Kirby Smith

join:2001-01-26
Derry, NH
reply to dda

Re: Issues with new USG 50

Rather than try to generate a bunch of images of the graphical interface, I have listed below the relevant parts of the configuration file. They should help you find the menus you need to modify. Note that the state table timeouts have to be set using the CLI interface. (I use PuTTY for this.)

Also, I use two different computers for BT, so the number of NAT, object, and firewall rules for one computer should be half as many.

kirby

P.S. I have the sense that it may be possible to do this with fewer rules by generating a service object that addresses both UDP and TCP, but I haven't looked into it in sufficient depth to make any changes. Others here may be able to throw helpful oars into the water on this.

! saved at 2012-12-01 15:51:41
! model: ZyWALL USG 50
! firmware version: 3.00(BDS.2)
!
hardware-watchdog-timer 10
!
software-watchdog-timer 300
!
interface-name ge1 wan1
interface-name ge2 wan2
interface-name ge3 lan1
interface-name ge4 lan2
interface-name ge5 dmz
 
! massive delete from here down
! only BT relevant objects are shown below
 
address-object BT1 192.168.1.102
address-object BT2 192.168.1.103
! note that these are addresses to two computers on LAN1
! the addresses are fixed in the USG50 DHCP service
 
service-object BT1-TCP tcp range 52890 52890
service-object BT1-UDP udp range 52890 52890
service-object BT2-TCP tcp range 52891 52891
service-object BT2-UDP udp range 52891 52891
! These are arbitrary but fixed BT ports (one per 
! computer) that each respective computer has to 
! have open in its firewall
!
object-group service BT
 description Bit Torrent
 service-object BT1-TCP
 service-object BT1-UDP
 service-object BT2-TCP
 service-object BT2-UDP
!
interface-group WAN_TRUNK
 algorithm llf
 loadbalancing-index outbound
 interface 1 wan1_ppp
 interface 2 wan2_ppp
! This mode seems to work nicely for me
!
session timeout tcp-established 900
!
session timeout udp-deliver 30
!
! These timeouts help keep BT's tendency to never properly
! close connections from making the state table too large
! (Only 10k on the USG50)
! This is the only part of the setup that has to be done
! via the CLI
 
!
ip load-balancing link-sticking activate
ip load-balancing link-sticking timeout 600
!
 
! These are the eight NAT rules for two computers, two WANs, and two protocols.
ip virtual-server Bit_Torrent_U1_1 interface wan1_ppp original-ip any map-to BT1 map-type port protocol udp original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_U1_2 interface wan2_ppp original-ip any map-to BT1 map-type port protocol udp original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_T1_1 interface wan1_ppp original-ip any map-to BT1 map-type port protocol tcp original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_T1_2 interface wan2_ppp original-ip any map-to BT1 map-type port protocol tcp original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_U2_1 interface wan1_ppp original-ip any map-to BT2 map-type port protocol udp original-port 52891 mapped-port 52891
ip virtual-server Bit_Torrent_U2_2 interface wan2_ppp original-ip any map-to BT2 map-type port protocol udp original-port 52891 mapped-port 52891
ip virtual-server Bit_Torrent_T2_1 interface wan1_ppp original-ip any map-to BT2 map-type port protocol tcp original-port 52891 mapped-port 52891
ip virtual-server Bit_Toprrent_T2_2 interface wan2_ppp original-ip any map-to BT2 map-type port protocol tcp original-port 52891 mapped-port 52891
!
! Ewww.  I see a spelling error.
!
!
! These are the four firewall rules allowing both BT incoming message protocols to flow to LAN
!
firewall 3
 from WAN
 to LAN1
 destinationip BT2
 service BT2-UDP
 action allow
!
firewall 4
 from WAN
 to LAN1
 destinationip BT2
 service BT2-TCP
 action allow
!
firewall 5
 from WAN
 to LAN1
 destinationip BT1
 service BT1-UDP
 action allow
!
firewall 6
 description Bit Torrent
 from WAN
 to LAN1
 destinationip BT1
 service BT1-TCP
 action allow
!
! These below are not really relevant except to the USG's 
! software blocking mode that I don't use
!
app bittorrent defaultport 6969
app bittorrent defaultport 6881
app bittorrent defaultport 6882
app bittorrent defaultport 6883
app bittorrent defaultport 6884
app bittorrent defaultport 6885
app bittorrent defaultport 6886
app bittorrent defaultport 6887
!
 
 


bbarrera

join:2000-10-23
Sacramento, CA
Here is my relevant BT config for USG50 with a single WAN port:

!
service-object BitTorrent-tcp tcp range 51413 51413
service-object BitTorrent-udp udp range 51413 51413
!
object-group service BitTorrent
 service-object BitTorrent-tcp
 service-object BitTorrent-udp
!
ip virtual-server BitTorrent interface wan1 original-ip any map-to 192.168.1.4 map-type port protocol any original-port 51413 mapped-port 51413
!
firewall 7
 from WAN
 to LAN1
 service BitTorrent
 action allow
!
 

Kirby Smith

join:2001-01-26
Derry, NH
I was pretty sure, bbarrera, from previous comments here (perhaps yours) that there was a more compact way to do this. I'll have to revise accordingly when I get a chance.

Thanks

kirby
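The compact form Kirby says he will move to, written out for his two-host, two-WAN setup by combining the constructs already shown in both posts. This is an added example from the editor, not configuration from either poster: it assumes the same hosts, ports and interface names as Kirby's file, that `protocol any` (used on `wan1` in bbarrera's virtual server) is also accepted on the `wan1_ppp`/`wan2_ppp` interfaces, and the firewall rule numbers and object names (`BT1-svc`, `BT2-svc`) are arbitrary. The `session timeout` lines still have to be entered through the CLI, as noted above.

```text
! Added example (editor's, not from either post): two hosts, two WANs,
! one service group per host and "protocol any" on the NAT rules.
!
address-object BT1 192.168.1.102
address-object BT2 192.168.1.103
!
service-object BT1-TCP tcp range 52890 52890
service-object BT1-UDP udp range 52890 52890
service-object BT2-TCP tcp range 52891 52891
service-object BT2-UDP udp range 52891 52891
!
! One service group per host so a single firewall rule covers both protocols
object-group service BT1-svc
 description Bit Torrent host 1
 service-object BT1-TCP
 service-object BT1-UDP
!
object-group service BT2-svc
 description Bit Torrent host 2
 service-object BT2-TCP
 service-object BT2-UDP
!
! State table timeouts (CLI only), as in Kirby's post
session timeout tcp-established 900
session timeout udp-deliver 30
!
! Four virtual servers instead of eight: "protocol any" covers TCP and UDP
! (assumption: accepted on the ppp interfaces as it is on wan1)
ip virtual-server Bit_Torrent_1_wan1 interface wan1_ppp original-ip any map-to BT1 map-type port protocol any original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_1_wan2 interface wan2_ppp original-ip any map-to BT1 map-type port protocol any original-port 52890 mapped-port 52890
ip virtual-server Bit_Torrent_2_wan1 interface wan1_ppp original-ip any map-to BT2 map-type port protocol any original-port 52891 mapped-port 52891
ip virtual-server Bit_Torrent_2_wan2 interface wan2_ppp original-ip any map-to BT2 map-type port protocol any original-port 52891 mapped-port 52891
!
! Two firewall rules instead of four. destinationip is kept so each allow
! is scoped to the one LAN1 host its NAT rule maps to, not to the whole LAN.
! Rule numbers are arbitrary; use free slots in your own rule set.
firewall 3
 description Bit Torrent host 1
 from WAN
 to LAN1
 destinationip BT1
 service BT1-svc
 action allow
!
firewall 4
 description Bit Torrent host 2
 from WAN
 to LAN1
 destinationip BT2
 service BT2-svc
 action allow
!
```

The rule count goes from eight NAT rules plus four firewall rules to four plus two, with no change in what is reachable from the WAN: only the two named ports, only on the two named hosts. The `destinationip` line is worth keeping even though bbarrera's single-host rule omits it; without it the allow matches the port on any LAN1 address, and it is the NAT rule alone that keeps inbound traffic confined to one host. After applying the changes, confirm from the CLI that the virtual servers and firewall rules are active before testing inbound connectivity from outside the WAN.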