EchoLink icon

EchoLink, Firewalls, and Routers
Take a Tour
Support and FAQs
Help Files
News and Tips
Vanity Node Numbers
Conference Servers
Routers and Firewalls
Current Logins
Link Status

ARRL Book on
Internet Linking

Nifty E-Z

[Overview] [FAQs]


Your connection to the Internet might be going through a router or a firewall. These devices can improve the security of your computer, and can allow a single Internet address to be shared by more than one computer on your network.

However, routers and firewalls can be a problem for peer-to-peer programs such as EchoLink. The reason is that EchoLink nodes communicate directly with each other over the Internet, rather than sending all of their packets through a server. This is good for the efficiency and scale of the system, but it is not always "firewall-friendly".

By far, the most common problem involves a device called a NAT router. Now that broadband Internet connections are so common, NAT routers are more widespread than ever. NAT stands for network address translation. If you have a home network or DSL service, you're likely to have one of these. It poses a problem for EchoLink because it normally does not allow unsolicited packets from the Internet to reach your PC. The solution to this problem is to configure the port forwarding feature of the router to allow certain packets to reach the EchoLink software.

However, port forwarding is not always a good solution. Each make and model of router has a different procedure for setting up port forwarding, so the steps to follow aren't easy to document. (A good starting point, however, is Please use this is a good information resource, and not necessarily for the software being sold on that site.) Furthermore, in many situations (such as public Wi-Fi hotspots and wireless Internet service), you might not even have access to the router to be able to change its configuration.

A Solution

A new feature has recently been rolled out on the EchoLink system that allows EchoLink to work through most types of NAT routers without any special configuration changes. It accomplishes this by automatically setting up a flow within the router when a new connection is being established.

Firewall-friendliness is a feature of version 2.0 or above of the software. Although this is the version of EchoLink most commonly found in the system, many nodes are still running earlier versions. Until all nodes on the system upgrade to 2.0, some types of connections still won't work through an unconfigured NAT router.

If you're running 2.0 behind a NAT router, you may find that you can connect to conference servers, EchoIRLP nodes, and EchoLink nodes running 2.0 or above without making any adjustments to your router. To connect to other nodes, you'll need to adjust your router just as before.

Please note that we still recommend that you configure Port Forwarding in your NAT router for use with EchoLink, if you can. The firewall-friendly feature is provided as a convenience for users who are unsure about how to configure their router, or who are using a type of Internet service that doesn't allow router changes, such as a satellite ISP or a public hot-spot.

Frequently Asked Questions

Q: How can I tell if I have a router?

A: Choose Firewall/Router Test from EchoLink's Tools menu. When the test finishes, the message will say, "There appears to be a router between this computer and the Internet", if you have a NAT router.  Note that the router might not be visible; it might be contained in your DSL or cable-modem box, or it might be located at your Internet provider, particularly if you are using wireless or satellite service.

Q: If I haven't set up my router, can I make connections to other nodes?

A: In most cases, you will be able to connect to conference servers, EchoIRLP nodes, and nodes running EchoLink 2.0 or above, without setting up your router. You probably will not be able to connect to nodes running earlier versions of EchoLink, however. To ensure that you can connect to all nodes, you will need to set up port forwarding in your router, or use an EchoLink Proxy, just as before.

Q: If I haven't set up my router, can I still receive incoming connections?

A: You might be able to receive incoming connections, but only from nodes running EchoLink version 2.0 or above. To ensure that you can receive all incoming connections, you will need to set up port forwarding in your router, or use an EchoLink Proxy, just as before.

Q: Do I still need to configure my router for use with EchoLink?

A: Configuring port forwarding in your router is still recommended, if you have access to it. This will ensure that you can connect to (and receive connections from) any other node on the EchoLink network. Until port forwarding is set up, you might notice that you can connect to some nodes, but not others. The exact steps for configuring your router vary considerably from one model to another; find yours in the list at for specific instructions.

Q: I'm already running version 2.0.908 or 2.0.902. Do I need to upgrade to a newer version of EchoLink, or make a change to my EchoLink settings?

A: No, the version you have is already the latest. No upgrade is required, and no settings changes are necessary.

Q: I configured my router a long time ago, and EchoLink has been working fine ever since. Will this affect my node?

A: No. This feature has no effect on nodes that already have a properly-configured router, or for nodes which do not have a NAT router at all. It also has no effect on Proxy operation.  However, if you are running a version of EchoLink older than 2.0.902, you are strongly encouraged to upgrade, to make it easier for others who are using NAT routers to connect to your node, and yours to theirs.

Q: Does this new feature mean that I don't need to use a Proxy when I'm at an Internet hot-spot?

A: You may find that you can establish connections to most nodes on the system without requiring a Proxy. However, using a Proxy will allow you to connect to nodes that are not running the latest version of the EchoLink software. It will also avoid problems that might arise if more than EchoLink node happens to be sharing the same hot-spot.

Q: Is it now possible to run more than one node over a single Internet connection?

A: You may find that it is now possible to run more than one EchoLink node behind a single IP address, as long as each of the nodes is making outbound connections only. Incoming connections will still be a problem, however; there will be no guarantee that an incoming connection will be accepted by the right node (or accepted at all). Also, there may be undesirable interactions between the two nodes in the way they log into the system, since the EchoLink servers track each node by its public IP address. For these reasons, running more than once instance behind a single IP address, as a regular practice, is strongly discouraged. If you have a need to share a single Internet connection by more than one node full-time, the best solution is to obtain a second IP address from your Internet service provider.

Q: How does this affect the Firewall/Router Test function (on the Tools menu in EchoLink)?

A: The Firewall/Router Test utility is unaffected. It will still indicate whether you are behind an unconfigured firewall or router.

Q: Is there any change in the Windows XP (or Vista) Firewall configuration?

A: No. If you are running the built-in firewall in Windows XP, Windows 7, or Windows Vista, you still need to set up an exception for EchoLink, as described here for XP or here for Windows 7 and Vista.

Q: Does this new feature work with all types of routers and firewalls?

A: No; it only works with the most common types of NAT routers, such as the type typically found in home networks. If you have some other type of firewall, including software firewalls such as Norton Internet Security, you will still need to take extra steps to allow the EchoLink software to work correctly. This feature also might not work with more restrictive firewalls such as the type found in offices and businesses. In these situations, an EchoLink Proxy is usually the best alternative.

Q: How does this actually work, from a technical perspective?

A: There are two parts to it. The first is simple; the program now uses the same ports (5198 and 5199) for both source and destination when it sends UDP packets. Prior to this, it used dynamically-assigned source port numbers. Most types of NAT routers will establish a "flow" when they see a request and a corresponding response with precisely reversed addresses (including port number), allowing other unsolicited packets to be received over the same "flow" within a certain time period. Using fixed source ports ensures that the source and destination addresses are exactly swapped in a response packet. This also avoids false triggering of denial-of-service protections built into some firewalls, which had been a problem for a few users.

The second part is a way to accommodate a firewall on incoming connections. When a node initiates a connection, it sends an additional packet to its addressing server indicating that it wishes to connect to the other node. The addressing server relays this request to the receiving node, which responds by sending a pair of packets back to the initiating node to establish the "flow" described above. (Nodes maintain a UDP "flow" with the addressing server to prepare to receive these requests by sending packets to it periodically.) This works even if the two nodes are on different addressing servers, because these connection-request packets are relayed internally amongst the addressing servers as well.

Copyright © 2002-2020