<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Michael,<br>
<br>
You are making a thinking error here.<br>
<br>
If I make a link to another jnos system the destination ip number
is different.<br>
Also the return route from that second jnos system uses another ip
number as the first jnos system so there is no problem it all.<br>
Even with the same port. It is the combination of ip number +
port.<br>
<br>
Those consumer router/firewall boxes are cheaply designed and
targeted for the average Joe customer user needs.<br>
Install dd-wrt in it if available for it and you will be much
happier.<br>
<br>
<br>
73,<br>
<br>
Bob VE3TOK<br>
<br>
<br>
<br>
<br>
<br>
<br>
On 13-11-16 12:35 PM, Michael E. Fox - N6MEF wrote:<br>
</div>
<blockquote cite="mid:009701cee2f2$4ca88a80$e5f99f80$@mefox.org"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas","serif";
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Yes, Linux
leaves the source port alone on the first connection. But
that only works for the first JNOS system. Even a firewall
that initially leave the source port alone will need to
change the source port if a second JNOS system exists so it
can track connections to two different machines.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">M<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:nos-bbs-bounces@tapr.org">nos-bbs-bounces@tapr.org</a>
[<a class="moz-txt-link-freetext" href="mailto:nos-bbs-bounces@tapr.org">mailto:nos-bbs-bounces@tapr.org</a>] <b>On Behalf Of </b>Bob
Tenty<br>
<b>Sent:</b> Friday, November 15, 2013 11:37 PM<br>
<b>To:</b> TAPR xNOS Mailing List<br>
<b>Subject:</b> Re: [nos-bbs] UDP Port Unreachable -
problem found<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">Yes, I have seen
that with those boxes. That is why I always replace the
firmware with linux when possible.<br>
<br>
Bob<br>
<br>
<br>
On 13-11-16 01:33 AM, Michael E. Fox - N6MEF wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-left:.5in">I found the
problem with the UDP port 93 unreachable message: JNOS is
(incorrectly) requiring the source port to also be 93 in
AXUDP connections.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">When I connect
outbound from my JNOS system, through my firewall, the
firewall is changing the source port when it performs the
outbound NAT. But this is normal for a firewall. In fact,
it HAS to do this if it’s going to allow for multiple
connects of the same protocol from different machines. Many
consumer-grade firewalls will leave the source port alone
for the first connection (if it’s not already in use) and
only change it for subsequent connections. SonicWall is a
bit more strict, frequently changing the source port, making
it harder for intercepted packets to be tracked to any one
machine.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Normally, this
doesn’t matter. Applications/services listen on a
particular port and respond to whatever incoming connections
use that *<b>destination</b>* port. They don’t care what
the source port is. Firewalls then use different source
ports to track multiple conversations so that when the
packets return, all addressed to the same external NAT
address, it can direct them to the proper place by the port
number.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">But when JNOS
receives an AXUDP packet, apparently it doesn’t behave like
a normal UDP application. JNOS apparently rejects the
connection if the *<b>source</b>* port is not 93, even if
the destination port is correctly set to 93. This is
unusual, to say the least. But even worse, it issues an
ICMP “udp port 93 unreachable” message which is completely
wrong, since port 93 is definitely reachable.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">It seems the
following is needed: Remove the source port restriction for
AXUDP. JNOS should not care what the source port is. And,
just like any other UDP app, when responding it should use
whatever source port was specified as the destination port
when it constructs the return packet.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Michael<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">N6MEF<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
<br>
<br>
<o:p></o:p></span></p>
<pre style="margin-left:.5in">_______________________________________________<o:p></o:p></pre>
<pre style="margin-left:.5in">nos-bbs mailing list<o:p></o:p></pre>
<pre style="margin-left:.5in"><a moz-do-not-send="true" href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a><o:p></o:p></pre>
<pre style="margin-left:.5in"><a moz-do-not-send="true" href="http://www.tapr.org/mailman/listinfo/nos-bbs">http://www.tapr.org/mailman/listinfo/nos-bbs</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
nos-bbs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a>
<a class="moz-txt-link-freetext" href="http://www.tapr.org/mailman/listinfo/nos-bbs">http://www.tapr.org/mailman/listinfo/nos-bbs</a>
</pre>
</blockquote>
<br>
</body>
</html>