# Geyser

{% hint style="info" %}
Bedrock support is strictly a Premium Plan feature. To upgrade, please go to our [plans](https://tcpshield.com/plans) page.
{% endhint %}

## Setup

### Panel Setup

First, create a **separate** backend set which points to your instance.

{% hint style="info" %}
To avoid a lengthy debugging process, make sure you can log in to your **IP:Port** with the Minecraft Bedrock client first, i.e., please don't come to us with a broken Geyser instance.
{% endhint %}

![An example for a Geyser backend set](https://530345640-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWXTvAX8gueFZ5txjDV%2F-MWXYNSy4NrCKwl7VGyL%2F-MWXYV05amAysqUOMaVf%2Fi05X29P.png?alt=media\&token=240ceb86-045a-422f-8dac-7610ccfa635c)

After you've created a backend set, you can head to the Bedrock section on our panel and create a Bedrock tunnel:

<figure><img src="https://530345640-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWXTvAX8gueFZ5txjDV%2Fuploads%2F6rMUUmll2PjFmriaaXAd%2Fimage.png?alt=media&#x26;token=0fb0d851-59aa-4141-8cd1-944f6508c251" alt=""><figcaption><p>Creating Bedrock Tunnel</p></figcaption></figure>

Select the backend set that you have created:

<figure><img src="https://530345640-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWXTvAX8gueFZ5txjDV%2Fuploads%2FNJFiQQ88ZmyxCJb2EunE%2Fimage.png?alt=media&#x26;token=1098f906-7cb5-4352-95cb-300a9d36ad86" alt=""><figcaption><p>Select the appropriate backend set</p></figcaption></figure>

Click 'Done,' and you will be able to create your Dedicated Bedrock CNAME. Here's what it does:

* Since Minecraft: Bedrock edition does not support virtual hostname routing, we cannot offer a shared anycasted IP as we can with Java. To overcome this limitation, each IP must be provisioned statically per tunnel.
* This IP address will efficiently redirect all traffic from Minecraft: Bedrock edition to the backend set you created above. Therefore, you don't need to attach a domain to this backend set on the TCPShield panel.

You can now proceed to the next step: DNS Setup.

<div align="center" data-full-width="false"><figure><img src="https://530345640-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWXTvAX8gueFZ5txjDV%2Fuploads%2F7vn3v0dSIndZ0DMPMEhh%2Fimage.png?alt=media&#x26;token=e73a0e8a-15ce-489e-8293-de133a87c202" alt=""><figcaption><p>Copy your Bedrock CNAME and use it for the next step</p></figcaption></figure></div>

{% hint style="danger" %}
**Important**: while your Bedrock tunnel is active, you won't be able to delete the underlying backend set. If you want to change your IP address later, you can simply click on **Edit**. Alternatively, you can delete the tunnel and create a new one.
{% endhint %}

### DNS Setup

The DNS setup is quite similar to the one you normally go through to set up TCPShield.

You need to point a new CNAME to the Bedrock CNAME target we've provided you.

![An example how to setup the CNAME](https://530345640-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWXTvAX8gueFZ5txjDV%2F-MWXYNSy4NrCKwl7VGyL%2F-MWXYYZHxnC0eQijTgXe%2FsFYMbwi%20\(1\).png?alt=media\&token=52a509c0-e25c-4358-bbb3-b11db73cd1bc)

#### Using the same domain to connect to both Geyser and Java Edition

Because Bedrock CNAMEs use a special IP address which supports both Java and Bedrock traffic together, the same `example.bedrock.tcpshield.com` CNAME **can be used for both connection types**. This means you can simply create a DNS record pointing only to this value for any subdomain, including root, and both will work together.

**OPTIONAL: Set up an SRV record which points to your Java Edition server**

This section is for customers who want more control over which **providers** Java and Bedrock traffic use. If you are using our Cloudflare network, this is necessary to ensure Java traffic stays on Cloudflare.

Say, for example, you would like to use `play.example.tld` to connect to both your Java Edition and Bedrock server. We can do that as shown below:

{% hint style="warning" %}
The CNAME for your Java Edition server has to be a different one than the one you want your players to connect to. In this case, we will use `tcpshield` as the name of the CNAME.
{% endhint %}

To get the SRV record set up, you can follow the guide [here](https://docs.tcpshield.com/panel/dns-setup#aside-allowing-players-to-login-without-a-subdomain).

**Change the name of your Geyser CNAME**

If you have already created the CNAME as described above, change its name to the subdomain you want your players to connect to. If you haven't created the CNAME yet, follow the steps outlined above, but set the name to, in this example, `play`.

![An example of a full setup](https://530345640-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWXTvAX8gueFZ5txjDV%2F-MWXYNSy4NrCKwl7VGyL%2F-MWXYa4GOTnlnxvQtbnV%2FyQVzEGA.png?alt=media\&token=3ec04aa5-834c-4437-afcd-baa6f032d9bd)

### Proxy Protocol Setup

When using Geyser in combination with Java it's **highly recommended** that you switch to `proxy protocol`. Detailed instructions can be found [here](https://docs.tcpshield.com/commonly-asked-questions#1.-differences-between-our-plugin-vs-proxy-protocol). After this is done, you should be able to connect to both your Java Edition and Bedrock server with `play.example.tld`!

### Plugin Setup

If you decide to use the plugin instead of proxy protocol, note that the plugin does authorize incoming Geyser connections directly. Please create a new file under `plugins/TCPShield/ip-whitelist`. In this example, we will call the file `geyser.list`.

Add these lines to the file:

```
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
```

After you have saved the newly created file and restarted your server, the plugin is set up.

### Firewall Setup

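If you are using proxy protocol or want to improve the security of your backend, you should consider blocking all incoming connections using a firewall solution. For this example, `iptables` is used.

```bash
# Recreate the set of TCPShield source ranges.
# On the first run the flush/destroy report an error because the set does not exist yet.
ipset -F tcpshield
ipset -X tcpshield
ipset -N tcpshield nethash

# -f: fail on HTTP errors instead of feeding an error page into the set
for IP in $(curl -fsS https://tcpshield.com/v4/); do
    ipset -A tcpshield "$IP"
done

# Note: this flushes every existing rule in the raw table
iptables -t raw -F
# Accept Bedrock traffic (UDP 19132) from TCPShield only; drop all other sources
iptables -t raw -A PREROUTING -m set --match-set tcpshield src -p udp --dport 19132 -j ACCEPT
iptables -t raw -A PREROUTING -p udp --dport 19132 -j DROP
```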
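
A more defensive way to load the range list than the loop above, as an added example (not TCPShield's own script): it validates every downloaded line and fills a temporary set that is swapped in atomically, so a failed or malformed download never leaves the live set empty or overly broad. The set name `tcpshield-new`, the /8 minimum prefix length and the minimum-count argument are assumptions of this example.

```bash
# Print only well-formed IPv4 addresses / CIDR ranges read from stdin.
# Drops everything else (HTML error pages, blank lines) and, as an assumption
# of this example, any prefix shorter than /8 such as 0.0.0.0/0.
filter_cidrs() {
    awk '
    {
        sub(/\r$/, "")                         # tolerate CRLF line endings
        n = split($0, p, "/")
        if (n < 1 || n > 2) next
        if (p[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        split(p[1], o, ".")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
        if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 < 8 || p[2] + 0 > 32)) next
        print
    }'
}

# Turn a range list (stdin) into "ipset restore" input that fills the
# hypothetical temporary set "tcpshield-new" and swaps it into "tcpshield".
# $1 = minimum number of valid ranges required (default 1).
# Returns 1 and prints nothing when too few ranges survive validation.
build_restore() {
    min=${1:-1}
    ranges=$(filter_cidrs)
    count=$(printf '%s\n' "$ranges" | awk 'NF { c++ } END { print c + 0 }')
    [ "$count" -ge "$min" ] || return 1
    echo "create tcpshield hash:net -exist"      # hash:net is the current name of nethash
    echo "create tcpshield-new hash:net -exist"
    echo "flush tcpshield-new"
    printf '%s\n' "$ranges" | sed 's/^/add tcpshield-new /'
    echo "swap tcpshield-new tcpshield"          # atomic: the live set is never empty
    echo "destroy tcpshield-new"
}

# Usage (as root), keeping the iptables rules from the script above:
#   curl -fsS https://tcpshield.com/v4/ | build_restore 5 | ipset restore
```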

### Additional Setup

To prevent Geyser from rate limiting our IP addresses, which causes sudden disconnections or players being unable to log in, you should add this startup flag, which will disable Geyser's IP rate limit:

`-DGeyser.RakRateLimitingDisabled=false`
