Blocked ports?

Started by July 19, 2018 09:00 PM
3 comments, last by hplus0603 6 years, 3 months ago

Hi,

someone from Brazil had problems connecting to my login server. It works perfectly fine on the web server on port 443 (https), but he just cannot connect to port 12345. I can confirm it is working on my PC (in Germany), I can connect to port 443 and 12345. It happens on both his phone and his PC on the mobile network and regular cable internet (same ISP though). traceroute only gives timeouts on 12345 (but works fine on port 80). What can cause this? Is his ISP just blocking the port? Or is it something I can prevent, e.g. by changing the server's port? Is there a better port choice or will there always be people who have problems with blocked ports?

Does the routing over the internet depend on the port in some cases? That would not make sense though, because ports are local addresses...

Cheers,

Magogan

Different ISPs block or forward different amounts of ports. He really needs to get the documentation from his ISP for what is supposed to work.

If only 80 and 443 works, then perhaps they are implementing a web proxy of some sort. ISPs in places where bandwidth is expensive will do this to install web caches that save some bandwidth from heavy sites like pinterest, youtube, or instagram. (Some of them even install a man-in-the-middle HTTPS certificate, and require the client to install their own certificate into the trusted root store; typically not advertising this is what they do, but just providing "an installer that makes it work.")

The continual fight between users and developers on one hand, worms and illegal traffic on the other hand, and ISPs in the middle, keeps pushing the frontiers of "it's not compliant, but it seems to work," and is all-around pretty bad, but it's what we have to live with. Pretty much all TCP traffic will likely end up running over HTTP/2.0 with protocol upgrade over port 443, as that's really the only thing that seems to work consistently. (Except for the certificate cracking part, although that's usually more about malware protection and caching, than legitimately spooky surveillance. Except if you're in a nation-state with a fully state controlled internet.)

enum Bool { True, False, FileNotFound };
Well, the problem is that I have an additional server written in C++ running on the login server, so I cannot run it on port 443 because the web server already occupies this port. Getting documentation from the ISP isn't feasible either because it may affect a lot of my customers/players in different locations in the world. Isn't there another port number that is free on most of the ISPs? Maybe 8080?

There are many ways around this. Here are some:

If port 80 works, use port 80 for the game server, and if you receive a connection that seems like an HTTP request, respond with a 301 REDIRECT to your HTTPS server, and close the connection, but for your actual game protocol, just keep talking it. This has the added benefit that all HTTP traffic runs over HTTPS.

Use a protocol decoding proxy in front of the two services, and send the appropriate protocol traffic to the appropriate server (they can listen on arbitrary local ports that the proxy does DNAT forwarding to.)

Use UDP for your game, because port 443 UDP does not collide with port 443 TCP.

Use multiple IP addresses for your server, one for web and one for game. Even if it's a single machine, you can have multiple IP addresses on the same machine (and even network card, with configuration.) This obviously means that your local hosting facility needs to cooperate and let you multi-home the server. Or just run multiple physical machines, might be easiest.

enum Bool { True, False, FileNotFound };
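The first two options above (answer HTTP on the shared port with a 301 to HTTPS, otherwise hand the connection to the game protocol; or put a protocol-decoding proxy in front of both services) come down to the same mechanism: peek at the first bytes of a new TCP connection and decide where it belongs. The following is an added example, not code from the thread or from either poster's server. It is a small asyncio front listener in Python that classifies a connection by its first bytes, redirects HTTP clients to a configured HTTPS host, and otherwise pipes the connection (first bytes included) to a game backend on a local port. The names (`make_front_handler`, `classify_prefix`, `game.example`) and the sample game hello bytes are assumptions constructed for the example. The redirect target is taken from configuration rather than from the client's Host header, so a crafted request cannot turn the listener into an open redirect, and the request line is split on whitespace so no header text can be injected into the Location line. Tools such as sslh do this kind of demultiplexing in production; this block only shows the idea.

```python
import asyncio

# Request-line prefixes that mark a connection as HTTP/1.x. Eight bytes is
# enough to cover the longest method name plus its trailing space.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


def classify_prefix(prefix: bytes) -> str:
    """Return "http" if the first bytes look like an HTTP request line, else "game"."""
    return "http" if any(prefix.startswith(m) for m in HTTP_METHODS) else "game"


def http_redirect_response(public_host: str, request_head: bytes) -> bytes:
    """Build a 301 to https://<public_host><path>, keeping only an origin-form path.

    public_host comes from configuration, never from the client's Host header,
    and split() removes any CR/LF, so the client cannot inject header lines.
    """
    parts = request_head.split(b"\r\n", 1)[0].split()
    path = "/"
    if len(parts) >= 2 and parts[1].startswith(b"/"):
        path = parts[1].decode("latin-1")
    return ("HTTP/1.1 301 Moved Permanently\r\n"
            f"Location: https://{public_host}{path}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode("ascii")


async def _pipe(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes src -> dst and propagate EOF as a half-close."""
    while True:
        chunk = await src.read(4096)
        if not chunk:
            break
        dst.write(chunk)
        await dst.drain()
    if dst.can_write_eof():
        dst.write_eof()


def make_front_handler(public_host: str, game_backend_port: int):
    """Return a connection handler that demultiplexes HTTP vs. game traffic."""
    async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
        try:
            # read(8) returns as soon as data arrives; a client that dribbles
            # fewer than 8 bytes of an HTTP method would be treated as game
            # traffic, which is acceptable for a first-byte classifier.
            prefix = await asyncio.wait_for(reader.read(8), timeout=5.0)
        except asyncio.TimeoutError:
            writer.close()
            return
        if classify_prefix(prefix) == "http":
            head = prefix
            if b"\n" not in head:              # finish reading the request line
                try:
                    head += await asyncio.wait_for(reader.readline(), timeout=5.0)
                except (asyncio.TimeoutError, ValueError):
                    pass
            writer.write(http_redirect_response(public_host, head))
            await writer.drain()
            writer.close()
            return
        try:
            b_reader, b_writer = await asyncio.open_connection("127.0.0.1", game_backend_port)
        except OSError:
            writer.close()
            return
        b_writer.write(prefix)                 # replay the bytes already consumed
        await b_writer.drain()
        await asyncio.gather(_pipe(reader, b_writer), _pipe(b_reader, writer))
        writer.close()
        b_writer.close()
    return handle


async def _echo_backend(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Stand-in for the game server: echo everything it receives until EOF."""
    writer.write(b"echo:" + await reader.read())
    await writer.drain()
    writer.close()


async def _run_demo() -> dict:
    backend = await asyncio.start_server(_echo_backend, "127.0.0.1", 0)
    backend_port = backend.sockets[0].getsockname()[1]
    front = await asyncio.start_server(make_front_handler("game.example", backend_port), "127.0.0.1", 0)
    front_port = front.sockets[0].getsockname()[1]
    results = {}
    # Constructed HTTP client: should get a 301 to https://game.example/login.
    r, w = await asyncio.open_connection("127.0.0.1", front_port)
    w.write(b"GET /login HTTP/1.1\r\nHost: game.example\r\n\r\n")
    await w.drain()
    results["http"] = await r.read()
    w.close()
    # Constructed game client: a binary hello that must reach the backend intact.
    r, w = await asyncio.open_connection("127.0.0.1", front_port)
    w.write(b"\x00\x01LOGIN magogan")
    await w.drain()
    w.write_eof()
    results["game"] = await r.read()
    w.close()
    backend.close()
    front.close()
    return results


def demo() -> dict:
    """Run both clients against the front listener and return their raw replies."""
    return asyncio.run(_run_demo())


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the 301 response for the HTTP client and `b"echo:\x00\x01LOGIN magogan"` for the game client. A game protocol whose first bytes could ever spell an HTTP method name would need a different discriminator (a fixed magic prefix is the usual choice), and a production front end would also bound how long it waits for the first bytes so idle connections cannot pin resources.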
