How to set up HLDS behind a router/firewall

- No warranties expressed or implied intended. Use at your own risk! -

Revised August 29th, 2003 by [LADT]Weasel
weasel@ladt.us
http://www.ladt.us

Warning: This page is still under construction!


These instructions assume that:

  1. You know what the term HLDS means. (Hint: it means Half-Life Dedicated Server.)
  2. You already have the computer hardware up, running, operating system tested, etc.
  3. You already have your Internet connectivity up, running and tested.
  4. You know how to play multi-player Half-Life, Counter-Strike or whatever game you are going to be hosting, and have actually played it successfully from a computer on your network.
  5. You will be running a dedicated server, not a non-dedicated server (aka listen-server).
  6. Your computer is using some form of Microsoft Windows (Windows’95, Windows’98, Windows ME, Windows NT 4.0, Windows 2000 or Windows XP). There is a Linux version of HLDS too - but it is not covered here.
  7. You are not using some form of software-based firewall running on your game server computer - including but not limited to ZoneAlarm or Norton Internet Security.
  8. You will be running the separately downloaded version of HLDS - not the version that is included with the Half-Life retail or Counter-Strike retail CDs.

These instructions do not cover:

  1. Linux or any operating system other than Microsoft Windows.
  2. Setting-up your hardware, installing your operating system, etc.
  3. Setting-up and testing your Internet connection.
  4. Non-dedicated servers (aka listen-servers).
  5. Anything having to do with Steam.
  6. Setting-up server-side modifications such as bots, Admin-Mod, AMX-Mod, HLGuard, etc.
  7. Any form of software-based firewall running on your game server computer - including but not limited to ZoneAlarm or Norton Internet Security.

Determine how things are connected:

There are two basic ways to connect your game server computer (i.e. the computer that will be running HLDS) to the Internet using DSL/Cable.

  1. Hub/Switch Scenario:

    In this scenario, your game server computer is either directly connected to your DSL or cable modem, or it is connected to an Ethernet "Hub" or "Switch" which is then connected to your DSL or cable modem.  A diagram of what this typically looks like is shown below.

    Diagram of "Hub" or "Switch" scenario

    For our purposes a "Hub" and a "Switch" are essentially the same.  So for the balance of this document, we will refer to that type of device as hub/switch.  Hub/switch type devices are produced by a number of different manufacturers, including (but not limited to) LinkSys, NetGear, D-Link and others.  If you have such a device between your game server computer and your DSL or cable modem, take a good look at it to see what type of device it actually is.

    If there is no intervening device between your game server computer and the DSL or cable modem, or the device is in fact a hub/switch you can stop right here, because you don't need these instructions.

    That's because in this scenario, there is no "Router" or "Firewall" to configure.  If the device between your game server computer and your DSL or cable modem is a "Router" or "Firewall", then see the second scenario outlined below.

  2. Router/Firewall Scenario:

    In this scenario your game server computer is connected to a device that calls itself a "Router" or a "Firewall".  The "Router" or "Firewall" is then connected to your DSL or cable-modem.  A diagram of what this typically looks like is shown below.

    Diagram of "Router" or "Firewall" scenario

    Although this scenario may look a lot like the Hub/Switch scenario, it operates completely differently.  The reason is the difference between the function of a "Hub" (or "Switch") and that of a "Router" (or a "Firewall").

    As with hub/switch type devices, for our purposes the difference between a "Router" and a "Firewall" is negligible.  So, for the balance of this document we'll refer to that type of device as a router/firewall.  Sometimes these devices are referred to (or marketed) as a "NAT Router" or a "SOHO Router" or a "SOHO Firewall" or a "Cable/DSL Router" or even as an "Internet Gateway Router/Firewall".  Don't be confused by the marketing, they all basically perform the same function.

    Note: "SOHO" is an acronym meaning "Small-office/Home-office".

    Please note that many router/firewall type devices also have the equivalent of a built-in hub/switch.  But don't be confused by this.  If it has the word "Router" or "Firewall" or "Gateway" in its name, it's a router/firewall type device - not a simple hub/switch type of device.

    Router/firewall type devices are produced by a number of different manufacturers, including (but not limited to) LinkSys, NetGear, D-Link and others.  If you have such a device between your game server computer and your DSL or cable modem, stop and find the manual for it right now.  Do not proceed until you've found the manual.

    By now you may be asking yourself:  "What's the difference between a hub/switch and a router/firewall?"

    The answer isn't obvious.  Both types of devices look very similar, and both types of devices allow multiple computers to connect to the Internet using your DSL or cable modem.  The main difference is in how they accomplish that task.

    A hub/switch is a relatively dumb device.  Think of it as kind of a "splitter" to allow multiple Ethernet devices to talk to each other.  While it is true that a hub/switch will allow you to connect multiple computers to your DSL or cable modem, each of those computers must be assigned its own IP address by your Internet Service Provider (ISP).  Most DSL and cable modem ISPs assign these IP addresses dynamically (i.e. automatically) to computers as they plug in and power-up.  However, some ISPs limit you to a single IP address for your entire house.  Other ISPs allow multiple IP addresses, but charge an extra monthly fee for the additional IP addresses.

    A router/firewall is a little smarter.  It will do something called Network Address Translation (NAT).  This allows you to use a special range of IP addresses for your little network at home, and translate (essentially "hide") all those computers behind a single IP address that the router/firewall acquires from your ISP.  Essentially, it makes your entire network at home seem to the ISP to be a single device using that single IP address.

    Router/firewalls also have security advantages.  It's substantially harder to hack into a computer behind NAT than it is to hack into one that's directly attached to a DSL or cable modem.  Most router/firewalls also have a "packet-filtering" or "firewall" feature that is specifically intended to filter-out unwanted or unwelcome traffic trying to access your computer from the outside world.  Hub/switch devices don't provide any security.

    The downside to router/firewalls is that when you want to intentionally allow incoming traffic to your computer to do something like host a game (as is our case), you have to do some extra configuration.  This is because by default, router/firewalls usually deny all incoming traffic that you don't explicitly tell them to allow.

    I strongly suggest to anyone with a computer directly attached to their DSL or cable modem (or with just a hub/switch in between) that they pick up a cheap router/firewall.  Your computer (and your personal data) will be significantly safer if you do.

    If you haven't purchased a router/firewall yet, and are looking to do so, I suggest NetGear or D-Link rather than LinkSys.  I say this mostly because of the mixed success that I and several friends have had with making HLDS work consistently behind LinkSys router/firewalls.  If you're more technically savvy (i.e. a geek like me) - go for a Netopia R9100.  The Netopia (which is not related to NetGear) is great for tech-heads who love configuring things using telnet.  However, I'd recommend that you stick to NetGear or D-Link if you don't have extensive networking experience.


Document your computer's current IP configuration:

Next you need to find out what IP information your game server computer is currently using.

You can do this under Windows 2000 or Windows XP by opening a command-prompt window (under Start/Programs/Accessories) and then entering the command "ipconfig /all".  It should respond with something like this:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>ipconfig /all

Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : somecomputername
    Primary DNS Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . :

Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Connected
    Description . . . . . . . . . . . : BrandName 10/100 Ethernet
    Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.2.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.2.1
    DHCP Server . . . . . . . . . . . : 192.168.2.1
    DNS Servers . . . . . . . . . . . : 192.168.2.1
    Lease Obtained. . . . . . . . . . : Tuesday, July 29, 2003 9:53:10 AM
    Lease Expires . . . . . . . . . . : Friday, August 01, 2003 9:53:10 AM

C:\>

Of all that stuff, we really only care about three lines.  Write down what it says for IP Address, Subnet Mask and Default Gateway.

The IP Address will probably be 192.168.something1.something2

Make note of what is actually in the place of something1 and something2.

The Subnet Mask will almost certainly be 255.255.255.0

The Default Gateway will probably be 192.168.something1.something3

The number for something1 from the Default Gateway and the number for something1 from the IP address should be identical. If not, take another look - because you've written-down something wrong.

The numbers for something2 and something3 should definitely not be the same as each other.

 


Document your router/firewall's current IP configuration:

Next you need to get very similar information from your router/firewall.  Since every make/model of router is a little different, I can't really help you too much here. I can only really tell you what to look for. You'll have to read your router's manual to find out where to get this information. Usually, the router will have some sort of web interface with a "status" page that has what we're looking for.

What we need from the router is its IP Address - specifically we want its Internet IP address. On some models this is called its "WAN" IP address or its "outside" IP address.  This is the IP address that the router is getting from your Internet Service Provider (ISP).  It will be in the same format as the other numbers, but will definitely not start with 192.168.

We do not want the router's "LAN" or "inside" or "local" IP address - we already have that (192.168.something1.something3).

We also need to know what DNS servers the router is using. There should be two IP addresses for this. They might be shown as two addresses marked Primary DNS and Secondary DNS, or it may just show two IP addresses marked "DNS" - separated by commas. 

Two example values might be:

206.13.29.12 for Primary DNS
206.13.30.12 for Secondary DNS

or simply

206.13.29.12, 206.13.30.12 for DNS

Be sure to write-down what your router is actually using - not the example numbers above. The DNS numbers shown above just happen to be SBC/Pacific-Bell's DNS servers.


Review what you've gathered so far:

Listed below is what you should have gathered so far.

  1. Your game server computer's current IP address.
  2. Your game server computer's Subnet Mask.
  3. Your game server computer's Default Gateway (which is your router's inside/LAN/local IP address).
  4. Your router's Internet (aka WAN, aka Outside) IP address.
  5. Your router's Primary DNS.
  6. Your router's Secondary DNS.

If you don't have all this information, stop now and get it. You cannot proceed any further without this information.


Change your game server's IP address:

The IP address that your game server computer is currently using was probably dynamically assigned to it by your router/firewall.  You will need to override that with a manually assigned (aka "static") IP address.  Do not confuse this with a static IP address that you could get from your ISP.  This is a static IP address for your internal network, comprised of all your computer stuff protected behind your router/firewall.

You need to pick an IP address that's valid for your network, but is outside the range of IP addresses that your router/firewall might try to automatically assign to computers on your network.

Usually, a safe number would be above 128 but less than 255. So what we'll use is 192.168.something1.129 - understand that you must insert whatever number was something1 in your IP address before - not the word "something1".  For example: If your computer's IP address was 192.168.2.3 before, we're going to change it to 192.168.2.129 for the new IP address.
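
The following Python example is added here and is not part of the original guide. It reads the three ipconfig values, applies the consistency checks described earlier (same network, different last number) and returns the static settings to enter; the sample output is constructed and the dhcp_pool parameter is a hypothetical input you would read from your router's DHCP page.

```python
import ipaddress
import re

# Constructed sample: the relevant part of "ipconfig /all" output.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

    DHCP Enabled. . . . . . . . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.2.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.2.1
"""
FIELDS = ("IP Address", "Subnet Mask", "Default Gateway")


def parse_ipconfig(text):
    """Return the first IP Address, Subnet Mask and Default Gateway found."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)[ .]*:\s*(\S+)\s*$", line)
        if m and m.group(1) in FIELDS and m.group(1) not in found:
            found[m.group(1)] = m.group(2)
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise ValueError("not found in ipconfig output: " + ", ".join(missing))
    return found


def plan_static_address(cfg, host=129, dhcp_pool=None):
    """Check the guide's rules; return the static settings to type in.

    dhcp_pool is an optional (first, last) pair of addresses read from the
    router's DHCP page (hypothetical parameter, not something ipconfig shows).
    """
    ip = ipaddress.IPv4Address(cfg["IP Address"])
    gw = ipaddress.IPv4Address(cfg["Default Gateway"])
    lan = ipaddress.IPv4Network(f"{ip}/{cfg['Subnet Mask']}", strict=False)
    problems = []
    if gw not in lan:  # the "something1" parts must match
        problems.append(f"gateway {gw} is not on the computer's network {lan}")
    if gw == ip:  # "something2" and "something3" must differ
        problems.append("computer and gateway have the same address")
    if lan.prefixlen != 24 or not 1 <= host <= 254:
        problems.append("the .129 rule needs mask 255.255.255.0 and host 1-254")
    static = lan.network_address + host
    if static == gw:
        problems.append(f"{static} is the gateway; choose another host number")
    if dhcp_pool:
        first, last = (ipaddress.IPv4Address(a) for a in dhcp_pool)
        if first <= static <= last:
            problems.append(f"{static} is inside the DHCP pool {first}-{last}")
    if problems:
        raise ValueError("; ".join(problems))
    return {"ip": str(static), "mask": str(lan.netmask), "gateway": str(gw)}


if __name__ == "__main__":
    print(plan_static_address(parse_ipconfig(SAMPLE_IPCONFIG)))
```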

If you're running Windows 2000 you'll need to open Start/Settings/Network and Dial-up Connections, and then right-click on your Ethernet adapter and click Properties. The name of your Ethernet adapter may show-up as the brand name of the Ethernet card in your computer, or it may just say something generic like "Local Area Connection" or some such.

In the Properties dialog, you should see a list of protocols enabled. The one we care about is called Internet Protocol (TCP/IP).

Double-click on that to open the configuration dialog for TCP/IP.

It's probably configured for Obtain an IP address automatically. We're going to change this to Use the following IP address and then enter the following settings:

Enter 192.168.something1.129 for IP Address.

Enter 255.255.255.0 for Subnet Mask.

Enter 192.168.something1.something3 for Default Gateway.

Remember, do not enter the word something1 or something3. Instead, enter the numeric value that was used there when you wrote-down all that stuff at the beginning.

TCP/IP is probably also configured for Obtain DNS server addresses automatically.  We're going to change this too. This is where you need to enter those two IP addresses for the DNS servers that we got from your router.

Click Ok on the TCP/IP properties dialog to close it, and then click Ok on the "Local Area Connection" properties to close that dialog too.

Test using Internet Explorer to get to the Internet and make sure it's still working. If not, change everything back to automatic.

Reboot and make sure it still works. If not, change everything back to automatic.

If you can't get your Internet access to work without having those settings configured for automatic, then you've written down some information wrong. Go back and try to get the right information this time.

I don't have Windows XP here, so I can't say exactly what those screens look like under Windows XP instead of Windows 2000. However, it shouldn't be too much different.


Open-up your router's "firewall" feature:

Ok, this is where you can get really lost really fast. As I said before, every make/model of router/firewall is a little different. Since I don't have every make/model of router in front of me, I can't really be of too much help.

Most routers will have what's called a "firewall" feature. This prevents incoming traffic from accessing the computer(s) on your network. We need to open that up to allow players to connect to HLDS running on your game server computer.

Basically, what we need to tell your router is to allow incoming traffic to access what's known as TCP port 27015 and send it to IP address 192.168.something1.129 - your game server computer's IP address.  The entire point of making your game server computer's IP address static is so that it has a fixed address which you can specify in this part of your router/firewall's configuration.

On some routers, this is a two-step process. On others, it's all one screen.

When it's a two-step process, the first step is usually referred to as "firewall" or "filtering" or "filters" setup, and the second step is usually referred to as "translation" or "NAT" or "address translation" or "port mapping" or something like that.

On routers where it's a single-step process, it could be referred to by any of those names.

You'll really need to read your router's manual for this, there's no getting around it.

Below is a table that indicates what page(s) in your router/firewall's manual to consult for this stuff. Please note that not every make/model of router/firewall is listed.

Manufacturer  Model (w/link)                             Link to Manual         Relevant pages or sections
NetGear       RT311 (single port) & RT314 (4 ports)      Download (PDF)         Chapter 7: Configuring Filters
NetGear       RP114 (4 ports)                            Download (PDF)         Chapter 10: Configuring Filters
NetGear       RP614 (4 ports)                            Download (PDF)         Chapter 7: Configuring Port Forwarding
NetGear       FR114 & FM114 (4 ports)                    Download (PDF)         Chapter 5: In-bound Rules (port forwarding)
D-Link        DI-604 (4 ports)                           Download (Zipped PDF)  See On-line FAQ for Opening Ports
D-Link        DI-704P (4 ports & shared printer port)    Download (Zipped PDF)  See On-line FAQ for Opening Ports
LinkSys       BEFSR11 (single port) & BEFSR41 (4 ports)  Download (PDF)         Page 36: Port Range Forwarding
LinkSys       BEFSR81 (4 ports)                          Download (PDF)         Page 44: Port Range Forwarding
Netopia       R9100 (8 ports - but not for newbies!)     Download (PDF)         Section 9-3: Using Network Address Translation & Section 13-2: Working with IP filter sets

I will try to update this list every once in a while - but don't count on it. If you have already successfully gotten your server to work from behind your router/firewall, drop me an e-mail and let me know what make/model you have and at what pages or sections in the manual you found the correct information.

 


Setup and test HLDS:

See the appropriate help page for setting-up HLDS for HL Death-Match, HL Team-Play, Team Fortress Classic (TFC), Counter-Strike, Snow-War or Buzzy-Bots.

In addition to those instructions, add a line to your server.cfg file with the parameter "ip" followed by a space followed by your router's Internet (aka WAN, aka Outside) IP address.

Make sure you use the Internet IP address of your router (sometimes called its "WAN" or "outside" IP address). Do *NOT* use your router's LAN IP address or your game server computer's IP address.

This *MUST* be your router's Internet IP address. Let me say that again, it must be your router's Internet IP address, not your computer's IP address and not your router's LAN IP address. If it's 192.168.whatever you've got the wrong IP address.

The format for this parameter is:

ip "www.xxx.yyy.zzz"

Where the "www.xxx.yyy.zzz" is your router/firewall's Internet IP address.

Be sure to use your router/firewall's Internet IP address - not your game server computer's IP address. If you don't put this parameter into your server.cfg file, your server will not show up on the server list. Consequently, players won't be able to find your server even though it may be up and running fine.

Note: Any time your router's Internet IP address changes you will need to find out what it is, and change this line in your server.cfg file to reflect the current value. On some systems, your router will potentially get a different IP address every time it is restarted. On other systems (like Cox Internet), the IP address may remain the same for several days, months or even years.
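
An added example, not part of the original guide: a Python check that the ip line in server.cfg holds the router's Internet address rather than a LAN one, and still matches after the address changes. The sample file is constructed, and 203.0.113.10 is a documentation address standing in for your router's Internet IP.

```python
import ipaddress
import re

# RFC 1918 private ranges plus loopback: addresses that are never the
# router's Internet-side address.
LAN_RANGES = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample server.cfg showing the mistake the guide warns about.
SAMPLE_CFG = '''\
// constructed example
hostname "My HLDS"
ip "192.168.2.129"
'''


def is_lan(addr):
    """True when addr falls inside one of the LAN-only ranges above."""
    return any(addr in net for net in LAN_RANGES)


def cfg_ip_values(cfg_text):
    """Return every value given to the ip parameter, skipping // comments."""
    values = []
    for line in cfg_text.splitlines():
        line = line.split("//", 1)[0].strip()
        m = re.match(r'ip\s+"?([^"\s]+)"?\s*$', line, re.IGNORECASE)
        if m:
            values.append(m.group(1))
    return values


def check_server_cfg(cfg_text, wan_ip):
    """Return a list of problems with the ip line; empty means it is correct."""
    wan = ipaddress.IPv4Address(wan_ip)
    if is_lan(wan):
        return [f"{wan} is a LAN address, so it is not the router's Internet address"]
    values = cfg_ip_values(cfg_text)
    if not values:
        return ["no ip line found in server.cfg"]
    problems = []
    if len(values) > 1:
        problems.append(f"{len(values)} ip lines found; keep only one")
    for value in values:
        try:
            addr = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            problems.append(f"ip {value!r} is not a dotted IPv4 address")
            continue
        if is_lan(addr):
            problems.append(f"ip {addr} is a LAN address, not the router's Internet address")
        elif addr != wan:
            problems.append(f"ip {addr} differs from the router's Internet address {wan}")
    return problems


if __name__ == "__main__":
    print(check_server_cfg(SAMPLE_CFG, "203.0.113.10"))
```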


Additional resources:

The information above only covers the very basics, and only for simple installation using the Windows platform. There are many more CVARs and other setup options that are beyond what has been covered here. More information about various console commands, options and mod-specific information can be found at several of the following links:

