Tech Note 0002
Ensuring firewalls do not interfere with performance
As with all networking software, MTP/IP applications must be able to pass through any firewalls or Network Address Translation (NAT) devices you may have. In most cases, this means entering exception rules for any and all server-side firewall functions on the ports indicated below.
Configuring firewalls on the client-side is usually not necessary, but may improve performance on very fast networks. Some corporate firewalls may block unapproved applications from accessing servers outside the corporate network. If a client is unable to reach outside servers ("No Response"), contact your IT administrator with the information below.
All MTP/IP servers let you choose which UDP port is used. The default ports for each application are listed below. See your product manual or online documentation for application-specific setup details.
| Application | UDP Ports | TCP Ports | Manual |
|---|---|---|---|
Even if a firewall has been disabled, it is still recommended that you enter an exception rule for the indicated ports in case the firewall is later activated. This is mandatory for the built-in firewall on Windows systems, as the Windows firewall cannot be completely disabled.
Firewalls may perform a variety of functions that can impact network connectivity and performance. Most such functions are not designed to work with high-performance data transfers. Some firewalls allow you to configure a general exception for a specified port. Others require that you grant an exception for, or disable, each function individually. Consult your device documentation or firewall vendor for details.
| Function | Description | Recommended setting |
|---|---|---|
| Network Address Translation | | If the server has a private address, ensure that your gateway or firewall is configured to pass traffic from its public IP address to the private server address. |
| Multihome | Multiple IP addresses per node | Ensure that clients, routers, and NATs use the correct address. If the server itself has multiple addresses and you experience connectivity or performance problems, use the Interface or -n option to bind to the correct one. |
| Load Balancer | Distribute to multiple servers | Gateway/NAT load balancers do not work with UDP. Use the load balancing functions built into the ExpeDat and SyncDat clients and configure the device to pass through UDP traffic as for NAT above. See Tech Note 0034 for details. |
| Bandwidth Management | Limits network performance | Disable or make an exception for the UDP port. |
| Quality of Service | Limits network performance | Disable or make an exception for the UDP port. |
| Priority or Throttling | Limits network performance | Disable or make an exception for the UDP port. |
| Denial of Service | Blocks high volume data transfers | Disable or make an exception for the UDP port. |
| Stateful Packet Inspection | Blocks patterns of network traffic | Disable or make an exception for the UDP port. |
| Content Inspection | Blocks packets based on content | Disable or make an exception for the UDP port. |
| WAN Acceleration | Caching, compression, de-duplication | Bypass for the UDP port unless testing shows a clear improvement. |
| IP Fragmentation | Permits or denies large datagrams | If you are experiencing timeouts in the middle of data transfers (they start, but then stop partway through), try reversing this setting. |
| ICMP Blocking | Blocks network diagnostic messages | Disable blocking (allow ICMP) for the UDP port or known clients. |
ICMP is not required, but may speed up error detection.
The most common symptom of a firewall blocking MTP/IP is a failure to communicate between the client and the server. This is usually accompanied by an error such as "Failed: Local Network: No Response". If this happens, check that the server is running, that the port numbers used by the client and the server match, and that all firewalls and NAT devices have explicit rules permitting MTP/IP traffic as described above. Also check that the server name and address are correct and have not changed, such as by DHCP.
If you are unable to reach a server and have verified that the server software is running, try reaching the server from clients running on three different machines: the server itself using "localhost" or "127.0.0.1", a different machine on the same LAN using the server's private IP address (if it has one), and a different machine on a different network. This will help isolate the location of the offending firewall.
In some cases, communication may be lost after a transaction has been running successfully for some time. This can occur if a firewall is automatically making connectivity decisions based on functions like the ones described above. Double check that all functions have exceptions for the server's chosen UDP port.
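The three-vantage-point check above (server itself, a LAN client, a client on another network) can be scripted. The following is an added example, not code from the Tech Note or from the MTP/IP products: it sends a single UDP datagram to the server's port and distinguishes an answer, an ICMP port-unreachable (host reached, nothing listening, ICMP not blocked) and silence (the usual signature of a firewall dropping UDP), then interprets the results gathered from the three vantage points. The probe payload is constructed; a real MTP/IP server may not answer it, so a throwaway echo responder is included as a stand-in for testing the probe itself.

```python
"""UDP reachability probe for isolating a firewall that blocks MTP/IP (added example)."""
import socket
import threading

# Constructed probe payload. The note does not describe MTP/IP's wire format, so
# a genuine MTP/IP server may ignore this datagram; the responder below stands in
# for the server when exercising the probe.
PROBE = b"udp-reachability-probe"


def start_udp_responder(host="127.0.0.1", port=0):
    """Start a throwaway UDP echo responder (test stand-in for the server).
    Returns (bound_port, stop_callable)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            sock.sendto(data, peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1], stop.set


def probe_udp(host, port, timeout=2.0):
    """Send one datagram to host:port and classify the outcome.

    'response'    something answered on that UDP port
    'unreachable' host reached but ICMP port-unreachable came back: nothing is
                  listening on that UDP port and ICMP is not being blocked
    'timeout'     nothing came back: a firewall is silently dropping the UDP
                  traffic, or the port is closed and ICMP is blocked
    'error'       name resolution or local network error
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # A connected UDP socket surfaces ICMP errors as ConnectionRefusedError.
        sock.connect((host, port))
        sock.send(PROBE)
        sock.recv(2048)
        return "response"
    except ConnectionRefusedError:
        return "unreachable"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    finally:
        sock.close()


def locate_block(results):
    """Interpret probe_udp() results from the note's three vantage points.

    results maps 'localhost', 'lan' and 'remote' to outcomes; a vantage point
    that was not tested (e.g. the server has no private address) is omitted.
    The first vantage point that fails points at the layer holding the block.
    """
    checks = [
        ("localhost", "server is not answering on its own host: confirm it is "
                      "running and that client and server port numbers match"),
        ("lan", "reachable locally but not from the LAN: a firewall on the "
                "server host (e.g. the Windows firewall) lacks a UDP exception"),
        ("remote", "reachable on the LAN but not from outside: the gateway, NAT, "
                   "perimeter firewall or cloud security group blocks the UDP port"),
    ]
    for vantage, diagnosis in checks:
        if vantage in results and results[vantage] != "response":
            return f"{vantage} -> {results[vantage]}: {diagnosis}"
    return "no block detected at the tested vantage points"


if __name__ == "__main__":
    port, stop = start_udp_responder()
    print(probe_udp("127.0.0.1", port))
    stop()
```

Run `probe_udp(server, port)` from each of the three machines and feed the outcomes to `locate_block`; a `timeout` from a vantage point where the previous one got a `response` marks the firewall to inspect. Because the probe uses a connected UDP socket, an ICMP port-unreachable reply is reported separately from a dropped packet, which is exactly the distinction the ICMP Blocking row of the table relies on.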
Whenever setting any firewall configuration, pay close attention to whether TCP or UDP ports are being set. MTP/IP only uses UDP.
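A quick way to catch the TCP-instead-of-UDP mistake, and the missing-exception case from the Windows firewall advice above, on a Linux server is to audit the host's rule dump. This is an added example, not part of the Tech Note or the vendor's software: it parses `iptables-save` output for the INPUT chain, finds the first unconditional rule that decides the server's UDP port, and flags the case where the port was opened for TCP only. The port number and both rule dumps are constructed; substitute the port from your product manual.

```python
"""Audit an iptables-save dump for the MTP/IP server's UDP port (added example)."""
import shlex

# Placeholder port: substitute the UDP port from your product manual.
MTP_UDP_PORT = 8080

# Constructed sample: the administrator opened the port for TCP, not UDP.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# The same dump after adding the UDP exception the note asks for.
FIXED_RULES = SAMPLE_RULES.replace(
    "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT\n"
    "-A INPUT -p udp -m udp --dport 8080 -j ACCEPT",
)

# Options that take a value but do not restrict which packets the rule matches.
_SKIP_PAIRS = {"-A", "-m", "--comment", "--reject-with"}


def _expand_ports(spec):
    """Expand a --dport/--dports argument: '8080', '8000:8010' or '53,123'."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_input_chain(text):
    """Return (chain policy, rules) for INPUT. Each rule records protocol,
    destination ports, target, and whether it carries other match conditions
    (interface, source, conntrack state) that this audit does not model."""
    policy, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        if not line.startswith("-A INPUT "):
            continue
        toks = shlex.split(line)
        rule = {"proto": None, "ports": None, "target": None, "conditional": False}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t in ("-p", "--protocol"):
                rule["proto"] = toks[i + 1].lower(); i += 2
            elif t in ("--dport", "--destination-port", "--dports", "--destination-ports"):
                rule["ports"] = _expand_ports(toks[i + 1]); i += 2
            elif t in ("-j", "--jump"):
                rule["target"] = toks[i + 1]; i += 2
            elif t in _SKIP_PAIRS:
                i += 2
            elif t.startswith("-"):
                rule["conditional"] = True; i += 1   # -i, -s, --ctstate, ...
            else:
                i += 1
        rules.append(rule)
    return policy, rules


def first_match(rules, proto, port):
    """iptables is first-match: return the target of the first unconditional
    rule that decides proto/port, or None if only the chain policy applies."""
    for r in rules:
        if r["conditional"] or r["proto"] not in (None, "all", proto):
            continue
        if r["ports"] is not None and port not in r["ports"]:
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return None


def audit_mtp_port(text, port):
    """Report how the dump treats UDP and TCP on the MTP/IP port."""
    policy, rules = parse_input_chain(text)
    udp, tcp = first_match(rules, "udp", port), first_match(rules, "tcp", port)
    findings = []
    if udp == "ACCEPT":
        findings.append(f"udp/{port}: explicit ACCEPT rule present")
    elif (udp or policy) in ("DROP", "REJECT"):
        source = "rule" if udp else "chain policy"
        findings.append(f"udp/{port}: blocked by {source} {udp or policy}; "
                        "clients will report No Response")
        if tcp == "ACCEPT":
            findings.append(f"tcp/{port} is accepted but udp/{port} is not: "
                            "the exception was probably entered for the wrong protocol")
    else:
        findings.append(f"udp/{port}: no explicit rule; relying on chain policy {policy}")
    return {"udp": udp, "tcp": tcp, "policy": policy, "findings": findings}


if __name__ == "__main__":
    for line in audit_mtp_port(SAMPLE_RULES, MTP_UDP_PORT)["findings"]:
        print(line)
```

Feed it the live dump (`iptables-save` as root) for the server's real port. Rules that depend on interface, source address or connection state are deliberately treated as conditional and skipped, so the audit errs toward reporting a block rather than assuming one of those rules happens to cover MTP/IP traffic.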
When you run MTP software under Windows, the system may ask whether the program should be allowed access to the network. Selecting "Allow access" will permit minimal connectivity. For full performance and connectivity, especially for a server, you must also configure explicit firewall rules.
In addition to any firewall configuration on the guest operating system, you must also open a firewall port in the Security Group for the host instance. See Tech Note 0025 for step-by-step instructions.
Some firewalls can be configured to block traffic based on certain patterns of use. Because MTP/IP makes full use of your network resources, a dynamic firewall may mistake this for an attack. If MTP/IP performance degrades or is suddenly cut off, check for such settings. You may need to add the application's port numbers to a second list, or disable such automatic detection features.
Devices that tunnel network traffic over TCP/IP, including "SSL VPNs" and Secure Shell (SSH) tunnels, severely impair performance and are not compatible with MTP/IP. Consider using an IPsec VPN instead.
If your VPN's tunneling mechanism is configurable, such as for OpenVPN, be sure to use UDP. See Tech Note 0009 for more about VPN issues.
Tech Note History
Feb 02 2011: Utilities TCP Port
More VPN details