 0 Posted March 26, 2003

I don't host through GameSpy, but my understanding is that the port number it uses is fixed, so in addition to the normal OFP ports, you would only have to open the GameSpy port(s), and that should be sufficient, and putting the server in the DMZ should not be necessary.

I host private games using DirectPlay so we can use the built-in VON feature, and the ports I have opened are as follows:

- TCP/UDP 47624
- TCP/UDP 6073
- TCP/UDP 2234
- TCP/UDP 2300-2400

I believe that TCP and UDP aren't both required for some of these ranges, but the port will be open anyway, so it doesn't matter to me that both datagrams and sessions are being allowed through.

For a thorough assessment of your computer's security measures, go to Gibson Research Corporation, and use their Shields UP! feature. GameSpy has some information on the ports used by GameSpy Arcade, and how to set up firewalls for it. Finally, [WKK] has an OFP Server Query Debugger that might be useful.

Lt_Dan_Sweden 0 Posted April 14, 2003

Regarding Dedic behind a Switch/Gateway http://www.flashpoint1985.com/cgi-bin....ndwidth

NedFox TZW 0 Posted April 15, 2003

I have been hosting all kinds of games, and none require DMZ, as long as all *outbound* is allowed.

For game-hosts to host successfully, clients must be able to reach the computer in your LAN. This means, the data sent from clients to the gamehost must be 'translated' to your inside IP-address. This is called NAT (Network Address Translation).

With NAT, you configure your router, so it sends all data sent to a certain PORT on the router to your gamehost. For OFP (default), this port is 2302. If you want gamespy-servers to access your host (for the playerlist etc), you need to add one extra NAT-rule, and this is always 1 higher than the port used for OFP (so, by default, 2303).

======
How do you do this ?

Many routers have a setup for NAT. I've seen manufacturers call it "Virtual server" too.. When you want to add such a rule, you need to supply 5 important numbers :

1 ] The outside PORT used (2302)
2 ] The inside PORT used (2302)
3 ] The outside IP used (your internet IP-address)
4 ] The inside IP-address (the IP-address of your gamehost, the INTERNAL ip that is!)
5 ] The protocol used. For OFP this is UDP

That's step 1. Do this again for allowing gamespy-servers peeking into your computer ;-)

1 ] The outside PORT used (2303)
2 ] The inside PORT used (2303)
3 ] The outside IP used (your internet IP-address)
4 ] The inside IP-address (the IP-address of your gamehost, the INTERNAL ip that is!)
5 ] The protocol used. For OFP this is UDP

**Sometimes you don't need to supply 3.. **

All other data is outgoing (ie. sent from gamehost to the Internet). Normally, all your computers have outside access, so it should work without a problem.

===== Disabling gamespy =====

This is kind of hard, and IMHO only possible if your router supports firewall rules. OFP will always ping the master gamespy server, to announce its presence. If you want to block that, you will need to block all outgoing UDP traffic on PORT 2303.

I've tried setting "ReportingIP" to 127.0.0.1 , but still my firewall registered data going from gamehost to gamespy.

If you want some visual stuff how all this is done, I can make some webpages. We already have long documents about routers and firewalls on our site, but those are DF related, although I guess it has enough details to understand what's going on... http://www.timezone-warriors.net/index2.htm (Look for techTalk, bottom of menu). And yeah, we're working on a new site ;-))))
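
The two forwarding rules from the post above, set beside the "DMZ host" setting debated earlier in the thread, as an added example (not code from any poster): a simplified model of how a consumer router decides where an unsolicited inbound packet goes. The inside address 192.168.2.102 is the one quoted elsewhere in this thread; the listener set on the host is constructed from the ports in the scan results reported above.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Forward:                      # one "virtual server" / NAT rule
    proto: str                      # "udp" or "tcp"
    outside_port: int
    inside_ip: str
    inside_port: int

@dataclass
class Router:
    forwards: list = field(default_factory=list)
    dmz_host: Optional[str] = None  # consumer "DMZ host" setting; None = off

    def route_inbound(self, proto, port):
        """Destination of an unsolicited inbound packet, or None if dropped."""
        for f in self.forwards:
            if (f.proto, f.outside_port) == (proto, port):
                return (f.inside_ip, f.inside_port)
        if self.dmz_host:           # catch-all: every other port goes here
            return (self.dmz_host, port)
        return None

def exposed(router, listeners):
    """Outside (proto, port) pairs that reach a listening service."""
    hits = set()
    for proto in ("tcp", "udp"):
        for port in range(1, 65536):
            dest = router.route_inbound(proto, port)
            if dest and (proto, dest[1]) in listeners.get(dest[0], set()):
                hits.add((proto, port))
    return sorted(hits)

HOST = "192.168.2.102"                      # inside IP quoted in the thread
NEEDED = {("udp", 2302), ("udp", 2303)}     # OFP game port + GameSpy query
# Constructed listener set: OFP plus the Windows services from the scan above.
LISTENERS = {HOST: NEEDED | {("tcp", p) for p in (135, 139, 445, 5000)}}

def ofp_forwards(host=HOST):
    return [Forward("udp", p, host, p) for p in (2302, 2303)]

def unneeded(router):
    """Exposed services that hosting OFP does not require."""
    return [svc for svc in exposed(router, LISTENERS) if svc not in NEEDED]

if __name__ == "__main__":
    for name, r in (("forwards", Router(ofp_forwards())),
                    ("DMZ host", Router(dmz_host=HOST))):
        print(f"{name:9} exposed={exposed(r, LISTENERS)} extra={unneeded(r)}")
```

With only the two UDP forwards the host's other listeners stay unreachable; with the DMZ host set, every listening service on that machine is reachable from outside.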

Lt_Dan_Sweden 0 Posted April 17, 2003

Quote (NedFox TZW @ April 15 2003,10):
> I have been hosting all kinds of games, and none require DMZ, as long as all *outbound* is allowed.

I believe you on other games and if you don't use a high-performance/-bandwidth OFP dedic server but, we did use NAT and opened all required and used it for several months and the bandwidth was not fully used by OFP dedic. Solution see link. http://www.flashpoint1985.com/cgi-bin....th]http

That's how we broke the world record of largest CTF OFP game above 80 people. The record was only held for an hour or so before being beaten. More interestingly we could play 25vs25 on Everon CTF without desync or lag. We could never do that before behind the NAT of a 3Com 3c855.

Dutchie 0 Posted May 14, 2003

These are the ports I configured in my router

Special Applications

Some applications require multiple connections, such as Internet gaming, video conferencing, Internet telephony and others. These applications cannot work when Network Address Translation (NAT) is enabled. If you need to run applications that require multiple connections, specify the port normally associated with an application in the "Trigger Port" field, select the protocol type as TCP or UDP, then enter the public ports associated with the trigger port to open them for inbound traffic.

Note: The range of the Trigger Port is 0 to 65535.

    Trigger Port  Trigger Type  Public Port     Public Type  Enabled
 1. 2302          TCP           2302-2305       TCP          Yes
 2. 2392          UDP           2302-2305       UDP          Yes
 3. 27243         TCP           27243-27345     TCP          Yes (ASE)
 4. 27243         UDP           272243TCP       UDP          Yes (ASE)
 5. 6073          TCP           6073,6500,6515  TCP          Yes (GS) 6073 for DirectX
 6. 47624         TCP           47624           TCP          Yes (for DirectX)
 7. 28900         TCP           28900           TCP          Yes (GS)
 8. 29900         TCP           29900           TCP          Yes (GS)
 9. 13139         TCP           13139           TCP          Yes (GS)
10. 27900         TCP           27900           TCP          Yes (GS)

(GS) stands for Gamespy, ASE stands for All Seeing Eye.

DMZ enabled !!

Besides, when you host from a local LAN PC you also have to configure as Virtual Server; check IP with ipconfig, f.i. 192.168.2.102

You can configure the Broadband router as a Virtual Server so that remote users accessing services such as the Web or FTP at your local site via Public IP Addresses can be automatically redirected to local servers configured with Private IP Addresses. In other words, depending on the requested service (TCP/UDP) port number, the Broadband router redirects the external service request to the appropriate internal server (located at one of your LAN's Private IP Address).

Configure for ports 2302, 2303, 2304 both TCP/UDP

With this configuration server shows up both in ASE and ingame Gamespy browser.

mads bahrt 0 Posted May 21, 2003

Quote (JAP @ 03 Mar. 2003,10:22):
> Putting a computer in a DMZ means ALL ports are open! A DMZ is a "zone" the router makes outside its protection. So ... making it very vulnerable for hackers. Why not just open the ports OFP needs?

The idea behind the DMZ is to remove the publicly accessible servers from the LAN, to make the LAN more protected. If you have the servers on the LAN and forward the required ports you are creating a hole in "the line of defence", which might be exploited to gain access to other machines on the LAN. If you, on the other hand, place the servers in the DMZ where they can't access the LAN machines, you will have increased security for the LAN machines. This doesn't mean that the servers should be left "wide open" since these should be protected by a firewall which should only be opened on the necessary ports.

So if you run a dedicated server where all its services should be accessible from the internet I recommend to put it in the DMZ.