Topic: New to m0n0 - Does it use port _triggering_?  (Read 4222 times)
« on: November 15, 2009, 09:49:22 »
fr0y0 *
Posts: 3

Heyup!

I've had m0n0 up and running for just over a month now and I'm quite impressed. But right now I'm at a point where I'm a bit confused...

As an example I'll use my bittorrent port:

Whenever I try to check if a rule I just set really works (using this http://www.utorrent.com/testport?port= ), the site says the port is still closed. As for my torrent port. But when I start utorrent with the little green symbol at the bottom appearing to indicate an open connection and then go back to that port checking site, the port is open. So, do I get this right? Does m0n0 use triggering? Or did I get the whole idea of triggering wrong in the first place?

Well, at least for my torrent port it's working great. The thing is though, I tried opening a port for Modern Warfare 2 to allow the hosting of private games/parties and it just won't be opened. At first I thought it's the same deal as with utorrent: game is closed, so is the port. Game is running, port is open... but it seems like it's not that simple. According to the port-checking site and the game itself (obviously) the port is closed no matter what I do. Rebooting m0n0 didn't help either (just as I thought). I created the rule the same way I did for my utorrent. They basically look the same except for the port number. Switching protocols from UDP to TCP to TCP/UDP and so on didn't have an effect either. Oh, and the Windows firewall is turned off, too.

I've seen people on here posting their NAT/fw settings in a small table. If you need that to help out, tell me where to get it. In fact, if you need any info, I'll be happy to provide.


Thanks in advance!
« Reply #1 on: November 15, 2009, 14:16:31 »
Fred Grayson *****
Posts: 994

m0n0wall does not use port triggering. I have the same experience as you with that port checking web page and Bittorrent - which is essentially the same program as utorrent. I can't explain it though.

You can take partial screen captures of the relevant pages of your configuration or download, sanitize, and possibly abbreviate your configuration file.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: November 15, 2009, 20:12:23 »
knightmb ****
Posts: 341

I've seen a lot of posts here about opening up ports. I've used bittorrent and a ton of games with m0n0wall for many years without any issues.

The trick really is to make sure that whatever port you NAT is actually pointed to the proper internal IP on the LAN. The only way to do this is to assign an IP via DHCP to whatever machine is using the application or game. If you are unsure if the app uses TCP or UDP, well just enable both.

Provided that m0n0wall is only using one external WAN (gets a bit more tricky with a multi-WAN setup). Also, you need to make sure your ISP isn't doing anything weird to the ports. BitTorrent especially, since some ISPs will block it outright.

The port checker at Utorrent.com only works for TCP; there really isn't a good way to check for an open UDP port because that depends on the application to respond and not the OS. Also, for TCP checking you need an application listening on the other end as well. That again falls on the application to be nice when answering a port ping.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #3 on: November 15, 2009, 20:57:07 »
fr0y0 *
Posts: 3

Thanks for your answers.


Well, as I said, even if the behaviour is weird, the torrent port is indeed working. I think the port for Tunngle (if that rings any bells) is working as well. Can't check at the moment though.

DHCP is set up, too. We even use the Alias feature in our network (which btw looks like this: Cable modem -> m0n0 -> 100mbit switch -> everything else. No further hubs, switches, splitters and the like). I put my PC's LAN-IP in the NAT and the port rules, just to be sure. But still closed. Have it set to UDP/TCP now, makes most sense, like you said.

On the game's support pages they tell you to enable UPnP, which firstly I understand is a dead-end in m0n0 and secondly helped nothing for a friend of mine, regarding the game.

I'm pretty stumped as there's nothing much left to do. Plus the weirdness of one port working but not the other.
« Reply #4 on: November 16, 2009, 08:16:54 »
knightmb ****
Posts: 341

Quote
Thanks for your answers.

Well, as I said, even if the behaviour is weird, the torrent port is indeed working. I think the port for Tunngle (if that rings any bells) is working as well. Can't check at the moment though.
Add firewall logging to those ports that are misbehaving and you'll get more detail to what is going on when you check the firewall logs. That way you can see if something is being blocked or dropped for some odd reason.

Quote
DHCP is set up, too. We even use the Alias feature in our network (which btw looks like this: Cable modem -> m0n0 -> 100mbit switch -> everything else. No further hubs, switches, splitters and the like). I put my PC's LAN-IP in the NAT and the port rules, just to be sure. But still closed. Have it set to UDP/TCP now, makes most sense, like you said.

On the game's support pages they tell you to enable UPnP, which firstly I understand is a dead-end in m0n0 and secondly helped nothing for a friend of mine, regarding the game.

I'm pretty stumped as there's nothing much left to do. Plus the weirdness of one port working but not the other.

Yeah, there has been a lot of talk over the years about adding UPnP to m0n0wall. It gets a lot of resistance due to the open nature of how UPnP works. Mainly, UPnP is just an automatic NAT rule generator, for lack of better terms. For the average non-technical home user, that works great because they don't need/use firewall rules and inbound port mapping on a daily basis. For a network administrator it can be a security nightmare. Mainly, any application can request any inbound port. So if a computer gets infected with a virus (*cough windows/mac *cough*) then it can easily turn into a server for spam/virus/web hosting/etc. without the user ever knowing.

Technically there is nothing UPnP can do that you can't already do manually with NAT rules. So when game/application problems appear, the first thing I have to do usually is port research to find out *every* single port the game uses. If I have to, I'll load the game up and then drop to the command prompt to list every port the game is using. I don't know how many times I've read technical specs on a game/app that list all the ports the game needs, only to find out it uses 2 or 3 other ports not listed for some reason.

You mentioned Tunngle, which on the tech page listed port 11155 UDP on the inbound and that's it. Then further down on the same page it lists disabling SPI on the firewall. Why? I have no idea, but I can say that m0n0wall is basically *always* on with SPI even if you don't see any option for it anywhere.

My guess is that you would have to disable port mapping and setup some custom NAT outbound rules to make this work 100%. Some very hairy guess n' test settings might get this to work for this application, though might break a lot of other applications that you want to use.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #5 on: November 18, 2009, 19:59:31 »
fr0y0 *
Posts: 3

I took a closer look at logging now.

In the rule for the port in question, I checked the box to enable packet logging for this rule. However I can't find a "special" log section for it. I understand that the Firewall log will display the information anyway, correct?

So, if I do a port check (with either the utorrent page or canyouseeme.org) and refresh the log, I indeed see incoming requests from the pages to my address and port, with that green little arrow to indicate the packet has been accepted. Although both pages see the port as closed.

Then I found the "Show raw filter logs" setting and turned it on. But I can't make much of what's being displayed:

utorrent page:
19:57:32.870719 rl0 @200:7 p 204.152.200.186,52072 -> 192.168.200.87,28960 PR tcp len 20 60 -S K-S IN NAT

canyouseeme.org:
19:57:36.135611 rl0 @200:7 p 204.16.252.112,40102 -> 192.168.200.87,28960 PR tcp len 20 60 -S K-S IN NAT

Same difference, obviously.

Any further help? Thanks!
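Reading the raw lines in the post (and the per-rule logging knightmb suggested in Reply #4) is easier with a small parser for the ipmon-style format m0n0wall prints. This is an added example, not code from the thread or from m0n0wall: the first two sample lines mirror the ones above, the third is a constructed blocked UDP packet for contrast, and the field meanings (p = pass, b = block, -S = SYN, K-S = state kept, NAT = address rewritten) follow ipfilter's ipmon conventions. A "pass ... -S ... IN NAT" entry means the firewall accepted and forwarded the SYN, so a checker still reporting "closed" points at the host behind the rule rather than at the rule itself.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the raw ipfilter (ipmon) format shown under "Show raw filter logs".
# Lines 1-2 mirror the post; line 3 is a made-up blocked UDP packet with documentation addresses.
SAMPLE_LOG = """\
19:57:32.870719 rl0 @200:7 p 204.152.200.186,52072 -> 192.168.200.87,28960 PR tcp len 20 60 -S K-S IN NAT
19:57:36.135611 rl0 @200:7 p 204.16.252.112,40102 -> 192.168.200.87,28960 PR tcp len 20 60 -S K-S IN NAT
19:58:01.000000 rl0 @0:13 b 198.51.100.9,44321 -> 203.0.113.5,28960 PR udp len 20 48 IN
"""

# ipmon field order: time iface @group:rule action src,port -> dst,port PR proto len hdr total [flags] [K-S] IN|OUT [NAT]
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)
ACTIONS = {"p": "pass", "b": "block"}   # ipmon single-letter verdict codes handled here

@dataclass
class FilterEvent:
    time: str
    iface: str
    rule: str          # "group:rule" as printed by ipmon
    action: str        # "pass" or "block"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool          # "-S" in the TCP flags field: a fresh connection attempt
    keep_state: bool   # "K-S": the matching rule created a state entry
    direction: str     # "IN" or "OUT"
    natted: bool       # "NAT": the packet was rewritten by a NAT (port forward) rule

def parse_line(line: str) -> Optional[FilterEvent]:
    """Parse one raw filter log line; return None for lines that are not packet records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].split()
    return FilterEvent(
        time=m["time"], iface=m["iface"], rule=f"{m['group']}:{m['rule']}",
        action=ACTIONS.get(m["action"], m["action"]),
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"].lower(), syn="-S" in rest, keep_state="K-S" in rest,
        direction="OUT" if "OUT" in rest else "IN", natted="NAT" in rest,
    )

def port_verdicts(log_text: str, dport: int) -> dict:
    """Count pass/block verdicts and distinct sources for packets aimed at one destination port."""
    counts = {"pass": 0, "block": 0, "sources": set()}
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev.dport == dport:
            counts[ev.action] = counts.get(ev.action, 0) + 1
            counts["sources"].add(ev.src)
    return counts
```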