yeahh@gmx.ch
2003-Sep-22 18:34 UTC
Problems when outgoing source port is altered by router
Hi folks,

Well, tinc is a really nice tool and we have implemented it on 3 Linux servers and 2 mobile clients (XP notebooks) so far.

One of the 3 tinc servers is making trouble when a connection is initiated from this server over a ZyXEL 642 ADSL router out to the other 2 servers on the internet. The log files of the other 2 servers show:

> tinc[1398]: Received UDP packet from unknown source [ip-addr] port [random port number, but not 655]

When we monitor the UDP ports of the connections that work, all servers always use source and destination port 655, but this particular server behind the ZyXEL router sends out from port 655 and the ZyXEL thingy changes the source port to some random port, e.g. 513. Thus the other tinc servers can't recognize the incoming request properly because the source port is not 655 as expected. That's pretty annoying.

If one of the two other servers initiates the connection, then the source and destination port are 655 as expected, and the connection to this server behind the ZyXEL works smoothly (port forwarding 655).

The same problem appears using the two XP notebooks. The connection to all 3 tinc servers usually works fine using a direct internet connection or behind most routers, but if you sit with your notebook behind a router that changes the outgoing port of your requests, the UDP connection to the tinc server will fail, again with the message "..unknown source.." in the target server log.

Changing to IndirectData / TCPOnly is not an option for us, because voice over IP traffic without UDP is a nightmare :(

Any thoughts?

Thanks! ;)

flx

Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
Guus Sliepen
2003-Sep-22 22:34 UTC
Problems when outgoing source port is altered by router
On Mon, Sep 22, 2003 at 06:34:43PM +0200, yeahh@gmx.ch wrote:

> One of the 3 tinc servers is making trouble when a connection is initiated
> from this server over a ZyXEL 642 ADSL router out to the other 2 servers on the
> internet. The log files of the other 2 servers show:
>
> > tinc[1398]: Received UDP packet from unknown source [ip-addr] port
> > [random port number, but not 655]

[...]

> Changing to IndirectData / TCPOnly is not an option for us, because voice
> over IP traffic without UDP is a nightmare :(
>
> Any thoughts?

Use another ADSL router :). But if you don't want to do that, you could run "ping -q -i 60 <VPN IP address of server behind zyxel>" on the two other servers, to make sure the one behind the zyxel is always contacted first and the UDP flow the zyxel tracks never times out. As long as the XP clients always contact that server first instead of the other way around, all will be fine.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus@sliepen.eu.org>
Brian Costello
2003-Sep-22 23:32 UTC
Problems when outgoing source port is altered by router
You can use the TCPOnly setting. There is no source port requirement for TCP/IP. I had to do this until I was able to figure out how to specify the source port for my NAT mappings on my firewall. That should definitely work for you, as it's worked for me in switch & router mode with a variety of firewalls & NAT boxes.

bc

-----Original Message-----
From: yeahh@gmx.ch [mailto:yeahh@gmx.ch]
Sent: Monday, September 22, 2003 2:23 PM
To: Guus Sliepen
Cc: tinc@nl.linux.org
Subject: Re: Problems when outgoing source port is altered by router

Thanks Guus for your fast reply!

> Use another ADSL router :). But if you don't want to do that, you
> could run "ping -q -i 60 <VPN IP address of server behind zyxel>" on
> the two

Yes, I know this router is crap. I would replace it if I could, but I cannot replace every router I don't like in this world :)

Your ping solution is okay regarding the mentioned server problems, although the XP clients will travel around and connect from various networks, e.g. customer sites, wireless access points and so on. For example, today I was at a customer, and there was the same story: the customer's private network, an (unknown) router to the internet, and again the source port was altered while travelling to our tinc server (one of the 2 servers that work fine). If every second router prevents tinc from connecting home, then this will unfortunately render the application useless for us :(

Is this source port check in tinc really necessary? Is there no other way around this?

Greez, flx ;)
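Editor's added example, not part of the thread and not tinc's own code: a small Python model of what the posts above describe. The NAPT router rewrites the UDP source port of flows the inside host opens (the failing case in the first post), keeps port 655 for flows that arrive through the static forward, and times idle mappings out, which is why Guus's periodic contact from the outside keeps the NATed server reachable. It goes one step beyond the thread to answer flx's closing question: a receiver that identifies the peer by an HMAC over the payload, and only then records the endpoint it arrived from, does not need a source port check at all. The addresses, the 180 s idle timeout, the key, the tag-prefix framing and the class and function names are all constructed for this example.

```python
"""Model of the NAT problem discussed in this thread (constructed example, not tinc code).
A receiver that knows peers by (ip, port) drops packets once a NAPT router rewrites the
source port; contact from the outside keeps the mapping alive, and authenticating the
payload removes the dependence on the port altogether."""
import hashlib
import hmac
import random

TINC_PORT = 655
INSIDE, ZYXEL, SERVER = "10.0.0.2", "203.0.113.7", "198.51.100.5"  # constructed addresses
KEY = b"constructed example key"  # a real VPN derives this from its key exchange


class Nat:
    """NAPT router with one inside host and a static forward of port 655. Outbound flows
    without a live mapping get a new external port (random when rewrite_ports is set, as
    the Zyxel in the thread does); mappings expire after idle_timeout seconds."""
    def __init__(self, idle_timeout, rewrite_ports, seed=1):
        self.idle_timeout, self.rewrite = idle_timeout, rewrite_ports
        self.rng = random.Random(seed)
        self.out = {}   # (inside_port, remote) -> [ext_port, last_seen]
        self.back = {}  # (ext_port, remote) -> inside_port

    def _touch(self, inside_port, ext_port, remote, now):
        self.out[(inside_port, remote)] = [ext_port, now]
        self.back[(ext_port, remote)] = inside_port

    def outbound(self, now, inside_port, remote):
        """Inside host -> remote (ip, port); returns the source (ip, port) the remote sees."""
        m = self.out.get((inside_port, remote))
        if m is None or now - m[1] > self.idle_timeout:
            ext = self.rng.randrange(1024, 65535) if self.rewrite else inside_port
        else:
            ext = m[0]
        self._touch(inside_port, ext, remote, now)
        return (ZYXEL, ext)

    def inbound(self, now, ext_port, remote):
        """remote -> our external port; returns the inside (ip, port), or None if dropped."""
        inside_port = self.back.get((ext_port, remote))
        if inside_port is not None and now - self.out[(inside_port, remote)][1] <= self.idle_timeout:
            self._touch(inside_port, ext_port, remote, now)
            return (INSIDE, inside_port)
        if ext_port == TINC_PORT:  # static port forward; the reply will leave from port 655
            self._touch(TINC_PORT, TINC_PORT, remote, now)
            return (INSIDE, TINC_PORT)
        return None


class EndpointPeer:
    """Knows peers only by their configured (ip, port), like the log line in the thread."""
    def __init__(self, known):
        self.known, self.log = dict(known), []

    def receive(self, src, payload):
        name = self.known.get(src)
        if name is None:
            self.log.append(f"Received UDP packet from unknown source {src[0]} port {src[1]}")
        return name


class AuthenticatedPeer:
    """Identifies the peer by an HMAC over the payload, then records where it came from."""
    def __init__(self, keys):
        self.keys, self.endpoints = dict(keys), {}

    def receive(self, src, packet):
        tag, body = packet[:32], packet[32:]
        for name, key in self.keys.items():
            if hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
                self.endpoints[name] = src  # roaming peer: remember its current endpoint
                return name
        return None


def seal(key, body):
    return hmac.new(key, body, hashlib.sha256).digest() + body  # toy framing: tag || body


def inside_initiates(rewrite_ports):
    """The NATed server sends first, the failing case in the first post."""
    nat, server = Nat(180, rewrite_ports), EndpointPeer({(ZYXEL, TINC_PORT): "zyxel_server"})
    return server.receive(nat.outbound(0, TINC_PORT, (SERVER, TINC_PORT)), b"hello"), server.log


def outside_initiates(keepalive_interval, gap):
    """Outside server contacts the NATed one every keepalive_interval s for ten minutes
    (Guus's ping -i 60); the NATed one replies `gap` seconds after the last contact."""
    nat, server = Nat(180, True), EndpointPeer({(ZYXEL, TINC_PORT): "zyxel_server"})
    for last in range(0, 600, keepalive_interval):
        nat.inbound(last, TINC_PORT, (SERVER, TINC_PORT))
    return server.receive(nat.outbound(last + gap, TINC_PORT, (SERVER, TINC_PORT)), b"reply")


def authenticated_roaming():
    """Same rewriting NAT, but the receiver checks the MAC instead of the source port."""
    nat, server = Nat(180, True), AuthenticatedPeer({"zyxel_server": KEY})
    names = [server.receive(nat.outbound(t, TINC_PORT, (SERVER, TINC_PORT)), seal(KEY, b"hello"))
             for t in (0, 1000)]  # two flows, a fresh random external port each
    forged = server.receive((ZYXEL, 5000), seal(b"wrong key", b"hello"))
    return names, forged, server.endpoints["zyxel_server"][1]
```

inside_initiates(True) reproduces the "unknown source" log line, inside_initiates(False) shows the same setup working behind a router that preserves the port, outside_initiates(60, 30) shows the keepalive holding the mapping open so the reply leaves from port 655, and outside_initiates(600, 600) shows the mapping expiring without it. authenticated_roaming() accepts the peer from two different rewritten ports and rejects a packet under the wrong key regardless of where it came from; the source tuple is never treated as identity, which is also why it is not worth spoofing.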