<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Yes, but I mean it in the context that
you encapsulate the relevant 44 addresses at both sides<br>
(in the local LAN addresses).<br>
<br>
<br>
Bob VE3TOK<br>
<br>
On 13-11-17 12:08 AM, Michael E Fox - N6MEF wrote:<br>
</div>
<blockquote
cite="mid:jb8eecikpfc6k6fsf64hoix6.1384664901886@email.android.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div>We are. But the addresses don't matter since both ends are
behind a firewall. The addresses could be anything and the
problem would be the same.</div>
<div><br>
</div>
<div>Michael</div>
<div>N6MEF</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div style="font-size:9px;color:#575757">Sent from my Verizon
Wireless 4G LTE smartphone</div>
</div>
<br>
<br>
-------- Original message --------<br>
From: Bob Tenty <bobtenty@gmail.com> <br>
Date:11/16/2013 8:44 PM (GMT-08:00) <br>
To: <a class="moz-txt-link-abbreviated" href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a> <br>
Subject: Re: [nos-bbs] UDP Port Unreachable - problem found <br>
<br>
<div class="moz-cite-prefix">I don't believe you mentioned
two JNOS systems behind the same firewall, but maybe I missed
it.<br>
<br>
Why are you not using 44 addresses in your axudp link at
both sides?<br>
<br>
Bob<br>
<br>
<br>
On 13-11-16 09:20 PM, Michael E Fox - N6MEF wrote:<br>
</div>
<blockquote
cite="mid:smwd0v826eqnmun4cut6ni60.1384653334317@email.android.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<div>No Bob, I'm talking about two JNOS systems behind the
same firewall. The firewall has to change the source port
of at least the second one on the way out. Otherwise, the
destination IP and destination port are all the same on the
way back in. I believe I've already mentioned this a couple
of times. This is basic firewall connection muxing.</div>
<div><br>
</div>
<div>Sonicwall happens to change the source port all the time,
instead of after the first connection. And it works just
fine for everything but JNOS. If JNOS behaved like a normal
UDP app, it would work fine, too.</div>
<div><br>
</div>
<div>The point is that there is simply no reason to require a
specific source port. It's just not the way the UDP world
works. And doing so renders the system unworkable when
placed behind 10s of 1000s of commercial firewalls.</div>
<div><br>
</div>
<div>The whole point of axudp is so it can be used in
situations where axip can't be used. But with this bizarre
restriction, it's defeating that purpose.</div>
<div><br>
</div>
<div>M</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div style="font-size:9px;color:#575757">Sent from my
Verizon Wireless 4G LTE smartphone</div>
</div>
<br>
<br>
-------- Original message --------<br>
From: Bob Tenty <bobtenty@gmail.com> <br>
Date:11/16/2013 3:38 PM (GMT-08:00) <br>
To: TAPR xNOS Mailing List <nos-bbs@tapr.org> <br>
Subject: Re: [nos-bbs] UDP Port Unreachable - problem
found <br>
<br>
<div class="moz-cite-prefix">Michael,<br>
<br>
You are making a thinking error here.<br>
<br>
If I make a link to another JNOS system, the destination
IP number is different.<br>
Also, the return route from that second JNOS system uses
a different IP number than the first JNOS system, so there is
no problem at all, even with the same port.<br>
It is the combination of IP number + port.<br>
<br>
Those consumer router/firewall boxes are cheaply
designed and targeted at the average Joe customer's
needs.<br>
Install dd-wrt on it if available and you will be
much happier.<br>
<br>
<br>
73,<br>
<br>
Bob VE3TOK<br>
<br>
<br>
<br>
<br>
<br>
<br>
On 13-11-16 12:35 PM, Michael E. Fox - N6MEF wrote:<br>
</div>
<blockquote
cite="mid:009701cee2f2$4ca88a80$e5f99f80$@mefox.org"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<meta name="Generator" content="Microsoft Word 14
(filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas","serif";
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Yes,
Linux leaves the source port alone on the first
connection. But that only works for the first
JNOS system. Even a firewall that initially leaves
the source port alone will need to change the
source port if a second JNOS system exists so it
can track connections to two different machines.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">M<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:nos-bbs-bounces@tapr.org">nos-bbs-bounces@tapr.org</a>
[<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="mailto:nos-bbs-bounces@tapr.org">mailto:nos-bbs-bounces@tapr.org</a>]
<b>On Behalf Of </b>Bob Tenty<br>
<b>Sent:</b> Friday, November 15, 2013 11:37
PM<br>
<b>To:</b> TAPR xNOS Mailing List<br>
<b>Subject:</b> Re: [nos-bbs] UDP Port
Unreachable - problem found<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">Yes, I
have seen that with those boxes. That is why I
always replace the firmware with Linux when
possible.<br>
<br>
Bob<br>
<br>
<br>
On 13-11-16 01:33 AM, Michael E. Fox - N6MEF
wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-left:.5in">I
found the problem with the UDP port 93 unreachable
message: JNOS is (incorrectly) requiring the
source port to also be 93 in AXUDP connections.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">When I
connect outbound from my JNOS system, through my
firewall, the firewall is changing the source port
when it performs the outbound NAT. But this is
normal for a firewall. In fact, it HAS to do this
if it’s going to allow for multiple connects of
the same protocol from different machines. Many
consumer-grade firewalls will leave the source
port alone for the first connection (if it’s not
already in use) and only change it for subsequent
connections. SonicWall is a bit more strict,
frequently changing the source port, making it
harder for intercepted packets to be tracked to
any one machine.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Normally,
this doesn’t matter. Applications/services listen
on a particular port and respond to whatever
incoming connections use that *<b>destination</b>*
port. They don’t care what the source port is.
Firewalls then use different source ports to track
multiple conversations so that when the packets
return, all addressed to the same external NAT
address, they can direct them to the proper place by
the port number.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">But
when JNOS receives an AXUDP packet, apparently it
doesn’t behave like a normal UDP application.
JNOS apparently rejects the connection if the *<b>source</b>*
port is not 93, even if the destination port is
correctly set to 93. This is unusual, to say the
least. But even worse, it issues an ICMP “udp
port 93 unreachable” message which is completely
wrong, since port 93 is definitely reachable.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">It
seems the following is needed: Remove the source
port restriction for AXUDP. JNOS should not care
what the source port is. And, just like any other
UDP app, when responding it should use whatever
source port was specified as the destination port
when it constructs the return packet.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Michael<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">N6MEF<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:12.0pt;font-family:"Times
New Roman","serif""><br>
<br>
<br>
<o:p></o:p></span></p>
<pre style="margin-left:.5in">_______________________________________________<o:p></o:p></pre>
<pre style="margin-left:.5in">nos-bbs mailing list<o:p></o:p></pre>
<pre style="margin-left:.5in"><a moz-do-not-send="true" href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a><o:p></o:p></pre>
<pre style="margin-left:.5in"><a moz-do-not-send="true" href="http://www.tapr.org/mailman/listinfo/nos-bbs">http://www.tapr.org/mailman/listinfo/nos-bbs</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:12.0pt;font-family:"Times
New Roman","serif""><o:p> </o:p></span></p>
</div>
<br>
</blockquote>
<br>
</nos-bbs@tapr.org></bobtenty@gmail.com></blockquote>
<br>
</bobtenty@gmail.com></blockquote>
<br>
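<p>As an added illustration (model code written for this archive page, not JNOS's or any firewall vendor's source), the following Python models the situation Michael describes in his 16 Nov message: two JNOS hosts on one LAN both sending AXUDP from UDP port 93 to the same peer, a NAT that preserves the first source port (consumer-box style) or rewrites every one (the SonicWall behaviour he mentions), and the two receiver rules, "source port must also be 93" versus "only the destination port matters". All addresses and the 40000 port range are constructed values.</p>

```python
from dataclasses import dataclass, field

AXUDP_PORT = 93  # UDP port used for AXUDP in the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    """Simplified source NAT; always_remap=True models the SonicWall behaviour."""
    ext_ip: str
    always_remap: bool = False
    next_port: int = 40000                          # constructed remap range
    table: dict = field(default_factory=dict)       # flow -> external port

    def outbound(self, pkt: Packet) -> Packet:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.table:
            # A second host reusing 93 must get a different external port,
            # otherwise the returning 5-tuples would be identical.
            if self.always_remap or pkt.src_port in self.table.values():
                ext_port, self.next_port = self.next_port, self.next_port + 1
            else:
                ext_port = pkt.src_port             # first host keeps 93
            self.table[flow] = ext_port
        return Packet(self.ext_ip, self.table[flow], pkt.dst_ip, pkt.dst_port)


def jnos_like_accept(pkt: Packet) -> bool:
    """Behaviour reported in the thread: the *source* port must also be 93."""
    return pkt.dst_port == AXUDP_PORT and pkt.src_port == AXUDP_PORT


def normal_udp_accept(pkt: Packet) -> bool:
    return pkt.dst_port == AXUDP_PORT  # a normal UDP service checks only this


def reply_to(pkt: Packet, my_ip: str) -> Packet:
    """Answer to whatever source ip:port the request carried."""
    return Packet(my_ip, AXUDP_PORT, pkt.src_ip, pkt.src_port)


def simulate(always_remap: bool = False) -> list:
    """Two LAN hosts both send from port 93 to the same remote peer; returns
    (external src port, jnos-like accept, normal accept, reply dst port)."""
    nat, peer = Nat("198.51.100.1", always_remap), "203.0.113.7"  # constructed
    results = []
    for host in ("192.168.1.10", "192.168.1.11"):              # constructed LAN
        pkt = nat.outbound(Packet(host, AXUDP_PORT, peer, AXUDP_PORT))
        results.append((pkt.src_port, jnos_like_accept(pkt),
                        normal_udp_accept(pkt), reply_to(pkt, peer).dst_port))
    return results
```

With the port-preserving NAT only the first host passes the source-port rule; with an always-remapping NAT neither does, while the destination-port-only rule accepts both and replies land on the port the NAT actually used.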
</body>
</html>