dda
Premium
join:2003-12-29
Bolton, MA

Issues with new USG 50

Edit:
----
With new firmware, the VPN and torrent issues seem to have gone away; I'll check from work to be sure. The DNS issue was resolved by not using the USG 50 and handling it in Snow Leopard Server. I may try again later with the new firmware.

The IPSEC VPN still persists once closed; the L2TP over IPSEC VPN does close down properly.
----

So I've upgraded from my old reliable Z2+ to a spiffy new USG 50. I've got most things configured the way I need them but am still having a few issues and figured I'd turn to all you fine folks for some help.

Note that I have a fairly simple home network. Comcast provides 50/15 Blast! service and I take the output from their cable modem right into the USG 50. Right now I haven't applied licenses for any of the Anti-X stuff so I assume it isn't enabled.

I converted all the ports to LAN1 and have nothing in the DMZ. Wireless is being taken care of by an older Apple Extreme Base Station which goes into LAN1, as well. I have a 10.6.8 Snow Leopard Server handling some minor server tasks including checking email and handling some DNS. I will admit I am doing a potentially bad thing in that I have dantonio.net as an external domain but also have systems on the LAN that use dantonio.net. So imac.dantonio.net is local to the LAN (10.1.1.x address) but www.dantonio.net is external. The old Z2+ had no trouble with this.

The issues:
- I get a lot of "Abnormal TCP flag attack, DROPPED" in the log. The culprit is the Snow Leopard Server trying to connect to Comcast's email server on port 993. Why the USG cares about an outgoing packet I cannot say. Searches of this forum and elsewhere haven't shown any solution.

- My torrent client normally would use uPnP or NAT-PMP to map its port but this isn't supported. I've opened the port it uses for both TCP and UDP (it's annoying that the object doesn't have a "BOTH" selection for the port but hey) but the client insists its port is closed.

- If I use the USG 50 for DNS queries, it correctly replies to all the "in LAN" addresses I've added but insists www.dantonio.net can't be found! I believe it decides that www.dantonio.net is the same as dantonio.net and punts rather than sending it along to Comcast. Attempting to add dantonio.net as a domain to forward results in an error (-14016 I believe). The upshot is that I can either get to LAN addresses or (by adding a rule to not use the USG for DNS) external addresses but not both.

- If I establish an IPSEC tunnel into the USG from work, it opens fine; I can access services on my home LAN. But closing the tunnel from the Mac client (IPSecuritas if it matters) doesn't drop the tunnel and the USG spams work trying to reconnect. The IT guy at work got annoyed, as you might imagine, and told me to quit it. The connection is *not* nailed up if that matters.

Any help would be appreciated. The torrent issue is minor but the others are rather important; while there are workarounds, the Z2+ handled all this fine and so should the USG!

I can get screenshots or the .conf files if that will help. Thanks!

Kirby Smith

join:2001-01-26
Derry, NH
Sorry for the late response; I've been tied up (figuratively writing) since you made your request. I can address the details of torrent setup later today.

kirby USG50

dda
Premium
join:2003-12-29
Bolton, MA
Thanks, Kirby; there's no real rush but the help is appreciated.

Kirby Smith

join:2001-01-26
Derry, NH
reply to dda
Rather than try to generate a bunch of images of the graphical interface, I have listed below the relevant parts of the configuration file. They should help you find the menus you need to modify. Note that the state table timeouts have to be set using the CLI interface. (I use PuTTY for this.)

Also, I use two different computers for BT, so the number of NAT, object, and firewall rules for one computer should be half as many.

kirby

P.S. I have the sense that it may be possible to do this with fewer rules by generating a service object that addresses both UDP and TCP, but I haven't looked into it in sufficient depth to make any changes. Others here may be able to throw helpful oars into the water on this.

! saved at 2012-12-01 15:51:41
! model: ZyWALL USG 50
! firmware version: 3.00(BDS.2)
!
hardware-watchdog-timer 10
!
software-watchdog-timer 300
!
interface-name ge1 wan1
interface-name ge2 wan2
interface-name ge3 lan1
interface-name ge4 lan2
interface-name ge5 dmz
 
! massive delete from here down
! only BT relevant objects are shown below
 
address-object BT1 192.168.1.102
address-object BT2 192.168.1.103
! note that these are addresses to two computers on LAN1
! the addresses are fixed in the USG50 DHCP service
 
service-object BT1-TCP tcp range 52890 52890
service-object BT1-UDP udp range 52890 52890
service-object BT2-TCP tcp range 52891 52891
service-object BT2-UDP udp range 52891 52891
! These are arbitrary but fixed BT ports (one per 
! computer) that each respective computer has to 
! have open in its firewall
!
object-group service BT
 description Bit Torrent
 service-object BT1-TCP
 service-object BT1-UDP
 service-object BT2-TCP
 service-object BT2-UDP
!
interface-group WAN_TRUNK
 algorithm llf
 loadbalancing-index outbound
 interface 1 wan1_ppp
 interface 2 wan2_ppp
! This mode seems to work nicely for me
!
session timeout tcp-established 900
!
session timeout udp-deliver 30
!
! These timeouts help keep BT's tendency to never properly
! close connections from making the state table too large
! (Only 10k on the USG50)
! This is the only part of the setup that has to be done
! via the CLI
 
!
ip load-balancing link-sticking activate
ip load-balancing link-sticking timeout 600
!
 
! These are the eight NAT rules for two computers, two WANs, and two protocols.
ip virtual-server Bit_Torrent_U1_1 interface wan1_ppp original-ip any map-to BT1 map-type port protocol udp original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_U1_2 interface wan2_ppp original-ip any map-to BT1 map-type port protocol udp original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_T1_1 interface wan1_ppp original-ip any map-to BT1 map-type port protocol tcp original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_T1_2 interface wan2_ppp original-ip any map-to BT1 map-type port protocol tcp original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_U2_1 interface wan1_ppp original-ip any map-to BT2 map-type port protocol udp original-port 52891 mapped-port 52891
ip virtual-server Bit_Torrent_U2_2 interface wan2_ppp original-ip any map-to BT2 map-type port protocol udp original-port 52891 mapped-port 52891
ip virtual-server Bit_Torrent_T2_1 interface wan1_ppp original-ip any map-to BT2 map-type port protocol tcp original-port 52891 mapped-port 52891
ip virtual-server Bit_Toprrent_T2_2 interface wan2_ppp original-ip any map-to BT2 map-type port protocol tcp original-port 52891 mapped-port 52891
!
! Ewww.  I see a spelling error.
!
!
! These are the four firewall rules allowing both BT incoming message protocols to flow to LAN
!
firewall 3
 from WAN
 to LAN1
 destinationip BT2
 service BT2-UDP
 action allow
!
firewall 4
 from WAN
 to LAN1
 destinationip BT2
 service BT2-TCP
 action allow
!
firewall 5
 from WAN
 to LAN1
 destinationip BT1
 service BT1-UDP
 action allow
!
firewall 6
 description Bit Torrent
 from WAN
 to LAN1
 destinationip BT1
 service BT1-TCP
 action allow
!
! These below are not really relevant except to the USG's 
! software blocking mode that I don't use
!
app bittorrent defaultport 6969
app bittorrent defaultport 6881
app bittorrent defaultport 6882
app bittorrent defaultport 6883
app bittorrent defaultport 6884
app bittorrent defaultport 6885
app bittorrent defaultport 6886
app bittorrent defaultport 6887
!
 
 


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

1 edit
Here is my relevant BT config for USG50 with a single WAN port:

!
service-object BitTorrent-tcp tcp range 51413 51413
service-object BitTorrent-udp udp range 51413 51413
!
object-group service BitTorrent
 service-object BitTorrent-tcp
 service-object BitTorrent-udp
!
ip virtual-server BitTorrent interface wan1 original-ip any map-to 192.168.1.4 map-type port protocol any original-port 51413 mapped-port 51413
!
firewall 7
 from WAN
 to LAN1
 service BitTorrent
 action allow
!
 

Kirby Smith

join:2001-01-26
Derry, NH
reply to dda
I'm pretty sure that dantonio.net is the higher level URL of www.dantonio.net, and cannot be defined as two different destinations this way. Maybe with a proxy server they could be separated, or maybe on each computer by using the file Windows includes (if you use Windows; I forget the file name) where specific URLs can be dropped or routed to different IP addresses.

k

dda
Premium
join:2003-12-29
Bolton, MA
NSLOOKUP does show that dantonio.net is the canonical name for www.dantonio.net; what I don't understand is why the USG doesn't just ignore dantonio.net if there is no PTR record for it internally. If I remove all the PTR records (and, potentially, the domain name from the Host Name set up), will it then ignore the domain entirely?

I'm using Mac 10.6.8, not Windows.

dda
Premium
join:2003-12-29
Bolton, MA
reply to dda
Thanks, Kirby Smith and bbarrera; I'll compare my config and see what's different.


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to dda
quote:
- If I use the USG 50 for DNS queries, it correctly replies to all the "in LAN" addresses I've added but insists www.dantonio.net can't be found! I believe it decides that www.dantonio.net is the same as dantonio.net and punts rather than sending it along to Comcast. Attempting to add dantonio.net as a domain to forward results in an error (-14016 I believe). The upshot is that I can either get to LAN addresses or (by adding a rule to not use the USG for DNS) external addresses but not both.

Your router config must have something like this in it:
domainname dantonio.net
 
which I believe then causes the USG's DNS to think it's authoritative for the zone.

On your Mac try this:
host -t soa dantonio.net 192.168.1.1
 
(assuming your USG50 is at 192.168.1.1)

and then try:
host -t soa dantonio.net 4.2.2.1
 
(instead of 4.2.2.1 you may use another public DNS server)

dda
Premium
join:2003-12-29
Bolton, MA
said by bbarrera:


Your router config must have something like this in it:

domainname dantonio.net
 
which I believe then causes the USG's DNS to think it's authoritative for the zone.

On your Mac try this:
host -t soa dantonio.net 192.168.1.1
 
(assuming your USG50 is at 192.168.1.1)
quote:
[DDAs-MBP:~] dda% host -t soa dantonio.net 192.168.1.1
Using domain server:
Name: 192.168.1.1
Address: 192.168.1.1#53
Aliases:

dantonio.net has SOA record dantonio.net. root.dantonio.net. 2013010123 10800 54000 259200 10800

and then try:
host -t soa dantonio.net 4.2.2.1
 
(instead of 4.2.2.1 you may use another public DNS server)
quote:
[DDAs-MBP:~] dda% host -t soa dantonio.net 4.2.2.1
Using domain server:
Name: 4.2.2.1
Address: 4.2.2.1#53
Aliases:

dantonio.net has SOA record ns1.secure.net. hostmaster.secure.net. 2012022119 86400 7200 2592000 86400

They certainly point to different things! I'll check the configuration when I get home. I did try removing the domain name from the host name section but it didn't really do anything.
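As an added example (not part of the thread), this Python script applies bbarrera's SOA comparison to the two `host -t soa` answers quoted above and models why a LAN resolver that claims authority for dantonio.net answers NXDOMAIN for www.dantonio.net instead of forwarding the query. The `local_answer` model of the USG's behaviour is an assumption drawn from the thread, not something the USG documentation confirms here.

```python
import re

# The two `host -t soa` answers quoted in the thread, embedded here as constructed sample input.
LOCAL_OUT = """\
Using domain server:
Name: 192.168.1.1
Address: 192.168.1.1#53
Aliases:

dantonio.net has SOA record dantonio.net. root.dantonio.net. 2013010123 10800 54000 259200 10800
"""
PUBLIC_OUT = """\
Using domain server:
Name: 4.2.2.1
Address: 4.2.2.1#53
Aliases:

dantonio.net has SOA record ns1.secure.net. hostmaster.secure.net. 2012022119 86400 7200 2592000 86400
"""

SOA_RE = re.compile(r"^(\S+) has SOA record (\S+) (\S+) (\d+) (\d+) (\d+) (\d+) (\d+)$", re.M)

def parse_soa(output):
    """Return the server queried and the SOA fields from `host -t soa` output."""
    server = re.search(r"^Name:\s*(\S+)$", output, re.M).group(1)
    zone, mname, rname, *nums = SOA_RE.search(output).groups()
    keys = ("serial", "refresh", "retry", "expire", "minimum")
    return {"server": server, "zone": zone.rstrip("."), "mname": mname, "rname": rname,
            **dict(zip(keys, map(int, nums)))}

def diagnose(local_output, public_output):
    """Compare the SOA the LAN resolver hands out with the public one for the same zone."""
    lan, pub = parse_soa(local_output), parse_soa(public_output)
    if lan["zone"] != pub["zone"]:
        raise ValueError("outputs are for different zones")
    if lan["mname"] == pub["mname"] and lan["serial"] == pub["serial"]:
        return f"{lan['server']} relays the public zone for {lan['zone']}"
    return (f"{lan['server']} claims authority for {lan['zone']} (SOA {lan['mname']}, serial {lan['serial']}); "
            f"public DNS says {pub['mname']}, serial {pub['serial']}: names not defined locally will be NXDOMAIN")

def local_answer(qname, zone, local_hosts):
    """Assumed behaviour of an authoritative LAN resolver: answer, NXDOMAIN, or forward upstream."""
    q = qname.rstrip(".").lower()
    if q != zone and not q.endswith("." + zone):
        return "forwarded"          # outside the zone: recursive lookup upstream (Comcast here)
    label = q[: -len(zone)].rstrip(".") or "@"
    return "local" if label in local_hosts else "nxdomain"
```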

Kirby Smith

join:2001-01-26
Derry, NH
reply to bbarrera
I was pretty sure, bbarrera, from previous comments here (perhaps yours) that there was a more compact way to do this. I'll have to revise accordingly when I get a chance.

Thanks

kirby


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to dda
said by dda:

They certainly point to different things! I'll check the configuration when I get home. I did try removing the domain name from the host name section but it didn't really do anything.

Removing the domain name from System > Host should stop the router from being authoritative, although you might also have it configured in System > DNS section.

The problem is that once you've done it, then entries like "server 192.168.1.2" in System > DNS will fail to work, and you'll need to have entries like "server.dantonio.net 192.168.1.2" but that will fail if LAN computers aren't set up to default search for dantonio.net (depends on how your DHCP is set up).

dda
Premium
join:2003-12-29
Bolton, MA
I solved the DNS issue the (sorta) hard way; I skipped the USG 50 entirely and added all my internal hosts as Master Zones to the Snow Leopard Server. I had originally tried what you had suggested and it didn't work; that might have been due to caching or other issues.

In any case, it is working now so thanks! Now to try to address the VPN and torrent issues.

Kirby Smith

join:2001-01-26
Derry, NH
reply to dda
Here is the more compact, "bb'd" form of the Bit Torrent configuration rules for dual WANs and two computers. Seems to work fine.

! saved at 2013-01-04 18:12:50
! model: ZyWALL USG 50
! firmware version: 3.00(BDS.2)
 
address-object BT1 192.168.1.102
address-object BT2 192.168.1.103
!
service-object BT1-TCP tcp range 52890 52890
service-object BT1-UDP udp range 52890 52890
service-object BT2-TCP tcp range 52891 52891
service-object BT2-UDP udp range 52891 52891
!
object-group service BitTorrent1
 description Bit Torrent
 service-object BT1-TCP
 service-object BT1-UDP
!
object-group service BitTorrent2
 description Bit Torrent
 service-object BT2-TCP
 service-object BT2-UDP
!
ip virtual-server Bit_Torrent_1to1 interface wan1_ppp original-ip any map-to BT1 map-type port protocol any original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_2to1 interface wan2_ppp original-ip any map-to BT1 map-type port protocol any original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_1to2 interface wan1_ppp original-ip any map-to BT2 map-type port protocol any original-port 52891 mapped-port 52891
ip virtual-server Bit_Torrent_2to2 interface wan2_ppp original-ip any map-to BT2 map-type port protocol any original-port 52891 mapped-port 52891
!
firewall 3
 from WAN
 to LAN1
 destinationip BT2
 service BitTorrent2
 action allow
!
firewall 4
 from WAN
 to LAN1
 destinationip BT1
 service BitTorrent1
 action allow
!
 

I think earlier I was hesitant to allow "all" rather than just "TCP" and "UDP" to the opened ports, but ICMP doesn't use a port, and in any case, iptables on each computer's firewall is only set to allow UDP and TCP at the BT port.

kirby
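An added example, not code from the thread or from ZyXEL: a small Python lint that parses the posted config format and checks that every `ip virtual-server` forward has a WAN-to-LAN allow rule whose service object or group actually covers the mapped port for each protocol (a `protocol any` forward needs both TCP and UDP covered). The sample config is constructed from the compact config above with one member deliberately dropped so the check has something to find.

```python
def parse(config):
    """Parse the service-object, object-group service, firewall and ip virtual-server lines."""
    svc, groups, fw, vs, block = {}, {}, [], [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):        # blank or comment line
            continue
        if line[0] == " ":                            # indented: member of the open block
            if isinstance(block, list):
                block.append(tok[1])                  # object-group member name
            else:
                block[tok[0]] = tok[1]                # firewall attribute (from, destinationip, service, action)
        elif tok[0] == "service-object":              # name proto range lo hi
            svc[tok[1]] = (tok[2], int(tok[4]), int(tok[5]))
        elif tok[:2] == ["object-group", "service"]:
            block = groups.setdefault(tok[2], [])
        elif tok[0] == "firewall":
            fw.append(block := {})
        elif tok[:2] == ["ip", "virtual-server"]:     # tok[2] is the rule name, the rest are key/value pairs
            vs.append((tok[2], dict(zip(tok[3::2], tok[4::2]))))
    return svc, groups, fw, vs

def covers(name, proto, port, svc, groups):
    """True if service object or service group `name` includes proto/port."""
    return any(svc[m][0] == proto and svc[m][1] <= port <= svc[m][2]
               for m in groups.get(name, [name]) if m in svc)

def check_forwards(config):
    """Return one finding per NAT forward that the firewall would still drop."""
    svc, groups, fw, vs = parse(config)
    findings = []
    for name, kv in vs:
        target, port = kv["map-to"], int(kv["mapped-port"])
        protos = ["tcp", "udp"] if kv["protocol"] == "any" else [kv["protocol"]]
        for proto in protos:
            # A rule without destinationip applies to any LAN host (as in bbarrera's single-WAN rule).
            if not any(r.get("action") == "allow" and r.get("from") == "WAN"
                       and r.get("destinationip", target) == target
                       and covers(r.get("service", ""), proto, port, svc, groups) for r in fw):
                findings.append(f"{name}: no WAN allow rule for {proto}/{port} to {target}")
    return findings

# Constructed sample based on the compact config above; the group deliberately omits BT2-UDP.
SAMPLE = """\
service-object BT2-TCP tcp range 52891 52891
service-object BT2-UDP udp range 52891 52891
object-group service BitTorrent2
 service-object BT2-TCP
ip virtual-server Bit_Torrent_1to2 interface wan1_ppp original-ip any map-to BT2 map-type port protocol any original-port 52891 mapped-port 52891
firewall 3
 from WAN
 destinationip BT2
 service BitTorrent2
 action allow
"""
```

Running `check_forwards(SAMPLE)` reports the missing UDP allow; adding `service-object BT2-UDP` back to the group makes the findings list empty.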


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to dda
said by dda:

I solved the DNS issue the (sorta) hard way; I skipped the USG 50 entirely and added all my internal hosts as Master Zones to the Snow Leopard Server.

The easy way, if you ask me; at least with OS X Server you have full control of BIND.

I gave up on using the router as IPSec endpoint for remote clients, and instead port forward to OS X Server's L2TP Server. Works great with Mac and Windows and iOS.

dda
Premium
join:2003-12-29
Bolton, MA
reply to Kirby Smith
said by Kirby Smith:

Here is the more compact, "bb'd" form of the Bit Torrent configuration rules for dual WANs and two computers. Seems to work fine.
kirby

Thanks, Kirby. Using new firmware, Transmission now says the port is open so it looks like all is well.

dda
Premium
join:2003-12-29
Bolton, MA
reply to bbarrera
said by bbarrera:

The easy way if you ask me, at least with OS X Server you have full control of BIND.

Well, it was a lot more clicking and data entry than just using the DNS page in the USG! But yes, I do have more control now.
said by bbarrera:

I gave up on using the router as IPSec endpoint for remote clients, and instead port forward to OS X Server's L2TP Server. Works great with Mac and Windows and iOS.

I got the USG because it could be an IPSEC endpoint. Is L2TP as secure as IPSEC? I know the iPhone does L2TP over IPSEC; does Mac OS X do the same thing? I suppose it would be nicer to use OS X Server to handle all of this but then I really don't need the power of the USG.

Kirby Smith

join:2001-01-26
Derry, NH
If you are running BT and exposing yourself [figuratively] to the rest of the world, you may want to run IDS at a minimum. This will use a fair amount of that "excess" power. I also run the Kaspersky AV, but it doesn't usually report any detections.

I also see several TCP flag attacks per hour from all over the world that IDS drops. If sent deliberately, it is the result of my IP addresses being available to BT trackers.

I have heard of a queuing theory that is possibly relevant: The wait time is proportional to the reciprocal of (1 minus the fractional utilization). The implication is that one doesn't want to try to utilize all of the power available. If I had money to burn I would have already moved to the USG 300, which is more "powerful" than my dual FTTH connections. The USG50 cannot perform AV and IDS on dual 30/15 data streams. (Some types of data are not examined, but right now I'm not clear how that affects actual throughput in my context of BT and video streaming from Crunchyroll.)

kirby


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to dda
said by dda:

I got the USG because it could be an IPSEC endpoint. Is L2TP as secure as IPSEC? I know the iPhone does L2TP over IPSEC; does Mac OS X do the same thing? I suppose it would be nicer to use OS X Server to handle all of this but then I really don't need the power of the USG.

It's actually L2TP over IPSec (L2TP/IPSec), with IPSec used to secure L2TP traffic.

dda
Premium
join:2003-12-29
Bolton, MA
said by bbarrera:

It's actually L2TP over IPSec (L2TP/IPSec), with IPSec used to secure L2TP traffic.

While I have L2TP over IPSec working with the iPhone and iPad, it won't work when I use my work LAN, which is unfortunately double-NATted. It also doesn't work with the MacBook Pro at work, probably for the same reason. For the iDevices, it's easy; I switch to LTE but that doesn't cut it for the Macs. Any idea how to deal with double NATting? Or is that even an issue?


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
I dunno, it's something I haven't encountered.