  TKN8931
@com.mx
Problem with firewall and remote access through a 2701HG-T
I've recently installed XAMPP, a web server. I forwarded all the necessary ports, 80 for Apache, 21 for FileZilla, etc., and everything went pretty well.
The problem came when, after some testing, I noticed that when accessing the server from inside the local network, there is no problem doing it. And when accessing it from the outside, using the public IP, it works, but tends to time out a lot.
After investigating the problem, and discarding the whole load of possible culprits, I ended up at the router's firewall.
When the firewall is active and with only the necessary ports forwarded, it tends to cause the timeouts. But when I enable DMZPlus for the PC that hosts the server, it works without any problem.
I know many would say "leave it in DMZPlus and the problem's over", but I would not like to do that, as it isolates that PC from the local network, besides making it hugely unsafe. Would there be any way to use the firewall normally, with only the necessary ports forwarded, without the problem of the timeouts?
Thanks in advance.
|
  wayjac Premium,MVM join:2001-12-22 Indy
·AT&T Midwest
said by TKN8931:
When the firewall is active and with only the necessary ports forwarded, it tends to cause the time outs. But when I enable DMZPlus for the PC that hosts the server, it works without any problem.
The forwarded ports are still valid and working when you enable DMZPlus mode; DMZPlus won't affect any forwarded ports.
You should delete the forwarded ports, then enable DMZPlus mode for testing.
|
 TKN8931
join:2009-10-30
TKN here.
Sorry if the problem wasn't understood well, it was most likely my fault.
I've tested it as you said, and still the same:
Working normally with only the necessary ports forwarded for the hosting PC. Connects well but tends to timeout a lot.
Working with DMZ+ on the hosting PC. Connects perfectly with no timeouts.
I wanted to know if it was possible to get rid of the timeouts without resorting to the use of DMZ+.
Thanks.
|
  wayjac Premium,MVM join:2001-12-22 Indy
·AT&T Midwest
No problem, I never know what's being done unless I ask. You're using a 2701HG-T and I think it's a lot different from a 2701HG-B.
With that said, putting the 2wire in bridge mode disables the firewall.
Can you give more details about what's going on? Are you sure the connection is up? Is the firewall dropping the traffic?
|
 TKN8931
join:2009-10-30
Well, to answer each of the questions:
I've noticed that when accessing from inside the network, I mean, from another local PC, the connection to the webserver presents no problems. However, when accessing from outside, using the public IP, DMZ+ has to be enabled for the hosting PC to serve a stable connection, as when DMZ+ is off, and the firewall is working normally with only the necessary ports forwarded, it tends to "forget I forwarded those ports" at times, and the connection gets refused/timed out.
Every time I test, I check that the connection is up and running. Also, the internet connection hasn't had any issues in the last months, so it would be very rare for something to happen.
Regarding the firewall, now that you mention it, it may be dropping the traffic the times it "forgets the forwarded ports".
Would there be a fix for this?
Thanks a lot for your time, and sorry for bothering you so much.
|
 TKN8931
join:2009-10-30
Bump.
Does anyone else have an idea about how this could get solved?
Thanks.
|
wayjac Premium,MVM join:2001-12-22 Indy
Can you access the "event log"? It would show what the firewall is doing with that traffic.
Add the text below to the 2wire IP address:
xslt?PAGE=J17
It's the URL for the event log.
|
 TKN8931
join:2009-10-30
Strange...
The event log reports the connection as "Packet Passed", even if it gets timed out.
And just to make it easier and faster, no, it can't be a problem in the server's software, as I've confirmed that when the firewall is in DMZ+ mode for the server, there are no timeouts.
What could it be...?
|
  wayjac Premium,MVM join:2001-12-22 Indy
·AT&T Midwest
You call it strange... if the firewall is allowing the traffic, the problem is elsewhere in my view.
If you're convinced the problem is the firewall... then the problem is the firewall.
I see your options as: install a software firewall on the server and use DMZPlus; bridge the 2wire; get another modem.
|
 muiredised ESSE QUAM VIDERI
join:2007-06-11 Tacoma, WA
Which service is timing out? Just Apache or other services as well? Are pings intermittent as well? This is key for troubleshooting whether this is an actual connection issue or a service issue. What do your service logs look like, anything unusual?
Do you have a firewall running on the XAMPP server at all? If so, do the logs indicate any traffic when experiencing the timeouts?
What is the OS of the server?
How are you testing from the outside? Are you truly initiating the request from outside your LAN or are you inside your LAN using the public IP address?
Is this XAMPP server connected directly to one of the 2wire switch ports with an ethernet cable or is there something in between?
When you forward only the necessary ports are you able to get connectivity at all (sounds like you can intermittently)? If so, I would not focus on the 2wire as the issue because it is rare for the firewall port forwarding to fail only intermittently. It would typically be it works or it doesn't.
If it does turn out to be caused by the 2wire firewall I agree that it is strange. Would be a first for me. -- Assiduus usus uni rei deditus et ingenium et artem saepe vincit
|
 TKN8931
join:2009-10-30
said by muiredised:
Which service is timing out? Just Apache or other services as well? Are pings intermittent as well? This is key for troubleshooting whether this is an actual connection issue or a service issue. What do your service logs look like, anything unusual?
Well, I got convinced it was the firewall, because all of the services from the hosting PC time out intermittently. It is a game server, a webserver, and an FTP server, and all of them tend to time out when the firewall is working normally (not in DMZ+ mode). I've made ping requests via the public IP and I've never seen timeouts, though. The service logs don't seem to have anything out of the normal.
said by muiredised:
Do you have a firewall running on the XAMPP server at all? If so, do the logs indicate any traffic when experiencing the timeouts?
The only firewall on the hosting PC is Windows Firewall. I've discarded it as a culprit already, by disabling it and still getting timeouts.
said by muiredised:
What is the OS of the server?
Windows 7 Ultimate x86
said by muiredised:
How are you testing from the outside? Are you truly initiating the request from outside your LAN or are you inside your LAN using the public IP address?
I'm testing from inside my LAN, using the public IP. I came to think it worked the same as accessing via the local IP or the name of the PC, where I experience no problems. EDIT: I've tested from the true outside using several web proxies and I have had no timeouts. Could it be possible the problem is only from inside the LAN using the public IP?
said by muiredised:
Is this XAMPP server connected directly to one of the 2wire switch ports with an ethernet cable or is there something in between?
It is connected wirelessly to the 2wire modem. I've also thought of this, thinking it could be due to interference or noise. Discarded already by testing with the router's firewall, switching DMZ+ on and off, the (already mentioned a lot) most suspicious possible culprit.
said by muiredised:
When you forward only the necessary ports are you able to get connectivity at all (sounds like you can intermittently)?
I do get connectivity, but it tends to fail by timing out intermittently.
|
 muiredised ESSE QUAM VIDERI
join:2007-06-11 Tacoma, WA
said by TKN8931:
I'm testing from inside my LAN, using the public IP. I came to think it worked the same as when accessing via the local IP or the name of the PC I experience no problems. EDIT: I've tested from the true outside using several webproxies and I have had no timeouts. Could it be possible the problem is only from inside the LAN using the public IP?
This may be the issue. At least part of it. What firmware version are you running?
For the longest time 2wire devices had no support for NAT loopback. I was not aware that 2wire had added support for it at all so it is curious that you have any connectivity whatsoever when testing using this method. If this were my network (services) I would now test a bit more thoroughly from a definitive remote location to isolate NAT loopback as the issue.
EDIT: typo -- Assiduus usus uni rei deditus et ingenium et artem saepe vincit |
|
 TKN8931
join:2009-10-30
Version 5.29.51
At least I think. It is the only version-like number the router's Home shows.
|
 muiredised ESSE QUAM VIDERI
join:2007-06-11 Tacoma, WA
I was not able to find any information stating that 2wire implemented NAT loopback support in version 5.29.51 (or any versions, for that matter). Thus I suspect that this is likely the cause of your timeout observations, as I know for a fact that 2wire has not had NAT loopback support in the past. That being said, I don't get a chance to play with them as much as I did in years past, so you may want to look into it further yourself.
FYI, not sure if this is any worry to you, but you may want to have a look at this:
hxxp://www.milw0rm.com/exploits/9422
EDIT:
And just in case you are not aware, 2wire's seeming inability to handle NAT loopback will also adversely affect things if you point a domain name to your broadband IP. -- Assiduus usus uni rei deditus et ingenium et artem saepe vincit |
|
 TKN8931
join:2009-10-30
But if the lack of support for NAT loopback was the culprit of the timeouts... why did turning DMZ+ on for the hosting PC solve the timeout problem?
|
 muiredised ESSE QUAM VIDERI
join:2007-06-11 Tacoma, WA
| Well we can only really guess because 2wire plays things so close to the vest when it comes to their firmware. A source of mine has not got back to me on the matter. Here is my effort at a best guess...
When you put the machine in DMZ+ it assigns the public IP address to that machine. No idea what mechanisms 2wire has put in place behind the scenes to handle this, but this is no longer a simple NAT. So packet flow may be a bit different than when a machine is behind simple NAT. It is also possible that they have provisional support for NAT loopback that is not complete yet and therefore not officially supported.
At this point one of the 2wire support members lurking here may be able to chime in with some insight, however, I suspect they are not privy to the inner workings either. So we are probably left to guess (which is why I chose to ditch 2wire products some time ago) as to what the root cause of your problem is.
I ran into strange issues such as this often when configuring 2wire products for anything other than very simple home internet use. Hosting services, assigning static IPs, using non-PC network devices (cameras, dvrs, etc), and really anything marginally advanced became frustrating. Add to that the fact that all-in-one devices become single points of failure and pfSense became my friend along with standalone modem and WAP.
Best of luck.
-- Assiduus usus uni rei deditus et ingenium et artem saepe vincit |
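The NAT loopback (hairpin NAT) behaviour muiredised describes is easy to see in a toy model. The following is an added example written for this thread; it is not code from any poster or from 2Wire, and it does not model DMZ+ (which the thread itself only guesses at). All addresses are constructed: the gateway's LAN and WAN IPs, the client and server hosts, and the single port forward (80 to the XAMPP box) are assumptions. It shows why a LAN client that connects to its own public IP gets its reply directly from the server's LAN address, which its TCP stack does not recognise as the peer it connected to, while a genuinely external client, or a LAN client behind a router that does hairpin NAT, gets a reply that appears to come from the public IP. The model produces a hard failure; the intermittent timeouts reported in the thread are not explained by it.

```python
"""Toy model of NAT loopback (hairpin NAT) and what a LAN client sees
when it connects to its own router's public IP.

Added example for this forum thread; not code from any poster or from
2Wire. All addresses below are constructed assumptions.
"""
from dataclasses import dataclass

ROUTER_LAN_IP = "192.168.1.254"  # assumed LAN address of the gateway
ROUTER_WAN_IP = "203.0.113.7"    # constructed public IP (TEST-NET-3 range)
LAN_PREFIX = "192.168.1."
SERVER = "192.168.1.20:80"       # assumed XAMPP host, Apache on port 80
FORWARDS = {80: SERVER}          # assumed port forward: WAN port -> LAN endpoint


@dataclass(frozen=True)
class Packet:
    src: str  # "ip:port"
    dst: str  # "ip:port"


def on_lan(endpoint: str) -> bool:
    return endpoint.startswith(LAN_PREFIX)


class Router:
    """NAT gateway with one port forward; hairpin NAT is optional."""

    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        # (server endpoint, translated client endpoint) -> (original dst, original src)
        self.sessions = {}
        self.next_port = 40000

    def inbound(self, pkt: Packet):
        """A packet addressed to the router's own WAN IP, from LAN or WAN."""
        wan_port = int(pkt.dst.split(":")[1])
        target = FORWARDS.get(wan_port)
        if target is None:
            return None  # not forwarded: handled (or dropped) by the router itself
        src = pkt.src
        if self.hairpin and on_lan(pkt.src):
            # Hairpin NAT: rewrite the source too, so the server answers the
            # router, which can then reverse both translations.
            src = f"{ROUTER_LAN_IP}:{self.next_port}"
            self.next_port += 1
        self.sessions[(target, src)] = (pkt.dst, pkt.src)
        return Packet(src, target)

    def reply(self, pkt: Packet):
        """A reply from the server that actually reached the router."""
        orig = self.sessions.get((pkt.src, pkt.dst))
        if orig is None:
            return None  # no matching state: dropped
        orig_dst, orig_src = orig
        return Packet(orig_dst, orig_src)  # appears to come from WAN_IP:80


def reaches_router(dst: str) -> bool:
    """Same-subnet traffic goes host-to-host (ARP) and never touches the
    router; only off-subnet traffic, or traffic to the router itself, does."""
    return not on_lan(dst) or dst.split(":")[0] == ROUTER_LAN_IP


def simulate(client: str, hairpin: bool) -> str:
    """Client opens a connection to ROUTER_WAN_IP:80; return what it observes."""
    router = Router(hairpin)
    expected_peer = f"{ROUTER_WAN_IP}:80"
    to_server = router.inbound(Packet(client, expected_peer))
    if to_server is None:
        return "timeout: router dropped the request"
    # The server replies to whatever source address it saw.
    reply = Packet(to_server.dst, to_server.src)
    if reaches_router(reply.dst):
        reply = router.reply(reply)
        if reply is None:
            return "timeout: router had no session for the reply"
    # A TCP stack only accepts a SYN-ACK from the peer it sent the SYN to;
    # an answer from any other address is ignored and the attempt times out.
    if reply.dst == client and reply.src == expected_peer:
        return "connected"
    return f"timeout: reply came from {reply.src}, expected {expected_peer}"


if __name__ == "__main__":
    cases = [("192.168.1.10:51000", False), ("192.168.1.10:51000", True),
             ("198.51.100.9:51000", False)]
    for who, hp in cases:
        where = "LAN" if on_lan(who) else "WAN"
        print(f"{where} client, hairpin={hp}: {simulate(who, hp)}")
```

The practical check this suggests is the one muiredised recommends: test from a host that is really outside the LAN (or via a web proxy, as TKN8931 did) before blaming the firewall, because a LAN-to-public-IP test exercises a code path many consumer gateways do not implement.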
|
  Anon
@cox.net
This is correct: you are not supposed to be able to access the WAN IP address of the network from your local LAN. You would only use your LAN IP address. Sometimes there are circumstances which allow this to happen (although they shouldn't). This was put in place for a reason.
The reason it is working from DMZ+ is because DMZ+ assigns you the WAN gateway address the 2wire gateway is getting. I take it you have public addresses allocated and are not using DDNS?
Test it from outside of your LAN and I assure you that you won't see this problem, as long as you have set up your port forwarding correctly.
The fact that you are able to access it at all from the WAN side is surprising, although alarming.
|