
Author Topic: DIR-655 resetting outbound tcp connections  (Read 5224 times)

ptimmons

DIR-655 resetting outbound tcp connections
« on: February 27, 2010, 11:28:22 AM »

Hi. I have a recurrent problem with my DIR-655 (had a similar problem with DIR-615) where new outbound connections aren't going through. The setup is a DIR-655 with a WAN fixed IP behind a Linksys WRT54G connected to the Internet with ADSL (sympatico.ca). The DIR-655 is configured as the DMZ on the WRT54G. DIR-655 has 192.168.2.80 as a DMZ. The WRT54G is connected to the Internet but the DIR-655 won't allow outbound traffic. Can't connect to the admin interface either. The DIR-655 is returning a TCP RST:

Client IP : 192.168.2.197 (LAN port #3), router IP : 192.168.2.1

No.     Time            Source                Destination           Protocol Info
      4 11:03:00.922126 192.168.2.197         192.168.2.1           TCP      64479 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2

Frame 4 (66 bytes on wire, 66 bytes captured)
    Arrival Time: Feb 27, 2010 11:03:00.922126000
    [Time delta from previous captured frame: 1.026447000 seconds]
    [Time delta from previous displayed frame: 1.026447000 seconds]
    [Time since reference or first frame: 8.030837000 seconds]
    Frame Number: 4
    Frame Length: 66 bytes
    Capture Length: 66 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: AsustekC_0e:66:51 (00:24:8c:0e:66:51), Dst: D-Link_f1:61:97 (00:24:01:f1:61:97)
    Destination: D-Link_f1:61:97 (00:24:01:f1:61:97)
        Address: D-Link_f1:61:97 (00:24:01:f1:61:97)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: AsustekC_0e:66:51 (00:24:8c:0e:66:51)
        Address: AsustekC_0e:66:51 (00:24:8c:0e:66:51)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.2.197 (192.168.2.197), Dst: 192.168.2.1 (192.168.2.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0x09f7 (2551)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x6ab6 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.2.197 (192.168.2.197)
    Destination: 192.168.2.1 (192.168.2.1)
Transmission Control Protocol, Src Port: 64479 (64479), Dst Port: http (80), Seq: 0, Len: 0
    Source port: 64479 (64479)
    Destination port: http (80)
    [Stream index: 1]
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgement: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port http]
                [Message: Connection establish request (SYN): server port http]
                [Severity level: Chat]
                [Group: Sequence]
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x5c59 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes)
        Maximum segment size: 1460 bytes
        NOP
        Window scale: 2 (multiply by 4)
        NOP
        NOP
        SACK permitted

No.     Time            Source                Destination           Protocol Info
      5 11:03:00.922281 192.168.2.1           192.168.2.197         TCP      http > 64479 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Frame 5 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 27, 2010 11:03:00.922281000
    [Time delta from previous captured frame: 0.000155000 seconds]
    [Time delta from previous displayed frame: 0.000155000 seconds]
    [Time since reference or first frame: 8.030992000 seconds]
    Frame Number: 5
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: TCP RST]
    [Coloring Rule String: tcp.flags.reset eq 1]
Ethernet II, Src: D-Link_f1:61:97 (00:24:01:f1:61:97), Dst: AsustekC_0e:66:51 (00:24:8c:0e:66:51)
    Destination: AsustekC_0e:66:51 (00:24:8c:0e:66:51)
        Address: AsustekC_0e:66:51 (00:24:8c:0e:66:51)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: D-Link_f1:61:97 (00:24:01:f1:61:97)
        Address: D-Link_f1:61:97 (00:24:01:f1:61:97)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src: 192.168.2.1 (192.168.2.1), Dst: 192.168.2.197 (192.168.2.197)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x2cb4 (11444)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0xc805 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.2.1 (192.168.2.1)
    Destination: 192.168.2.197 (192.168.2.197)
Transmission Control Protocol, Src Port: http (80), Dst Port: 64479 (64479), Seq: 1, Ack: 1, Len: 0
    Source port: http (80)
    Destination port: 64479 (64479)
    [Stream index: 1]
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x14 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
            [Expert Info (Chat/Sequence): Connection reset (RST)]
                [Message: Connection reset (RST)]
                [Severity level: Chat]
                [Group: Sequence]
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0xbd12 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 4]
        [The RTT to ACK the segment was: 0.000155000 seconds]

Connections can go through after a power cycle on the router. I guess the DIR-655 connection table is full. Could it be because of the DMZ or is it a known problem?

ptimmons

Re: DIR-655 resetting outbound tcp connections
« Reply #1 on: February 27, 2010, 12:16:03 PM »

The more I think about this, the more it is likely the DMZ.

The PC targeted by the DMZ is not always on. When it is off, it can't reject connections, which would allow the router to free the entry in the connection table, and this leads to a full table.

Base line is if you use DMZ, make sure you have a computer always on that will either accept or reject connections, not drop them.
Logged
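
The SYN followed by RST, ACK seen in the capture in the first post can be picked out of a Wireshark text export automatically. The following is an added example, not part of either post: it parses the summary rows and reports each SYN that was answered with a reset, by which address, and how quickly. Frames 6 and 7 in the sample are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Frames 4 and 5 are the summary rows from the capture in the first post;
# frames 6 and 7 are constructed here to show a connection that is accepted.
SAMPLE = """\
      4 11:03:00.922126 192.168.2.197         192.168.2.1           TCP      64479 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
      5 11:03:00.922281 192.168.2.1           192.168.2.197         TCP      http > 64479 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
      6 11:03:05.100000 192.168.2.197         192.168.2.1           TCP      64480 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
      7 11:03:05.100400 192.168.2.1           192.168.2.197         TCP      http > 64480 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
"""

ROW = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+TCP\s+(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\]")

def parse_rows(text):
    """Yield one dict per TCP summary row; detail lines do not match and are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["no"] = int(row["no"])
            row["time"] = datetime.strptime(row["time"], "%H:%M:%S.%f")
            row["flags"] = {f.strip() for f in row["flags"].split(",")}
            yield row

def refused_connections(text):
    """Return (syn_frame, rst_frame, responder, port, delay_us) for each SYN answered by RST."""
    pending = {}   # (client, client_port, server, server_port) -> SYN row
    refused = []
    for row in parse_rows(text):
        if row["flags"] == {"SYN"}:
            pending[(row["src"], row["sport"], row["dst"], row["dport"])] = row
            continue
        # A reply travels in the opposite direction, so look it up with the 4-tuple reversed.
        syn = pending.pop((row["dst"], row["dport"], row["src"], row["sport"]), None)
        if syn and "RST" in row["flags"]:
            delay = row["time"] - syn["time"]
            delay_us = delay.seconds * 1_000_000 + delay.microseconds
            refused.append((syn["no"], row["no"], row["src"], row["sport"], delay_us))
    return refused

if __name__ == "__main__":
    for hit in refused_connections(SAMPLE):
        print("SYN frame %d reset by frame %d from %s:%s after %d us" % hit)
```

Run over a longer export, the responder column shows whether resets come from the router's own address, as in frame 5, or from hosts beyond it.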