Sure Signal firewall config

mhumphrey
2: Seeker

I've been asked to look at setting up a Sure Signal version 3 on our network. As our firewall is set to default deny, not surprisingly it didn't work at first. I've set up what I think are the correct firewall rules based on information in the eforum, but it still does not connect. Initially the power light comes on, then after a while the internet light starts flashing white. After a while longer, the internet light goes out, the service and users lights go solid orange and the power light starts flashing.

 

The firewall is a Fortigate 310B. I've set it to allow:

IP protocols 8 (EGP) and 50 (ESP)

UDP ports 500 and 4500 (IKE) and 123 (NTP)

to addresses 212.183.133.177-212.183.133.182 and 212.183.131.128/255.255.255.192

 

Can anyone confirm that this should be sufficient? I'm not sure what protocol 8 is for, and maybe it should be ICMP type 8 (ping), but ping is allowed anyway.

 

The other possibility seems to be that Vodafone have blocked our IP range, but it's not clear how to get this changed. Our IP range is 194.83.24.0/22 - in this case we are using 194.83.24.240.

 

Any advice, or pointers to documentation, would be appreciated.

1 ACCEPTED SOLUTION

Sorry for the delay getting back to you - rather a lot to be done over the Christmas holidays. Having set up the packet sniffer, I've made some progress. The box needs to connect to some IP addresses that weren't on the list - 88.82.13.177 to 179. It also seems to need traceroute, UDP ports 33434 to 33535. Having added these, it's talking to the server and I no longer get any orange lights.

What happens now is that the Internet light flashes forever. I can see on the packet sniffer that traffic is going through constantly - mostly NTP, interspersed with IPsec traffic. Nothing seems to be blocked as each packet gets a reply. And yet it still doesn't finish connecting and allow me to use the box.

Any suggestions?

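As an added illustration (not code from the thread, from Vodafone or from Fortinet), the following models the allow-list from the opening post and the extra destinations and traceroute ports found with the packet sniffer in the accepted solution, then checks a constructed set of flows against each rule set. The flow list is an assumption based on the traffic the thread describes (IKE, ESP, NTP, traceroute); the addresses and ports are the ones quoted in the thread.

```python
# Added illustration (not FortiGate config): model the thread's Sure Signal
# allow-list and see which needed flows a default-deny firewall would drop.
import ipaddress
from dataclasses import dataclass

UDP, ESP = 17, 50  # IP protocol numbers; ESP carries no port, unlike UDP

@dataclass(frozen=True)
class Flow:
    dst: str        # destination IP address
    proto: int      # IP protocol number
    dport: int = 0  # destination port (0 for port-less protocols such as ESP)

def span(text):
    """'a-b' inclusive range or CIDR string -> (first, last) address pair."""
    if "-" in text:
        lo, hi = text.split("-")
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    net = ipaddress.ip_network(text, strict=False)
    return net[0], net[-1]

@dataclass
class RuleSet:
    dests: list      # destination ranges as "a-b" or CIDR strings
    protos: set      # IP protocols allowed as a whole (e.g. ESP)
    udp_ports: list  # (lo, hi) UDP destination port ranges

    def permits(self, f):
        a = ipaddress.ip_address(f.dst)
        if not any(lo <= a <= hi for lo, hi in map(span, self.dests)):
            return False  # default deny: destination not on the allow-list
        if f.proto == UDP:
            return any(lo <= f.dport <= hi for lo, hi in self.udp_ports)
        return f.proto in self.protos

def blocked(ruleset, flows):
    """Flows the rule set would drop."""
    return [f for f in flows if not ruleset.permits(f)]

# Rules from the opening post. Note protocol 8 is EGP, a different thing
# from TCP/UDP port 8; protocol 50 is ESP, the IPsec data channel.
ORIGINAL = RuleSet(dests=["212.183.133.177-212.183.133.182", "212.183.131.128/26"],
                   protos={8, 50}, udp_ports=[(500, 500), (4500, 4500), (123, 123)])
# Additions the packet sniffer revealed (accepted solution).
EXPANDED = RuleSet(dests=ORIGINAL.dests + ["88.82.13.177-88.82.13.179"],
                   protos=ORIGINAL.protos, udp_ports=ORIGINAL.udp_ports + [(33434, 33535)])

NEEDED = [  # constructed flows modelled on the traffic the thread describes
    Flow("212.183.133.177", UDP, 500), Flow("212.183.133.177", UDP, 4500),  # IKE
    Flow("212.183.133.177", ESP), Flow("212.183.131.130", UDP, 123),        # ESP, NTP
    Flow("88.82.13.177", UDP, 33434), Flow("88.82.13.178", UDP, 123),       # extra range
]
```

Running `blocked(ORIGINAL, NEEDED)` shows exactly the two flows to 88.82.13.x being dropped, which matches the orange-light symptom until those addresses and the traceroute ports were added.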

15 REPLIES

Nabs
17: Community Champion

Sounds like you have covered all bases here. Best thing to do would be sit tight for one of the eForum Team to get in touch and take a look at your IP ranges to ensure they are whitelisted.

Couple additional things that might be useful for the team would be if you were able to do a ping and traceroute to the Vodafone servers and post the results back. Also if you are able to provide the serial number of the Sure Signal unit they will be able to check if it has ever made contact with the servers.

 

Nabs

Good point, I probably should have included those. The serial number is 40132632270.

 

Tracing route to cluster4.vap.vodafone.co.uk [212.183.133.177]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  10.18.1.5
  2     2 ms     2 ms     2 ms  10.0.6.13
  3    <1 ms    <1 ms    <1 ms  city-firewall-int.sheffcol.ac.uk [10.0.6.2
  4    <1 ms    <1 ms    <1 ms  pp-1.sheffcol.ac.uk [194.83.24.2]
  5     1 ms     1 ms     1 ms  80.193.104.8
  6    <1 ms    <1 ms    <1 ms  ge3-3.sff-d01.yhman.net.uk [195.195.130.65
  7     1 ms     1 ms     1 ms  v795.lee-c01.yhman.net.uk [194.81.2.73]
  8     4 ms     3 ms     7 ms  ae5.manckh-sbr1.ja.net [146.97.41.65]
  9     5 ms     8 ms     6 ms  ae29.erdiss-sbr1.ja.net [146.97.33.41]
 10     9 ms     9 ms     9 ms  ae31.londpg-sbr1.ja.net [146.97.33.21]
 11    10 ms    10 ms    10 ms  ae30.londtw-sbr1.ja.net [146.97.33.6]
 12    10 ms    10 ms    10 ms  ae29.londtn-sbr1.ja.net [146.97.33.10]
 13    10 ms    10 ms    10 ms  ae0.lond-gw-ixp4.ja.net [146.97.35.182]
 14    12 ms    11 ms    11 ms  ldngw1.arcor-ip.net [195.66.224.209]
 15    11 ms    11 ms    11 ms  85.205.116.14
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

 

Pinging 212.183.133.177 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 212.183.133.177:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

 

DaveCD
Moderator (Retired)

Hi mhumphrey

 

Everything looks to be fine, apart from the Ping test.

 

Please can you ensure all the following are open:

 

Port Number      TCP    UDP    Router

8                TCP    UDP    All Routers
50               TCP    UDP    All Routers
53               TCP    UDP    Virgin Super Hubs
67                      UDP    Virgin Super Hubs
68                      UDP    Virgin Super Hubs
123                     UDP    All Routers
500                     UDP    All Routers
1723             TCP    UDP    BT Home Hubs
4500                    UDP    All Routers
33434 - 33445           UDP    Virgin Super Hubs

 

Let us know which light sequence you get.

 

Cheers

 

DaveCD

 

 

OK, I've added TCP and UDP port 8 (unassigned) and 50 (remote mail checking protocol), but still get the same sequence. Initially the power light is solid, then the internet light starts flashing white, then it changes to power light flashing, internet light out, and service and users solid orange.

 

It looks like the next step may be to get the packet sniffer out and see what the box is trying to talk to.

Hi mhumphrey,

 

I've looked over the IPs you listed and you've only included one part of a required range.

 

I'd double-check this is allowed on the router and firewall:

 

212.183.131.128-191

 

Dave

Sorry for the delay getting back to you.

It looks like that is allowed - the ranges allowed are 212.183.133.177-212.183.133.182 and 212.183.131.128/255.255.255.192. The second one matches what you said I should allow.

Retired-James
Moderator (Retired)

Hi mhumphrey,

 

Everything looks fine with the details you’ve given.

 

If you’re now seeing a flashing power light, internet light is off and the service and in use lights are orange, it would suggest it can’t authenticate through the network.

 

Can you try a different Ethernet cable?

 

It’ll also be worth testing the Sure Signal on a standard internet connection at home to eliminate a faulty Sure Signal.

 

James

grolschuk
Community Champion (Retired)

That is a fairly meaty router that you have there :Smiling:

 

I am thinking that the connection problem is down to the IPSec VPN settings and its ability to initiate and terminate them itself.

Do you have the router configured to terminate inbound VPN traffic at the moment? Or any site to site links using IPSec VPN?

 

Trying on a standard home network router would certainly help narrow down if it is the device, or something stopping the traffic.

 

As well as the sniffer, do the router logs themselves throw any light on what traffic is being blocked as out of policy?

We don't use IPsec VPNs ourselves. The firewall settings I've put in should allow IPsec through, but it looks like I may have missed something. The unit has been tested on an ADSL connection and works, so I don't think the unit is the problem.

Unfortunately we've got a couple of projects on that mean I won't have much more time to look at this before Christmas, but I'm fairly confident that the issue is the firewall rules. I'll get a sniffer set up and have a look at the logs as soon as I have time.

In the meantime, thank you all for your help so far and have a happy Christmas.