Tech Note 0002

Configuring Firewalls

Ensuring firewalls do not interfere with performance

As with all networking software, MTP/IP applications must be able to pass through any firewalls or Network Address Translation (NAT) devices you may have.  In most cases, this means entering exception rules for any and all server-side firewall functions on the ports indicated below.

Configuring firewalls on the client-side is usually not necessary, but may improve performance on very fast networks.  Some corporate firewalls may block unapproved applications from accessing servers outside the corporate network.  If a client is unable to reach outside servers ("No Response"), contact your IT administrator with the information below.

Default Ports

All MTP/IP servers let you choose which UDP port is used.  Following is a list of the default ports for each.  See the product documentation for application-specific setup details.

Application   UDP Ports   TCP Ports   Documentation
ExpeDat       8080        None        "Connectivity"
CloudDat      8080        None        "Connectivity"
SyncDat       8080        None        "Connectivity"

Common Functions

Firewalls may perform a variety of functions which can impact network connectivity and performance.  Some firewalls allow you to configure a general exception for a specified port.  Others require that you give exceptions or disable each function individually.  Consult your device documentation or firewall vendor for details.

Function / Purpose
    Action

NAT ("Port Forwarding") / Network Address Translation
    If the server has a private address, ensure that your gateway or firewall is configured to pass traffic from its public IP address to the private server address.

SSL VPN / Network Tunneling
    SSL and other TCP based VPNs are not compatible with UDP data transfer.  Switch to a packet based VPN such as IPsec.

IPsec VPN / Network Tunneling
    Multiple layers of VPNs, MPLS, or other tunneling protocols may trigger IP fragmentation.  If you are experiencing poor performance or dropped connections, try reducing the MaxDatagram option of the MTP/IP software to less than its default of 1408 bytes.

Multihome / Multiple IP Addresses per Node
    Ensure that clients, routers, and NATs use the correct address.  If the server itself has multiple addresses and you experience connectivity or performance problems, use the Interface or -n option to bind to the correct one.

Load Balancer / Distribute to Multiple Servers
    Firewall and router based load balancers do not work with UDP.  Use the load balancing functions of ExpeDat and SyncDat or a DNS based load balancer instead.  See Tech Note 0034 for more about ExpeDat and SyncDat load balancing.

Bandwidth Management / Limits network performance
    Disable or make an exception for the UDP port.

Quality of Service / Limits network performance
    Disable or make an exception for the UDP port.

Priority or Throttling / Limits network performance
    Disable or make an exception for the UDP port.

Denial of Service / Blocks high volume data transfers
    Disable or make an exception for the UDP port.

Stateful Packet Inspection / Blocks patterns of network traffic
    Disable or make an exception for the UDP port.

Content Inspection / Blocks packets based on content
    Disable or make an exception for the UDP port.

WAN Acceleration / Caching, Compression, De-duplication
    Bypass for the UDP port unless testing shows a clear improvement.

ICMP Blocking / Blocks network diagnostic messages
    Disable blocking (allow ICMP) for the UDP port or known clients.  ICMP is not required, but it will speed up error detection.

The most common symptom of a firewall blocking MTP/IP is a failure to communicate between the client and the server.  This is usually accompanied by an error such as "Failed: Local Network: No Response".  If this happens, check that the server is running, that the port numbers used by the client and the server match, and that all firewalls and NAT devices have explicit rules permitting MTP/IP traffic as described above.  Also check that the server name and address are correct and have not changed, such as by DHCP.

If you are unable to reach a server and have verified that the server software is running, try reaching the server from clients running on three different machines: the server itself using "localhost" or "127.0.0.1", a different machine on the same LAN using the server's private IP address (if it has one), and a different machine on a different network.  This will help isolate the location of the offending firewall.  The mtping utility's traceroute function may also be helpful in locating firewall blockages.

In some cases, communication may be lost after a transaction has been running successfully for some time.  This can occur if a firewall is automatically making connectivity decisions based on functions like the ones described above.  Double check that all functions have exceptions for the server's chosen UDP port.

Whenever setting any firewall configuration, pay close attention to whether TCP or UDP ports are being set.  MTP/IP only uses UDP.
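As an added illustration, not part of this tech note and not Data Expedition's own code, the POSIX shell function below emits an nftables ruleset for a Linux host in front of or running an MTP/IP server, covering the exceptions listed above: the UDP port exception (never TCP), ICMP allowed for faster error detection, and the NAT "Port Forwarding" rule when a public and private address are given.  The port, the addresses, and the table names are assumptions; load the output with nft -f.

```shell
#!/bin/sh
# Added example: emits an nftables ruleset for an MTP/IP server (ExpeDat, CloudDat,
# SyncDat). Not from the tech note; assumes a Linux host or gateway running nftables.
# Usage: mtpip_ruleset <udp_port> [public_ip private_ip]
#        mtpip_ruleset 8080 > mtpip.nft && nft -f mtpip.nft
mtpip_ruleset() {
    port=$1; pub=$2; priv=$3
    # MTP/IP uses UDP only, so the argument must be a port number, never "tcp".
    case "$port" in
        ''|*[!0-9]*) echo "usage: mtpip_ruleset <udp_port> [public_ip private_ip]" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }

    cat <<EOF
table inet mtpip {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Add any management ports your host needs (e.g. SSH) here.
        # Exception for the MTP/IP server port: UDP, not TCP
        udp dport $port accept
        # ICMP is optional for MTP/IP but speeds up error detection, so allow the
        # diagnostic types instead of blocking ICMP wholesale
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, time-exceeded, packet-too-big } accept
    }
}
EOF
    # NAT "Port Forwarding" case: the gateway passes UDP traffic arriving on its
    # public address through to the server's private address on the same port.
    if [ -n "$pub" ] && [ -n "$priv" ]; then
        cat <<EOF
table ip mtpip_nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        ip daddr $pub udp dport $port dnat to $priv:$port
    }
}
EOF
    fi
}
```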

Windows Firewall

When you run MTP software under Windows, the system may ask whether the program should be allowed access to the network.  You must select "Allow access" to permit connectivity.  For the best performance, especially for a server, you should also configure explicit firewall rules.

Amazon Web Services EC2

In addition to any firewall configuration on the guest operating system, you must also open a firewall port in the Security Group for the host instance.  See Tech Note 0025 for step-by-step instructions.

Dynamic Firewalls

Some firewalls can be configured to block traffic based on certain patterns of use.  Because MTP/IP makes full use of your network resources, a dynamic firewall may mistake this for an attack.  If MTP/IP performance degrades or is suddenly cut off, check for such settings.  You may need to add the application's port numbers to a second list, or disable such automatic detection features.

SSL VPNs & SSH Tunneling

Devices which tunnel network traffic over TCP/IP, including "SSL VPNs" and Secure Shell (SSH) tunnels, severely impair performance and are not compatible with MTP/IP.  Consider using an IPsec VPN instead.  If your VPN's tunneling mechanism is configurable, such as for OpenVPN, be sure to use UDP.  See Tech Note 0009 for more about VPN issues.

Tech Note History

Aug 10 2021  Added VPNs, minor updates
Apr 06 2017  Removed Obsolete
Dec 28 2015  Minor Updates
May 08 2014  WAN Acceleration
May 08 2013  Load Balancers
May 11 2011  Corporate firewalls
Feb 02 2011  Utilities TCP Port
             More VPN details
             Deprecated Links
Nov 22 2010  AWS EC2
Mar 30 2010  Windows 7
Mar 17 2010  Multihome
Mar 16 2010  Default Ports
             Common Functions
May 14 2007  SSH Tunneling
Apr 25 2007  Vista Firewall
Feb 12 2007  Updated