Topic: Anyone able to use M0n0wall to connect Wii thru it?
« on: October 15, 2007, 03:29:33 »
swlodin *
Posts: 4

I have a WRAP-based M0n0wall.  It has LAN, WAN, and the 3rd Ethernet interface (WLAN 192.168.100.1) is x-connected to my ancient Netgear WAP.  It works fine for my MacBook, and a couple of Toshiba laptops with internal wireless.  I am trying to get my Wii connected to the Internet through this combination.

Here is the WLAN interface firewall rule for the Wii.  Basically, allow any proto and port for any destination from the Wii (192.168.100.6).

 *      192.168.100.6      *      *      *      Anything from the Wii

and it is logged.

When I review the firewall logs, I see that the Wii makes a call to DNS and then connects on port 80 to a Nintendo IP address.

21:14:09.854844      WLAN      192.168.100.6, port 57695      209.67.106.140, port 80      TCP
21:14:09.846642     WLAN    192.168.100.6, port 55978    192.168.100.1, port 53    UDP

I haven't tried putting a sniffer on the connection to see what packets are really traveling.

In the meantime, I'm wondering if anyone has got a Wii to work through M0n0wall.  Options I've tried include allowing fragmented packets on the firewall rule.

Thanks,

Steve
« Reply #1 on: October 15, 2007, 11:09:47 »
markb ****
Posts: 331

What is the problem?
« Reply #2 on: October 15, 2007, 14:58:06 »
swlodin *
Posts: 4

The Wii cannot fully connect to the Internet using the Connection Test button.  It returns error code 52230.  This error code indicates a problem with the firewall.  In reading all the information around this error code, it appears that a "stateful firewall" is the problem.  All documentation to solve the problem says "disable the firewall".  Well, I don't know about those other gamers, but I'm not disabling my firewall.  Hence the reason to ask the question.

Thanks,

Steve
« Reply #3 on: October 15, 2007, 16:20:39 »
markb ****
Posts: 331

There seem to be some various problems associated with this error code.  I believe the problem to be with the Wii, not your monowall.  Some useful posts here
« Reply #4 on: October 15, 2007, 23:18:22 »
swlodin *
Posts: 4

Hi Mark,

Thanks for the pointer to that site.  That was actually one of the sites that I reviewed prior to posting here.

I am using an 802.11b only Netgear AP, the ME102 model.  I do have it on Channel 3 (some suggest 1 or 11), but I think that point is irrelevant because I can associate and send outbound packets from the Wii to the M0n0wall for DNS resolution and to the Nintendo address space (209.67.106.140).  Connection to that site using a normal web browser yields:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
   
<head>
      <title>HTML Page</title>
</head>

<body bgcolor="#FFFFFF">
This is test.html page
</body>
   
</html>

I am guessing by the proposed fix of "disable your firewall" that once they detect this port 80 request from the Wii that they try to send inbound packets on non-established connections and (hence the stateful aspect) that these are blocked.  (Hmmm...  I will try full logging temporarily to see if this is the case.)

Steve
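
The check described in the post above (do any inbound packets arrive that match no connection the Wii opened?) can be run over a firewall log export. This is an added example, not part of the original thread; it assumes every entry has the layout of the two log lines quoted earlier and shows the Wii's own address (before any NAT rewrite), and the function names are hypothetical.

```python
import re

# Field layout follows the two log lines quoted in the thread:
# time, interface, "ip, port N" source, "ip, port N" destination, protocol.
LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+([\d.]+), port (\d+)\s+"
    r"([\d.]+), port (\d+)\s+(\S+)\s*$"
)

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None  # not a log entry in the expected layout
    t, iface, src, sport, dst, dport, proto = m.groups()
    return {"time": t, "iface": iface, "proto": proto,
            "src": (src, int(sport)), "dst": (dst, int(dport))}

def classify(lines, host):
    """Label each entry outbound, reply or unsolicited relative to host."""
    # The log viewer lists newest first; fixed-width times sort lexically.
    entries = sorted(filter(None, map(parse, lines)), key=lambda e: e["time"])
    seen = set()  # (proto, local endpoint, remote endpoint) opened by host
    out = []
    for e in entries:
        if e["src"][0] == host:
            seen.add((e["proto"], e["src"], e["dst"]))
            label = "outbound"
        elif e["dst"][0] == host:
            flow = (e["proto"], e["dst"], e["src"])
            label = "reply" if flow in seen else "unsolicited"
        else:
            label = "other"
        out.append((label, e))
    return out

# First two lines are from the thread; the last three are constructed.
SAMPLE = """\
21:14:09.854844      WLAN      192.168.100.6, port 57695      209.67.106.140, port 80      TCP
21:14:09.846642     WLAN    192.168.100.6, port 55978    192.168.100.1, port 53    UDP
21:14:09.851200     WLAN    192.168.100.1, port 53    192.168.100.6, port 55978    UDP
21:14:10.120000     WAN     198.51.100.7, port 80    192.168.100.6, port 57695    TCP
21:14:10.300000     WAN     209.67.106.140, port 80    192.168.100.6, port 57695    TCP
""".splitlines()

if __name__ == "__main__":
    for label, e in classify(SAMPLE, "192.168.100.6"):
        print(f'{e["time"]} {label:11} {e["proto"]} {e["src"]} -> {e["dst"]}')
```

Entries labelled "unsolicited" are the ones a stateful rule set would drop, so they are the lines to look for when full logging is switched on.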
« Reply #5 on: October 16, 2007, 10:09:08 »
markb ****
Posts: 331

Sounds sensible.  I must admit to thinking along the same lines.  The fact that you can see the request coming from the Wii would indicate that it is talking to the network.  Unfortunately, from the posts I saw, Nintendo would appear to be fairly unhelpful.  Good luck.  Let us know what you find.
« Reply #6 on: October 22, 2007, 00:33:57 »
TBaker *
Posts: 4

Hi Steve,

Just to let you know, I didn't have to do anything to m0n0wall to get my Wii to work with it.  I'm using a Linksys Wireless G router for my WAP.  I set up the encryption in my connection settings, have it use DHCP for an address and it goes.  I have a reservation for my Wii, based on the MAC address.  I don't really think it will make a difference, but you might want to try that if you already haven't.

Trevor
« Reply #7 on: October 22, 2007, 01:41:10 »
swlodin *
Posts: 4

Thanks for the followup.  I wouldn't think I needed to do anything special, but I'm trying to cover all the bases.  I had another buddy on the Zog Security mailing list do a packet capture of the connection test and I'll try to compare that with mine.

Steve
 