Hosting for Dummies
A beginners guide to hosting.
This little guide is written to help people understand the basics of hosting. I have tried to keep away from the technical babble, but some basic knowledge is needed, so lets go on to chapter one: Internet basics.
Internet Basics
All Internet communications is using 3 main parts: IP addresses: This is the address you have, or the address of the host you are connecting to. Ports are used to keep traffic separated, and give the ability to have several services (like http @ port 80, https @ port 443) or programs running at one IP-address. Protocols are the “language” used. For LFS we need TCP and UDP. TCP is using “Handshake” for each packet, so that every packed delivery is confirmed. This creates more traffic, but is reliable and sender knows that data was delivered. TCP also resends packets that were lost automatically. LFS uses TCP for control data, like race restarts. UDP is just sending packets, and hope they arrive at the recipient. It’s much quicker method, but unreliable. LFS uses UDP for sending car position data.
To be able to communicate we need some hardware: NIC: Network Interface Card, or for short: Network card. Routers keep track of where to send the traffic.
Some services: DNS Dynamic Name Server, this helps you to use names for hosts, so you just need to remember www.google.com, instead of 66.102.11.99 (Google’s IP-address) DNS is not necessary for LFS, but used for almost everything else …
Security: Firewall is a system or program used to only let approved traffic thru.
And finally, some other terms used: DHCP, Dynamic Host Configuration Protocol. This is assigning a unused IP-address automatically, helping to reduce the number of unused IP-addresses. Some ISPs force a new IP-address every now and then. Public IP is the IP-address you use to connect to the Internet, or the IP you connects to. This must be a unique address (You will be assigned this from your ISP using your ISP’s DHCP-server) Also called “outside” Private IP Your home router assigns you a Private IP, this address is within some specific ranges, a common used range is: 10.x.x.x , the second range, the most common default for your typical home router is 192.168.x.x, The third range is 172.16-31.x.x. Also called “inside” NAT Network address Translation. This is a very clever system; it protects you very well from the Internet, and gives you the possibility to have several PC’s on the “Inside” [PC1] --> [PC2] --> [Router with NAT] --> Internet [PC3] --> When using NAT your Private IP address is translated to your Public IP, making it possible for you to get on the net Lots of stuff, and new words, but its needed to understand why you need port-mapping.
Lets move on to “How it works”
How the Internet works
A simple sample, direct connection to the Internet: [PC1] --> [Internet] --> [www.google.com]
Your PC has a valid Public IP, and you want to browse google’s web pages Your PC first makes a DNS lookup to find Google’s Public IP. Http is using Port 80, so your PC connects to Google’s public IP at port 80 and you can read the page. What you don’t see is that your PC is using an unused port above 1024 to connect to google, lets say, port 1050, so what really happens is: Your PC opens port 1050 for outgoing traffic, and sends a “Get” request to google’s web server at port 80. The server opens the file and sends it back to your client at port 1050.
A sample with NAT, Connection with a router: [PC1] --> [PC2] -- [Router with NAT] --> [Internet] --> [www.google.com] [PC3] –
Your PC has a valid private IP, and your Router has a valid Public IP Your PC request a page at Google, it uses a port over 1024, lets reuse 1050. The request goes thru your Router, and is translated to your routers public IP, with a new port, lets say the request that reaches google.com is from your routers public IP at port 23050. Google answers back to your routers public IP at port 23050, and it remember that it was your PC, at its Private IP and at port 1050 the request came from and sends the data back to your PC’s Private IP at port 1050.
LFS's default server port is 63392, which means your PC uses a port higher than 1024 and connects to the LFS hosts IP at port 63392. LFS can be set to use any port.
Still hanging on? Lets move on to Security
Security
Security is a BIG issue when connected to the Internet. “Out there” you have hackers and Internet spreading viruses that wants to spoil your fun, it’s just like the demo servers
To protect yourself you must use a firewall.
The most common thing is the built in firewall in Windows XP. This is turned on when enabling the Internet connection sharing function. Windows XP SP2 also turns the firewall on by default.
Another common solution is a “Personal Firewall” This is an application you run on your computer. Making sure that only approved programs can access the Internet. The usual way is: when a “new program” request a internet connection, a dialog pops up asking you to grant or deny access, or grant a permanent access.
Another solution is to have an extra “box”, a PC or a “Black box” (black box is a term for a system running a “unknown” OS with a “unknown” firewall).
At home this is most commonly your home gateway. It’s a small box with lots of lights on it. It can also run on a separate PC, using Linux (or other Unix-like OS, FreeBSD is very secure and quite popular), but if you have that solution you probably are no dummy and don’t need to read this guide.
Most external router/firewall solutions come with NAT. The default behaviour of NAT makes sure that NO connections from the outside makes it thru the router, but ANY connection from the inside will be let out.
Problems with the firewall can be hard to diagnose, very often it “just don’t work” with no error messages. You might be able to see blocked traffic in your routers log though, look for message that packet sent to port 63392 (or your chosen LFS port) was blocked.
Still hanging around? Wanna be crazy? Go on to “Security, the tuff stuff” Or just a little bit crazy? Check out, “LFS hosting with a firewall”
Or move on to “why we need port mapping”
Security the tuff stuff ...
WARNING This chapter may make you feel dizzy or fall asleep
The problem with an external firewall is that it doesn’t see which application that is requesting Internet access. It needs rules for the traffic. The first rule is usually “DENY ALL” everything is closed if not a specific rule allows it. New sample: [PC1] --> [PC2] --> [Router with NAT and Firewall] --> [Internet] --> [LFS Host@port 63392] [PC3] -->
PC1 wants to connect to a LFS host at the Host IP and port 63392. To get this traffic thru the router, the router must have a rule that: Allow PC1 to connect to the LFS host, at its IP address and port 63392.
But, there is not only one LFS host out there so the rule needs an update: Allow PC1 to connect to ANY host at port 63392
And then someone else in your company wants to try LFS, new update: Allow ANY pc to connect to ANY host at port 63392
OK, not too bad. Outbound traffic to a specific port is usually granted already (e.g. to be able to browse the Internet you must be able to use port 80 (http)).
But LFS can use any port and now you will dig a real hole in the firewall: Allow ANY pc to connect to ANY host at ANY port.
Most company firewall operators do not want to use “Any”, as this gives no control. 3x ANY in one line is something you really don’t want. Therefore, playing LFS behind a company firewall can be very hard. Hosting LFS behind a company firewall will usually be impossible...
Allow all out deny all in setup is actually a very good firewall for home use, but if you download a program, lets call it Crack.exe, that really is a small program recording your bank account information, and sending it to a host outside, you will never see it, without a Personal Firewall. But … who runs software downloaded from the net without running a virus-scan?
Lets move on to “Hosting LFS with a firewall”.
LFS Hosting with a firewall
WARNING This chapter is also tuff one...
Because of DENY ALL IN rule, you must set up a rule for your LFS host. Your firewall must let incoming traffic to port 63392 (default LFS, or any other port you decided to use in server configuration) pass thru. Remember that LFS is using both TCP and UDP protocols. The rule will look something like: Allow ANY Source IP to connect to your LFS host IP at port 63392 (using both TCP and UDP).
Some firewalls have problems with UDP. If this is the issue, your host will be visible on the master list, but no one will be able to connect.
I would recommend to disable the personal firewall when testing, especially if you are behind a router with NAT. Just remember to enable it when done testing. (For home users with residential gateways this would mean pulling cables and changing setups. I wouldn’t recommend that. If you are setting up the server behind a home gateway, I guess the best way to test would be to have a friend that you can call and ask to try and connect to your server.)
Problems with the firewall can be hard to diagnose, very often it “just don’t work” with no error messages. You might be able to see blocked traffic in your routers log though, look for message that packet sent to port 63392 (or your chosen LFS port) was blocked.
Now we should be able to understand “why we need port mapping”
Why we need port mapping
When hosting, you want other people to be able to connect to your LFS host. Going back to the Router with NAT example: [PC1] -- [PC2] -- [Router with NAT] <-- [Internet] <-- [Computer running LFS] [PC3] –
The router just blocks all traffic from the outside. So we need to create a port mapping to tell the router that this is traffic we want to deal with. A port mapping tells the router that all traffic from the outside to port 63392 (default for LFS) will be sent to an IP on the inside at port 63392. [PC1] -- [PC2] -- [Router with NAT] <-- [Internet] <-- [Computer running LFS] [PC3] <--
Remember: The port mapping must include both TCP and UDP
How this is set up depends on your router. Most home routers provide a web interface to configure the router; some have a separate program running on your PC for configuration. Some routers also have the possibility to use “telnet” to change the configuration (start – run – cmd – telnet 10.0.0.1 (or 192.168.0.1 or 192.168.1.1 or any other IP address of your router)) Read the manual, check your ISP's faq, ask your ISP.
Most home gateways will let you set them up via web interface. Open your web browser and enter http://192.168.0.1 (or other possible addresses). You will almost certainly be asked for username and password by the router.
If you don’t know the password for your router configuration you have three options: 1) Your password is the default factory one: Check you router manual to find out the default password and change it. 2) Your password is not default one and you never changed it yourself: This is most common with routers that were provided by your ISP as part of the service. ISP sometimes sets their own passwords, so that you cannot change the configuration and complain to customer support about it. You will have to talk to your ISP customer support in that case. 3) You changed your password, but forgot it: This is the worst case. You can reset the password by doing the “hard reset” procedure on router to reset to defaults. DON’T DO THIS UNLESS YOU KNOW ALL ABOUT YOUR ROUTER! Resetting the router means all configuration needs to be entered again.
See the “routers guide” and check if your router is in there.
Problems? LFS is using a very high port. Some routers use a high range for “outgoing NAT”. Some ISPs also reserve these high ports for their internal use. If your router/ISP does this you must: Exclude the “LFS range” from the “outgoing NAT” range or Use a lower port for LFS
Some ISPs force your router to change IP every now and then. This is not good for the clients connected when this happens, but (AFAIK) the LFS host reconnects to the master server and updates its new IP.
Routers guide
Here I have a plan to add guides to set up port mapping on specific routers...
See here how to forward ports on your hardware firewall/router
http://portforward.com/routers.htm
Netopia 4542 router
D-link 804HV Setting up a LFS Host
Technical background Here I have tried to collect some words about hosting, and LFS..
TCP and UDP in LFS (By Scawen) The TCP connection of course has to work because the in-sync game code relies on TCP, as everything needs to match, and stay in sync.
But the position updates (PosPackets) don't match perfectly, because they are run without delay (there is always "error" in remote car positions - seen as warping - because of inevitable time delay) and that system uses UDP packets because they are quicker but do suffer from packet loss and it's better to forget about ones that didn't arrive and just use the next packet that does arrive). However, guests which are failing to receive UDP packets can request the host to send TCP PosPackets to the guest, and it will do so. But guests *never* send TCP PosPackets to the host.
That's because sometimes guests are behind firewalls and for some reason can't receive UDP packets sent back to them - and another problem that a UDP connection that worked at first can later be "forgotten" by the router for some reason. However, they can always *send* UDP packets to the host, because the host must be properly set up on the internet, so the problem of losing the UDP connection in that direction shouldn't arise.
So... in summary, it can work if the guest can't *receive* UDP packets, in which case it will request the PosPackets to be sent to it in TCP packets, but it must be able to *send* UDP packets because there is no fallback system in that direction.
Ranges used for LAN games (aka. IETF private IP ranges): (By Scawen) These are the ranges :
10.x.x.x 192.168.x.x 172.16-31.x.x
More info: http://www.suse.de/~mha/linux-ip-nat/diplom/
Why other ranges do not work: (by scawen) That's because direct connection is restricted to local networks. It's a security measure so that people who want to play on the Internet must go through the master server (not connect direct by IP, but they can simply connect by “name” to a "hidden" game for the same effect - this stops people with a hacked version being able to happily race over the internet). So I’ve researched the special IP addresses, which are reserved for local networks and allowed direct connection for those addresses.
I don't really know why your network is using addresses outside the reserved IP address ranges. I guess there may be a good reason or else someone just chose the 200.x.x.x range because it sounded good? Don't know much about that really but you might not be able to connect to some "real" IP addresses in that range, and I guess that's why there are some special reserved ranges.
A beginners guide to hosting.
This little guide is written to help people understand the basics of hosting. I have tried to keep away from the technical babble, but some basic knowledge is needed, so lets go on to chapter one: Internet basics.
Internet Basics
All Internet communications is using 3 main parts: IP addresses: This is the address you have, or the address of the host you are connecting to. Ports are used to keep traffic separated, and give the ability to have several services (like http @ port 80, https @ port 443) or programs running at one IP-address. Protocols are the “language” used. For LFS we need TCP and UDP. TCP is using “Handshake” for each packet, so that every packed delivery is confirmed. This creates more traffic, but is reliable and sender knows that data was delivered. TCP also resends packets that were lost automatically. LFS uses TCP for control data, like race restarts. UDP is just sending packets, and hope they arrive at the recipient. It’s much quicker method, but unreliable. LFS uses UDP for sending car position data.
To be able to communicate we need some hardware: NIC: Network Interface Card, or for short: Network card. Routers keep track of where to send the traffic.
Some services: DNS Dynamic Name Server, this helps you to use names for hosts, so you just need to remember www.google.com, instead of 66.102.11.99 (Google’s IP-address) DNS is not necessary for LFS, but used for almost everything else …
Security: Firewall is a system or program used to only let approved traffic thru.
And finally, some other terms used: DHCP, Dynamic Host Configuration Protocol. This is assigning a unused IP-address automatically, helping to reduce the number of unused IP-addresses. Some ISPs force a new IP-address every now and then. Public IP is the IP-address you use to connect to the Internet, or the IP you connects to. This must be a unique address (You will be assigned this from your ISP using your ISP’s DHCP-server) Also called “outside” Private IP Your home router assigns you a Private IP, this address is within some specific ranges, a common used range is: 10.x.x.x , the second range, the most common default for your typical home router is 192.168.x.x, The third range is 172.16-31.x.x. Also called “inside” NAT Network address Translation. This is a very clever system; it protects you very well from the Internet, and gives you the possibility to have several PC’s on the “Inside” [PC1] --> [PC2] --> [Router with NAT] --> Internet [PC3] --> When using NAT your Private IP address is translated to your Public IP, making it possible for you to get on the net Lots of stuff, and new words, but its needed to understand why you need port-mapping.
Lets move on to “How it works”
How the Internet works
A simple sample, direct connection to the Internet: [PC1] --> [Internet] --> [www.google.com]
Your PC has a valid Public IP, and you want to browse google’s web pages Your PC first makes a DNS lookup to find Google’s Public IP. Http is using Port 80, so your PC connects to Google’s public IP at port 80 and you can read the page. What you don’t see is that your PC is using an unused port above 1024 to connect to google, lets say, port 1050, so what really happens is: Your PC opens port 1050 for outgoing traffic, and sends a “Get” request to google’s web server at port 80. The server opens the file and sends it back to your client at port 1050.
A sample with NAT, Connection with a router: [PC1] --> [PC2] -- [Router with NAT] --> [Internet] --> [www.google.com] [PC3] –
Your PC has a valid private IP, and your Router has a valid Public IP Your PC request a page at Google, it uses a port over 1024, lets reuse 1050. The request goes thru your Router, and is translated to your routers public IP, with a new port, lets say the request that reaches google.com is from your routers public IP at port 23050. Google answers back to your routers public IP at port 23050, and it remember that it was your PC, at its Private IP and at port 1050 the request came from and sends the data back to your PC’s Private IP at port 1050.
LFS's default server port is 63392, which means your PC uses a port higher than 1024 and connects to the LFS hosts IP at port 63392. LFS can be set to use any port.
Still hanging on? Lets move on to Security
Security
Security is a BIG issue when connected to the Internet. “Out there” you have hackers and Internet spreading viruses that wants to spoil your fun, it’s just like the demo servers
To protect yourself you must use a firewall. The most common thing is the built in firewall in Windows XP. This is turned on when enabling the Internet connection sharing function. Windows XP SP2 also turns the firewall on by default.
Another common solution is a “Personal Firewall” This is an application you run on your computer. Making sure that only approved programs can access the Internet. The usual way is: when a “new program” request a internet connection, a dialog pops up asking you to grant or deny access, or grant a permanent access.
Another solution is to have an extra “box”, a PC or a “Black box” (black box is a term for a system running a “unknown” OS with a “unknown” firewall).
At home this is most commonly your home gateway. It’s a small box with lots of lights on it.
It can also run on a separate PC, using Linux (or other Unix-like OS, FreeBSD is very secure and quite popular), but if you have that solution you probably are no dummy and don’t need to read this guide. Most external router/firewall solutions come with NAT. The default behaviour of NAT makes sure that NO connections from the outside makes it thru the router, but ANY connection from the inside will be let out.
Problems with the firewall can be hard to diagnose, very often it “just don’t work” with no error messages. You might be able to see blocked traffic in your routers log though, look for message that packet sent to port 63392 (or your chosen LFS port) was blocked.
Still hanging around? Wanna be crazy? Go on to “Security, the tuff stuff” Or just a little bit crazy? Check out, “LFS hosting with a firewall”
Or move on to “why we need port mapping”
Security the tuff stuff ...
WARNING This chapter may make you feel dizzy or fall asleep
The problem with an external firewall is that it doesn’t see which application that is requesting Internet access. It needs rules for the traffic. The first rule is usually “DENY ALL” everything is closed if not a specific rule allows it. New sample: [PC1] --> [PC2] --> [Router with NAT and Firewall] --> [Internet] --> [LFS Host@port 63392] [PC3] -->
PC1 wants to connect to a LFS host at the Host IP and port 63392. To get this traffic thru the router, the router must have a rule that: Allow PC1 to connect to the LFS host, at its IP address and port 63392.
But, there is not only one LFS host out there so the rule needs an update: Allow PC1 to connect to ANY host at port 63392
And then someone else in your company wants to try LFS, new update: Allow ANY pc to connect to ANY host at port 63392
OK, not too bad. Outbound traffic to a specific port is usually granted already (e.g. to be able to browse the Internet you must be able to use port 80 (http)).
But LFS can use any port and now you will dig a real hole in the firewall: Allow ANY pc to connect to ANY host at ANY port.
Most company firewall operators do not want to use “Any”, as this gives no control. 3x ANY in one line is something you really don’t want. Therefore, playing LFS behind a company firewall can be very hard. Hosting LFS behind a company firewall will usually be impossible...
Allow all out deny all in setup is actually a very good firewall for home use, but if you download a program, lets call it Crack.exe, that really is a small program recording your bank account information, and sending it to a host outside, you will never see it, without a Personal Firewall. But … who runs software downloaded from the net without running a virus-scan?
Lets move on to “Hosting LFS with a firewall”.
LFS Hosting with a firewall
WARNING This chapter is also tuff one...
Because of DENY ALL IN rule, you must set up a rule for your LFS host. Your firewall must let incoming traffic to port 63392 (default LFS, or any other port you decided to use in server configuration) pass thru. Remember that LFS is using both TCP and UDP protocols. The rule will look something like: Allow ANY Source IP to connect to your LFS host IP at port 63392 (using both TCP and UDP).
Some firewalls have problems with UDP. If this is the issue, your host will be visible on the master list, but no one will be able to connect.
I would recommend to disable the personal firewall when testing, especially if you are behind a router with NAT. Just remember to enable it when done testing. (For home users with residential gateways this would mean pulling cables and changing setups. I wouldn’t recommend that. If you are setting up the server behind a home gateway, I guess the best way to test would be to have a friend that you can call and ask to try and connect to your server.)
Problems with the firewall can be hard to diagnose, very often it “just don’t work” with no error messages. You might be able to see blocked traffic in your routers log though, look for message that packet sent to port 63392 (or your chosen LFS port) was blocked.
Now we should be able to understand “why we need port mapping”
Why we need port mapping
When hosting, you want other people to be able to connect to your LFS host. Going back to the Router with NAT example: [PC1] -- [PC2] -- [Router with NAT] <-- [Internet] <-- [Computer running LFS] [PC3] –
The router just blocks all traffic from the outside. So we need to create a port mapping to tell the router that this is traffic we want to deal with. A port mapping tells the router that all traffic from the outside to port 63392 (default for LFS) will be sent to an IP on the inside at port 63392. [PC1] -- [PC2] -- [Router with NAT] <-- [Internet] <-- [Computer running LFS] [PC3] <--
Remember: The port mapping must include both TCP and UDP
How this is set up depends on your router. Most home routers provide a web interface to configure the router; some have a separate program running on your PC for configuration. Some routers also have the possibility to use “telnet” to change the configuration (start – run – cmd – telnet 10.0.0.1 (or 192.168.0.1 or 192.168.1.1 or any other IP address of your router)) Read the manual, check your ISP's faq, ask your ISP.
Most home gateways will let you set them up via web interface. Open your web browser and enter http://192.168.0.1 (or other possible addresses). You will almost certainly be asked for username and password by the router.
If you don’t know the password for your router configuration you have three options: 1) Your password is the default factory one: Check you router manual to find out the default password and change it. 2) Your password is not default one and you never changed it yourself: This is most common with routers that were provided by your ISP as part of the service. ISP sometimes sets their own passwords, so that you cannot change the configuration and complain to customer support about it. You will have to talk to your ISP customer support in that case. 3) You changed your password, but forgot it: This is the worst case. You can reset the password by doing the “hard reset” procedure on router to reset to defaults. DON’T DO THIS UNLESS YOU KNOW ALL ABOUT YOUR ROUTER! Resetting the router means all configuration needs to be entered again.
See the “routers guide” and check if your router is in there.
Problems? LFS is using a very high port. Some routers use a high range for “outgoing NAT”. Some ISPs also reserve these high ports for their internal use. If your router/ISP does this you must: Exclude the “LFS range” from the “outgoing NAT” range or Use a lower port for LFS
Some ISPs force your router to change IP every now and then. This is not good for the clients connected when this happens, but (AFAIK) the LFS host reconnects to the master server and updates its new IP.
Routers guide
Here I have a plan to add guides to set up port mapping on specific routers...
See here how to forward ports on your hardware firewall/router
http://portforward.com/routers.htm
Netopia 4542 router
D-link 804HV Setting up a LFS Host
Technical background Here I have tried to collect some words about hosting, and LFS..
TCP and UDP in LFS (By Scawen) The TCP connection of course has to work because the in-sync game code relies on TCP, as everything needs to match, and stay in sync.
But the position updates (PosPackets) don't match perfectly, because they are run without delay (there is always "error" in remote car positions - seen as warping - because of inevitable time delay) and that system uses UDP packets because they are quicker but do suffer from packet loss and it's better to forget about ones that didn't arrive and just use the next packet that does arrive). However, guests which are failing to receive UDP packets can request the host to send TCP PosPackets to the guest, and it will do so. But guests *never* send TCP PosPackets to the host.
That's because sometimes guests are behind firewalls and for some reason can't receive UDP packets sent back to them - and another problem that a UDP connection that worked at first can later be "forgotten" by the router for some reason. However, they can always *send* UDP packets to the host, because the host must be properly set up on the internet, so the problem of losing the UDP connection in that direction shouldn't arise.
So... in summary, it can work if the guest can't *receive* UDP packets, in which case it will request the PosPackets to be sent to it in TCP packets, but it must be able to *send* UDP packets because there is no fallback system in that direction.
Ranges used for LAN games (aka. IETF private IP ranges): (By Scawen) These are the ranges :
10.x.x.x 192.168.x.x 172.16-31.x.x
More info: http://www.suse.de/~mha/linux-ip-nat/diplom/
Why other ranges do not work: (by scawen) That's because direct connection is restricted to local networks. It's a security measure so that people who want to play on the Internet must go through the master server (not connect direct by IP, but they can simply connect by “name” to a "hidden" game for the same effect - this stops people with a hacked version being able to happily race over the internet). So I’ve researched the special IP addresses, which are reserved for local networks and allowed direct connection for those addresses.
I don't really know why your network is using addresses outside the reserved IP address ranges. I guess there may be a good reason or else someone just chose the 200.x.x.x range because it sounded good? Don't know much about that really but you might not be able to connect to some "real" IP addresses in that range, and I guess that's why there are some special reserved ranges.
.
