<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">I don't believe you mentioned two
jnos systems behind the same firewall, but maybe I missed it.<br>
<br>
Why are you not using 44 addresses in your axudp link at both
sides?<br>
<br>
Bob<br>
<br>
<br>
On 13-11-16 09:20 PM, Michael E Fox - N6MEF wrote:<br>
</div>
<blockquote
cite="mid:smwd0v826eqnmun4cut6ni60.1384653334317@email.android.com"
type="cite">
<div>No Bob, I'm talking about two JNOS systems behind the same
firewall. The firewall has to change the source port of at
least the second one on the way out. Otherwise, the destination
IP and destination port are all the same on the way back in. I
believe I've already mentioned this a couple of times. This is
basic firewall connection muxing.</div>
<div><br>
</div>
<div>Sonicwall happens to change the source port all the time,
instead of after the first connection. And it works just fine
for everything but JNOS. If JNOS behaved like a normal UDP app,
it would work fine, too.</div>
<div><br>
</div>
<div>The point is that there is simply no reason to require a
specific source port. It's just not the way the UDP world
works. And doing so renders the system unworkable when placed
behind 10s of 1000s of commercial firewalls.</div>
<div><br>
</div>
<div>The whole point of axudp is so it can be used in situations
where axip can't be used. But with this bizarre restriction,
it's defeating that purpose.</div>
<div><br>
</div>
<div>M</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div style="font-size:9px;color:#575757">Sent from my Verizon
Wireless 4G LTE smartphone</div>
</div>
<br>
<br>
-------- Original message --------<br>
From: Bob Tenty &lt;bobtenty@gmail.com&gt; <br>
Date:11/16/2013 3:38 PM (GMT-08:00) <br>
To: TAPR xNOS Mailing List &lt;nos-bbs@tapr.org&gt; <br>
Subject: Re: [nos-bbs] UDP Port Unreachable - problem found <br>
<br>
<div class="moz-cite-prefix">Michael,<br>
<br>
You are making a thinking error here.<br>
<br>
If I make a link to another jnos system, the destination ip
number is different.<br>
Also, the return route from that second jnos system uses a
different ip number than the first jnos system, so there is no
problem at all.<br>
Even with the same port. It is the combination of ip number
+ port.<br>
<br>
Those consumer router/firewall boxes are cheaply designed
and targeted at the average Joe customer's needs.<br>
Install dd-wrt in it if available for it and you will be
much happier.<br>
<br>
<br>
73,<br>
<br>
Bob VE3TOK<br>
<br>
<br>
<br>
<br>
<br>
<br>
On 13-11-16 12:35 PM, Michael E. Fox - N6MEF wrote:<br>
</div>
<blockquote
cite="mid:009701cee2f2$4ca88a80$e5f99f80$@mefox.org"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Yes,
Linux leaves the source port alone on the first
connection. But that only works for the first JNOS
system. Even a firewall that initially leaves the
source port alone will need to change the source port
if a second JNOS system exists, so it can track
connections to two different machines.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">M<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:nos-bbs-bounces@tapr.org">nos-bbs-bounces@tapr.org</a>
[<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="mailto:nos-bbs-bounces@tapr.org">mailto:nos-bbs-bounces@tapr.org</a>]
<b>On Behalf Of </b>Bob Tenty<br>
<b>Sent:</b> Friday, November 15, 2013 11:37 PM<br>
<b>To:</b> TAPR xNOS Mailing List<br>
<b>Subject:</b> Re: [nos-bbs] UDP Port Unreachable
- problem found<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">Yes, I
have seen that with those boxes. That is why I always
replace the firmware with linux when possible.<br>
<br>
Bob<br>
<br>
<br>
On 13-11-16 01:33 AM, Michael E. Fox - N6MEF wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-left:.5in">I found
the problem with the UDP port 93 unreachable message:
JNOS is (incorrectly) requiring the source port to
also be 93 in AXUDP connections.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">When I
connect outbound from my JNOS system, through my
firewall, the firewall is changing the source port
when it performs the outbound NAT. But this is normal
for a firewall. In fact, it HAS to do this if it’s
going to allow for multiple connects of the same
protocol from different machines. Many consumer-grade
firewalls will leave the source port alone for the
first connection (if it’s not already in use) and only
change it for subsequent connections. SonicWall is a
bit more strict, frequently changing the source port,
making it harder for intercepted packets to be tracked
to any one machine.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Normally,
this doesn’t matter. Applications/services listen on
a particular port and respond to whatever incoming
connections use that *<b>destination</b>* port. They
don’t care what the source port is. Firewalls then
use different source ports to track multiple
conversations so that when the packets return, all
addressed to the same external NAT address, it can
direct them to the proper place by the port number.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">But when
JNOS receives an AXUDP packet, apparently it doesn’t
behave like a normal UDP application. JNOS apparently
rejects the connection if the *<b>source</b>* port is
not 93, even if the destination port is correctly set
to 93. This is unusual, to say the least. But even
worse, it issues an ICMP “udp port 93 unreachable”
message which is completely wrong, since port 93 is
definitely reachable.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">It seems
the following is needed: Remove the source port
restriction for AXUDP. JNOS should not care what the
source port is. And, just like any other UDP app,
when responding it should use whatever source port was
specified as the destination port when it constructs
the return packet.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Michael<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">N6MEF<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
<br>
<br>
<o:p></o:p></span></p>
<pre style="margin-left:.5in">_______________________________________________<o:p></o:p></pre>
<pre style="margin-left:.5in">nos-bbs mailing list<o:p></o:p></pre>
<pre style="margin-left:.5in"><a moz-do-not-send="true" href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a><o:p></o:p></pre>
<pre style="margin-left:.5in"><a moz-do-not-send="true" href="http://www.tapr.org/mailman/listinfo/nos-bbs">http://www.tapr.org/mailman/listinfo/nos-bbs</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</blockquote>
<br>
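<p>The port-translation argument running through the thread, as an added example that is not part of the original messages and not JNOS code: a toy port-rewriting NAT in front of two inner hosts that both send AXUDP from UDP port 93 to the same remote peer, and two versions of the remote responder, one that replies to whatever source port the datagram arrived from (normal UDP behaviour) and one that insists the source port also be 93. The addresses (10.0.0.x inner hosts, 203.0.113.1 as the NAT's public address, 198.51.100.7 as the remote peer), the ephemeral port range and the "SABM" payloads are constructed assumptions; a rejected datagram is modelled as no reply rather than by generating the ICMP port unreachable message the thread describes.</p>

```python
"""
Added example (not JNOS code): a toy port-rewriting NAT plus two UDP
responders.  All addresses, ports and payloads below are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

AXUDP_PORT = 93                 # UDP port used for AXUDP in the thread
EXTERNAL_IP = "203.0.113.1"     # assumed NAT public address (TEST-NET-3)
REMOTE_IP = "198.51.100.7"      # assumed remote JNOS peer (TEST-NET-2)


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class PortNat:
    """Minimal NAPT.  Every outbound (inner ip, inner port, dst ip, dst port)
    gets an external source port; replies are matched on
    (external port, remote ip, remote port).
    strict=True models the "always rewrite" policy described for SonicWall;
    strict=False models boxes that keep the inner source port when it is
    still free and only rewrite on a collision."""

    def __init__(self, strict: bool, first_ephemeral: int = 40000) -> None:
        self.strict = strict
        self.next_port = first_ephemeral
        self.out: Dict[Tuple[str, int, str, int], int] = {}
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, d: Datagram) -> Datagram:
        key = (d.src_ip, d.src_port, d.dst_ip, d.dst_port)
        ext_port = self.out.get(key)
        if ext_port is None:
            reverse = (d.src_port, d.dst_ip, d.dst_port)
            if not self.strict and reverse not in self.back:
                ext_port = d.src_port        # first connection: port kept as-is
            else:
                ext_port = self.next_port    # collision or strict policy: rewrite
                self.next_port += 1
            self.out[key] = ext_port
            self.back[(ext_port, d.dst_ip, d.dst_port)] = (d.src_ip, d.src_port)
        return replace(d, src_ip=EXTERNAL_IP, src_port=ext_port)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        inner = self.back.get((d.dst_port, d.src_ip, d.src_port))
        if inner is None:
            return None                      # no state: dropped at the firewall
        return replace(d, dst_ip=inner[0], dst_port=inner[1])


def udp_responder(d: Datagram, require_src_93: bool) -> Optional[Datagram]:
    """Remote AXUDP peer.  Returns the reply datagram, or None where the
    peer would instead answer with ICMP port unreachable."""
    if d.dst_port != AXUDP_PORT:
        return None
    if require_src_93 and d.src_port != AXUDP_PORT:
        return None                          # the restriction the thread complains about
    # Normal UDP service: swap the addresses and ports of the received datagram.
    return Datagram(d.dst_ip, d.dst_port, d.src_ip, d.src_port, b"UA " + d.payload)


def run_two_hosts(strict_nat: bool, require_src_93: bool) -> Dict[str, bool]:
    """Two inner hosts both send from port 93 to the remote peer's port 93.
    Returns, per inner host, whether a reply made it back through the NAT."""
    nat = PortNat(strict=strict_nat)
    hosts = {"10.0.0.10": b"SABM from host A", "10.0.0.11": b"SABM from host B"}
    got_reply: Dict[str, bool] = {}
    for ip, payload in hosts.items():
        out = nat.outbound(Datagram(ip, AXUDP_PORT, REMOTE_IP, AXUDP_PORT, payload))
        reply = udp_responder(out, require_src_93)
        back = nat.inbound(reply) if reply is not None else None
        got_reply[ip] = back is not None and back.dst_ip == ip
    return got_reply


if __name__ == "__main__":
    for strict in (False, True):
        for require in (True, False):
            print(f"strict_nat={strict} require_src_93={require}:",
                  run_two_hosts(strict, require))
```

<p>With the lenient NAT and the source-port check in place, only the first inner host gets a reply: its source port 93 survives translation, the second host collides on (93, remote ip, 93) and is rewritten to an ephemeral port, which the responder then refuses. With the strict NAT both hosts are rewritten and neither gets through. Dropping the check makes both cases work because the reply is simply addressed back to the translated port, which is all the NAT needs to route it.</p>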
</body>
</html>