Hytale Server Port Forwarding and Firewall Guide

1. Prove the server works locally

Before touching the router, start the server and connect from the same computer or another device on the local network. If local access fails, port forwarding cannot fix the server process, wrong bind address, or startup error.

Confirm the actual port in the server configuration. This guide uses the official default, UDP 5520, but your configured value is the source of truth.

2. Use the correct protocol and port

The official manual describes Hytale server traffic over QUIC using UDP. A TCP-only rule will not replace the UDP rule. Configure only the port the server uses, unless another documented service needs a separate rule.

Keep the internal and external port identical while troubleshooting. Port translation can work, but it adds another value that can be mistyped.

3. Give the host a stable local address

A router forwards traffic to a private address such as 192.168.x.x. If DHCP later assigns a different address, the rule will point to the wrong device.

Prefer a DHCP reservation in the router for the server's network adapter. It is usually easier to maintain than a manually configured static address, especially when DNS and gateway values change.

4. Allow the server in the host firewall

Create a narrow inbound UDP rule for the configured port and, where supported, restrict it to the server executable or service account. Keep network profiles in mind: a rule enabled only for a private profile may not apply if Windows marks the connection as public.

Do not solve the problem by turning the firewall off. A successful test with the firewall disabled only tells you which layer needs a correct rule.

• Windows: create an inbound UDP port or program rule.
• Linux: add the UDP port to the active firewall system, such as UFW or firewalld.
• Hosted server: also check the provider's security group or network firewall.

5. Forward the port in the router

In the router interface, create a UDP forward from the public port to the reserved local IP and the same internal port. Labels vary: Port Forwarding, NAT, Virtual Server, or Gaming.

Avoid DMZ mode and broad port ranges. Save the rule, confirm it is enabled, and restart only the router components that explicitly require it.

6. Test from outside your network

Many routers do not support NAT loopback, so testing your public address from inside the same Wi-Fi can fail even when external access works. Ask a trusted person to connect or use a phone on mobile data.

Generic web port checkers often test TCP and can report a false negative for a UDP service. The most meaningful test is an actual Hytale client reaching the running server.

7. Detect CGNAT and double NAT

Compare the router's WAN address with the public address shown by a reputable IP service. If they differ, or the WAN address is private/shared space, another NAT layer may exist.

Double NAT can come from an ISP modem plus your own router; forward the port on both or place one device in an appropriate bridge mode. With CGNAT, you may need a public IPv4 option, supported IPv6 path, VPN tunnel, or a hosting provider.

8. Keep the exposure limited

Patch the operating system, keep the server updated, use strong administrative credentials, and monitor logs. Do not publish management panels or remote desktop ports alongside the game port unless you fully understand their security.

Use HyTools to generate a checklist for your platform and save the final values with your server documentation.