Optimal firewall rules for port-forwarded nodes

I have port forwarding set up, and now I’d like to lock down my firewall.

What’s required to be open for nodes to have optimal network access? I’m asking because it appears, though I could be mistaken, that nodes require more than UDP to the ports that are being forwarded to the nodes. I’m seeing many HandshakeTimeOut errors in node logs, and much blocked traffic in to UDP ports outside of the range of ports that are being forwarded to nodes.

Only UDP is used.

The handshake errors happen at times, and unless it's hundreds/thousands in a short time then you'll be fine if the nodes are earning.

If you have a lot of other blocked traffic to other ports then maybe check you have port forwarding setup right in the router and in starting the nodes.

Read the post, I go on to say if you have too much other traffic to ports then check over things. IMPLIES that it should not be happening.

Yes, a node only needs its listening port. Absolutely right, and it's only UDP.

The RPC & metrics ports are supposed to be local to the machine.

You will have to do this test a number of times since the handshake errors are very dependent on the particular peers that node is connecting to and also affected by the random errors in UDP comms

1 Like
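Added example, not from the thread: the replies above treat occasional HandshakeTimeOut entries as normal and only "hundreds/thousands in a short time" as a problem, which is a per-minute rate check. This script runs that check over a constructed sample log; the line format (date, time, level, message) and the threshold of 100 per minute are assumptions for illustration, not the node's actual log format.

```sh
#!/bin/sh
# Added example, not from the thread. Counts HandshakeTimeOut entries per
# minute in a log and flags a burst. Assumed line layout: "YYYY-MM-DD HH:MM:SS LEVEL msg".

# Constructed sample log: two timeouts in 10:00, three in 10:01, none in 10:02.
SAMPLE_LOG='2024-05-01 10:00:01 WARN HandshakeTimeOut peer=peerA
2024-05-01 10:00:30 INFO record stored key=k1
2024-05-01 10:00:45 WARN HandshakeTimeOut peer=peerB
2024-05-01 10:01:02 WARN HandshakeTimeOut peer=peerA
2024-05-01 10:01:10 WARN HandshakeTimeOut peer=peerC
2024-05-01 10:01:50 WARN HandshakeTimeOut peer=peerD
2024-05-01 10:02:15 INFO record stored key=k2'

# Reads log lines on stdin, prints "HH:MM count" for every minute with timeouts.
handshake_timeouts_per_minute() {
    grep 'HandshakeTimeOut' \
        | awk '{ m = substr($2, 1, 5); c[m]++ } END { for (k in c) print k, c[k] }' \
        | sort
}

# Reads log lines on stdin, prints the worst single-minute count (0 if none).
max_per_minute() {
    handshake_timeouts_per_minute | awk 'BEGIN { m = 0 } $2 > m { m = $2 } END { print m + 0 }'
}

# Reads log lines on stdin; prints "investigate" when any minute reaches the
# threshold (default 100, an assumed value), otherwise "ok".
assess_handshakes() {
    thr="${1:-100}"
    max=$(max_per_minute)
    if [ "$max" -ge "$thr" ]; then
        echo "investigate"
    else
        echo "ok"
    fi
}

# Stand-alone run against the constructed sample: worst minute is 3, so "ok".
printf '%s\n' "$SAMPLE_LOG" | handshake_timeouts_per_minute
printf '%s\n' "$SAMPLE_LOG" | assess_handshakes 100
```

For a live node, replace the constructed sample with the node's log file on stdin; if the worst minute stays in the low tens, the reply above says to ignore it as long as the nodes are earning, and only a sustained burst warrants checking the port forwarding.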

They listen on that port for any other node/client that wants to contact them unsolicited. The node tells the peers it contacts that its listening port is that; it makes up part of its global network address. Each node has its own unique global address made up of IP, port and peerID.

A node will contact other nodes on their IP:port and give to your node a reply address using their listening IP:port.

Incoming packets will have the sender’s IP:port being sent to your node’s IP:listen port

Thus the sending is to the other node’s port

The node listens on all interfaces by default or only specific ones if specified by the user on the cli

1 Like

If you get --ip or --node-ip to work well then tell me.

The node would not function (communicate), and I tried many forms, from the actual IP address of the NIC in the PC to the gateway IP to the network (e.g. 192.168.1.0/24) and a few other guesses. Only using the NIC IP would get the node appearing to function, but no real communications.

I was waiting till after TGE launch to raise this as a support issue. In the meantime I set the default gateway in my PC so that the 2nd NIC can operate on a local LAN. I do this for my Starlink SBCs.

sudo ip route replace default via 192.168.0.1
Need to execute this on each bootup.

The 192.168.0.1 would be the Starlink gateway (i.e. router IP address).

Also, the 2nd NIC is connected to the local LAN, and the local LAN router (not Starlink's router) has the DHCP give out a static lease, with that NIC's options having the gateway set to the 2nd NIC's static IP address. I.e. the NIC has a MAC address, and DHCP has for that MAC an address of e.g. 192.168.2.101 and DHCP option 3 as 192.168.2.101. This prevents the local LAN trying to be used for internet as well.

So the internet is only accessible via the Starlink router and the nodes will use that. The SBC can then access the NAS devices etc. on the local LAN via the other NIC and not try to use that NIC for internet.

2 Likes

No network traffic after initial burst.

I was moving through the different settings relatively quickly, and when seen as not working I moved on. I wasn't particularly interested in documenting just how far it got. Sorry.

Basically, if you get records and good traffic through the NIC then that'd be more than I got after a few minutes.

I went for the default gateway method as it was a lot easier and more reliable.

5 minutes typically will see some records. Sometimes longer and often quicker.

1 Like

As @neo says: records very quickly, within minutes. They will be records your node is responsible for that were already on the network.

But records that you are paid for that are new to the network could take hours or days for an individual node to get any. Or minutes. Start 100 nodes and you should see some after a couple of hours at the current rate.

3 Likes

Yes, with the current network at the moment I think you’d get some earnings from at least a couple of nodes out of 100 within an hour.

2 Likes

That was with the old network of course. With the new one we don’t know how big it will be or how many uploads will run or when they’ll start. Rule of thumb: When someone with a similar number of nodes as you is reporting earnings you should be getting them as well.

1 Like

There are a few types of NATs that can be at play: full cone NAT, symmetric NAT, restricted cone NAT, and port restricted cone NAT, etc.

Depending on the NAT on the VPS side, your ports that you set for your local LAN may not be the same ports seen by external peers outside of the VPS’s public IP. In other words, it may not be mapping 1:1 port mappings (internal vs external port range) regardless of your port forwarding (inbound rules).

Symmetric NAT & variations of restricted NAT will further prevent connections from coming inbound back to your LAN depending on src ip/port vs dst ip/port of the request, and vice versa. In addition, it requires an initiation from your side first to the outbound host before the outbound peer can communicate back through the NAT (the rest of the external hosts would get blocked).

2 Likes

That could cause issues in your network, especially if you stream stuff on other machines.

If your nodes are using 49000 and above then do >= 49000.

antctl is showing instantaneous active connections and not routing table peers. Routing table peers is the important figure, since this shows how connected your nodes are. Look at logs or use the /metrics function and look for routing table:
https://127.0.0.1:49000/metrics
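Added example, not from the thread: the replies above reduce the firewall question to "only the UDP listening ports need to be open inbound" and "RPC and metrics ports stay local to the machine". This script turns that into an nftables ruleset. The port numbers are assumptions for illustration: a UDP range starting at 49000 (the ">= 49000" rule of thumb above) and caller-supplied TCP ports for the local-only listeners. The ruleset is printed rather than applied, so it can be reviewed before being fed to `nft -f -`.

```sh
#!/bin/sh
# Added example, not from the thread. Emits an nftables ruleset for a host
# running port-forwarded nodes. Port numbers are placeholders chosen for the
# example; substitute the range your router actually forwards.

# node_ruleset LO HI LOCAL_TCP
#   LO-HI      : inbound UDP range the router forwards to the nodes
#   LOCAL_TCP  : comma-separated TCP ports (RPC/metrics) that must stay loopback-only
node_ruleset() {
    lo="$1"; hi="$2"; local_tcp="$3"
    cat <<EOF
table inet nodefw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Only the forwarded listening ports need to be reachable, and only over UDP.
        udp dport { ${lo}-${hi} } accept
        # RPC and metrics are local to the machine: drop them from every other interface.
        iif != "lo" tcp dport { ${local_tcp} } drop
        # Everything else falls through to the drop policy; log a sample of it so
        # stray inbound traffic (the "blocked UDP outside the range" seen above) is visible.
        limit rate 5/minute log prefix "nodefw-drop: "
    }
}
EOF
}

# Sanity check: number of rules that accept traffic. With the layout above this is
# exactly three (loopback, established/related, the UDP range) and nothing else.
count_accepts() {
    node_ruleset "$@" | grep -c 'accept$'
}

# Stand-alone run: print the ruleset for UDP 49000-49099 with two assumed local TCP ports.
node_ruleset 49000 49099 "34000, 12000"
```

Review the printed rules, then apply them with `node_ruleset 49000 49099 "34000, 12000" | sudo nft -f -`; the `nodefw-drop:` log entries show whether the blocked traffic is really outside the forwarded range or whether the router is forwarding a different range than the nodes were started with.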

Do you mean VPS? VPN might be another issue to deal with (double NAT and all that).

If VPS, who is the provider, and do they apply their own firewall upstream to your VPS? Is there a web page to set the firewall rules for that one?

So that worked for you. Does your machine have multiple NICs?

And it has been said it is noted for future change when they have time.
