KWF 5.1.9 & Microsoft Asheron's Call
  •  
AnthonyB

I'm having no luck whatsoever getting the game Microsoft Asheron's Call working through KWF 5.1.9 running on my Win2K SP4 machine.

Following are the official settings from MS on getting it to work through a FW:
Quote:

Initial UDP Outbound AC IP: 12.129.18.* Port: 9000
Subsequent UDP Outbound AC IP: 12.129.18.* Ports: 9004, 9008, 9012
Subsequent UDP Inbound AC IP: 12.129.18.* Ports: 9000, 9001, 9004, 9005, 9008, 9009, 9012, 9013

If you use 9004 as your games setting there are some subtle changes:

Initial UDP Outbound AC IP: 12.129.18.* Port: 9004
Subsequent UDP Outbound AC IP: 12.129.18.* Ports: 9000, 9008, 9012
Subsequent UDP Inbound AC IP: 12.129.18.* Ports: 9000, 9001, 9004, 9005, 9008, 9009, 9012, 9013


I have a small internal network that I am NATing out of. All my internal IPs are 192.168.*.* while the external interface of my KWF PC is picking up a DHCP address from my ISP. All other services (eg. WWW, FTP, email, MS IM, etc) are working fine from all machines.

I have created 2 services to try and get this working:
Service: AC
Protocol: UDP
Source: 9000-9013
Dest: 9000-9013

Service: AC UDP49000+
Protocol: UDP
Source: any
Dest: Greater than 49000

Even though MS don't mention creating the high UDP port rule for 49000+ I have seen traffic originating from the game servers on port 9000 coming back to the client on the high port numbers.

I have created 2 policies:
Policy: AC Outbound
Source: internal NIC
Destination: external NIC
Service: AC and AC UDP49000+
Action: Permit
Log: Packets & Connection
Translation: NAT (default outgoing)

Policy: AC Inbound
Source: external NIC
Destination: internal NIC (also tried Firewall host)
Service: AC and AC UDP49000+
Action: Permit
Log: Packets & Connection
Translation: MAP 192.168.0.40 (I'm only mapping to try and get a single machine up and running. Ultimately I need multiple machines)

The only "odd" things I'm seeing in the filter log are the occasional entry like this:

DROP unknown ICMP packet from internal NIC, proto:1, len:30, ip:192.168.0.40 -> 12.129.18.211, plen:10

In an attempt to rule out any weird ports I didn't have covered I created a full blown set of "everything open" rules as follows:

Policy: OPEN OUT
Source: internal NIC
Destination: external NIC
Service: Any
Action: Permit
Log: Packets & Connection
Translation: NAT (default outgoing)

Policy: OPEN IN
Source: external NIC
Destination: internal NIC
Service: Any
Action: Permit
Log: Packets & Connection
Translation: none

Even with the above rules at the top of my policies list I could not get the game to work.

I decided to do a packet capture using Ethereal (http://www.ethereal.com) which was when I started to find "odd" stuff. In particular there were regularly large bunches of UDP packets with a 0 byte header length, on the ports the game is using (9000/UDP) passing in both directions between the client and game server.

Thinking that maybe KWF was messing something up I ran the game up on the machine running KWF, and therefore with direct access to the external NIC (this worked by the way), and did another packet capture - the exact same packets.

The only conclusion I can draw at this stage is that possibly the Asheron's Call client is maybe encrypting some of the packets and that KWF is not able to correctly route them? I've also just found out from a colleague that Netgear have confirmed the exact same problem in the WGR614v2, WGR614v3, and WGR614v4 wireless routers as a firmware bug and will be releasing a fix in the next 2 weeks.

[Updated on: Sun, 22 February 2004 08:55]

  •  
AnthonyB

Wow. The lack of response for what may be a bug in the product is deafening... :(
  •  
Jeff Wadlow (Kerio)

Try these two rules:

Policy: AC Outbound
Source: internal NIC
Destination: external NIC
Service: UDP:9000-9013
Action: Permit
Log: Packets & Connection
Translation: NAT (default outgoing)

Policy: AC Inbound
Source: external NIC
Destination: Firewall host
Service: UDP:9000-9013
Action: Permit
Log: Packets & Connection
Translation: MAP 192.168.0.40
  •  
AnthonyB

As mentioned in my original post, already tried that.
Quote:

Policy: AC Inbound
Source: external NIC
Destination: internal NIC (also tried Firewall host)



exact same symptom.
  •  
Mahmoud

Not all games can be played by more than one player behind a router. Some will only allow one at the same time to play online.

Quote:

Policy: OPEN IN
Source: external NIC
Destination: internal NIC
Service: Any
Action: Permit
Log: Packets & Connection
Translation: NAT (default outgoing)



This rule allows Everything but does not Forward/Map them to the computer you want to play the game on. You are Translating the Source which is not required if you already have a default gateway set on the computers.

You can read these (they include more information about the configurations for this game). More ports are required.

http://www.kerio.com/dwn/wrl/wrl42en.pdf
http://www.deerfield.com/support/winroute-pro/kb/?a=2624
  •  
AnthonyB

Quote:

Not all games can be played by more than one player behind a router. Some will only allow one at the same time to play online.


Yep, I appreciate that, although with my old Netgear MR314 hardware cable router I was able to have as many as 3 players logged in simultaneously. In this case however, I can't even get ONE SINGLE PC logged in! Thus, my comment that this may be a bug in KWF.

Quote:

Quote:

Policy: OPEN IN
Source: external NIC
Destination: internal NIC
Service: Any
Action: Permit
Log: Packets & Connection
Translation: NAT (default outgoing)

This rule allows Everything but does not Forward/Map them to the computer you want to play the game on. You are Translating the Source which is not required if you already have a default gateway set on the computers.



Sorry, that was a copy & paste typo on my behalf which I've now edited in my original post. There is no NATing in my OPEN IN policy described above.

I am familiar with most of the ports listed in those 2 links you provided.

6667/TCP and 28800-29000/TCP are Microsoft Zone ports which I also have open (listed in MS KB article 159031) while 9000-9013/UDP are specifically for Asheron's Call (listed in MS KB article 236430). 2300-2400/TCP/UDP is for Microsoft DirectX (specifically DirectPlay as listed in MS KB article 240429) which is incorrectly identified in both those links you provided as Asheron's Call does not use Direct Play. This last statement is confirmed by running DxDiag, saving the information, then going to the section titled "DirectPlay Lobbyable Apps" under which I have none listed.

I'm still in a position where having everything open inbound and MAPPED to a PC (my OPEN IN and OPEN OUT policy example in original post) does not work which would indicate an issue with KWF rather than an error in my rulesets or traffic policy.

[Updated on: Sun, 22 February 2004 09:16]

  •  
AnthonyB

Well, given this issue has not been responded to by anyone from Kerio and it is still unresolved and I believe it to be a bug, I don't think I'll consider spending money on this product.

Yes, I know these are not vendor support forums but as a trial user you have to test the waters somehow before you spend the money to get email support. So far, I'm very unimpressed.
  •  
Pavel Dobry (Kerio)

AnthonyB wrote on Sat, 28 February 2004 11:49

Well, given this issue has not been responded to by anyone from Kerio and it is still unresolved and I believe it to be a bug, I don't think I'll consider spending money on this product.

Yes, I know these are not vendor support forums but as a trial user you have to test the waters somehow before you spend the money to get email support. So far, I'm very unimpressed.


Free email support is available also for trial users of Kerio Winroute Firewall product.

The traffic rules as described in your first post are wrong (even after you edited them).

Traffic rules should look like:
rule #1:
Policy: OPEN OUT
Source: internal NIC
Destination: external NIC
Service: Any
Action: Permit
Log: Packets & Connection
Translation: NAT (default outgoing interface)

rule #2:
Policy: OPEN IN
Source: external NIC
Destination: Firewall !!!
Service: AC
Action: Permit
Log: Packets & Connection
Translation: MAP (local computer IP) !!!

You must define a service named "AC" as: UDP, destination port range 9000-9013

Please read carefully KB article at http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q236/4/30.asp&NoWebContent=1.

Also make sure you have properly set your Asheron's Call game settings.
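
A simplified model of the point made in the replies above (added example, not code from the thread or from Kerio): an unsolicited packet from the game server is addressed to the firewall's external address, so a rule with Destination: internal NIC never matches it, while Destination: Firewall host with a MAP translation does. `FW_EXT`, the function names and the first-match evaluation are assumptions of this sketch, not Kerio's actual rule engine.

```python
import ipaddress

FW_EXT = ipaddress.ip_address("203.0.113.10")   # constructed external address
LAN = ipaddress.ip_network("192.168.0.0/16")    # internal range from the thread

# Rule text copied in the thread's notation (Log lines omitted).
OPEN_IN = """Policy: OPEN IN
Source: external NIC
Destination: internal NIC
Service: Any
Translation: none"""
AC_INBOUND = """Policy: AC Inbound
Source: external NIC
Destination: Firewall host
Service: UDP:9000-9013
Translation: MAP 192.168.0.40"""

def parse_rules(text):
    """Parse 'Key: value' lines; each 'Policy:' line starts a new rule."""
    rules = []
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "policy":
            rules.append({})
        if rules:
            rules[-1][key.strip().lower()] = value.strip()
    return rules

def service_matches(service, proto, dport):
    if service.lower() == "any":
        return True
    sproto, _, ports = service.partition(":")
    lo, _, hi = ports.partition("-")
    return sproto.lower() == proto and int(lo) <= dport <= int(hi or lo)

def dest_matches(dest, dst_ip):
    # Model assumption: "Firewall" is the firewall's own address, "internal NIC" the LAN hosts.
    return dst_ip == FW_EXT if dest.lower().startswith("firewall") else dst_ip in LAN

def evaluate(rules, proto, dst_ip, dport):
    """First matching inbound rule as (policy, delivered-to address), else (None, None)."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r["source"].lower().startswith("external")
                and dest_matches(r["destination"], dst)
                and service_matches(r["service"], proto, dport)):
            t = r["translation"].split()
            return r["policy"], t[1] if t[0].upper() == "MAP" else dst_ip
    return None, None
```

In this model the "everything open" inbound rule matches nothing that arrives from the Internet, and the narrow mapped rule is both the working one and the less exposed one, since it forwards only UDP 9000-9013 to a single host.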