Your connection to the Internet might be going through a router or a firewall.
These devices can improve the security of your computer, and can allow a single
Internet address to be shared by more than one computer on your network.
However, routers and firewalls can be a problem for peer-to-peer programs such as
EchoLink. The reason is that EchoLink nodes communicate directly with each other
over the Internet, rather than sending all of their packets through a server.
This is good for the efficiency and scale of the system, but it is not always "firewall-friendly".
By far, the most common problem involves a device called a NAT router. Now that
broadband Internet connections are so common, NAT routers are more widespread than
ever. NAT stands for network address translation. If you have a home network
or DSL service, you're likely to have one of these. It poses a problem for EchoLink
because it normally does not allow unsolicited packets from the Internet to reach
your PC. The solution to this problem is to configure the port forwarding
feature of the router to allow certain packets to reach the EchoLink software.
However, port forwarding is not always a good solution. Each make and model of router
has a different procedure for setting up port forwarding, so the steps to follow
aren't easy to document. (A good starting point, however, is
Furthermore, in many situations (such as public Wi-Fi hotspots
and wireless Internet service), you might not even have access to the router to be
able to change its configuration.
A new feature has recently been rolled out on the EchoLink system that allows EchoLink
to work through most types of NAT routers without any special configuration changes. It
accomplishes this by automatically setting up a flow within the router when a
new connection is being established.
Firewall-friendliness is a feature of version 2.0 or above of the software.
Although this is the version of EchoLink most commonly found in the system, many
nodes are still running earlier versions. Until all nodes on the system upgrade
to 2.0, some types of connections still won't work through an unconfigured NAT router.
If you're running 2.0 behind a NAT router, you may find that you can connect to
conference servers, EchoIRLP nodes, and EchoLink nodes running 2.0 or above without
making any adjustments to your router. To connect to other nodes, you'll need to
adjust your router just as before.
Please note that we still recommend that you configure Port Forwarding in your NAT
router for use with EchoLink, if you can. The firewall-friendly feature is provided as a convenience
for users who are unsure about how to configure their router, or who are using a
type of Internet service that doesn't allow router changes, such as a satellite ISP or a public hot-spot.
Frequently Asked Questions
Q: How can I tell if I have a router?
Q: If I haven't set up my router, can I make connections to other
A: Choose Firewall/Router Test from EchoLink's Tools
menu. When the test finishes, the message will say, "There appears to be a router
between this computer and the Internet", if you have a NAT router. Note that
the router might not be visible; it might be contained in your DSL or cable-modem
box, or it might be located at your Internet provider, particularly if you are using
wireless or satellite service.
A: In most cases, you will be able to connect to conference
servers, EchoIRLP nodes, and nodes running EchoLink 2.0 or above, without setting
up your router. You probably will not be able to connect to nodes running earlier
versions of EchoLink, however. To ensure that you can connect to all nodes,
you will need to set up port forwarding in your router, or use an EchoLink Proxy, just
Q: If I haven't set up my router, can I still receive incoming
A: You might be able to receive incoming connections,
but only from nodes running EchoLink version 2.0 or above. To ensure that you can
receive all incoming connections, you will need to set up port forwarding in your
router, or use an EchoLink Proxy, just as before.
Q: Do I still need to configure my router for use with EchoLink?
A: Configuring port forwarding in your router is still
recommended, if you have access to it. This will ensure that you can connect to
(and receive connections from) any other node on the EchoLink network. Until port
forwarding is set up, you might notice that you can connect to some nodes, but not
others. The exact steps for configuring your router vary considerably from one
model to another; find yours in the list at
portforward.com for specific instructions.
Q: I'm already running version 2.0.908 or 2.0.902. Do I need to upgrade
to a newer version of EchoLink, or make a change to my EchoLink settings?
A: No, the version you have is already the latest. No
upgrade is required, and no settings changes are necessary.
Q: I configured my router a long time ago, and EchoLink has been
working fine ever since. Will this affect my node?
A: No. This feature has no effect on nodes that already
have a properly-configured router, or for nodes which do not have a NAT router at
all. It also has no effect on Proxy operation. However, if you are running
a version of EchoLink older than 2.0.902, you are strongly encouraged to upgrade,
to make it easier for others who are using NAT routers to connect to your node,
and yours to theirs.
Q: Does this new feature mean that I don't need to use a Proxy
when I'm at an Internet hot-spot?
A: You may find that you can establish connections to
most nodes on the system without requiring a Proxy. However, using a Proxy will
allow you to connect to nodes that are not running the latest version of the EchoLink
software. It will also avoid problems that might arise if more than EchoLink
node happens to be sharing the same hot-spot.
Q: Is it now possible to run more than one node over a single
A: You may find that it is now possible to run
more than one EchoLink node behind a single IP address, as long as each of the nodes
is making outbound connections only. Incoming connections will still be a problem,
however; there will be no guarantee that an incoming connection will be accepted
by the right node (or accepted at all). Also, there may be undesirable interactions
between the two nodes in the way they log into the system, since the EchoLink servers
track each node by its public IP address. For these reasons, running
more than once instance behind a single IP address, as a regular practice, is strongly
discouraged. If you have a need to share a single Internet connection by more than
one node full-time, the best solution is to obtain a second IP address from your Internet
Q: How does this affect the Firewall/Router Test function (on
the Tools menu in EchoLink)?
A: The Firewall/Router Test utility is unaffected. It
will still indicate whether you are behind an unconfigured firewall or router.
Q: Is there any change in the Windows XP (or Vista) Firewall
A: No. If you are running the built-in firewall in Windows
XP, Windows 7, or Windows Vista, you still need to set up an exception for EchoLink, as described
here for XP or here for Windows 7 and Vista.
Q: Does this new feature work with all types of routers and firewalls?
A: No; it only works with the most common types of NAT routers,
such as the type typically found in home networks. If you have some other type of firewall,
including software firewalls such as Norton Internet Security, you will still need to take
extra steps to allow the EchoLink software to work correctly. This feature also might not work
with more restrictive firewalls such as the type found in offices and businesses.
In these situations, an EchoLink Proxy is usually the best alternative.
Q: How does this actually work, from a technical perspective?
A: There are two parts to it.
The first is simple; the program now uses the same ports (5198 and 5199) for both
source and destination when it sends UDP packets. Prior to this, it used
dynamically-assigned source port numbers. Most types of NAT routers will establish
a "flow" when they see a request and a
corresponding response with precisely reversed addresses (including port number),
allowing other unsolicited packets to be received over the same "flow" within a
certain time period. Using fixed source ports ensures that the source and
destination addresses are exactly swapped in a response packet. This also avoids
false triggering of denial-of-service protections built into some firewalls, which
had been a problem for a few users.
The second part is a way to accommodate a firewall on incoming connections.
When a node initiates a connection, it sends an additional packet to its
addressing server indicating that it wishes to connect to the other node. The
addressing server relays this request to the receiving node, which responds by
sending a pair of packets back to the initiating node to establish the "flow" described
above. (Nodes maintain a UDP "flow" with the addressing server to prepare to
receive these requests by sending packets to it periodically.) This works even if
the two nodes are on different addressing servers, because these connection-request
packets are relayed internally amongst the addressing servers as well.