Tech Note 0002
Configuring Firewalls
Ensuring firewalls do not interfere with performance
Tech Note 0002
Configuring Firewalls
Ensuring firewalls do not interfere with performance
As with all networking software, MTP/IP applications must be able to pass through any firewalls or Network Address Translation (NAT) devices you may have. In most cases, this means entering exception rules for any and all server-side firewall functions on the ports indicated below.
Configuring firewalls on the client-side is usually not necessary, but may improve performance on very fast networks. Some corporate firewalls may block unapproved applications from accessing servers outside the corporate network. If a client is unable to reach outside servers ("No Response"), contact your IT administrator with the information below.
Default Ports
All MTP/IP servers let you choose which UDP port is used. Following is a list of the default ports for each. See the product documentation for application specific setup details.
| Application | UDP Ports | TCP Ports | Documentation |
|---|---|---|---|
| ExpeDat | 8080 | None | "Connectivity" |
| CloudDat | 8080 | None | "Connectivity" |
| SyncDat | 8080 | None | "Connectivity" |
Common Functions
Firewalls may perform a variety of functions which can impact network connectivity and performance. Some firewalls allow you to configure a general exception for a specified port. Others require that you give exceptions or disable each function individually. Consult your device documentation or firewall vendor for details.
| Function | Purpose | Action |
|---|---|---|
| NAT "Port Forwarding" | Network Address Translation | If the server has a private address, ensure that your gateway or firewall is configured to pass traffic from its public IP address to the private server address. |
| VPN | Virtual Private Network | Use IPsec with a direct path between client and server. See Tech Note 0038 for VPN guidance. |
| Multihome | Multiple IP Addresses per Node | Ensure that clients, routers, and NATs use the correct address. If the server itself has multiple addresses and you experience connectivity or performance problems, use the Interface or -n option to bind to the correct one. |
| Load Balancer | Distribute to Multiple Servers | Firewall and router based load balancers do not work with UDP. Use the load balancing functions of ExpeDat and SyncDat or a DNS based load balancer instead. See Tech Note 0034 for more about ExpeDat and SyncDat load balancing. |
| Bandwidth Management | Limits network performance | Disable or make an exception for the UDP port. |
| Quality of Service | Limits network performance | Disable or make an exception for the UDP port. |
| Priority or Throttling | Limits network performance | Disable or make an exception for the UDP port. |
| Denial of Service | Blocks high volume data transfers | Disable or make an exception for the UDP port. |
| Stateful Packet Inspection | Blocks patterns of network traffic | Disable or make an exception for the UDP port. |
| Content Inspection | Blocks packets based on content | Disable or make an exception for the UDP port. |
| WAN Acceleration | Caching, Compression, De-duplication | Bypass for the UDP port unless testing shows a clear improvement. |
| ICMP Blocking | Blocks network diagnostic messages | Disable blocking (allow ICMP) for the UDP port or known clients. ICMP is not required, but it will speed up error detection. |
The most common symptom of a firewall blocking MTP/IP is a failure to communicate between the client and the server. This is usually accompanied by an error such as "Failed: Local Network: No Response". If this happens, check that the server is running, that the port numbers used by the client and the server match, and that all firewalls and NAT devices have explicit rules permitting MTP/IP traffic as described above. Also check that the server name and address are correct and have not changed, such as by DHCP.
If you are unable to reach a server and have verified that the server software is running, try reaching the server from clients running on three different machines: the server itself using "localhost" or "127.0.0.1", a different machine on the same LAN using the server's private IP address (if it has one), and a different machine on a different network. This will help isolate the location of the offending firewall. The mtping utility's traceroute function may also be helpful in locating firewall blockages.
In some cases, communication may be lost after a transaction has been running successfully for some time. This can occur if a firewall is automatically making connectivity decisions based on functions like the ones described above. Double check that all functions have exceptions for the server's chosen UDP port.
Whenever setting any firewall configuration, pay close attention to whether TCP or UDP ports are being set. MTP/IP only uses UDP.
Windows Firewall
When you run MTP software under Windows, the system may ask whether the program should be allowed access to the network. You must select "Allow access" to permit connectivity. For the best performance, especially for a server, you should also configure explicit firewall rules.
Amazon Web Services EC2
In addition to any firewall configuration on the guest operating system, you must also open a firewall port in the Security Group for the host instance. See Tech Note 0025 for step-by-step instructions.
Dynamic Firewalls
Some firewalls can be configured to block traffic based on certain patterns of use. Because MTP/IP makes full use of your network resources, a dynamic firewall may mistake this for an attack. If MTP/IP performance degrades or is suddenly cut off, check for such settings. You may need to add the application's port numbers to a second list, or disable such automatic detection features.
SSL VPNs & SSH Tunneling
Devices which tunnel network traffic over TCP/IP, including "SSL VPNs" and Secure SHell tunnels, severely impair performance and are not compatible with MTP/IP. Consider using an IPsec VPN instead. If your VPN's tunneling mechanism is configurable, such as for OpenVPN, be sure to use UDP. See Tech Note 0009 for more about VPN issues.
Tech Note History
| Nov | 03 | 2022 | VPN Tech Note 0038 |
| Aug | 10 | 2021 | Added VPNs, minor updates |
| Apr | 06 | 2017 | Removed Obsolete |
| Dec | 28 | 2015 | Minor Updates |
| May | 08 | 2014 | WAN Acceleration |
| May | 08 | 2013 | Load Balancers |
| May | 11 | 2011 | Corporate firewalls |
| Feb | 02 | 2011 | Utilities TCP Port More VPN details Deprecated Links |
| Nov | 22 | 2010 | AWS EC2 |
| Mar | 30 | 2010 | Windows 7 |
| Mar | 17 | 2010 | Multihome |
| Mar | 16 | 2010 | Default Ports Common Functions |
| May | 14 | 2007 | SSH Tunneling |
| Apr | 25 | 2007 | Vista Firewall |
| Feb | 12 | 2007 | Updated |