New node - getting “connection reset by peer” on all satellites - tried everything I can think of

Hey everyone, I’ve been banging my head against this for 2 days straight and I’m completely stuck. Would really appreciate some help here.

My setup

Running a fresh node on a MeLE Cyber X1 mini PC (Intel N150) with Windows 11. Installed using the official MSI installer, version v1.150.3. Got a 14TB WD My Book on USB for storage (NTFS, 11.5TB allocated). ISP is A1 Bulgaria with a Technicolor TC7200 modem/router.

External address is set to alexstorj.duckdns.org:28967

What’s happening

Every single satellite ping fails with “connection reset by peer”. It’s been like this since I set it up — the node has never successfully contacted any satellite:

ERROR contact:service ping satellite failed
"error": "ping satellite: failed to ping storage node, your node indicated error code: 0, 
rpc: tcp connector failed: rpc: read tcp 10.54.6.4:42996->213.191.163.143:28967: 
read: connection reset by peer"

All 4 satellites (eu1, us1, ap1, saltlake) give me the same error.

What actually works

The weird thing is — the node is clearly reachable from the outside. When I check port 28967 on yougetsignal.com it shows open. When I access the IP from a different PC trough HTTP in a browser, I get a response back (empty page or the DRPC JSON message). The dashboard loads fine on localhost:14002 and shows the node is running but offline with QUIC Misconfigured.

The node starts up fine, creates all it’s databases, and reaches out to satellites. It’s only when the satellites try too connect back that it fails.

All the network configs I’ve tried

I went pretty deep on this one. My setup has an A1 Technicolor modem/router and behind it a TP-Link TL-WR940N.

With TP-Link in router mode (it was getting its own public IP via portbase passthrough):

• Set up port forwarding for 28967 TCP+UDP on the TP-Link

• Connection reset by peer

With TP-Link in Access Point mode and MeLE getting a direct public IP (NO NAT at all):

• The passthrough feature on the Technicolor gives the MeLE a public IP directly

• No port forwarding needed at all — completely open to the internet

• Still connection reset by peer

So it’s not a NAT issue and its not a port forwarding issue.

Software stuff I’ve tried

• Turned off Windows Firewall completely — same result

• Added Windows Defender exclusions for the Storj folders and the storagenode.exe process

• Disabled SPI Firewall on the TP-Link

• Disabled DoS protection on the TP-Link

• Tried Docker first (had USB drive mount issues with WSL2), then native binary, then the MSI installer — all gave me the same connection reset

• Tested with v1.151.1-rc and v1.150.3 — no difference

• No Hyper-V adapters leftover from Docker (checked with ipconfig /all)

• No VPN, no extra antivirus besides Defender

Identity

identity.cert: 2 x BEGIN markers
ca.cert: 1 x BEGIN marker

I know the auth token step isnt required anymore per the docs.

Netstat while node is running

TCP    0.0.0.0:28967    0.0.0.0:0    LISTENING
TCP    [::]:28967       [::]:0       LISTENING
UDP    0.0.0.0:28967    *:*
UDP    [::]:28967       *:*

The thing that confuses me most

Regular HTTP connections from outside reach the node no problem. It’s specifically the DRPC/TLS handshake from the satellites that gets reset. To me this looks like something is messing with TLS connections specifically but not blocking the port.

Could this be the ISP hardware (Technicolor TC7200) doing some kind of deep packet inspection even in pass-through mode? Or is there something else on Windows that could interfere with TLS handshakes that I’m missing?

I’ve rebooted everything multiple times, reinstalled the node from scratch 3 times, tested with and without every firewall and NAT config I can think of. I’m out off ideas.

Any help would be hugely appreciated. Thanks!

Hello @darylBlane,
Welcome to the forum!

Is not opening for me, the IP

It also doesn’t open. So what address and port did you use to check with yougetsignal?

Please, make sure that WAN IP on your router matches IP on yougetsignal, and your DDNS is resolvable to the same IP:

nslookup alexstorj.duckdns.org 8.8.8.8

Also, does your node running?
Please, check your logs for FATAL or Unrecoverable errors.
DDoS protection must be disabled, TCP+UDP listening port should be enabled in both firewalls.

Please also consider to switch your DDNS provider to a more reliable NoIP or Cloudflare: Search results for 'duckdns order:latest' - Storj Community Forum (official)

Hey @Alexey , thanks for the quick response!

So I just checked from my home PC (different network, different ISP) and hitting http://213.191.163.143:28967 in the browser does connect — it returns “sent back an empty page” which I believe is expected since the node speaks DRPC not HTTP. So the port is definitely reachable from the outside.

About the FATAL error — yeah good catch, the node did crash at one point because DNS on the machine couldn’t resolve duckdns.org temporarily. I’ve since hardcoded 8.8.8.8 and 8.8.4.4 as DNS servers on the ethernet adapter and confirmed nslookup alexstorj.duckdns.org 8.8.8.8 resolves correctly to the current IP (213.191.163.143). Node is back up and running now.

The IP does change pretty frequently tho because my ISP modem (Technicolor TC7200) is in passthrough mode giving the machine a direct public IP via DHCP. DuckDNS updates every 5 minutes so there will be small windows where it’s stale, but right now everything matches up — WAN IP, DuckDNS, and what the node advertises are all the same.

I don’t think its a DNS issue because the connection reset errors show the satellites reaching the correct current IP. They’re connecting to the right place, the TCP connection starts, but then gets reset during what looks like the TLS/DRPC handshake. Here are the latest errors:

2026-04-04T12:34:11+03:00 ERROR contact:service ping satellite failed 
"satellite_id": "1wFTAgs9DP5RSnCqKV1eLf6N9wtk4EAtmN5DpSxcs8EjT69tGE", "attempts": 11, 
"error": "ping satellite: failed to ping storage node, your node indicated error code: 0, 
rpc: tcp connector failed: rpc: read tcp 10.101.5.103:45286->213.191.163.143:28967: read: connection reset by peer"

2026-04-04T12:34:21+03:00 ERROR contact:service ping satellite failed 
"satellite_id": "12L9ZFwhzVpuEKMUNUqkaTLGzwY9G24tbiigLiXpmZWKwmcNDDs", "attempts": 5, 
"error": "ping satellite: failed to ping storage node, your node indicated error code: 0, 
rpc: tcp connector failed: rpc: read tcp 10.54.6.4:52904->213.191.163.143:28967: read: connection reset by peer"

2026-04-04T12:34:25+03:00 ERROR contact:service ping satellite failed 
"satellite_id": "121RTSDpyNZVcEU84Ticf2L1ntiuUimbWgfATz21tuvgk3vzoA6", "attempts": 10, 
"error": "ping satellite: check-in ratelimit: node rate limited by id"

As you can see the satellites are hitting the right IP. The connection gets established but then reset. Regular HTTP from a browser works fine, only the DRPC/TLS handshake fails.

I’ve tried this with Windows Firewall completely off, with Defender exclusions for the storj folders and processes, with the TP-Link removed from the equation entirely (direct public IP, no NAT whatsoever), with DoS and SPI protection disabled — always the same result.

I’ll look into switching to NoIP or Cloudflare for the DDNS, but I dont think thats the root cause here since the IPs match up. Any other ideas what could be resetting the TLS handshake?

This is only confirms, that the node is not available. You should get a clear response with a node’s health.
For example - I cannot, it says, that the port is closed, which is also confirmed by yougetsignal, if you would put your external address and port here.
The successful connection from your home network means nothing, if your node is not available outside, you know.

I’m far outside as you can imagine - on an island in an ocean (yeah, I have a 5G here). Your node is 100% offline.

Unfortunately it’s permanent. Please, try other DDNS providers. Or at least try to use your current public IP (matches with WAN IP and yougetsignal, if any difference - no way, you are behind CGNAT).

I can only confirm it’s completely offline now. So, either your portforwarding rule doesn’t work or your firewall is protecting you to be online, and it’s working hard - 100% of success.

This provider is proven that it cannot handle their domains properly. It could be available from the one place and will be offline from another. I strongly suggest to change it, or, at least, trying to use an IP, even if it’s dynamic. Likely your node will be online until your ISP will change the IP.

This is literally mean - your host/provider/router/etc. just dropped a connection. So, if you didn’t disable DDoS feature - it’s time, also - on your ISP, because nobody is allowed to block you, except your firewall. Speaking of it - please make sure that you allowed both TCP and UDP on every firewall on the route to your node.

Doesn’t help, if it’s blocked, the node cannot respond and received on its request to the satellite the response, that you are blocking connections (“ping satellite failed” is mean, that the satellite is tried to use a dRPC “Ping” request to the provided external address and port, but your node didn’t respond, because of “connection reset by peer”. It’s not an ICMP “ping”, it’s an dRPC request, it’s more complicated).

This means that the satellite is tired of receiving an address and port from your node that is not responding, and it sends a message saying “please try again later after you’ve fixed the problem…”.

This is likely not a root cause. Something is blocking connections even before it reaches your Windows. Maybe it’s your ISP, or you actually do not have a public IP or you are using more than a one router between your ISP and the node.

It can be, however, you can easily remove it from the equation - just try to use the WAN IP = yougetsignal IP instead of a DDNS name. Then we can dive deeper.

I would try another port. Just in case your ISP is blocking the default port…

@Alexey Same connection reset on port 14567, so it’s not port-specific blocking.

You were right about the two routers. Here’s my full setup:

Internet → ISP modem/router (Technicolor TC7200, WAN IP: 130.204.146.186) → TP-Link TL-WR940N → MeLE (the node)

The Technicolor has “portbase passthrough” which gives the TP-Link its own public IP via DHCP (currently 213.191.161.104). I’ve been using this passthrough IP, and it seems reachable locally but not internationally — which would explain why satellites can’t reach it.

The Technicolor also has a static IP from my ISP: 130.204.146.186. I can set up port forwarding on the Technicolor, but that means double NAT:

• Technicolor: 28967 → TP-Link’s 192.168.0.x

• TP-Link: 28967 → MeLE’s 192.168.1.100

Problem is: every time I disable passthrough to put the TP-Link on 192.168.0.x, the network crashes. The Technicolor only seems to work properly with passthrough enabled.

Is there a way to use the static IP 130.204.146.186 for port forwarding while keeping passthrough on? Or should I call my ISP and ask them to configure the modem properly for routing mode?

Is there nothing like “exposed host” or “dmz host” setting in your ISP router? I am using this to forward everything from my ISP router to my pfSense box.

You need either to switch your ISP router to a bridge mode, or use a double NAT, if there is no option like DMZ on the ISP router.

Hey guys, just wanted to update — the node is online! Status: Online, QUIC: OK, Last Contact: 0m ago. Finally.

So here’s what the actual problem was for anyone who stumbles across this thread with similar issues:

The Technicolor TC7200’s “portbase passthrough” feature gives connected devices their own public IP, but those IPs are NOT globally routable. They work within the country (I could reach my node from another local ISP) but not from the international internet. Satellites are outside the country so they could never complete the DRPC handshake — hence “connection reset by peer.”

The fix:

1. Connected the node directly to the ISP modem/router via LAN cable

2. Disabled portbase passthrough

3. Set DMZ (exposed host) on the ISP router pointing to the node’s local IP

4. Used the actual static IP from the ISP as the external address in the storj config

Took me 3 days of troubleshooting to figure this out lol. Lesson learned — if your ISP modem has a passthrough/bridge-like feature, don’t assume those IPs are reachable from everywhere. Test from outside your country if you can.

Thanks @Alexey and @alpharabbit for pushing me to look deeper at the network setup and for the DDNS suggestion. Wouldn’t have gotten there without the nudge. Cheers!

Usually you need to do one of:

or

but not both. Please make sure that you have a firewall on the exposed host.

Yep, Windows Firewall is on across all profiles. Only port 28967 TCP+UDP is allowed through for the storagenode. Thanks for the heads up!