Port mapping made more difficult in 6.0?

Ranzy

I can't seem to forward the Battlefield Vietnam ports to my pc with Winroute 6.0, and it used to be so easy with version 5.0. I'm thinking of downgrading, or does someone know what I'm doing wrong here? "Telenet" is the NIC connected to the internet, "Thuis" is the one connected to the LAN. My pc has 192.168.0.2 as IP address. Can someone please help me, I know it should be easy and it's probably something stupid I'm doing wrong, but isn't it always?
sidbarker

The destination should not be Thuis - as that would mean the rule would be looking for packets coming in from the outside world that had a destination IP of your internal network!

Set the destination to Firewall, and it should work

For packets coming in from the internet, the destination should only ever be a specific Internet IP address (where you have more than one internet IP address), or Firewall.
Ranzy

Alas, that didn't fix it... Thanks for the reply anyway!
sidbarker

If you turn "Log" on, do you see any packets being logged? If so, then it looks like the translation is at fault. Otherwise it sounds like the firewall isn't receiving the data from the internet (or the rule is wrong in some other way).
Ranzy

Yeah, it seems the rule is wrong in some freaky way, I just don't understand, how difficult can it be to map some ports!? I think I'm gonna uninstall Winroute and go for some other firewall/router software, because I wanna game dammit!
Ranzy

Am I still safe when I do this? Or are all my ports open to hackers then?
feite

The picture shows outgoing rules. Those are rules for traffic initiated from a pc in your network to the internet. These are not rules for traffic from the internet. An outgoing rule is needed when you want to browse, get your mail etc. Every outgoing rule needs to have NAT (default outgoing interface) selected except those for the firewall itself (the firewall is directly connected to the internet).

The possible danger in enabling all outgoing traffic is that a trojan horse, backdoor or spyware can access the internet without any problem.

Feite
feite

I also notice that your network adapters (NICs) do not have meaningful names (LAN-verbinding and LAN-verbinding 2). You can give the NICs more meaningful names like LAN and INTERNET. This way you do not have to think about which is which.

feite

I looked at your rule for BF Vietnam. This is an incoming rule. Traffic from the internet is allowed in and forwarded to a specific client in the LAN. The services are UDP.

The possible problem here is that KWF does not allow return traffic from your client to the internet. Try adding a second rule like this:

name: BF Vietnam
source: 192.169.0.2 (the ip address of the client)
dest: telenet
service: UDP 14567, 22000, 23000, 4755
translation: NAT (default outgoing interface)

Good luck with it.
Ranzy

Hey feite, thanks for the input man, I immediately closed the firewall back down and I tried adding the rule you gave, but still no gaming for this chap. And oh yeah, in the first rule I changed the destination to "firewall", and in the second rule I changed the source to that; before that I also tried "Telenet" for both, with (drumroll please) no success...

Ranzy is getting fed up with this...
Martyx

Right! I think I've got the answer!

Outgoing (NAT) connections, as can be seen from the Wizard-created 'NAT' rule, go from Thuis to Telenet with NAT Translation enabled.

First go to Definitions > Services... then Add

Name: BF Vietnam
Protocol: UDP
Protocol Inspector: (none)
Source Port: Any
Destination Port: List
List: 4755,14567,15567,22000,23000
Description: Battle Field Vietnam

Click OK

Then you will need to change your Traffic Policy rules to how I have put them in my screenshot. I have renamed my connections to match yours... hope this helps!

(You only need to change the BF Vietnam policies, the others are shown just as an example)

Attachment: bfvtp.JPG

[Updated on: Tue, 24 August 2004 16:21]

feite

Hello Ranzy,

Both rules are wrong. Try those supplied by Martyx. They are correct.

Keep your spirits up.
Ranzy

I have done exactly as Martyx said and still can't go online with BF Vietnam... Although it does seem like we're getting somewhere.

Edit/
I finally gave Wingate a try and that piece of software actually works! Even without the manual I mapped the BF Vietnam ports and I can finally battle it out over the net. I'd like to thank you guys for the input, but I probably won't install Winroute again, so I won't be able to try any further tips, sorry.

[Updated on: Fri, 27 August 2004 12:32]

roadrun777

I think it was a rule problem, looking at your provided snapshot I can see why it wasn't working.

Instead of making a rule of firewall -> internal machine, it should have actually been a rule for internet -> internal machine.

Sometimes it can be confusing which direction a packet is coming from and how winroute handles the address. In all the cases where I have had problems with packets not arriving at their intended target, I would enable logging of all dropped packets (connections and packets), try to make the connection and make sure I get the timeout errors, then immediately shut off logging. Go back to the log and examine it line by line until I spot the problem. Usually you can see what the problem is, and most of the time it's because of undocumented port usage for applications. An application will sometimes say it uses only certain ports, but when you examine the log you can clearly see it's using more than is documented.

You can also enable a rule to log all traffic from one private computer, and pick one outside server and add that IP as an exclusive logging rule. That way you only see traffic in your logs from that client and server. This helps minimize the tediousness of looking over all the dropped packets. The way I understood the documentation is that 'firewall' is the destination of all packets that have your internet-side IP as their final destination.
Which means any packet coming back to your PC which doesn't have an entry in the NAT table will be processed using your incoming generic 'firewall' rule, unless you make a specific rule that supersedes that last. I think where people have problems is the fact that in Kerio, if you don't specifically set a rule for it (or you don't know how to set a rule for it) Kerio will drop it without any kind of warning. Other products may work out of the box for you, but it is only because by default nothing is blocked, which is very dangerous. You should always start backwards with your rules, slowly opening up only what you need, instead of opening everything up and closing off what you think you don't need.
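The destination-object point made by sidbarker earlier in the thread and restated in the post above ('firewall' is the destination of packets addressed to your internet-side IP), shown as an added illustration that is not from the thread or from Kerio: a small Python model of first-match traffic-policy evaluation with default deny. The public address, the internet host and the simplified rule semantics are assumptions made for the example, not KWF's actual engine.

```python
from ipaddress import ip_address, ip_network

# Constructed topology taken from the thread: "Telenet" is the internet NIC, "Thuis" the LAN NIC.
PUBLIC_IP = "203.0.113.10"                        # placeholder address on Telenet (assumed)
LAN = ip_network("192.168.0.0/24")                # the Thuis side; the game PC is 192.168.0.2
BF_PORTS = {4755, 14567, 15567, 22000, 23000}     # UDP ports from Martyx's service definition


def dest_matches(dest, pkt):
    """Destination objects modelled here (simplified): 'Firewall' is the firewall's own
    public address, 'Thuis' is any host on the LAN network, 'Telenet' is any non-LAN address."""
    dst = ip_address(pkt["dst"])
    if dest == "Firewall":
        return dst == ip_address(PUBLIC_IP)
    if dest == "Thuis":
        return dst in LAN
    return dst not in LAN


def evaluate(rules, pkt):
    """Walk the ordered rules; the first match decides. Anything unmatched is dropped,
    which is the default-deny behaviour described in the thread."""
    for rule in rules:
        if (pkt["proto"] == rule["proto"]
                and pkt["dport"] in rule["ports"]
                and dest_matches(rule["dest"], pkt)):
            return rule["action"], rule.get("map_to")
    return "drop", None


def make_rule(dest):
    """BF Vietnam port-mapping rule, differing only in the destination object."""
    return {"proto": "udp", "ports": BF_PORTS, "dest": dest,
            "action": "permit", "map_to": "192.168.0.2"}


# Constructed inbound game packet: an internet host sends to the public address, not to a LAN IP,
# so a rule whose destination is the LAN interface never sees it.
INBOUND = {"src": "198.51.100.7", "dst": PUBLIC_IP, "proto": "udp", "dport": 14567}

if __name__ == "__main__":
    print("dest=Thuis    ->", evaluate([make_rule("Thuis")], INBOUND))     # ('drop', None)
    print("dest=Firewall ->", evaluate([make_rule("Firewall")], INBOUND))  # ('permit', '192.168.0.2')
```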