# Forwarding ports for Peer-To-Peer gaming on retroarch

## jerol

Hey,

So I'm trying to forward my ports to be able to play with a friend of mine.

So I'm wondering as to what ip to put in the port forwarding section? Is it the one found when running ip a, and searching for the inet part under the network interface you're currently using?

Also, after the ports are forwarded, the ip I'll give to my friend is my public ip, right? Which to my understanding can't be looked up from the command line, if you don't count curling a website (correct me if I'm wrong).

----------

## alamahant

You can get external ip by

```
emerge -av bind-tools
dig +short myip.opendns.com @resolver1.opendns.com
```

But it will change from time to time.

Best to use a dynamic dns service like dynu.

Yes you have to port-forward in your router the range of needed ports to your lan ip address.

But best if you configure your ip statically and NOT via dhcp.

----------

## jerol

Wait my public address will also change?

And by configuring my LOCAL ip statically it won't change after awhile if my isp changes it?

And yeah I'm aware of the range of the needed ports.

----------

## alamahant

 *Quote:*   

> Wait my public address will also change?

most probably yes.

Unless you have a fixed public ip given by your isp.

 *Quote:*   

> And by configuring my LOCAL ip statically it won't change after awhile if my isp changes it?

No it will always remain the same.

Plz see

https://wiki.gentoo.org/wiki/Netifrc#Static_address_.28CIDR_notation.29

----------

## jerol

Bear with me here, I don't know much if anything when it comes to networking.

That being said, why would I want to configure it statically if it will always remain the same?

----------

## alamahant

 *Quote:*   

> That being said, why would I want to configure it statically if it will always remain the same?

It will only remain the same if you configure it statically.

----------

## jerol

Oops, I read the previous replies wrong, I get it now.

Are the public and local ip changes somehow interlinked with each other?

----------

## alamahant

No

----------

## szatox

 *Quote:*   

>  Also, after the ports are forwarded, the ip I'll give to my friend is my public ip, right? Which to my understanding can't be looked up from the command line, if you don't count curling a website (correct me if I'm wrong).

 

This bit sounds like you are behind a NAT controlled by your ISP. Which is hardly surprising. They all do that to save some IPs and claim it's for your security.

UPnP may or may not work, I wouldn't get my hopes too high, but if it does, yes, you share your public IP with your friend - the one visible from the internet.

Have you considered bridging your machines with a VPN? You will most likely need a VPS (with an actual public IP) to serve as a proxy, unless you can pull off a trick like UDP Hole Punching to set up a direct connection through 2 NATs.

Once you have this overlay link established, you use its local IPs instead - you're effectively in a LAN.

----------

## jerol

They do what exactly to save IPs? Make it so that I can't look up the public IP from the terminal?

Also I have no idea whatsoever when it comes to UPnP, all I know frankly is that I need to forward the port TCP 55435. I did in fact consider the possibility of bridging our machines through hamachi or other derivatives, but I came to the conclusion (after reading up about it and based on previous experiences) that it's best for me to do things manually both security wise and the fact that I can actually learn something while doing it.

Though if all else fails there's still another possibility, that being my own cloud server. I wonder if I could use it to bridge our machines?

----------

## szatox

 *Quote:*   

> They do what exactly to save IPs? Make it so that I can't look up the public IP from the terminal? 

 Yes. NAT. Multiple people using the same public IP address at the same time.

 *Quote:*   

> all I know frankly is that I need to forward the port TCP 55435

 And how were you going to achieve that?

Are you the one in control of the NAT in question? If it's just your personal router that mangles your traffic, you can fix it by simply adding a rule in its configuration. But ISPs commonly do that too, and you don't have access required to configure THEIR toys.

Hamachi is one (but not the only) way to set up a LAN over public network, I think you can even manually connect GRE tunnels. Or wireguard. Haven't tried it, but knowing how wireguard handles sessions, I think it is a pretty good fit for punching through nats (assuming you can punch through at least one of those nats).

Anyway, if you already have an actual server in the outer world, then using it as a hub for your VPN will be the easiest way forward.

Wireguard is designed for full-mesh, but you can very easily set it up with a single central hub instead. It does not forward L2 traffic though, which is required by some games, so it may or may not work for your particular use case.

OpenVPN is more messy in setup and single-threaded, but its tap interface is capable of forwarding everything on the wire, so probably your best choice right now.

----------

## jerol

I'm not sure if we're all using the same public IP.

And yeah I can add a rule in the "Port Forwarding" -section in my router's web interface. Wait some ISPs they really do that nowadays, that you can't access it or modify it through the interface? Also what do you do when you punch through a NAT? The same thing as adding a rule to forward traffic coming from outside the NAT?

Not sure about OpenVPN or Wireguard, the only thing I've done with Wireguard was to setup my other vpn for my own traffic to go through. I'll have to study some things I guess.

----------

## Hu

I think it may be useful to take a step back and explain some of the principles involved here.

To communicate with other machines, you need an IP address on each end, and the peers need to know the relevant port on the remote machine.  If you were both on a LAN in the same room, this would be trivial.  You would be 192.168.0.2 and friend would be 192.168.0.3. [1]  You stated the port you wanted for your game.  Friend would connect to that port on your IP, and you would be done.  You are not on the same LAN in the same room, so this is more complicated.  The first level of extra complication, which was common for home users for many years, is that your Linux desktop has address 192.168.0.2, your router has a public IP address of 1.2.3.4, and friend has a public IP address of 5.6.7.8. [2]  You would configure your router such that traffic sent to 1.2.3.4 on port 55435 would be rewritten by your router to be destined for 192.168.0.2 on port 55435, and then sent into your LAN, where your Linux desktop would receive it.  As an implementation detail, which you would not configure, the router would handle the reverse rewrite when you respond to your friend.  In this case, you would tell your friend to connect to 1.2.3.4, because you want the traffic to go to your router.  (Since your friend is on the far end of the public Internet, it is not valid for him to use your Linux desktop's IP address of 192.168.0.2.  The intervening Internet Service Providers will not route that address to you, so it will either mean nothing, or it will refer to some other computer on friend's LAN.  Either way, it doesn't do what you want.)

As others have noted here, it is common for ISPs not to give you an indefinite lease on a single specific public IP address.  They rely on most people not remaining online constantly, and rotate the public IP addresses that they have available among the customers who need them at the time.  For routing purposes, your ISP neither knows nor cares how many private range addresses are hidden behind your router, nor what systems use them.  As far as the ISP is concerned, you have one IP address, 1.2.3.4.  Since your ISP does not know, they cannot correlate their operational decisions to your private addresses.

The rationale for statically assigning private range IP addresses to specific systems is that it eases maintenance for you.  If you tell your router to give your Linux desktop a randomly chosen address in the range 192.168.0.x, then on every renewal, you might get a different private IP address, at which point you need to go reconfigure the NAT rule in your router.  This is unnecessary work when you can guarantee that your Linux desktop is always 192.168.0.2, and then direct the router's NAT rule once accordingly, and have it remain correct indefinitely.

Separately, there is a concern here about whether your "public" IP address issued by your ISP is truly public in the sense that you could give it to one of us and we could send a packet to your router, or if your ISP is running another address-rewriting router in their local office.  If they are, then your "public" address on the router will itself be a private non-routable address that is not useful to share with us.  In that case, you would need someone with NAT-administrative access on that router to write the forwarding rule for you.  It's possible, but in my opinion not likely, that your ISP would offer a web portal where you could change that.

I suggest you do the following:

1. Look up the IP address of your Linux desktop's Ethernet card.
2. Look up via your router's administrative interface what public IP address it claims to have.
3. Look up via a public service your apparent public IP address.

Tell us:

- For each such address, is it an rfc1918 private range IP address [3], or not.  If it is, you can tell us the specific value.  If it is not, you may wish to assign it a fictitious value for discussion.
- Whether the addresses in points 2 and 3 are the same.  If your router and the public service agree, then you are not behind a Carrier-Grade NAT, and we only need to sort out basic port forwarding in your router.  If they are different, your setup is more complicated.

[1] These are example values that commonly appear, but other values are also possible.

[2] Again, fictitious addresses.  The key part is that they are not rfc1918 private range IP addresses.

[3] Any of 10.x.x.x, 172.16.x.x - 172.31.x.x, 192.168.x.x.  Also known as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
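The three-address comparison described in the post above, as an added example that is not part of the original thread. The function names, verdict strings and the `lan_prefix` default are assumptions made for illustration, the 100.64.0.0/10 range (RFC 6598, reserved for carrier-grade NAT) is added beyond the ranges listed in footnote [3], and all sample addresses are constructed.

```python
import ipaddress

# RFC 1918 private ranges, as listed in footnote [3] of the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space set aside for carrier-grade NAT.
# Not mentioned in the thread; added here because ISPs also use it.
CGN_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Return 'rfc1918', 'cgn-shared', 'special' or 'public' for an IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGN_SHARED:
        return "cgn-shared"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "special"
    return "public"


def diagnose(host_ip, router_wan_ip, observed_ip, lan_prefix=24):
    """Compare the three addresses from the post and return a verdict string.

    lan_prefix is an assumption: the LAN prefix length (a /24 is typical at home).
    """
    wan = ipaddress.IPv4Address(router_wan_ip)
    if classify(observed_ip) != "public":
        return "bad-observed"        # a public lookup service cannot see a private address
    if wan == ipaddress.IPv4Address(observed_ip):
        return "port-forward-ok"     # router holds the public address itself
    lan = ipaddress.ip_network(f"{host_ip}/{lan_prefix}", strict=False)
    if wan in lan:
        return "router-lan-address"  # LAN-side (gateway) address was read, not the WAN one
    if classify(router_wan_ip) in ("rfc1918", "cgn-shared"):
        return "carrier-nat"         # another NAT sits between the router and the Internet
    return "unexplained-mismatch"    # both public but different: needs a closer look


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.7 is a documentation address
    # standing in for a real public IP.
    samples = [
        ("192.168.0.2", "203.0.113.7", "203.0.113.7"),
        ("192.168.0.2", "192.168.0.1", "203.0.113.7"),
        ("192.168.0.2", "10.20.30.40", "203.0.113.7"),
        ("192.168.0.2", "100.64.1.5", "203.0.113.7"),
    ]
    for host, wan, seen in samples:
        print(f"host={host:<13} wan={wan:<13} seen={seen:<13} -> "
              f"{diagnose(host, wan, seen)}")
```

Only the `port-forward-ok` verdict means a forwarding rule on the home router is enough; `router-lan-address` means the wrong field was read from the router's status page and the lookup should be repeated.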

----------

## jerol

Thanks for the reassuring info as well as the things I wasn't aware of before.

Since I'm not using Ethernet, but Wifi instead, I think it's safe to say that I need to look up the IP of the Wifi card. Also I'd like to clarify that I'm on a laptop, if that matters.

So I managed to get ahold of all the addresses:

[1] Probably safe to share since it starts with 192.168, right?

[2] Same thing here, it starts with 192.168 so it should be safe to share.

So the first two are same right because they both start with 192.168? Also as a side note, below the IP as well as the Subnet Mask there's a toggle option for the DHCP server. And below it is the IP pool as well as the lease time. I guess that refers to the router's IP.

[3] Pretty sure this one is not safe to share, because it doesn't start with any of those that you specified.

----------

## Hu

 *jerol wrote:*   

> Since I'm not using Ethernet, but Wifi instead, I think it's safe to say that I need to look up the IP of the Wifi card.

 Correct, examine whichever card you use to get network access from the Linux computer.

 *jerol wrote:*   

> Also I'd like to clarify that I'm on a laptop, if that matters.

 It doesn't, but I appreciate you bringing up the potentially relevant detail.  I referred to "Linux desktop" to differentiate between the system at which you are sitting and the potentially Linux-based router doing NAT for you.

 *jerol wrote:*   

> [1] Probably safe to share since it starts with 192.168, right?

 Yes.

 *jerol wrote:*   

> [2] Same thing here, it starts with 192.168 so it should be safe to share.

 Yes.

 *jerol wrote:*   

> So the first two are same right because they both start with 192.168?

 Maybe.  For the comparison, you want to check all four octets.  192.168.0.2 and 192.168.0.15 both start with 192.168, but are not "the same" for our purposes.

 *jerol wrote:*   

> Also as a side note, below the IP as well as the Subnet Mask there's a toggle option for the DHCP server. And below it is the IP pool as well as the lease time. I guess that refers to the router's IP.

 I don't think so.  That sounds more like the DHCP server configuration that controls what addresses the router will offer to your LAN.

 *jerol wrote:*   

> [3] Pretty sure this one is not safe to share, because it doesn't start with any of those that you specified.

 OK.  By "safe" I mean that some people prefer not to disclose their public IP on an open forum, because it can be used to at least approximate their real world location, as well as being the first step in performing a targeted attack on the user.  For now, we can just refer to this address by a fictitious placeholder.

I am a bit concerned that you reported that [2] is a private range address.  Assuming you did that lookup correctly, that confirms the fears earlier in the thread that your ISP is using Carrier-Grade NAT and issuing a private non-routeable address as the "public" side of your router.  If so, that makes your original problem more difficult, since most ISPs that resort to CG-NAT do not offer a way for customers to configure it to forward traffic to the home router.  Without that way, there will be no usable public address to give to your friend.  At this point, we have a few options:

1. Assume you did the lookup wrong.  Hope that you do have a routable public IP.  Investigate your router in more detail to determine how to do the lookup properly.  If you want to go this route, I suggest providing us with its name and model number.  If possible, a link to an online copy of its user manual would be nice.
2. Assume you did the lookup correctly, and that you are behind a CG-NAT.  You cannot host games without resorting to VPN tricks.
3. As (2), but instead of trying to let you host, hope that your friend is able to host, and that you can join your friend's game as a guest.

How would you like to proceed?

----------

## jerol

The first one [1] being my computer's address is 192.168.32.133.

While the second one [2] being the router's address is 192.168.32.1. It is also the same address as the one I put on the URL bar when I want to access the web interface of the router.

The model of the router is ZTE MC801A and upon further inspecting the manual on my ISP's web page, it in fact states that if you want to have two way connections, you'll need to pay an additional fee. Had no idea of restrictions like that, wow. But yeah I guess that's ruled out then.

I'm willing to try the mentioned VPN tricks.

----------

## szatox

Your router has at least 2 IP addresses and you picked the wrong one

----------

## jerol

After looking around some more I found the WAN address. That's it, right? It starts with 10.

----------

## alamahant

```
dig +short myip.opendns.com @resolver1.opendns.com
```

This is how to find it from terminal.

----------

## pietinger

 *jerol wrote:*   

> After looking around some more I found the WAN address. That's it, right? It starts with 10.

 

This is possible but it means: Your router is not the edge router into the internet, because 10.x.y.z is a private address also (like 192.168.x.y and therefore not possible to be routed into the internet; see also: https://en.wikipedia.org/wiki/IPv4#Private_networks). If your router has really 10.x.y.z on the WAN side, you are either in the middle of a company network OR you have a special Internet-Provider doing nasty business ...

----------

## Hu

 *alamahant wrote:*   

> 
> 
> ```
> dig +short myip.opendns.com @resolver1.opendns.com
> ```
> ...

 No, because we specifically want to see what address the router thinks it has.  The command you showed will return the public IP address as seen by external sites, after applying any Carrier-Grade NAT.  That is useful in some contexts, but we need to understand whether the router knows it has that address, as an indirect method of determining whether the friend can send unsolicited traffic to OP's router.

OP: generally speaking, what kind of Internet Service Provider are you using for Internet access?  We don't need a name if you want to keep that private, but a category like DSL/cable, wireless via mobile phone hotspot, wireless to an ISP central office, etc. would be helpful.  As a general statement, wireless via mobile phone is very likely to have CG-NAT involved.  The others are less so, but it's not unheard of.

----------

## NeddySeagoon

Team

So far, we are all talking IPv4. The NAT tricks are to get around the fact that the IPv4 address space was exhausted a few years ago. 

If everyone involved has IPv6, that could just work.

```
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.25  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 2a02:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::fe34:97ff:feb7:d44  prefixlen 64  scopeid 0x20<link>
```

IPv6 addresses starting with a 2 are all global. That is, they are on the big bad internet.

My public IPv4 address geolocates to the English Midlands and my public IPv6 address, mangled above, geolocates to Ireland.

I'm actually in Scotland :)

----------

## jerol

So let me just once again confirm: Although the Wide Area Network (WAN) address, theoretically should be a Wide Area Network address like stated, however it is not the case because the ISP has scrambled it into a private address, for their own profit. Or as they call it, for my own security?

And also I have a gateway, if that simplifies things. Therefore it is wireless to the ISP's central office.

As for the IPv6, I'm only seeing the one that starts with fe80.

----------

## NeddySeagoon

jerol,

The IPv6 address starting fe80 is not useful. It's site local and not routable outside of your network.

Your end of the problem looks like this

```
               ___________
              |           |
              |           |
----External-+   Router   +++++  Your Devices
    IP Addr   |    NAT    |        192.168.32.0/24
              |___________|
```

You have control of the IP range that the router allocates to your systems.

The External IP Address is provided by your ISP, you don't have much, if any, influence over that.

With many IPs, the external IP is public but not fixed. There are not enough public IPs in the world for everyone to have one each, so ISPs dynamically assign addresses to customers as they ask.

That is, several customers share the same IP address but not at the same time.

NAT allows several systems to share the same IP Addr at the same time but it only works well from, in your case, the 192.168.32.0/24 subnet. To accept connections from the outside, the router has to have port forwarding configured and connecting systems need to know your External IP Address at the time they connect. If it changes mid session, they need to know the new one.

That's not the problem it may seem. There are services that will track your IP for you.

That's the (relatively) simple case. It's like that both ends, or everywhere, if it's a multiplayer game.

It appears that your NAT may be behind another NAT. That is, your ISP shares the same address among several customers at the same time. 

Now you would need to set up port forwarding through both NAT layers. That's not going to happen. That illustrates the problem.

If your friend is not double NATted, they could host the game and you could connect. Outgoing connections for you will work correctly.

You need a network tunnel, like a VPS, if you are to host the game, or a new ISP.

----------

## jerol

Alright I think I'm starting to grasp the situation at hand here. That being said however, I'm calling it quits at least for now because my current VPS plan wouldn't cut it for the server and my friend won't budge.

Thanks for the help all of you. The situation was a lot more complex than I initially thought, but at least I learned quite a lot.

----------

