Author Topic: DFL-210 LocalUndelivered Help  (Read 11991 times)

rcamkerr

DFL-210 LocalUndelivered Help
« on: January 11, 2010, 02:16:06 PM »

I have the DFL-210 set up to provide DHCP to our internal LAN. I have set up an internal machine to be a domain controller (10.19.86.2) for our internal LAN domain. I tell the internal domain controller that the DHCP server for the LAN is the LAN interface for the DFL-210 (10.19.86.1). The domain controller never seems to get a response to the UDP 137 request. A copy of the logs is below. 172.18.1.101 is the external IP address of the DFL-210. I do not understand why these 135 and 137 requests get sent to the 172.18.1.101 IP address and then fail with the LocalUndelivered rule.

2010-01-11 RULE                                                      172.18.1.101   24398    unhandled_local
11:52:08     Notice   6000060 LocalUndelivered TCP lan   10.19.86.1      135        drop
ipdatalen=28 tcphdrlen=28 syn=1

2010-01-11 CONN                                               lan    10.19.86.2    2036    conn_open_natsat
11:52:08     Info       600004  allow_standard   TCP  core  10.19.86.1    135
conn=open connnewsrcip=172.18.1.101 connnewsrcport=24398 connnewdestip=10.19.86.1 connnewdestport=135

2010-01-11  RULE                                                        172.18.1.101  29378    unhandled_local
11:52:06      Notice   6000060 LocalUndelivered UDP   lan   10.19.86.1   137          drop
ipdatalen=58 udptotlen=58

2010-01-11  RULE                                                        172.18.1.101  29378    unhandled_local
11:52:05      Notice   6000060 LocalUndelivered UDP   lan   10.19.86.1   137          drop
ipdatalen=58 udptotlen=58

2010-01-11  RULE                                                        172.18.1.101  29378    unhandled_local
11:52:03      Notice   6000060 LocalUndelivered UDP   lan   10.19.86.1   137          drop
ipdatalen=58 udptotlen=58

2010-01-11   CONN                                               lan   10.19.86.2   137    conn_open_natsat
11:52:03       Info     600004  allow_standard   UDP    core 10.19.86.1    137
conn=open connnewsrcip=172.18.1.101 connnewsrcport=29378 connnewdestip=10.19.86.1 connnewdestport=137
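Added example, not part of the original post: a small correlator that pairs each `unhandled_local` drop with the `conn_open_natsat` entry whose translated source address and port it carries, so the drops logged from 172.18.1.101 can be traced back to the LAN host that opened the connection. It assumes the three-line entry layout shown in the post; `parse_entries` and `explain_drops` are names chosen for this example.

```python
import re
# Log entries copied from the post above (column padding collapsed).
SAMPLE = """\
2010-01-11 RULE 172.18.1.101 24398 unhandled_local
11:52:08 Notice 6000060 LocalUndelivered TCP lan 10.19.86.1 135 drop
ipdatalen=28 tcphdrlen=28 syn=1

2010-01-11 CONN lan 10.19.86.2 2036 conn_open_natsat
11:52:08 Info 600004 allow_standard TCP core 10.19.86.1 135
conn=open connnewsrcip=172.18.1.101 connnewsrcport=24398 connnewdestip=10.19.86.1 connnewdestport=135

2010-01-11 RULE 172.18.1.101 29378 unhandled_local
11:52:06 Notice 6000060 LocalUndelivered UDP lan 10.19.86.1 137 drop
ipdatalen=58 udptotlen=58

2010-01-11 CONN lan 10.19.86.2 137 conn_open_natsat
11:52:03 Info 600004 allow_standard UDP core 10.19.86.1 137
conn=open connnewsrcip=172.18.1.101 connnewsrcport=29378 connnewdestip=10.19.86.1 connnewdestport=137
"""

def parse_entries(text):
    """Yield one dict per three-line entry: header, detail, key=value line."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head, detail, extra = (ln.split() for ln in block.splitlines()[:3])
        if not detail[-1].isdigit():          # RULE entries end with an action
            detail = detail[:-1]
        yield {
            "event": head[-1], "proto": detail[-4],
            "src": (head[-3], head[-2]),      # source IP, source port
            "dst": (detail[-2], detail[-1]),  # destination IP, destination port
            "kv": dict(p.split("=", 1) for p in extra if "=" in p),
        }

def explain_drops(text):
    """Pair each unhandled_local drop with the pre-translation source host."""
    entries = list(parse_entries(text))
    translated = {}   # post-translation 5-tuple -> original (IP, port)
    for e in entries:
        if e["event"] == "conn_open_natsat":
            kv = e["kv"]
            key = (e["proto"], kv["connnewsrcip"], kv["connnewsrcport"],
                   kv["connnewdestip"], kv["connnewdestport"])
            translated[key] = e["src"]
    return [(e["proto"], e["src"], e["dst"],
             translated.get((e["proto"], *e["src"], *e["dst"])))
            for e in entries if e["event"] == "unhandled_local"]

if __name__ == "__main__":
    print(*explain_drops(SAMPLE), sep="\n")
```

On the posted lines, both drops resolve to connections opened by 10.19.86.2 whose source was rewritten to 172.18.1.101 before delivery to 10.19.86.1.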

mitsukai

Re: DFL-210 LocalUndelivered Help
« Reply #1 on: January 11, 2010, 10:56:22 PM »

I am having a very similar error. This is what I'm getting in my log, in relation to attempted RDP connections:

2010-01-12  Notice  RULE                                             125.170.133.246  1031  unhandled_local
15:36:38                6000060  LocalUndelivered  TCP   wan  211.128.85.11     3389  drop
ipdatalen=32 tcphdrlen=32 syn=1

Any help would be appreciated!  Like for example, what is unhandled_local?  I have no clue.  Is it related to the  syn=1?  Synflood protection is set to be off for the service "rdp".

I have forwarded port 3389 for the RDP service, and Port 80 for http, but now getting this drop error. HELP!

Regards,
M

chechito

Re: DFL-210 LocalUndelivered Help
« Reply #2 on: January 12, 2010, 06:01:37 PM »

Maybe a SAT rule is necessary to avoid this log.

Maybe with more info we can understand the origin of the problem.

mitsukai

Re: DFL-210 LocalUndelivered Help
« Reply #3 on: January 14, 2010, 10:56:50 PM »

> Maybe a SAT rule is necessary to avoid this log.
>
> Maybe with more info we can understand the origin of the problem.

I have an allow rule, a SAT rule and a NAT rule in place. I have the same rules (for other services) and these services are working fine, no errors or drops of this nature at all.

All rules are in a folder called Port_Forwards and are, top to bottom, as follows:

action: allow
service: rdp
any          core
all-nets     wan-ip

action: SAT
service: rdp
any          core
all-nets     wan-ip
to Destination IP: myPCforRDP

action: NAT
service: rdp
any          core
all-nets     wan-ip
use interface address

Followed by the same rules as above for service "http" on port 80, as is apparently required for RDP access.

Let me know if you need any more specific information.

Thanks for the help!
M

PeterSam

Re: DFL-210 LocalUndelivered Help
« Reply #4 on: April 14, 2010, 06:26:59 AM »

Hi!
-----------------
action: allow
service: rdp
any          core
all-nets     wan-ip

action: SAT
service: rdp
any          core
all-nets     wan-ip
to Destination IP: myPCforRDP
--------------------

The first rule must be SAT, and the second Allow. Try changing the order.
NAT is not needed.

Regards
Peter
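The ordering point from reply #4, as an added example (not part of the thread and not D-Link's code). It is a simplified model that assumes a top-to-bottom rule search in which a matching SAT rule only records the destination rewrite and the search continues to the next matching Allow or NAT rule; `Rule` and `evaluate` are hypothetical names, and interfaces and source networks are left out.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str          # "SAT", "Allow" or "NAT"
    service: str
    dest: str            # original (untranslated) destination the rule matches
    new_dest: str = ""   # SAT only: translated destination

def evaluate(rules, service, dest):
    """Return (verdict, delivered_to) for one new connection (assumed model)."""
    pending = None
    for r in rules:
        if r.service != service or r.dest != dest:
            continue
        if r.action == "SAT":
            pending = r.new_dest           # remember the rewrite, keep searching
            continue
        # Allow or NAT ends the search; a rewrite applies only if a SAT
        # rule was matched earlier in the list.
        if pending:
            return ("forwarded", pending)
        return ("local", dest)             # untranslated: goes to the firewall itself
    return ("dropped", None)               # nothing matched

SAT = Rule("SAT", "rdp", "wan-ip", "myPCforRDP")
ALLOW = Rule("Allow", "rdp", "wan-ip")
NAT = Rule("NAT", "rdp", "wan-ip")

posted_order = [ALLOW, SAT, NAT]    # order listed in reply #3
suggested_order = [SAT, ALLOW]      # order suggested in reply #4

if __name__ == "__main__":
    print("posted:   ", evaluate(posted_order, "rdp", "wan-ip"))
    print("suggested:", evaluate(suggested_order, "rdp", "wan-ip"))
```

In this model the posted order ends the search at the Allow rule before any translation is recorded, so the connection is addressed to wan-ip itself, while the suggested order delivers it to myPCforRDP.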

Fatman

Re: DFL-210 LocalUndelivered Help
« Reply #5 on: April 14, 2010, 08:24:12 AM »

Also, is there any way I can convince you not to use Any/All-Nets if it is not necessary?

WAN/All-Nets is good if you just need a port forward, and only use 1 WAN (WAN Port)

WANs_Group(Group Made up of WAN and DMZ)/All-Nets is good if you just need a port forward, and use 2 WANs (WAN and DMZ Ports)

Port_Forwards_Group(Group Made up of WAN and LAN)/All-Nets is good if you just need a port forward, with local loopback, and only use 1 WAN (WAN Port)

If you are expecting this traffic to actually come from any interface, i.e. you have 2 WANs (WAN and DMZ) and you have loopback traffic to that IP (LAN), then you can use Any, as creating an equivalent group is pretty silly (not that I haven't done it before to show that I had forethought to my actions).

I am not bringing this up because I honestly think that there is a massive security issue here, but rather because I want to encourage writing exactly the rules we need and not something permissive enough to work without having a concept of why we are setting those values.  It is more work at first but it makes the more advanced subjects waaaaaaaaaay easier.
non progredi est regredi