Router mistakenly thinks UDP is firewalled « Bug Reports and Feature Requests « I2P Help, Hints, Advice
Sun, 23 Feb 2020, 07:29am #1

For some reason my Java router eventually sets UDP to "Firewalled" and it results in less participating traffic.
I don't understand why it happens. I did check my router's UDP port, sent some random UDP packets there, and Wireshark on the router side showed that they arrived. So my UDP port is definitely not firewalled.

Router configuration:

Externally reachable hostname or IP address: Specify hostname or IP: <my public IP>
UDP Configuration: UDP port: Specify Port: <my port>
TCP Configuration: Externally reachable TCP port: Use the same port configured for UDP
Externally reachable hostname or IP address: Always use auto-detected IP address (Not firewalled)

Important thing is: my router itself doesn't have a public IP. It is behind NAT with public IP which is based on iptables. The NAT redirects inbound TCP and UDP with <my port> destination to router. So my router's TCP and UDP ports are externally reachable, nothing else is externally reachable.

Is there something I am doing wrong, or is it a bug? Does the router need some other ports to be reachable?
Is it possible to force the router to always set UDP status to OK?

Sun, 23 Feb 2020, 09:00am #2
I2P Legend


I2P sets the state to firewalled if it does not have incoming connections, for any reason.
So even with the UDP port open, there may be issues preventing other I2P routers from connecting via UDP on that port, which leads to the firewalled state.

Check announced IP/port setup, your NAT. Sometimes NAT is the issue, as it mangles with UDP packages.


Sun, 23 Feb 2020, 09:24am #3

I did check it while router's UDP was "Firewalled" and it was fine.

Mon, 24 Feb 2020, 09:01pm #4
I2P Legend

I2P UDP is very picky about connectivity, unlike TCP.

For IPv6 you need to turn off privacy extensions, making sure the advertised network address on /peers is the same IP your machine sends from.

For IPv4 you need THREE things: a firewall rule letting traffic in (and out), a destination NAT rule to redirect inbound traffic to your machine and a source NAT rule that lets outgoing packets appear as if they were coming from your internet gateway. Many consumer routers do this in one setting, with iptables it is roll your own.
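
The three IPv4 pieces listed in post #4, written as a check over `iptables-save` output. This is an added example, not code from the thread or from the I2P project; it assumes the gateway forwards to the I2P host through the FORWARD chain, and the port, LAN address and interface name in the sample dumps are constructed.

```shell
#!/bin/sh
# Added example. Usage on the gateway (as root):
#   iptables-save | check_i2p_udp_nat <udp-port> <router-lan-ip>
# Prints "ok" or the names of the missing pieces.
check_i2p_udp_nat() {
    port=$1
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    rules=$(cat)                                      # iptables-save text on stdin
    missing=""
    # 1. Firewall: FORWARD policy ACCEPT, or an explicit ACCEPT for the UDP port.
    printf '%s\n' "$rules" | grep -Eq -e '^:FORWARD ACCEPT' \
        -e "^-A FORWARD .*-p udp .*--dport $port .*-j ACCEPT" \
        || missing="$missing forward-accept"
    # 2. Destination NAT: inbound UDP on the port is redirected to the I2P host.
    printf '%s\n' "$rules" | grep -Eq \
        "^-A PREROUTING .*-p udp .*--dport $port .*-j DNAT --to-destination $host_re(:$port)?( |\$)" \
        || missing="$missing dnat"
    # 3. Source NAT: outbound packets leave with the gateway's address.
    printf '%s\n' "$rules" | grep -Eq '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' \
        || missing="$missing snat"
    missing=${missing# }
    echo "${missing:-ok}"
}

# Constructed sample dumps (port 12345, host 192.168.1.50, WAN eth0 are made up).
sample_complete() { cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -m udp --dport 12345 -j DNAT --to-destination 192.168.1.50:12345
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.50/32 -i eth0 -p udp -m udp --dport 12345 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -o eth0 -j ACCEPT
COMMIT
EOF
}
# Same dump with only the DNAT redirect left in place.
sample_dnat_only() { sample_complete | grep -v -e 'POSTROUTING -o' -e '^-A FORWARD'; }

sample_complete  | check_i2p_udp_nat 12345 192.168.1.50
sample_dnat_only | check_i2p_udp_nat 12345 192.168.1.50
```

A clean result only says the rules exist in the dump; it does not prove that other I2P routers can reach the port.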

Tue, 25 Feb 2020, 07:06pm #5
I2P Legend

In more than a decade I got Network OK only 10 times or less. If you run a monster gamer machine from RAM with no firewall that gets to MB you might get that OK. Try Knoppix LIVE from RAM or Parrot LIVE from RAM and see what happens (takes about 2-4 hours to get OK if you get it).

Wed, 26 Feb 2020, 05:29pm #6
I2P Legend

Unless I ran NGINX this is how I debug.
I fire up EtherApe (I can use other programs too). I also use Firewalld (but you can use what you like).
If I see UDP-Fragment it is probably a com that got dropped.

Right now some Telnet, some MS-SQL, some SSH are the most annoying interference. This setup is used to gather stats on IPs that are interfering with I2P. Future target practice?