nl0pat
just joined
Topic Author
Posts: 8
Joined: Mon Aug 28, 2006 8:52 pm

msn audio not working behind NON-NATting setup

Tue Aug 21, 2007 1:50 am

I have my rb532 running v2.9.43 in a pretty straightforward firewall setup.
My isp gives me 'unlimited' public ip's, so I run my home network on public ip space 8) .
Now what I do is basically mark every packet going through the bridge and accept all incoming marked packets with my marking on it, also every established and related packet. Everything else goes straight to the binary waste bin. (is dropped)
This works flawlessly, but you should have guessed that I am having a small issue, why else should I write a posting on this board :)
My issue is that my msn messenger is not able to receive audio/video because I do not recognize that I would like these packets to go through my firewall. Because this setup is not initiated from my pc, but from the other side.
Does anyone have a suggestion ?
(UPNP does not seem to solve this problem, I guess because it is more intended for use behind a NAT router, not a firewall only)
TIA
 
LatinSuD
Member Candidate
Posts: 174
Joined: Wed Jun 29, 2005 1:05 pm
Location: Spain

Re: msn audio not working behind NON-NATting setup

Thu Sep 06, 2007 8:48 pm

Use less restrictive firewall rules? Like only dropping "invalid" packets, but not new incoming.

Maybe you could configure a range/window of incoming ports to be always open? That is, tell msn to use certain ports, and tell MT not to filter those ports.

Maybe MT could implement MSN related connection tracking, but that's another story.
 
nl0pat
just joined
Topic Author
Posts: 8
Joined: Mon Aug 28, 2006 8:52 pm

Re: msn audio not working behind NON-NATting setup

Thu Sep 06, 2007 9:27 pm

> Use less restrictive firewall rules? Like only dropping "invalid" packets, but not new incoming.

I cannot think of a way to distinguish "invalid" packets from valid packets. Unwanted packets like portscanning and such, are always new incoming (SYN packets)

> Maybe you could configure a range/window of incoming ports to be always open? That is, tell msn to use certain ports, and tell MT not to filter those ports.

Perhaps that's an option, but I do not remember seeing that kind of option in today's version of 'live messenger'. But I think I should give that a try. Thanks for the hint.

> Maybe MT could implement MSN related connection tracking, but that's another story.

I don't think they do that, but if they do I would be very pleased with it.
Come on MT team, make my day :roll:
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: msn audio not working behind NON-NATting setup

Sat Sep 08, 2007 12:09 pm

Do you have a compelling reason to use a public address space on your LAN? From a security standpoint this setup is a nightmare. As you've discovered, it's very difficult to secure this while keeping legitimate networking functions working.

My solution would be to bind your public addresses to the outside interface of the MT and do 1:1 NAT to your LAN. Some Messenger functions may require you to run uPNP.

Regards

Andrew
 
nl0pat
just joined
Topic Author
Posts: 8
Joined: Mon Aug 28, 2006 8:52 pm

Re: msn audio not working behind NON-NATting setup

Mon Sep 17, 2007 9:48 am

Those multiple ip's are delivered by means of a dhcp server. How do you suggest to receive multiple dhcp leases on one physical interface ?
Furthermore, do you have any recommendations on the 1:1 NAT setup?
 
sergejs
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: msn audio not working behind NON-NATting setup

Mon Sep 17, 2007 3:48 pm

MSN voice is using H.323, such a helper exists in RouterOS.
It should not be used unless NAT is not used at the network.
MSN should work fine at public addresses space, unless firewalls on ISP or your router are not blocking this traffic.

1:1 NAT configuration example is the following,
http://wiki.mikrotik.com/wiki/How_to_li ... Local_ones
 
nl0pat
just joined
Topic Author
Posts: 8
Joined: Mon Aug 28, 2006 8:52 pm

Re: msn audio not working behind NON-NATting setup

Mon Sep 17, 2007 4:19 pm

Thnx sergejs,
Can you also answer my second question regarding the multiple leases on one physical interface?
(I presume this is not possible, but was wondering if there is some kind of solution for this)
 
sergejs
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: msn audio not working behind NON-NATting setup

Tue Sep 18, 2007 4:04 pm

Why do you need multiple leases on the one physical interface?
What are your configuration scenario goals?
 
nl0pat
just joined
Topic Author
Posts: 8
Joined: Mon Aug 28, 2006 8:52 pm

Re: msn audio not working behind NON-NATting setup

Tue Sep 18, 2007 10:11 pm

Receive multiple leases, to do 1:1 natting with each of the public ip's as suggested.
 
Znuff
Member Candidate
Posts: 139
Joined: Tue Sep 26, 2006 2:42 am

Re: msn audio not working behind NON-NATting setup

Wed Sep 19, 2007 6:15 am

If you plan on using that kind of restrictive firewall then just drop the public ip space, there's no reason for it if you don't accept NEW connections.

My 2 cents.
 
nl0pat
just joined
Topic Author
Posts: 8
Joined: Mon Aug 28, 2006 8:52 pm

Re: msn audio not working behind NON-NATting setup

Wed Sep 19, 2007 6:54 am

> If you plan on using that kind of restrictive firewall then just drop the public ip space, there's no reason for it if you don't accept NEW connections.
>
> My 2 cents.

You see, whenever I have any service to offer to the world outside I can just accept that particular one. I am currently using this setup, you know. Only thing is that I cannot do any special things on msn messenger (WLM) like audio, video, direct file transfers etc.
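
The options raised in this thread (drop only invalid packets, open a fixed port window, or let a protocol helper mark the media flow as related) can be compared in a small model of stateful filtering. This is an added example, not part of any post and not RouterOS code; the addresses, the port window and the policy names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport proto flags")
LAN = ipaddress.ip_network("192.0.2.0/24")   # constructed: routed public LAN
WINDOW = range(30000, 30011)                 # hypothetical media port window

class Firewall:
    def __init__(self, policy):
        self.policy = policy    # "strict", "invalid-only" or "port-window"
        self.flows = set()      # accepted connections, as 5-tuples
        self.expected = set()   # (dst, dport, proto) announced by a helper

    def state(self, p):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.flows or rev in self.flows:
            return "established"
        if p.proto == "tcp" and p.flags != "S":
            return "invalid"    # mid-stream TCP with no tracked connection
        if (p.dst, p.dport, p.proto) in self.expected:
            return "related"    # announced on a tracked signalling channel
        return "new"

    def handle(self, p):
        st = self.state(p)
        outbound = ipaddress.ip_address(p.src) in LAN
        # Strict baseline: LAN-initiated traffic plus established/related.
        ok = outbound or st in ("established", "related")
        if self.policy == "invalid-only":
            ok = st != "invalid"
        elif self.policy == "port-window":
            ok = ok or (st == "new" and p.proto == "udp" and p.dport in WINDOW)
        if ok:
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return st, ok

# Constructed traffic: peer media, a scanner's SYN, a stray ACK.
MEDIA = Pkt("198.51.100.7", 5004, "192.0.2.10", 30002, "udp", "")
SCAN = Pkt("203.0.113.9", 40000, "192.0.2.10", 445, "tcp", "S")
STRAY = Pkt("203.0.113.9", 40001, "192.0.2.10", 80, "tcp", "A")
SAMPLES = (("media", MEDIA), ("scan", SCAN), ("stray", STRAY))

def verdicts(policy, helper=False):
    fw = Firewall(policy)
    if helper:  # what a helper would register after parsing the signalling
        fw.expected.add((MEDIA.dst, MEDIA.dport, MEDIA.proto))
    return {name: fw.handle(p) for name, p in SAMPLES}
```

Calling `verdicts("strict")`, `verdicts("invalid-only")`, `verdicts("port-window")` and `verdicts("strict", helper=True)` shows which policies pass the peer's media packet and which also pass the scanner's SYN.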
