Ubisoft connect port forward - please help

Glenn H <theeye21@gmail.com>

Hi there,

I notice there is a forwarding section of this board but I have never used the software before (another company set it up).
I have found a place to turn on UPnP which I can see worked as the game Watch Dogs Legion created its own forward.

However I have an issue with the Ubisoft Connect application, I have their game service and it requires you to have an internet connection to verify you have a license to run the game, if it loses internet connection it quits it with no warning at all.

I can use their app and download games fine, but it fails when I run the game. I know if I do not try and forward the ports on their support article that they will not help.

Their site says they use ports TCP: 443, 14000

I am currently trying to forward 14000 and then test to see if it is open by using a port checker website such as https://www.yougetsignal.com/tools/open-ports/ (would this show it open if it worked?)

I have tried a few different combinations of setting this up but I find it confusing and nothing I have tried has worked.

I also am not sure if as well as setting up the forward, do I need to open the firewall to allow the port also?

I have tried Chain=dstnat inInterface= lte protocol=tcp dstport=14000 action=dstnat toAddress=192.168.88.23 toPorts=14000

I have also tried instead of InInterface to use dstAddress but I was not sure what IP should go here? I tried both my router IP of 88.1 and my public IP.

Not sure what the firewall setting would be.

Please can you help, I cannot play the games and have nothing else to do (I have a heart issue and cannot leave because of Covid).

Thanks.

Kind regards,
Glenn

Hi Glenn
Post your config here for review

/export hide-sensitive file=anynameyouwish

Please find the contents of the file below

Also for some reason I keep getting blacklisted from posting on here “Spamhaus” because I’m using a three mobile IP I think.

# nov/16/2020 19:37:51 by RouterOS 6.46.2
# software id = DHM7-INFG
#
# model = RBLHGR
# serial number = B8A40B809E21
/interface lte
set [ find ] band=3,7,20 mac-address=00:11:22:33:44:56 mtu=1480 name=lte1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=three.co.uk
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether1 name=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=lte1 list=WAN
add list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=internal
add interface=lte1 type=external
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It sounds wrong; forwarded ports can’t be a hard requirement, because half of home users don’t have a public address, so they can’t forward any ports at all. They can try, but it won’t work. Another problem is with multiple devices, where one public address means that a port with a given number can be forwarded to only one device. And almost nobody has more than one public address at home.

You wrote about public IP, so you’re sure you have it, right?

If you do, it should work, your dstnat rule looks ok, assuming that “lte” is a typo (should be “lte1”). You can also use the interface list, since it’s already defined:

/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=14000 action=dst-nat to-addresses=192.168.88.23

But both should work the same way. When you look at rule’s packet counter, is there anything?

Concur, if you have a valid Public IP, then it should work.
I didn’t see a port forwarding rule though in your NAT config, did you remove it?

/ip firewall nat
add action=dst-nat chain=dstnat comment="GamingAddiction" \
    dst-port=443,8000 in-interface-list=WAN log=yes \
    protocol=tcp to-addresses=192.168.88.23

(Don’t need to put in to ports if they are the same as destination ports.)

I guess it should not be the case with everyone but reading their support article they won’t help unless you forward the ports or do that with them and show it has been done.

I tried with the config you both posted but nothing comes out on the packet counter when I try and test the port from a port testing site.

I did remove my attempts before posting my config.
Do I need to allow the ports through the RouterOS firewall as well (my PC one is off right now)?

I google my IP address and it says it starts with 90 and ends with 109, is that valid?

I use grc site to check my ports. https://www.grc.com/x/ne.dll?bh0bkyd2

Nothing I see in your config is preventing success, and thus why Sob suspects it’s something to do with your ISP part of the connection.
Is there any other interface besides lte1 which should be added to the WAN interface member list? What about lte apn?

Sorry I never really touch this and didn’t set it up.
What is LTE APN please?

No, dstnat rule is enough, default firewall allows forwarded ports.

If it starts with 90, then it’s a public address. But if you see it on some “what is my ip address?” page, it means nothing. Is the same address also directly on your router (IP->Addresses)? If it is, then you really have it and port forwarding should work. There are some ISPs who block incoming connections, but usually it doesn’t happen. If not, then you still have a chance, it could be NAT 1:1, but if that would be the case, ISP would probably tell you about it.
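Added example (not part of any post in this thread): a simplified Python model of the forward chain from the export above, showing why a dst-nat rule needs no extra filter rule while every other unsolicited WAN connection is still dropped. The packet dictionaries are constructed, and only the matchers relevant to this question are modelled.

```python
# Added illustration: a simplified model of the forward chain in the export
# above. Only the matchers relevant to port forwarding are modelled.
FORWARD_RULES = [
    {"action": "accept", "ipsec": "in"},    # accept in ipsec policy
    {"action": "accept", "ipsec": "out"},   # accept out ipsec policy
    {"action": "fasttrack", "state": {"established", "related"}},
    {"action": "accept", "state": {"established", "related", "untracked"}},
    {"action": "drop", "state": {"invalid"}},
    # "drop all from WAN not DSTNATed"
    {"action": "drop", "state": {"new"}, "in_list": "WAN", "dstnat": False},
]

def matches(rule, pkt):
    """True if every matcher present on the rule agrees with the packet."""
    if "ipsec" in rule and pkt.get("ipsec") != rule["ipsec"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "in_list" in rule and pkt["in_list"] != rule["in_list"]:
        return False
    if "dstnat" in rule and pkt["dstnat"] != rule["dstnat"]:
        return False
    return True

def forward_verdict(pkt):
    """Walk the chain top to bottom; the first terminating match decides."""
    for rule in FORWARD_RULES:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "fasttrack":
            continue  # marks the connection; the next rule still accepts it
        return rule["action"]
    return "accept"  # no rule matched: a RouterOS chain ends in accept

# Constructed packets: first packet of an inbound TCP connection from the WAN.
forwarded = {"state": "new", "in_list": "WAN", "dstnat": True}     # hit a dst-nat rule
unsolicited = {"state": "new", "in_list": "WAN", "dstnat": False}  # no dst-nat rule

if __name__ == "__main__":
    print("dst-nat'ed port :", forward_verdict(forwarded))
    print("any other port  :", forward_verdict(unsolicited))
```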

On that Addresses page there are 2 entries.
One which is the router IP address (192) and the other is for lte interface.
That IP is 10.xx.xx.75

I’m using Three mobile network 4G

If it starts with 10, it’s private address (or better, non-public, there’s nothing private about it in a sense that you’d need to mask it), so it’s not reachable from internet and not usable for port forwarding.
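Added example (not part of any post in this thread): the check described in the last few replies, comparing the address on the router's WAN interface with the address a "what is my IP" page reports, written in Python. The function names and sample addresses are constructed; 203.0.113.x is a documentation range standing in for a public address.

```python
import ipaddress

# Ranges that are never reachable from the internet when seen on a WAN interface.
NON_PUBLIC = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "cgnat": ["100.64.0.0/10"],       # RFC 6598 shared space (carrier-grade NAT)
    "link-local": ["169.254.0.0/16"],
}

def classify(addr):
    """Return the non-public range name for addr, or 'public'.
    Accepts '10.1.2.3' or the 'address/prefix' form RouterOS displays."""
    ip = ipaddress.ip_interface(addr).ip
    for name, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return name
    return "public"

def forwarding_check(wan_if_addr, seen_from_internet):
    """Compare the WAN interface address with the externally observed one."""
    wan_ip = ipaddress.ip_interface(wan_if_addr).ip
    if classify(wan_if_addr) != "public":
        # The ISP translates in front of the router, so a dst-nat rule never
        # sees inbound traffic unless the ISP provides 1:1 NAT.
        return "isp-nat"
    if wan_ip == ipaddress.ip_address(seen_from_internet):
        return "direct"    # router owns the public address; dst-nat can work
    return "mismatch"      # public on the interface, different address outside

if __name__ == "__main__":
    # Constructed sample values, not the poster's real addresses.
    print(forwarding_check("10.1.2.3/32", "203.0.113.9"))
    print(forwarding_check("203.0.113.9/32", "203.0.113.9"))
```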

So does that mean the game client won’t work?

I can browse through Ubisoft’s application, download the game fast and start it.
If I couldn’t authenticate correctly that I have the subscription to play I couldn’t start the game.

So any idea why it would drop/lose connection after 10 mins or so?

I can get other online games to work normally such as plants vs zombies and VR Chat.

If it really requires incoming connections, then it wouldn’t work. But it’s very hard to believe that it could be the case, because half of the world doesn’t have public address, you’re far from being the only unlucky one who doesn’t have it. And it’s like this for many years already, so everything is made in a way that it can work without it. Especially games, where the target audience is users without technical skills. Public addresses and incoming connections are still good and things can work better with them, but shouldn’t completely break without them.

Unfortunately, diagnosing problems like this is very difficult. There’s no standard protocol used by everything, each game can do something different.

I managed to get the client to stay connected by getting ExpressVPN. With that connected I can finally play the games, ideally I would not be paying out for it though, I assume there is just something wrong with the config stopping it from keeping a connection.
It is strange how it has it initially but then it fails.