 cruller
join:2008-05-07 South Bend, IN
| open port 443 / ScottradeElite problem
I have had a problem running ScottradeElite, a stock trading platform, since switching to AT&T Elite almost a year ago. The problem is that streaming stock quotes will occasionally stop / start for one or two seconds, up to 10 or even 30 seconds. I never had the problem for the two years I used Earthlink and switched to ATT only to increase my speed from 1500kbps to 6000kbps. Sometimes the missing data is never processed; other times it comes rushing through as a burst and catches up to real time.
Scottrade tech support says the problem is because port 443 is not open. I think I followed all of the instructions for the 2Wire 2701HG-B Gateway I was supplied but don't know of a proven way to test if the port is open.. any suggestions? I have tried making exceptions on the 2701 and I've also run it in DMZplus mode. Ideally, I'd like to turn the firewall totally off and rely on my PC firewall (currently the Microsoft Firewall, which I know is not the best). I have even run with the PC firewall off and the Microsoft Security Center saying I have no firewall - but still run into the problem and still cannot see a test where 443 is open so that I can prove it's a Scottrade issue.
After a few months of this, I had the house rewired for a "home run" so the DSL is run into my office, bypassing the rest of the phone outlets in the house. This seemed to fix the problem up until the middle of August. The problem has returned, and the only pattern I can see is that it seems to get worse if the volume of data increases. It is still an intermittent problem of a second or two every few minutes when the volume of data is reduced.
AT&T has tested my lines, coming to the house and in my office and it seems to be clean and all AT&T Elite bandwidth is available.
I have been running all these years on the same Dell PC, Pentium 4, 2.80GHz, 1.5GB of RAM, using XP. I am about a half mile from the CO. I don't seem to have an issue with any other application, including streaming video.
Basically, I'd like to be able to have a test that proves port 443 is open and/or have some help making sure the firewall in the 2Wire is not hosing up the data stream. Scottrade also suggests making an exception for the quote feed IP address .. would like to make sure I've got that correct.
Thanks. |
|
  d_l Barsoom Premium,MVM join:2002-12-08 Reno, NV
edit: September 26th, @10:06AM
| You could try the Gibson Research ShieldsUp test: »www.grc.com/default.htm Go to the site and then pick the ShieldsUp link (I can't provide a direct link to the test). Then enter 443 in the entry box and select the "User Specified Custom Port Probe" button.
You should then see the open, closed, or stealth status results for that port. |
|
 cruller
join:2008-05-07 South Bend, IN
| reply to cruller
I have tried:
yougetsignal (closed)
shieldsup (closed)
HQ42.net (open)
hackerwatch.org (not blocked)
auditmypc (closed)
the mixed results make me wonder which is working. Not being an expert, I'm not sure what to believe - have also been told (true or not) that having the 2Wire negates any of these tests? |
|
  Gus K
join:2003-08-22 Hammond, IN
| reply to cruller You have gone over this a number of times I assume:
»www.portforward.com/english/rout···ault.htm
Maybe this forum might be of help:
»2Wire
And in Windows firewall you have made an exception I assume. |
|
  Dennis Premium,Mod join:2001-01-26 Algonquin, IL
·AT&T Yahoo
| reply to cruller wait....TCP port 443 or UDP port 443...either way it doesn't matter. Port 443 is https, so if you can go to any https site (such as a bank or the CIA) then port 443 is 100% open.
On top of that AT&T does not block that port for obvious reasons, or throttle it, or in any way "mungle" the data. I think a traceroute to the Scottrade server in question would be more enlightening.
-- My Blog. Because I desperately need the acknowledgement of others.
Visit the Judd Family website to see my kids! |
|
 cruller
join:2008-05-07 South Bend, IN | reply to Gus K thanks for the info ... didn't know about the 2wire forum.. a quick glance didn't find anything I haven't tried yet but will keep looking. |
|
 cruller
join:2008-05-07 South Bend, IN
| reply to Dennis thanks for the info .. I had assumed that, too, about the 443 working for other secure sites. In addition, found this (text below) at Microsoft so I feel the port is open but am confused as to why the port scans seem to contradict that .. which leaves me at Scottrade's mercy. Will follow up on the trace idea.
=== from Microsoft:
For Windows Product Activation to succeed, configure firewalls or other devices that are between the client and the Internet to allow traffic to pass over ports 80, and 443.
You can use Microsoft Internet Explorer or other Internet browsers to test connectivity through these ports.
To test whether port 80 is open:
1. Open Internet Explorer.
2. Type »www.microsoft.com:80 in the Address bar, and then press ENTER.
To test whether port 443 is open:
1. Open Internet Explorer.
2. Type »https://www.microsoft.com:443 in the Address bar, and then press ENTER.
If you can access the Microsoft Web site each time, ports 80 and 443 are accessible.
If your browser displays an error message such as "connection timed out," the corresponding port may be blocked.
-------------------------------------------------------------------------------- |
|
  David Last man standing Premium,VIP join:2002-05-30 Granite City, IL clubs:
·magicjack.com
·AT&T Midwest
| Thank you cruller for posting that!
Another test you could do: pingplotter will allow you to ping certain ports as well. I use that for troubleshooting the "AT&T blocks this port" threads. |
|
  wayjac Premium join:2001-12-22 Indy
·AT&T Midwest
| reply to cruller
said by cruller:
Basically, I'd like to be able to have a test that proves port 443 is open and/or have some help making sure the firewall in the 2Wire is not hosing up the data stream.

Here's a link to a port scan web site: www.t1shopper.com/tools/
The 2wire listens to 443 but it does not block it. |
|
 cruller
join:2008-05-07 South Bend, IN | I tried to scan 443 using this site .. the result was:
76.242.51.47 isn't responding on port 443 (https)
can you interpret?
my 2wire is now set to DMZplus .. all applications allowed. |
|
  wayjac Premium join:2001-12-22 Indy
·AT&T Midwest
| Here's a scan result of port 443 from the site I linked and grc. Both scans were done from a computer behind a 2701HG-B; the DMZplus is not used.


|
|
 cruller
join:2008-05-07 South Bend, IN
| thanks for taking the time to show me your results .. here's what I got..
in DMZplus mode:
GRC - shows as stealth
t1shopper - isn't responding

with exceptions for HTTPS and Scottrader.exe:
GRC - shows as stealth
t1shopper - isn't responding

with defaults set:
GRC - closed
t1shopper - isn't responding

on the advanced settings screen for the 2wire I do not have stealth mode enabled.. under the inbound and outbound control everything is checked to be allowed except for NetBIOS
I was once talking to a tech at Scottrade who directed me to the GRC site and when I told him it said 443 was closed but I was still streaming quotes, he said that's weird. |
|
  wayjac Premium join:2001-12-22 Indy
·AT&T Midwest
| reply to cruller Have you looked at the 2wire mdc event log? It may show the port scans you did.... they may not show up when using DMZplus
Here's the event log messages generated by the two port scans I posted:
fw,fwmon: src=208.64.252.230 dst=99.10.109. ipprot=6 sport=40888 dport=443 Local Session, Packet Passed
fw,fwmon: src=4.79.142.206 dst=99.10.109. ipprot=6 sport=60309 dport=443 Local Session, Packet Passed |
|
 cruller
join:2008-05-07 South Bend, IN | not sure where to find that log.. |
|
  wayjac Premium join:2001-12-22 Indy | Here's the link: 192.168.1.254/xslt?PAGE=J17
Use the menu Edit "find on this page" command search for 443 |
|
 cruller
join:2008-05-07 South Bend, IN
| now I'm getting somewhere !!! I am going to have to rerun the tests to double check the results for each specific test.
Based on the time stamps right before my post, I ran 5 tests, one for each web site (I had posted one result before).. unfortunately, I have to be leaving in about 5 minutes for an appointment. I can at least see that one of the settings seems to be letting data thru 443.
I hate to stop now but .. thanks for getting me this far.. may not be able to post again until Sunday due to weekend plans (daughter arriving from overseas).. thanks for all your help so far. If you have any comments on the log below - they'd be greatly appreciated.
INF 2008-09-26T14:51:30-04:00 fw,fwmon: src=4.79.142.206 dst=0.0.0.0 ipprot=6 sport=61748 dport=443 Session Matches User Pinhole, Packet Passed
INF 2008-09-26T14:53:14-04:00 fw,fwmon: src=208.64.252.230 dst=0.0.0.0 ipprot=6 sport=41499 dport=443 Session Matches User Pinhole, Packet Passed
INF 2008-09-26T14:55:28-04:00 fw,fwmon: src=208.64.252.230 dst=76.242.xx.xx ipprot=6 sport=41606 dport=443 Unknown inbound session stopped
INF 2008-09-26T14:56:02-04:00 fw,fwmon: src=4.79.142.206 dst=76.242.xx.xx ipprot=6 sport=62150 dport=443 Unknown inbound session stopped
INF 2008-09-26T14:59:11-04:00 fw,fwmon: src=4.79.142.206 dst=76.242.xx.xx ipprot=6 sport=62418 dport=443 Unknown inbound session stopped |
|
  wayjac Premium join:2001-12-22 Indy
·AT&T Midwest
| The 4.79.142.206 is the GRC ip address.
The 208.64.252.230 is the T1 port scan ip address.
The Session Matches User Pinhole means you made a rule for this port.
The Unknown inbound session stopped means it was dropped.
The thing is you don't need to make a rule for port 443; it will passthru because the session was started from your browser. |
|
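Added example (not part of any post in this thread and not 2Wire's own tooling): a small parser for the `fw,fwmon` event-log lines quoted above that groups probes to one port by source and outcome, using the thread's reading that "Packet Passed" means passed and "stopped" means dropped. The function names `parse` and `summarize` and the `SCANNERS` table are assumptions made for illustration; the sample lines are the ones posted in the thread.

```python
import re
from collections import Counter

# Log lines copied from the posts above; dst values are redacted/truncated there.
SAMPLE_LOG = """\
INF 2008-09-26T14:51:30-04:00 fw,fwmon: src=4.79.142.206 dst=0.0.0.0 ipprot=6 sport=61748 dport=443 Session Matches User Pinhole, Packet Passed
INF 2008-09-26T14:53:14-04:00 fw,fwmon: src=208.64.252.230 dst=0.0.0.0 ipprot=6 sport=41499 dport=443 Session Matches User Pinhole, Packet Passed
INF 2008-09-26T14:55:28-04:00 fw,fwmon: src=208.64.252.230 dst=76.242.xx.xx ipprot=6 sport=41606 dport=443 Unknown inbound session stopped
INF 2008-09-26T14:56:02-04:00 fw,fwmon: src=4.79.142.206 dst=76.242.xx.xx ipprot=6 sport=62150 dport=443 Unknown inbound session stopped
INF 2008-09-26T14:59:11-04:00 fw,fwmon: src=4.79.142.206 dst=76.242.xx.xx ipprot=6 sport=62418 dport=443 Unknown inbound session stopped |
fw,fwmon: src=208.64.252.230 dst=99.10.109. ipprot=6 sport=40888 dport=443 Local Session, Packet Passed
fw,fwmon: src=4.79.142.206 dst=99.10.109. ipprot=6 sport=60309 dport=443 Local Session, Packet Passed
"""

# The "INF <timestamp>" prefix is optional: some posts quote lines without it.
LINE_RE = re.compile(
    r"^(?:(?P<level>[A-Z]+)\s+(?P<ts>\S+)\s+)?fw,fwmon:\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+ipprot=(?P<ipprot>\d+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+(?P<reason>.+?)\s*$"
)

# Scanner source addresses as identified in the thread.
SCANNERS = {"4.79.142.206": "GRC", "208.64.252.230": "T1 port scan"}

def verdict(reason):
    """Map the router's reason text to an outcome, per the thread's reading."""
    if reason.endswith("Packet Passed"):
        return "passed"
    if "stopped" in reason:
        return "dropped"
    return "unknown"

def parse(log_text):
    """Return one dict per fw,fwmon line; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        # Tolerate the trailing "|" left by forum copy/paste.
        m = LINE_RE.match(line.strip().rstrip("|").strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            e["verdict"] = verdict(e["reason"])
            e["scanner"] = SCANNERS.get(e["src"], "unidentified")
            events.append(e)
    return events

def summarize(events, dport=443):
    """Count probes to one destination port by (scanner, reason, verdict)."""
    return Counter((e["scanner"], e["reason"], e["verdict"])
                   for e in events if e["dport"] == dport)
```

Running `summarize(parse(SAMPLE_LOG))` shows the same two scanners getting different outcomes depending on the router setting in effect at the time, which is why the scan sites disagreed.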
  Gus K
join:2003-08-22 Hammond, IN
| reply to cruller
said by cruller:
thanks for the info...
=== from Microsoft:
For Windows Product Activation to succeed, configure firewalls or other devices that are between the client and the Internet to allow traffic to pass over ports 80, and 443.
You can use Microsoft Internet Explorer or other Internet browsers to test connectivity through these ports.
To test whether port 80 is open:
1. Open Internet Explorer.
2. Type »www.microsoft.com:80 in the Address bar, and then press ENTER.
To test whether port 443 is open:
1. Open Internet Explorer.
2. Type »https://www.microsoft.com:443 in the Address bar, and then press ENTER.
If you can access the Microsoft Web site each time, ports 80 and 443 are accessible.
If your browser displays an error message such as "connection timed out," the corresponding port may be blocked.
--------------------------------------------------------------------------------

Well I went to both MS sites and the CIA and they loaded normally. While there I went to Shield's Up and tested both ports 80 and 443.
80 Stealth http World Wide Web HTTP
443 Stealth https http protocol over TLS/SSL |
|
  rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs:
Host: Linksys AT&T Midwest
| reply to cruller So, Scottrade is attempting to initiate a connection inbound to your PC on port 443? If so, you would need to have a firewall rule that allows the Scottrade network inbound to your workstation on port 443. If you are NATing your IP address through your router, you will have to make sure you configure a static NAT rule inbound for port 443 to map it to port 443 on your workstation. |
|
  Dennis Premium,Mod join:2001-01-26 Algonquin, IL
·AT&T Yahoo
| said by rolande:
So, Scottrade is attempting to initiate a connection inbound to your PC on port 443? If so, you would need to have a firewall rule that allows the Scottrade network inbound to your workstation on port 443. If you are NATing your IP address through your router, you will have to make sure you configure a static NAT rule inbound for port 443 to map it to port 443 on your workstation.

But if that's the case then wouldn't DMZ have worked? |
|