If the external port, as displayed by the server browser, behaves similarly in DEFCON and DedCon, the part of the protocol that determines it probably works correctly. What does not work correctly is the NAT piercing protocol. What is supposed to happen when a client wants to connect to your server is this:
- The client sends an "I want to connect to server <public server ip>:<public server port>" message to the metaserver
- The metaserver sends a "Client on <public client ip>:<public client port> wants to connect to you" message to the server
- The server sends a "Hello!" message to <public client ip>:<public client port>
- The client, ever since it sent the message to the metaserver, tries to connect to <public server ip>:<public server port>
The problem this tries to work around is that NAT routers only handle outgoing connections and can't handle incoming connections. The purpose of the "Hello!" message is to pretend the connection from the server to the client is an outgoing connection, where in fact it is incoming. The whole thing only works if some assumptions are met, the most important one being that the public port the NAT router assigns to a connection does not depend on the target, and that needs to be the case for both the client's and the server's NAT.
Now, why do I ramble about this? The message from the metaserver to the server is a bit odd: it contains two IP:port pairs. The second pair appears to be rubbish, the port constantly changes, so DedCon ignores it. My suspicion now is that your NAT is of the type that is not supported by the protocol as outlined above; since DedCon only uses that method, it fails for you. The regular DEFCON client, as I suspect now, uses an extended version of the protocol that works as long as ONE of the NATs involved is of the good type. That would explain why only some players can connect to you if you host regularly; those are the players with a good NAT. Players with a bad NAT can't connect to you.
The easy way now to go on for you is to set up port forwarding. That always works. Use the designated 5010 port for that (or whatever you want to set up on the server), ignore the public port you get usually; once port forwarding is set up, your public port should match the private port. Once this is done, all players should be able to connect.
The slightly more complicated way would be if you helped implement the full version of the protocol. You'd just need to run a server version with debug output that I'd send you. However, once this is done, still only some players will be able to connect to you.
I'm leaning towards not fully implementing the connection protocol; it is, IMHO, better to have a server admin either give up or set up port forwarding if he has a "bad" NAT. I don't like the idea of servers on the server list that some players just cannot reach.
EDIT: Sorry to those who were wrongly accused of spamming on my servers yesterday. It was an inverted logic error.

The events have been cleared from your criminal files, of course.
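
An added example (not part of the original post, and not DedCon or DEFCON code): a toy simulation of the four connection steps listed above, showing that the punch succeeds only when both NATs assign a public port that does not depend on the target, and that a forwarded port 5010 is reachable regardless. The `Nat` class, the `punch` function, all addresses, the 40000+ port range and the client port 5011 are assumptions made for illustration; the NAT is modelled as admitting only packets from endpoints it has already sent to.

```python
import itertools

META = ("198.51.100.1", 5008)  # constructed metaserver address (assumption)

class Nat:
    """Toy NAT router: allocates public ports and only admits replies."""

    def __init__(self, ip, target_independent, forwarded=()):
        self.ip = ip
        self.target_independent = target_independent
        self.forwarded = set(forwarded)      # ports with static forwarding
        self._next = itertools.count(40000)  # constructed port range
        self.mapping = {}                    # mapping key -> public port
        self.sent_to = {}                    # public port -> remote endpoints

    def outbound(self, private_port, dest):
        """Send a packet out; return the public source endpoint the peer sees."""
        if private_port in self.forwarded:
            public_port = private_port       # public port matches private port
        else:
            # A "good" NAT reuses one public port for every target; a "bad"
            # NAT allocates a fresh one per target.
            key = private_port if self.target_independent else (private_port, dest)
            if key not in self.mapping:
                self.mapping[key] = next(self._next)
            public_port = self.mapping[key]
        self.sent_to.setdefault(public_port, set()).add(dest)
        return (self.ip, public_port)

    def admits(self, public_port, src):
        """Incoming packets pass only if forwarded or if we sent to src first."""
        return (public_port in self.forwarded
                or src in self.sent_to.get(public_port, set()))

def punch(server_nat, client_nat, server_port=5010, client_port=5011):
    """Run the four steps from the post; True if the client's packet gets in."""
    server_pub = server_nat.outbound(server_port, META)  # server advertises itself
    client_pub = client_nat.outbound(client_port, META)  # step 1: ask the metaserver
    # step 2: the metaserver relays client_pub to the server (no NAT state changes)
    server_nat.outbound(server_port, client_pub)         # step 3: "Hello!"
    src = client_nat.outbound(client_port, server_pub)   # step 4: client connects
    return server_nat.admits(server_pub[1], src)
```

With a target-dependent server NAT, the "Hello!" leaves from a different public port than the one the metaserver advertised, so the hole is opened on a port the client never contacts.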