Troubleshooting NAT type related issues
When your node is behind a Port Restricted Cone/Symmetric NAT
You will still be able to make a P2P connection with the majority of consumers, but not with those who have Symmetric NAT Routers (which are not that common, fortunately).
A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and unpredicted port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host thus making it a non-routable combination with Port Restricted NAT type.
The solution to this problem will involve you adjusting Mysterium config file and configuring your router.
Many recent routers support a feature called UPnP. When it's enabled, hosts in the LAN can request the router to automatically perform needed port conversions. You will need to toggle it on to allow Mysterium to make all the changes required.
Navigate to NodeUI and change the ordering of NAT traversal methods to prioritize UPnP - "upnp,manual,holepunching". To make the changes effective - restart your node. Depending on the type of the router, it might require a restart too.
Go to my.mysterium.network to trigger a monitoring check manually. It will attempt to connect to your Wireguard service. If monitoring agent succeed connecting to your node, the node status will switch to online within 15 minutes.
If UPnP feature is not available or it's not working as intended, manually configuring port forwarding on the router is required (see below).
Enable Port Forwarding
Navigate to NodeUI and change the ordering of NAT traversal methods to prioritize port forwarding - "manual,upnp,holepunching". The default UDP port range could be used (10000:60000) or specify another more suitable range.
Log in to your router and manually configure it to do port-forwarding for UDP ports range (default: 10000:60000). The port-forwarding configuration page will ask you for a port range (eg. Start Port, End Port). Set the Start Port to 10000 and End to 60000. It will also ask you for the IP address of the node host that the data should be sent to (may be called LAN IP, Local IP, or Private IP) and the protocol type to use (set it to UDP).
Unfortunately, it is not possible to offer step-by-step instructions here as every router has a different interface and configuration layout but you may check the following guide for general understanding. To make the changes effective - restart your node. Depending on the type of the router, it might require a restart too.
Navigate to my.mysterium.network to trigger a monitoring check manually. It will attempt to connect to your Wireguard service. If monitoring agent succeed connecting your node, the node status will switch to online within 15 minutes.
Enable Port Forwarding for the Docker container running a node
Range of UDP listen ports used for connections (default: "10000:60000"). We recommend to use a smaller range, e.g. --udp.ports=59850:60000 Map UDP port range e.g. 59850:60000 in the container to port range e.g. 59850:60000 on the Docker host: -p 59850-60000:59850-60000
In the end, it would look like this:
For Linux users:
For Windows users:
For Mac users:
To make the changes effective - restart your container. Depending on the type of the router, it might require a restart too.
When your Docker container is running on a VPS hosting and it's behind a Port Restricted Cone NAT
If your Docker container is hosted on a VPS Hosting, the host network mode for a container could be used thus making container’s network stack to become not isolated from the Docker host. Host mode networking can be useful in handling a large range of ports, as it does not require network address translation.
When you start Docker, a default bridge network (also called bridge) is created automatically, and newly-started containers connect to it unless otherwise specified. Unfortunately, it becomes a challenge for Mysterium Network users that are sitting behind a symmetric NAT.
Enable the host mode by passing --network=host flag to the docker run command.
Note! The host networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac or Docker Desktop for Windows.
When your node is behind the Mobile Router (extra tips)
If you are running the node behind the Mobile Router (cellular network), then you need to take into account the following:
- Check that "Cone NAT" is used instead of "Symmetric NAT" under "NAT settings/NAT type" of the Router;
- Check the "Firewall" settings of the Router, that it's not blocking the traffic;
- Check your "IP filter" settings, that there are no special rules for the packets;
- Check your "MAC Address Filter" settings, that there are no special rules for the device you are running node on.
A TCP/UDP port identifies an application or service on a machine in a TCP/IP network. On a TCP/IP network, every device must have an IP address that identifies the device which can run multiple applications/services.The port identifies the application/service running on the machine. The use of ports allows computers/devices to run multiple services/applications.