Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[swehjo]

Hi there,
On my network I have a Netgear ReadNAS connected and I'm using an add-in (ReadyNAS Remote) that simplifies the log in to for both internet and LAN-users. However, I get a lot of the following entries in the log when that add-in is being used.


When an internet user log in via ReadyNAS Remote:
"Blocked outgoing TCP packet from 192.168.0.xxx:3649 to xx.xxx.xxx.xxx:50125 with unexpected acknowledgement 3320366884 (expected 754541166 to 755655246)"


When a LAN-user log in via ReadyNAS Remote:
"Blocked incoming TCP packet from 69.xxx.xxx.xx:80 to xx.xx.xx.xxx:50329 with unexpected sequence 3004123085 (expected 3004136875 to 3004393915)"


What do they mean and do you have any idea on how to prevent them from occuring?

[FurryNutz]

What are you NAT settings under Firewall set for?

[swehjo]

UDP Address restricted
TCP Port and address restricted
Antispoof and all ALG are checked. DMZ not

[FurryNutz]

Does setting a EndPoint Independent TCP and UDP do anything to help resolve?

[swehjo]

Hmm, now I don't get this message at all, neither with your suggested parameter setup nor without them. "Demo bug". I'll have to come back when this occurs again.

But with your setup I got a lot off "Blocked ???going TCP packet from xxx to xxxxas FIN:ACK received but there is no active connection" (not 100% sure because this time the router didn't mail the log before rebooting). Why this message instead?

However, maybe you could briefly explain what this change in the Endpoint filtering means and if there are any security considerations with it.

Another source suggested turning off SPI. Is that really recommendable?

[FurryNutz]

Shutting OFF SPI is not recommended.

[PacketTracer]

However, maybe you could briefly explain what this change in the Endpoint filtering means and if there are any security considerations with it.

Hi swehjo,

your question is aimed at the so called "filtering behaviour" of a NAT (another question is the so called "mapping behaviour" of a NAT which must not be confused with its filtering behaviour, although the same or similar sounding terms "Enpoint-Independent", "Address-Dependent " and "Address- and Port-Dependent" are used to distinguish between the three possible mapping types).

What D-Link calls "restricted" is officially called "dependent". For UDP protocol you'll find a perfect explanation of the three terms "Endpoint-Independent Filtering", "Address-Dependent Filtering" and "Address and Port-Dependent Filtering" in Section 5 of RFC4787. For TCP protocol it's almost the same with a minor difference, details can be found in Section 4.3 of RFC5382.

In general, if you establish an outgoing UDP or TCP NAT session, the filtering behaviour of a NAT tells to what extent it is allowed to reuse the external address and port that is tied to the NAT session for another connection that is initiated from outside and targeted to your internal endpoint of the NAT session. In general you only want to allow traffic coming from the external destination address and port your outgoing NAT session was directed to (this is "Address and Port-Dependent Filtering" which is the most secure filtering mode). If you want to allow return traffic initiated from the same external destination address but coming from a different port, you can do this by configuring "Address-Dependent Filtering". And if you want to allow return traffic initiated from anywhere (any external host), you have to configure "Endpoint-Independent Filtering". This may be necessary in some cases to get peer to peer based applications (often: games) to work and it is the least secure filtering mode, because your NAT is quite open to the Internet (if I knew the external  address and port of your alive NAT session I could try to start a connection to your PC that initiated the NAT session, at least your NAT router will not prevent me from doing so, because it allows it while operating in "Endpoint-Independent Filtering" mode).

PT

Edit: As I guess from the descripton how ReadyNAS works (see here), ReadyNAS server and client both seem to establish outgoing connections to some kind of rendezvous server operated by someone (Netgear?) somewhere in the Internet. Otherwise ReadNAS' use wouldn't be that easy to configure without the need to modify any NAT router's configuration. It is the job of that rendezvous server to push data arriving from the connection to the ReadyNAS client into the connection established by the ReadyNAS server and vice versa. I guess while doing so the operator of that rendezvous server can see the data unencrypted, so I hope you trust him... (maybe that's the price you have to pay for simplicity of use). If it works like this, there should be no influence of changing the default filtering behaviour of your router, because there seems to be no need to allow "Endpoint-Independent Filtering" (or perhaps "Address restricted" in case of TCP) in order to get ReadyNAS to work.

[swehjo]

PacketTracer, thanks a lot for your response. I will have a look at your links!

Edit: As I guess from the descripton how ReadyNAS works, ReadyNAS server and client both seem to establish outgoing connections to some kind of rendezvous server operated by someone (Netgear?) somewhere in the Internet.

There's nothing written about it but I have had that thought somewhere in the back of my head. I'll try to check it out.

If it works like this, there should be no influence of changing the default filtering behaviour of your router, because there seems to be no need to allow "Endpoint-Independent Filtering" (or perhaps "Address restricted" in case of TCP) in order to get ReadyNAS to work.

Interesting. But wouldn't that require UPnP (which is off on my router) or something  like that?!

I guess while doing so the operator of that rendezvous server can see the data unencrypted, so I hope you trust him...

Hmmm, well in this case it doesn't really matter but thanks for the heads up!

[PacketTracer]

Interesting. But wouldn't that require UPnP (which is off on my router) or something  like that?!

Hello swehjo,

I can't see why you should need UPnP, because ReadyNAS doesn't have to open a port in order to allow some external arriving connection requests to be forwarded to your ReadyNAS server. If I am right, there is only an outgoing connection from your ReadyNAS server to the rendezvous server, and that's a normal operation for a NAT without the need for extra configuration.

As you can see from the description within the help text of your router, SPI in addition to the immanent protection that is provided by NAT alone watches if the sequence and acknowledgement numbers of TCP packets passing your NAT have values that are within the expected range. If not SPI drops the packet which results in the entries you had observed within your router log. So as you suggested, and of course not recommended by Furry, if you deactivate SPI you won't see any log entries any more but this does not mean that the problems if there exists any have gone.

If TCP packets are dropped occasionally, in general this is no problem, because it is the job of TCP to resend a packet that was lost. Hence if it not happens too often and if you don't feel any drawbacks concerning the file transfer to and from your ReadNAS server via ReadyNAS remote, you can safely ignore it.

My router log is full of those dropped TCP packet messages, but in practice no drawbacks result from that.

The interesting question is, where those wrong packets come from. I really don't know. Perhaps they result from servers in the Internet suffering from a heavy load so they don't manage to keep their TCP connections synchronized. Or maybe it is a side effect of load balancers working between you and a server farm of a service you use (in your case perhaps a rendezvous server farm). It is speculative! Maybe some TCP expert reading this may tell us some reasons why this may happen.

PT

[swehjo]

Again a very informative response! Thanks!

Now I have recieved the confirmation that an external server is involved if the traffic isn't going on local LAN.

One other thing that is strange is that the download speed to my ReadyNAS server is extremely slow. Even if I'm on my LAN using ReadyNAS Remote (the traffic shouldn't go via the external server) download is almost 4 times slower than a normal file copy. I assume that this is connected to the issue with the dropped packages in some way...

[FurryNutz]

Can you connect a external network switch between router and NAS and check xfer speeds? Connect the PC to the switch as well.

[PacketTracer]

...
Now I have recieved the confirmation that an external server is involved if the traffic isn't going on local LAN.

One other thing that is strange is that the download speed to my ReadyNAS server is extremely slow. Even if I'm on my LAN using ReadyNAS Remote (the traffic shouldn't go via the external server) download is almost 4 times slower than a normal file copy. ...

Are you sure that traffic is not going via the external server if you use ReadyNAS Remote on LAN clients? I guess ReadyNAS Remote always uses the external server because it was programmed for doing that. Hence, using ReadyNAS Remote on LAN clients that could access the NAS directly by other means (CIFS, FTP or whatever it supports) should be avoided because it is inefficient. To be sure about that you should ask ReadyNAS support.

PT

[swehjo]

Furry and Packet, I think I'll skip this add-on and test pure FTP-access instead... Seems to be more trouble and work than anticipated/it's worth. Many, many thanks to you both! (and hopefully I won't need to come back here to get assistance on how to set that up  )

[FurryNutz]

Give the external network switch a try when you get a chance. Definitely helps on LAN to LAN connections.

Always here if you need help man. Here to help each other.

Enjoy.