<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">It doesn't matter whether it is 44 addresses,
      but encapsulation, or better a VPN, is a way out of the problems you
      have.<br>
      I have dealt with the firewalls you have and much worse and could always
      find a solution for an AXIP<br>
      or AXUDP.<br>
      Then there is OpenVPN, which can especially deal with changing
      source ports if you use it in the client - server <br>
      configuration.<br>
      <br>
      B<br>
      <br>
      On 13-11-17 11:05 AM, Michael E. Fox - N6MEF wrote:<br>
    </div>
    <blockquote cite="mid:006b01cee3ae$d7702a30$86507e90$@mefox.org"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <meta name="Generator" content="Microsoft Word 14 (filtered
        medium)">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="color:#1F497D">As I already
            mentioned:  the other end is not running AMPRnet so this is
            straight NAT to the Internet, no encap.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D">M<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal" style="margin-left:.5in"><b><span
style="font-size:10.0pt;font-family:Tahoma,sans-serif;color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:Tahoma,sans-serif;color:windowtext">
                <a class="moz-txt-link-abbreviated" href="mailto:nos-bbs-bounces@tapr.org">nos-bbs-bounces@tapr.org</a>
                [<a class="moz-txt-link-freetext" href="mailto:nos-bbs-bounces@tapr.org">mailto:nos-bbs-bounces@tapr.org</a>] <b>On Behalf Of </b>Bob
                Tenty<br>
                <b>Sent:</b> Saturday, November 16, 2013 10:33 PM<br>
                <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a><br>
                <b>Subject:</b> Re: [nos-bbs] UDP Port Unreachable -
                problem found<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
        <div>
          <p class="MsoNormal" style="margin-left:.5in">Yes, but I mean
            it in the context that you encapsulate the relevant 44
            addresses at both sides<br>
            (in the local LAN addresses).<br>
            <br>
            <br>
            Bob VE3TOK<br>
            <br>
            On 13-11-17 12:08 AM, Michael E Fox - N6MEF wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <div>
            <p class="MsoNormal" style="margin-left:.5in">We are.  But
              the addresses don't matter since both ends are behind a
              firewall.  The addresses could be anything and the problem
              would be the same.<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal" style="margin-left:.5in">Michael<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal" style="margin-left:.5in">N6MEF<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
          </div>
          <div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in"><span
                  style="font-size:7.0pt;color:#575757">Sent from my
                  Verizon Wireless 4G LTE smartphone<o:p></o:p></span></p>
            </div>
          </div>
          <p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in"><br>
            <br>
            -------- Original message --------<br>
            From: Bob Tenty <br>
            Date:11/16/2013 8:44 PM (GMT-08:00) <br>
            To: <a moz-do-not-send="true"
              href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a> <br>
            Subject: Re: [nos-bbs] UDP Port Unreachable - problem found
            <span style="font-size:12.0pt"><o:p></o:p></span></p>
          <div>
            <p class="MsoNormal" style="margin-left:.5in">I don't
              believe you mentioned two JNOS systems behind the
              same firewall, but maybe I missed it.<br>
              <br>
              Why are you not using 44 addresses in your AXUDP link
              at both sides?<br>
              <br>
              Bob<br>
              <br>
              <br>
              On 13-11-16 09:20 PM, Michael E Fox - N6MEF wrote:<o:p></o:p></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <p class="MsoNormal" style="margin-left:.5in">No Bob, I'm
                talking about two JNOS systems behind the same firewall.
                  The firewall has to change the source port of at least
                the second one on the way out.  Otherwise, the
                destination IP and destination port are all the same on
                the way back in.  I believe I've already mentioned this
                a couple of times.  This is basic firewall connection
                muxing.<o:p></o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in">Sonicwall
                happens to change the source port all the time, instead
                of after the first connection.  And it works just fine
                for everything but JNOS.  If JNOS behaved like a normal
                UDP app, it would work fine, too.<o:p></o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in">The point is
                that there is simply no reason to require a specific
                source port.  It's just not the way the UDP world works.
                 And doing so renders the system unworkable when placed
                behind 10s of 1000s of commercial firewalls.<o:p></o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in">The whole
                point of axudp is so it can be used in situations where
                axip can't be used.  But with this bizarre restriction,
                it's defeating that purpose.<o:p></o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in">M<o:p></o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
            </div>
            <div>
              <div>
                <p class="MsoNormal" style="margin-left:.5in"><span
                    style="font-size:7.0pt;color:#575757">Sent from my
                    Verizon Wireless 4G LTE smartphone<o:p></o:p></span></p>
              </div>
            </div>
            <p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in"><br>
              <br>
              -------- Original message --------<br>
              From: Bob Tenty <br>
              Date:11/16/2013 3:38 PM (GMT-08:00) <br>
              To: TAPR xNOS Mailing List <br>
              Subject: Re: [nos-bbs] UDP Port Unreachable - problem
              found <span style="font-size:12.0pt"><o:p></o:p></span></p>
            <div>
              <p class="MsoNormal" style="margin-left:.5in">Michael,<br>
                <br>
                You are making a thinking error here.<br>
                <br>
                If I make a link to another JNOS system, the destination
                IP number is different.<br>
                Also, the return route from that second JNOS system uses
                a different IP number than the first JNOS system, so there is
                no problem at all.<br>
                Even with the same port.  It is the combination of IP
                number + port.<br>
                <br>
                Those consumer router/firewall boxes are cheaply
                designed and targeted at the average Joe customer's
                needs.<br>
                Install dd-wrt on it, if it is available for it, and you will be
                much happier.<br>
                <br>
                <br>
                73,<br>
                <br>
                Bob VE3TOK<br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                On 13-11-16 12:35 PM, Michael E. Fox - N6MEF wrote:<o:p></o:p></p>
            </div>
            <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
              <p class="MsoNormal" style="margin-left:.5in"><span
                  style="color:#1F497D">Yes, Linux leaves the source
                  port alone on the first connection.  But that only
                  works for the first JNOS system.  Even a firewall that
                  initially leaves the source port alone will need to
                  change the source port if a second JNOS system exists
                  so it can track connections to two different machines.</span><o:p></o:p></p>
              <p class="MsoNormal" style="margin-left:.5in"><span
                  style="color:#1F497D"> </span><o:p></o:p></p>
              <p class="MsoNormal" style="margin-left:.5in"><span
                  style="color:#1F497D">M</span><o:p></o:p></p>
              <p class="MsoNormal" style="margin-left:.5in"><span
                  style="color:#1F497D"> </span><o:p></o:p></p>
              <div>
                <div style="border:none;border-top:solid #B5C4DF
                  1.0pt;padding:3.0pt 0in 0in 0in">
                  <p class="MsoNormal" style="margin-left:1.0in"><b><span
style="font-size:10.0pt;font-family:Tahoma,sans-serif;color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:Tahoma,sans-serif;color:windowtext">
                      <a moz-do-not-send="true"
                        href="mailto:nos-bbs-bounces@tapr.org">nos-bbs-bounces@tapr.org</a>
                      [<a moz-do-not-send="true"
                        href="mailto:nos-bbs-bounces@tapr.org">mailto:nos-bbs-bounces@tapr.org</a>]
                      <b>On Behalf Of </b>Bob Tenty<br>
                      <b>Sent:</b> Friday, November 15, 2013 11:37 PM<br>
                      <b>To:</b> TAPR xNOS Mailing List<br>
                      <b>Subject:</b> Re: [nos-bbs] UDP Port Unreachable
                      - problem found</span><o:p></o:p></p>
                </div>
              </div>
              <p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
              <div>
                <p class="MsoNormal" style="margin-left:1.0in">Yes, I
                  have seen that with those boxes.  That is why I always
                  replace the firmware with Linux when possible.<br>
                  <br>
                  Bob<br>
                  <br>
                  <br>
                  On 13-11-16 01:33 AM, Michael E. Fox - N6MEF wrote:<o:p></o:p></p>
              </div>
              <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                <p class="MsoNormal" style="margin-left:1.0in">I found
                  the problem with the UDP port 93 unreachable message: 
                  JNOS is (incorrectly) requiring the source port to
                  also be 93 in AXUDP connections.<o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in">When I
                  connect outbound from my JNOS system, through my
                  firewall, the firewall is changing the source port
                  when it performs the outbound NAT.  But this is normal
                  for a firewall.  In fact, it HAS to do this if it’s
                  going to allow for multiple connects of the same
                  protocol from different machines.  Many consumer-grade
                  firewalls will leave the source port alone for the
                  first connection (if it’s not already in use) and only
                  change it for subsequent connections.  SonicWall is a
                  bit more strict, frequently changing the source port,
                  making it harder for intercepted packets to be tracked
                  to any one machine.<o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in">Normally,
                  this doesn’t matter.  Applications/services listen on
                  a particular port and respond to whatever incoming
                  connections use that *<b>destination</b>* port.  They
                  don’t care what the source port is.  Firewalls then
                  use different source ports to track multiple
                  conversations so that when the packets return, all
                  addressed to the same external NAT address, it can
                  direct them to the proper place by the port number.<o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in">But when
                  JNOS receives an AXUDP packet, apparently it doesn’t
                  behave like a normal UDP application.  JNOS apparently
                  rejects the connection if the *<b>source</b>* port is
                  not 93, even if the destination port is correctly set
                  to 93.  This is unusual, to say the least.  But even
                  worse, it issues an ICMP “udp port 93 unreachable”
                  message which is completely wrong, since port 93 is
                  definitely reachable.<o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in">It seems
                  the following is needed:  Remove the source port
                  restriction for AXUDP.  JNOS should not care what the
                  source port is.  And, just like any other UDP app,
                  when responding it should use whatever source port was
                  specified as the destination port when it constructs
                  the return packet.<o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in">Michael<o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in">N6MEF<o:p></o:p></p>
                <p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
                <pre style="margin-left:1.0in">_______________________________________________<o:p></o:p></pre>
                <pre style="margin-left:1.0in">nos-bbs mailing list<o:p></o:p></pre>
                <pre style="margin-left:1.0in"><a moz-do-not-send="true" href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a><o:p></o:p></pre>
                <pre style="margin-left:1.0in"><a moz-do-not-send="true" href="http://www.tapr.org/mailman/listinfo/nos-bbs">http://www.tapr.org/mailman/listinfo/nos-bbs</a><o:p></o:p></pre>
              </blockquote>
            </blockquote>
          </blockquote>
        </blockquote>
      </div>
    </blockquote>
    <br>
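<p>Added example, not code from the thread or from JNOS: a small Python model of the connection muxing Michael describes in the quoted messages above. A port-overloading NAT must remap the source port of the second inside host that also sends from port 93, and the two responders show why only a service that answers to whatever source port arrived keeps working behind it. Host addresses and the 40000 ephemeral port range are constructed values.</p>

```python
# Model of the NAT source-port problem from the thread (added example, not JNOS code).
# Addresses and the NAT's ephemeral port range are constructed sample values.
from dataclasses import dataclass

AXUDP_PORT = 93  # UDP port AXUDP listens on, as in the thread

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Minimal port-overloading NAT standing in for the firewall: keeps the inside
    source port while the external tuple is free, else allocates an ephemeral one."""

    def __init__(self, public_ip, first_ephemeral=40000):
        self.public_ip = public_ip
        self.next_port = first_ephemeral
        self.table = {}  # (ext src port, remote ip, remote port) -> (inside ip, port)

    def outbound(self, pkt):
        inside = (pkt.src_ip, pkt.src_port)
        ext_port = pkt.src_port
        key = (ext_port, pkt.dst_ip, pkt.dst_port)
        if self.table.get(key, inside) != inside:  # tuple already used by another host
            ext_port, self.next_port = self.next_port, self.next_port + 1
            key = (ext_port, pkt.dst_ip, pkt.dst_port)
        self.table[key] = inside
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        inside = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # no matching state: the firewall drops it
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def normal_udp_reply(pkt):
    """Ordinary UDP service: answer to whatever source port the packet came from."""
    if pkt.dst_port != AXUDP_PORT:
        return None
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def strict_source_port_reply(pkt):
    """The behaviour Michael describes: refuse unless the source port is also 93."""
    if pkt.dst_port != AXUDP_PORT or pkt.src_port != AXUDP_PORT:
        return None
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def run_scenario(reply_fn):
    """Two JNOS hosts behind one NAT talk AXUDP to one peer; list who got a reply back."""
    nat = Nat("203.0.113.10")  # constructed sample addresses
    peer = "198.51.100.5"
    delivered = []
    for host in ("192.168.1.10", "192.168.1.11"):
        reply = reply_fn(nat.outbound(Packet(host, AXUDP_PORT, peer, AXUDP_PORT)))
        back = nat.inbound(reply) if reply else None
        if back:
            delivered.append(back.dst_ip)
    return delivered
```

<p>With the strict responder only the first host ever gets an answer; the second host's packets leave the NAT with source port 40000 and are refused, which is the failure the thread reports.</p>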
  </body>
</html>