Mindustry Server Network Configuration and Port Forwarding

1. Port Forwarding Fundamentals (Port 6567)

Mindustry relies almost entirely on Port 6567 for both its networking discovery and actual game data transit.

When hosting a server on a residential or small business network behind a traditional home router (NAT - Network Address Translation), the public IP address displayed to the internet acts as a rigid wall. Any incoming traffic requesting access to port 6567 is unceremoniously dropped by the router, unless explicitly directed.

To forward Port 6567:

1. Determine the internal IPv4 address of the computer or server running the application (e.g., 192.168.1.104 on Windows using `ipconfig`, or Linux using `ip a`).
2. Access your Router's Gateway Panel typically by browsing to `192.168.0.1`, `192.168.1.1`, or `10.0.0.1`. Log in using your admin credentials.
3. Locate Port Forwarding, Virtual Server, or NAT settings (this terminology changes vastly by manufacturer like Netgear, TP-Link, or ASUS).
4. Create a new rule. Name it `MindustryServer`. Assign both the External Start/End ports to 6567. Assign the Internal Start/End ports to 6567. Set the protocol precisely to "Both TCP & UDP". Input the device IP `192.168.1.104` and save.

Many games only require TCP (reliable, ordered delivery). Mindustry requires extreme synchronization for hundreds of bullets traversing belts concurrently. It uses UDP (fast, connectionless data packets). Failing to explicitly forward the UDP variant of 6567 guarantees players will be permanently stuck on a "Connecting..." screen in the web browser interface.

2. Firewalls (UFW, iptables, Windows Defender)

Even if the physical router allows the traffic to reach the local machine, the machine's software firewall might block the raw packets from entering the JVM.

Configuring Windows Defender Firewall:

• Open Windows Security, navigate to Firewall & network protection -> Advanced Settings.
• Select Inbound Rules -> New Rule...
• Choose Port, specify UDP and TCP, typing 6567 for specific local ports. Provide the rule a recognizable name and explicitly allow the connection on Domain, Private, and Public profiles.

Configuring Linux UFW (Ubuntu/Debian recommended option):

sudo ufw status
sudo ufw allow 6567/tcp
sudo ufw allow 6567/udp
sudo ufw reload

Verify execution utilizing `sudo ufw status verbose` to confirm both protocols map directly.

3. Multi-instance Scaling and Binding IP Interfaces

Many server communities attempt to run five or six separate maps (Survival, PvP, Sandbox, Attack) concurrently on the precise same bare-metal hardware. Because you cannot run dual services mapping identically onto UDP port 6567, you must increment the port definitions inside each iteration.

When running multiple servers, navigate into your respective folders (e.g., `~/pvp-server/config/server.properties`).

Locate the line configuring the port and increment it to 6568, 6569, etc. You must also port forward each incremental version across both protocols respectively.

If you've purchased a monstrous physical dedicated server possessing multiple network interfaces or failover elastic IP addresses, you can force each Mindustry instance to exclusively bind its traffic to a singular public IP by utilizing the property `bindAddress`. By editing `server.properties`, finding `bindAddress`, and setting it securely to the secondary IP (e.g., `185.10.*.*`), the JVM will never cross-contaminate networking over your primary interface, resolving complex tunneling issues beautifully.

4. Network Troubleshooting & Bypassing CGNAT

What if you've opened ports in Windows, configured your hardware router flawlessly, but external networks still cannot detect your server utilizing `status.mindustry.io` or `canyouseeme.org`?

You are extremely likely trapped behind Carrier Grade NAT (CGNAT). Commonplace on mobile 4G/5G connections, Starlink satellites, and budget or modern fiber ISPs, CGNAT implies you share a single public IP address with hundreds of other regional households. You physically cannot forward ports because the authentic border router physically belongs to the ISP, not your living room.

How to bypass CGNAT for Mindustry:

• Request a Static/Public IPv4: Call your ISP and explicitly ask for a Static IP. Some charge an extra $5 to $10 monthly.
• Rent a cheap VPS mapping: Purchase a $3 minimal Linux VPS hosted via DigitalOcean/Linode and leverage a VPN wireguard tunnel or `frp` (Fast Reverse Proxy) to encapsulate and push all UDP traffic hitting the remote public port straight into your home network through the encrypted tunnel.
• Utilize ZeroTier or Radmin: Invite your friends onto a Virtual LAN. They must install the application, connect directly to your network ID, and type your Virtual IP directly into the Add Server bar to bypass typical WAN architecture.

5. Securing the Server (Strict Mode and Limits)

A globally listed Mindustry server is inevitably targeted by automated scanning networks seeking vulnerabilities.

In `config/server.properties`, prioritize setting strict to `true`. Strict mode enforces rigorous checks against users utilizing invalid names, proxies, VPN evasion patterns, and enforces limits on exceptionally massive blueprint pastes or suspicious chat packet flooding rates that DDOS typical UDP handlers.

Furthermore, block IP subnets locally via `iptables` or UFW if tracking automated bots repeatedly hammering connection pipelines. Proper network configurations dictate a robust defensive posture natively before installing plugin extensions.