[nos-bbs] UDP Port Unreachable - problem found

Michael E. Fox - N6MEF n6mef at mefox.org
Sun Nov 17 20:15:19 EST 2013


O.K.  Understood.  But it's better to just eliminate the problem than to
have to build more complexity in order to avoid a problem that shouldn't
exist in the first place.  

 

And you also have to understand that there are lots of folks out there who
don't have the expertise to add more complexity.  So we shouldn't push more
complexity as a "solution", especially when it's really just masking the
problem.  We should be doing everything we can to make implementations as
simple as possible.

 

M

 

 

From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
Of Bob Tenty
Sent: Sunday, November 17, 2013 4:31 PM
To: TAPR xNOS Mailing List
Subject: Re: [nos-bbs] UDP Port Unreachable - problem found

 

It doesn't matter or it is 44 addresses but encapsulation or better a VPN is
a way out of the problems you have.
I have dealt with firewalls you have and much worse and always could find
solution for an AXIP
or AXUDP.
Then there is OpenVPN what especially can deal with changing source ports if
you use it in the client - server 
configuration.

B

On 13-11-17 11:05 AM, Michael E. Fox - N6MEF wrote:

As I already mentioned:  the other end is not running AMPRnet so this is
straight NAT to the Internet, no encap.

 

M

 

From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
Of Bob Tenty
Sent: Saturday, November 16, 2013 10:33 PM
To: nos-bbs at tapr.org
Subject: Re: [nos-bbs] UDP Port Unreachable - problem found

 

Yes but I mean it in the context that you encapsulate the relevant 44
addresses at both sides.
(in the local lan addresses).


Bob VE3TOK

On 13-11-17 12:08 AM, Michael E Fox - N6MEF wrote:

We are.  But the addresses don't matter since both ends are behind a
firewall.  The addresses could be anything and the problem would be the
same.

 

Michael

N6MEF

 

 

 

Sent from my Verizon Wireless 4G LTE smartphone



-------- Original message --------
From: Bob Tenty 
Date:11/16/2013 8:44 PM (GMT-08:00) 
To: nos-bbs at tapr.org 
Subject: Re: [nos-bbs] UDP Port Unreachable - problem found 

I don't believe you mentioned about two jnos systems behind the same
firewall but may be I missed it.

Why are you not  using 44 addresses  in your axudp link  at both sides?

Bob


On 13-11-16 09:20 PM, Michael E Fox - N6MEF wrote:

No Bob, I'm talking about two JNOS systems behind the same firewall.   The
firewall has to change the source port of at least the second one on the way
out.  Otherwise, the destination IP and destination port are all the same on
the way back in.  I believe I've already mentioned this a couple of times.
This is basic firewall connection muxing.

 

Sonicwall happens to change the source port all the time, instead of after
the first connection.  And it works just fine for everything but JNOS.  If
JNOS behaved like a normal UDP app, it would work fine, too.

 

The point is that there is simply no reason to require a specific source
port.  It's just not the way the UDP world works.  And doing so renders the
system unworkable when placed behind 10s of 1000s of commercial firewalls.

 

The whole point of axudp is so it can be used in situations where axip can't
be used.  But with this bizarre restriction, it's defeating that purpose.

 

M

 

 

 

 

Sent from my Verizon Wireless 4G LTE smartphone



-------- Original message --------
From: Bob Tenty 
Date:11/16/2013 3:38 PM (GMT-08:00) 
To: TAPR xNOS Mailing List 
Subject: Re: [nos-bbs] UDP Port Unreachable - problem found 

Michael,

You are making a thinking error here.

If I make a link to another jnos system the destination ip number is
different.
Also the return route from that second jnos system uses another ip number as
the first jnos system so there is no problem it all.
Even with the same port.  It is the combination of ip number + port.

Those consumer router/firewall boxes are cheaply designed and targeted for
the average Joe customer user needs.
Install dd-wrt in it if available for it and you will be much happier.


73,

Bob VE3TOK






On 13-11-16 12:35 PM, Michael E. Fox - N6MEF wrote:

Yes, Linux leaves the source port alone on the first connection.  But that
only works for the first JNOS system.  Even a firewall that initially leave
the source port alone will need to change the source port if a second JNOS
system exists so it can track connections to two different machines.

 

M

 

From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
Of Bob Tenty
Sent: Friday, November 15, 2013 11:37 PM
To: TAPR xNOS Mailing List
Subject: Re: [nos-bbs] UDP Port Unreachable - problem found

 

Yes, I have seen that with those boxes.  That is why I always replace the
firmware with linux when possible.

Bob


On 13-11-16 01:33 AM, Michael E. Fox - N6MEF wrote:

I found the problem with the UDP port 93 unreachable message:  JNOS is
(incorrectly) requiring the source port to also be 93 in AXUDP connections.

 

When I connect outbound from my JNOS system, through my firewall, the
firewall is changing the source port when it performs the outbound NAT.  But
this is normal for a firewall.  In fact, it HAS to do this if it's going to
allow for multiple connects of the same protocol from different machines.
Many consumer-grade firewalls will leave the source port alone for the first
connection (if it's not already in use) and only change it for subsequent
connections.  SonicWall is a bit more strict, frequently changing the source
port, making it harder for intercepted packets to be tracked to any one
machine.

 

Normally, this doesn't matter.  Applications/services listen on a particular
port and respond to whatever incoming connections use that *destination*
port.  They don't care what the source port is.  Firewalls then use
different source ports to track multiple conversations so that when the
packets return, all addressed to the same external NAT address, it can
direct them to the proper place by the port number.

 

But when JNOS receives an AXUDP packet, apparently it doesn't behave like a
normal UDP application.  JNOS apparently rejects the connection if the
*source* port is not 93, even if the destination port is correctly set to
93.  This is unusual, to say the least.  But even worse, it issues an ICMP
"udp port 93 unreachable" message which is completely wrong, since port 93
is definitely reachable.

 

It seems the following is needed:  Remove the source port restriction for
AXUDP.  JNOS should not care what the source port is.  And, just like any
other UDP app, when responding it should use whatever source port was
specified as the destination port when it constructs the return packet.

 

Michael

N6MEF

 








_______________________________________________
nos-bbs mailing list
nos-bbs at tapr.org
http://www.tapr.org/mailman/listinfo/nos-bbs

 







_______________________________________________
nos-bbs mailing list
nos-bbs at tapr.org
http://www.tapr.org/mailman/listinfo/nos-bbs






 

 






_______________________________________________
nos-bbs mailing list
nos-bbs at tapr.org
http://www.tapr.org/mailman/listinfo/nos-bbs

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.tapr.org/pipermail/nos-bbs_lists.tapr.org/attachments/20131117/74757ab6/attachment.html>


More information about the nos-bbs mailing list