12 Messages

Tuesday, January 30th, 2024 5:13 PM

Unifi Port Forwards not Working, does Xfinity have a hidden firewall? - Palworld

Hello, I hope you're doing well.

Disclaimer: Palworld is here and if I want to play with my friends (five of us on the game at once), we need to run a dedicated server software that requires port 8211 to be open. I intend to have myself and 4 friends connect to my IP so we can play the game. The server will shut off when we log off for the night. I am not intending on hosting long running large volume servers. This will not be used for business.

The problem: I do not rent any xfinity gear. Everything is my own. Port forwards are being ignored. I think it might be a top level filter that uses settings from the app?

My modem is a single modem unit, the CM1000. Bridge mode is not the solution here, it's a straight modem not a modem/router hybrid.
I have a USG-3port connected to a Unifi Switch. My desktop connects through the switch.

I have my port forwards setup correctly. I've tried using a static IP for the device, that way I know the IP is not changing somehow.

I verified the server file is setup correctly. I've had two peers double check it for extra commas or errors. It's not the config file of the server.
I verified I opened the port on my windows firewall.

If I run netstat -aon, I can see the 8211 port under UDP for for *:* foreign addresses.

However, if I use port checker or a telnet scan, port 8211 for my public IP is always closed... I can connect to the server locally, but using the public IP no one can connect. 

So it's definitely that 8211 is closed...
To reiterate, my modem is a straight modem, so it can't be a problem with bridge connection.

I can see I setup the port forwarding correctly on the USG Controller. I setup the windows defender firewall to allow the 8211 port for all connection types...

I'm at a loss... The only thing I can think of is Xfinity has a separate firewall that's run at a higher level beyond my house.

So now I need to ask, does Xfinity block port 8211? Is this some weird top level setup xfinity has to force you to use their app for advanced settings? I did see some users claim that after they went into the advanced settings on their xfinity app and port forward there things worked. That sounds nice, but I don't rent xfinity gear... The App can't do anything except see my modem. So since I'm on my own gear I can't control the port forwards with the xfinity app....

I checked the web page with the list of blocked ports and didn't see 8211 on there. Was it added due after Palworld came out and not put into the site possibly? I'd be impressed if your developers closed the port for one game. Is it maybe something to do with public IP's handed out by xfinity?

I think Xfinity having some sort of extra firewall would make sense. Separately, that would explain why my NAT on the xbox one is defaulting to Moderate.

If anyone has any ideas, please let me know. I cannot think of any reason it would be messed up on my end. I'm hopeful it's something an admin at Xfinity can fix for me.

Thanks for your time!

12 Messages

6 months ago

Hello again,

I figured out the solution.

I reconfirmed the Port forwarding in the controller settings. I reconfirmed my firewall settings. Confirmed 8211 was open for all ipv4 addresses on my firewall using netstat.

As a nothing else works method, I turned off my firewall briefly and tried connecting using my public IP.

It worked...

Portchecker was still saying 8211 is closed, but I could connect to the server.

I asked a friend to try connecting with the firewall down, they also connected with no issues. I turned the firewall back on, we both were disconnected.

So I found a thread where someone had the problem of their server only connecting with the firewall off... and they suggested checking the Network profile.

Here's what happened: I guess when I moved to College dorm life I must've gotten a prompt to change my network to "PUBLIC" mode. (Protect yourself while on a public network) It hides things by default and ignores your privately set firewall rules. I never moved it to Private when I moved back home.

So, I right clicked on the network icon in the bottom right hand corner, clicked "Open Network and Internet Settings" and then clicked "Properties" under my ethernet connection.
And there it was... Right there this whole time... I was using the public profile. "Your PC is hidden from other devices on the network and can't be used for printer and file sharing"

I swapped to private mode... and baam no issues anymore. I could connect to the dedicated server with no issues and so could my friends.

TLDR: If your port forwards aren't working and you definitely set them up right and definitely setup your firewall settings correctly... Check your network profile and see if you're in public or private. If you're in public move to private.

5 Messages

What ports did you setup besides 8211? And ping still does not work?

From here there are PC and steam ports. But I have dedicated windows server on my machine. I put both types (tcp and udp) for both steam and pc (so 4 services port forwarded)



12 Messages

Hi Rob,

I learned something new, telnet and port checker can't check my 8211 port because Telnet and Port checker use TCP and I'm trying to check 8211 UDP. UDP is stateless, take this statement with a grain of salt but "there is no way to reliably determine if a UDP port is open." To reiterate, if I use telnet or Port checker it'll say closed because they can't check UDP.

For your friends to connect, you need to setup a port forward on 8211 only for UDP. I set a static IP to my computer so I knew the IP rules for the port forward were always directed at the PC that is hosting the server executable. (By that, I mean I set it so my computers IP was always,

If you want your server to show up in the public server list, you need to also port forward  27015-27016 for both TCP and UDP.

25575 for both TCP and UDP is the last port you need to forward if you're going to use the remote admin features for your server.

After that, setup the firewall rules in windows defender firewall. I only have 27015 and 8211 setup.

The two inbound rules I have are.
Name: Palworld Dedicated Server
Group: Null
Profile: All
Enabled: Yes
Action: Allow
Override: No
Program: (the Palserver.exe executable file)
Local Address: Any
Remote Address: Any
Protocol: UDP
Local Port: 8211
Any to the rest except PolicyAppId

If you repeat the above for 27015, then you'll be on the same setup as me. You may notice that I only have 27015 and am missing 27016. That's correct, I am. I just learned what the ports were for today while reviewing server files. I am telling you this because that would help show that you really only need 8211 open for friends to connect.

Those are the only two I have port forwarded and it works. Please let me know if you have any questions!

TroubleChute's guide is the guide I followed if you'd like to take a look at the same thing I did.


5 Messages

@SystemWANalyst​ Thank you!

Yeah I can confirm that I was going crazy wondering why the port was working with this:


I ended up testing the connection anyway with my friend connecting to my dedicated server via hotspot and server password and it works! Despite failing on that website.

I ended up port forwarding all the ports for PC and Steam and for TCP and UDP (but as you mentioned I technically only need UDP 8211)

I changed my BitDefender firewall to "Home/Office" (Private Profile). I had set to "Dynamic" before and the other option was "Public".

Even though I had BitDefender firewall, I checked Windows firewall and although it was disabled and set to "Guest or Public Network", I turned off my BitDefender in order to use Windows firewall (and Windows Defender) temporarily to switch my wifi to use the "Private Network" just in case. Then turned my bitdefender back on.

I did turn off BitDefender's port scan protection in the firewall settings. Might try test to see if it works with it on.

I didn't create any inbound/outbound rules though.

But in my netgear router's advanced settings, I :

- (Setup/WAN SETUP) Unchecked "Disable Port Scan and DoS Protection" (I will probably test to see if I can turn this on)

- (Setup/WAN SETUP) Changed "NAT Filtering" from "Secure" to "Open" (I will probably test to see if I can turn this on; I saw some people had this issue where changing to Open helped, but is less secure)

- (Administration/Attached Devices) Made sure I was using a static local IP address for stability (I had set it earlier (prior to palworld release), but I double checked)

- (Advanced Setup) Disabled my router's Dynamic DNS (DDNS) with no-ip. I made it just for palworld, but it wasn't syncing correctly even after router reboot. So I used their desktop client to check and sync my public IP every 5 minutes. 



I also rebooted my router and computer a few times. I even completely turned off my router and modem for like 15 minutes (in hopes it would give me a new public IP to test out; it didn't)

But it might still be worth trying a good old reboot for both pc and router to make sure things are in order!


12 Messages

Awesome, I'm happy to hear they could connect!

Some people were having issues with people connecting while a password was active. If you ever run into problems again just something to consider.

It's not really dangerous to leave 8211 set for both, but IF something does end up listening to TCP 8211 later on it could be a problem. Packet loss mostly, maybe something malicious but that's not likely. I wouldn't worry about it, but to keep things proper and tidy it couldn't hurt to set it to only UDP.

Oh, okay you're using a firewall separate from Windows Firewall. I did some Googling and it looks pretty straight forward, setting up an inbound rule is essentially the same for BitDefender.
Here's how (if you don't trust my link you can google the headline and you'll find it): How to allow an app or program through Bitdefender Firewall

If I'm reading this right, Dynamic looks like BitDefender will allow all connections from local machines, but will pick and choose public settings for other traffic. The portion of traffic that isn't local will use your inbound/outbound rules. Public setting would filter all traffic.

Just curious, when you turned BitDefender back on did Windows defender auto-shut off? (Double firewall?)

Probably more info than you wanted but: Port scanning is an unfortunate part of the web. Anyone or any bot can pick a random IP address and ping it, if it's online they can run tests for random ports to see if any are open and vulnerable. Here's the thing, BitDefender is a local firewall application on your PC, it'll protect only your PC from local and external port scans. Not anything else on your network, that'd have to be done by the router.

So it would make sense that routers would have a port scan protection protocol at the network level protecting your other devices from outside traffic. The firewall for your PC is the base layer of network protection in case you're ever connected to something like a friend's house where they turned all security off, plus it will protect you from potential local attacks. (Unlikely on your home network but..)

I checked and some Netgear routers do have a port scan feature in the same screen as ddos protection. As long as you've setup a port forward rule in the router, and an inbound firewall rule for the firewall, you should have no issues with leaving port scan protection enabled. If you've got the port forward and inbound connection rules setup correctly, and it's a TCP connection, you can probably ping test the port. PSP and DOS protection shouldn't stop that, I think.

You can probably leave the dos protection enabled, because that would only prevent unreasonable amounts of packets from flooding your network. A normal server connection would not be a problem.

The NAT part is interesting, that may have definitely done something. Swapping from Strict to Open means your router would be more relaxed about the type of traffic it let's through. I'm not 100% positive if that's what did it, but something to note. 

Sounds fine to me with no ip , I checked out how their system works and the desktop client is what I'd have tried. I don't think it was really necessary, but if you want to guarantee that your public IP isn't changing and don't really want to give your public ID to friends, that's proper.

I think my only question would be if you didn't set up any inbound rules for BitDefender or WindowsFirewall how was your friend able to connect? Maybe something to do with the DDNS?

Well, if you start to troubleshoot things by turning stuff on and off again, go one by one if possible to narrow it down and make a list. You'll figure out what changed to fix it. 

I'm still here if you need any help with anything, if you do end up needing more help please let me know the model # of the devices that run your network. (Router/Modem)

I hope you have a great weekend! Happy Pal-Worlding



5 Messages



Sorry for the late reply. Been busy with life and playing Palworld!

Server password seems to be okay, but it is a pain each time. I wish there was a one click kinda thing if the person already joined the server.

After I turned Bitdefender back on it did auto shut off Windows Defender. 

I can't click the "Private networks" nor the "Guest or public networks" in the Windows Defender Firewall window.

Thank you for that! I will test the ddos protection and port scanning. I mainly turned them off because I thought that was blocking me from pinging my server. 

I will also test the NAT! One change at a time!

Yeah maybe the DDNS from no-ip was allowing it?

I'll post shortly!

Enjoy your weekend and palworlding!

forum icon

New to the Community?

Start Here