View Full Version : LnS & router -> connection problems


na sceiri
June 21st, 2007, 06:10 AM
Hello all,

I recently had my broadband activated and got a BT Voyager 210 router. After I removed McAfee Security Center, which had been pre-installed by the PC vendor, I installed i.a. LnS.

I'm experiencing some connection problems at the moment (after e.g. 1 hour of using the Internet, web pages are unable to load and the connection fails). I assume it may be related to the router and the fact that my LnS ruleset is not compatible in these circumstances.

Please have a look at log contents:
-{ Quote: "06-21-07,09:50:42 D-720 'All other packets ' 192.168.1.1 IGMP Data:148 4 0 0
06-21-07,09:50:45 D-721 'All other packets ' 192.168.1.1 IGMP Data:148 4 0 0
06-21-07,09:50:46 U-722 'All other packets ' ff02::16 IPV6 Protocol:0
06-21-07,09:50:46 U-723 'All other packets ' 224.0.0.22 IGMP Data:148 4 0 0
06-21-07,09:50:46 U-724 'All other packets ' ff02::16 IPV6 Protocol:0
06-21-07,09:50:46 U-725 'All other packets ' 224.0.0.22 IGMP Data:148 4 0 0
06-21-07,09:50:46 U-726 'UDP : Any other UDP pack' ff02::1:3 UDPV6 Ports Dest:LLMNR Src:49883
06-21-07,09:50:46 U-727 'UDP : Any other UDP pack' 224.0.0.252 UDP Ports Dest:LLMNR Src:49884
06-21-07,09:50:47 U-728 'All other packets ' 224.0.0.22 IGMP Data:148 4 0 0
06-21-07,09:50:47 U-729 'All other packets ' ff02::16 IPV6 Protocol:0
06-21-07,09:50:47 U-730 'UDP : Any other UDP pack' ff02::1:3 UDPV6 Ports Dest:LLMNR Src:49883
06-21-07,09:50:47 U-731 'UDP : Any other UDP pack' 224.0.0.252 UDP Ports Dest:LLMNR Src:49884
06-21-07,09:50:47 U-732 'UDP : Any other UDP pack' ff02::1:3 UDPV6 Ports Dest:LLMNR Src:49886
06-21-07,09:50:47 U-733 'UDP : Any other UDP pack' 224.0.0.252 UDP Ports Dest:LLMNR Src:49887
06-21-07,09:50:47 U-734 'UDP : Any other UDP pack' ff02::1:3 UDPV6 Ports Dest:LLMNR Src:49886
06-21-07,09:50:47 U-735 'UDP : Any other UDP pack' 224.0.0.252 UDP Ports Dest:LLMNR Src:49887
06-21-07,09:51:13 U-736 'UDP : Any other UDP pack' ff02::1:3 UDPV6 Ports Dest:LLMNR Src:49899
06-21-07,09:51:13 U-737 'UDP : Any other UDP pack' 224.0.0.252 UDP Ports Dest:LLMNR Src:49900
06-21-07,09:51:13 U-738 'UDP : Any other UDP pack' ff02::1:3 UDPV6 Ports Dest:LLMNR Src:49899
06-21-07,09:51:13 U-739 'UDP : Any other UDP pack' 224.0.0.252 UDP Ports Dest:LLMNR Src:49900" }-

-{ Quote: "06-21-07,09:06:03 D-15 'ICMP : All ICMP types (n' 192.168.1.1 ICMP Type:3 Code:4
06-21-07,09:11:51 D-16 'ICMP : All ICMP types (n' 192.168.1.1 ICMP Type:3 Code:4
06-21-07,09:11:51 D-17 'ICMP : All ICMP types (n' 192.168.1.1 ICMP Type:3 Code:4
06-21-07,09:11:51 D-18 'ICMP : All ICMP types (n' 192.168.1.1 ICMP Type:3 Code:4
06-21-07,09:22:05 D-19 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:SSDP/UPnP Src:SSDP/UPnP
06-21-07,09:22:05 D-20 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:SSDP/UPnP Src:SSDP/UPnP
06-21-07,09:22:05 D-21 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:SSDP/UPnP Src:SSDP/UPnP
06-21-07,09:22:05 D-22 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:SSDP/UPnP Src:SSDP/UPnP" }-

Those are the most recurrent entries.

I'm new to using a PC with a router and don't know how to modify the ruleset, so I'm asking for your kind advice. What should I do in this case?

Cheers.

P.S. I searched the forum but didn't come across a solution for that.

Climenole
June 21st, 2007, 07:44 AM
Hi na sceiri :)

-{ Quote: "Hello all,

I recently had my broadband activated and got a BT Voyager 210 router. After I removed McAfee Security Center, which had been pre-installed by the PC vendor, I installed i.a. LnS.

I'm experiencing some connection problems at the moment (after e.g. 1 hour of using the Internet, web pages are unable to load and the connection fails). I assume it may be related to the router and the fact that my LnS ruleset is not compatible in these circumstances.
" }-

You're right: the basic rules do not include router rules, therefore somebody has to create them... So look at each type of packet shown here:

-{ Quote: "
Please have a look at log contents:
06-21-07,09:50:42 D-720 'All other packets ' 192.168.1.1 IGMP Data:148 4 0 0
" }-

This is an IGMP packet used to establish communication between the router and your PC. I have a "sample" rule for this but this rule requires some work from you to adapt it to your configuration...

{A. 60}; [Local] [IGMP] {{ Router }} (see the attached file)

You have to find the MAC addresses of the router and the PC with the ipconfig /all command and modify the rule accordingly...

The rules samples are included with this post. Download the file, rename it by removing the ".TXT" at the end and import in LnS.


-{ Quote: "
06-21-07,09:50:46 U-722 'All other packets ' ff02::16 IPV6 Protocol:0
" }-

IPv6 Hop-by-Hop Option. Ref.: http://tools.ietf.org/html/rfc1883
What's this ? No idea. So let this on the side for the moment.
This will be solved later. Ok ?

-{ Quote: "
06-21-07,09:50:46 U-726 'UDP : Any other UDP pack' ff02::1:3 UDPV6 Ports Dest:LLMNR Src:49883
" }-

Here's a UDP packet. Try the sample rule for UDP and adapt it according to the information shown in the log... That requires some work from you ;-)

Start with the sample rule:
{A. 80}; [Local] [UDP] {{ Router - PC }}

-{ Quote: "
Those are most recurrent entries.

06-21-07,09:06:03 D-15 'ICMP : All ICMP types (n' 192.168.1.1 ICMP Type:3 Code:4
" }-

This is an ICMP signal: Fragmentation needed but the Don't Fragment flag is set. This is a normal signal within a local network and this must be allowed by a rule for this... For the moment we can ignore these ICMP packets...

-{ Quote: "
06-21-07,09:22:05 D-19 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:SSDP/UPnP Src:SSDP/UPnP

" }-

This is related to the Windows service Simple Service Discovery Protocol (SSDP). Is it required or not? Maybe. This requires a rule for UDP and port 1900. This service is listening on that port (in UDP). Is it required for your router? Maybe...

-{ Quote: "
I'm new to using a PC with a router and don't know how to modify the ruleset, so I'm asking for your kind advice. What should I do in this case?

Cheers.

P.S. I searched the forum but didn't come across a solution for that.
" }-

There was a sticky post from Patrice explaining router configuration with LnS.
It was removed : very bad idea...

Also: the rule for Ethernet packets is a raw rule.
{A. 20}; [Local] [ETH] {{ Router - PC }}

Put the fields display in hexa byte split to add the MAC addr.
See the screen captures...

Hope this helps. Sorry to give you so much work but I don't have any router here to make tests and no way to create "keys in hand" rules for you.

Let me know if it's working. When you give sample for the log please upload a copy here in text format.

Have a nice day.

:)

na sceiri
June 21st, 2007, 10:27 AM
BIG thanks Climenole, I'm much obliged for your helpful & comprehensive reply! Also, I'm not expecting a tailor-made solution, so nothing to be sorry about giving myself much job to do :-))

So as to adapt those sample rules I started to read about MAC addresses on Wikipedia, but gave up after a while.

The thing is that I don't know which is a relevant MAC address for pc and router.

I made a screenshot from ipconfig:

http://img255.imageshack.us/img255/2398/ipconfigscreenfn1.jpg (http://imageshack.us)

Please help!

Climenole
June 21st, 2007, 08:14 PM
Hi na sceiri :)

This post explains everything:

http://www.wilderssecurity.com/showthread.php?t=9474

Hope this helps. Let us know.

:)

na sceiri
June 22nd, 2007, 04:58 AM
Hello,

I know that thread, it's not been deleted. I read it before I sticked my thread, but was quite difficult to understand. Shall I feel sorry this is the case? I don't think so, and for that reason I'm asking for kind advice of forum members.

Regarding my last post I reckon there is only one part that refers to my query.

-{ Quote: "Now it's time to write a rule for those packets. These packets aren't bad and therefore you should allow them to come through. I suggest that you use the information which is provided by the log of Look'n'Stop. In my example I have the following information:

Packet: IGMP
Source: 00:04:5a:f2:0f:74 (which is the MAC address of my router)
Destination: 01:00:5e:00:00:01 (which is the "all-hosts" group)" }-


Well, I haven't found a blocked IGMP packet in my log, so as to retrieve the MAC addresses of the PC & router. Can I make it out from any other blocked packet? As you can see, I'm a little lost and need a slight push in the right direction.

If anyone is willing to help, I'd be more than grateful.

I attached below screen shots with details of two exemplary packets blocked and logged. Maybe it gives indication, which one is the router MAC address and the pc one.

http://img207.imageshack.us/img207/7613/screen1ne6.jpg (http://imageshack.us)

http://img383.imageshack.us/img383/5463/screen2qu5.jpg (http://imageshack.us)

Regards.

Climenole
June 22nd, 2007, 05:45 AM
Hi na sceiri :)

1- For the MAC address of the router:

a)
Start | run | cmd /k
C:\> arp -a

b)
In your web browser, type the local IP address of your router in the address field, like 192.168.0.1
(this local IP varies from one router to another: it may be in the 172.16. range or 10.x.x.x. range: check your documentation...)

c) Check the router itself: sometimes the manufacturer puts a sticker on it...

2- For the UDP packet for SSDP:

You have to create a rule to allow SSDP like this:

Protocol : UDP
Packets: in and out

In the left side of the editing window:

IP address: Equal my@ (this is the local IP of your PC...)
Port range: in Local

In the right side of the editing window:

IP: Equal 239.255.255.250
Port : 1900

Applications... : Generic Host Process for Windows

and put the rule with the other UDP rules ...

3- For the ICMP packet type 4 code 3:

You have to create a rule to allow this:

Protocol: ICMP
Packets: in and out

code 4
type 3

and put this rule with the other ICMP rules...

Save, apply and reboot.

Hope this helps. Let us know.

:)

na sceiri
June 24th, 2007, 07:04 AM
@Climenole Thank you!

Since your last post I've been fighting with these fu[xxx]n' rules. I had connection problems after applying the IGMP one. I got quite pissed about the firewall, but don't want to give up so quickly.

Anyway, I think that the best solution would be creating rules gradually, one by one, so I can diagnose any potential problems without doubt, which rule those are related to.

I suggest to start with the following packets, being blocked by LnS:

-{ Quote: "06-24-07,11:49:14 D-157 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:SSDP/UPnP Src:SSDP/UPnP
06-24-07,11:49:14 D-158 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:SSDP/UPnP Src:SSDP/UPnP" }-

I created the following rule:

http://img120.imageshack.us/img120/4331/screenssdpupnpyy2.jpg (http://imageshack.us)

However, the result is that the above given entries are still present in log + the new ones appeared:

-{ Quote: "06-24-07,11:41:13 U+59 'UDP : router -> allow SS' 239.255.255.250 UDP Ports Dest:SSDP/UPnP Src:49182
06-24-07,11:41:13 D-60 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:49182 Src:SSDP/UPnP
06-24-07,11:41:15 U+61 'UDP : router -> allow SS' 239.255.255.250 UDP Ports Dest:SSDP/UPnP Src:49182
06-24-07,11:41:15 D-62 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:49182 Src:SSDP/UPnP" }-

How shall I tackle this?

Regards.

na sceiri
June 24th, 2007, 07:10 AM
Forgot to say that I looked inside the log entry for SSDP/UPnP and it looks like those are incoming packets only, both source & destination UDP port is 1900.

Screen shot attached:

http://img444.imageshack.us/img444/2246/screenssdpupnplogpf9.jpg (http://imageshack.us)

Cheers.

Climenole
June 24th, 2007, 07:43 AM
Hi na sceiri :)

Change the rule for this (see screen capture) and tell me if it's working.

na sceiri
June 24th, 2007, 10:31 AM
No, still logging (the old one) like crazy.

-{ Quote: "06-24-07,15:22:51 D-410 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:SSDP/UPnP Src:SSDP/UPnP
06-24-07,15:22:51 D-411 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:SSDP/UPnP Src:SSDP/UPnP" }-

I marked this new rule for inclusion into log (to see if it's working) but nothing has come up.

I don't know but my simple logic tells me that, to allow particular packets blocked by a rule, one should reverse the rule. Means maybe we should try out with details included in the packet's content (see below)?

Regards.

Climenole
June 24th, 2007, 11:24 AM
Hi na sceiri :)


Funny... :wacko:

Make a copy of your rules set + a copy of your log and upload it here.


:)

na sceiri
June 24th, 2007, 12:53 PM
OK, here it goes.

Climenole
June 25th, 2007, 07:12 AM
Hi na sceiri :)


You have these packets in your log and I create rules for this.

06-24-07,00:05:19 D-833 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:SSDP/UPnP =1900 Src:SSDP/UPnP
06-24-07,07:42:41 U-42 'UDP : Any other UDP pack' 239.255.255.250 UDP Ports Dest:SSDP/UPnP Src:49221

06-24-07,00:05:19 D-834 'All other packets ' 192.168.1.1 IGMP Data:148 4 0 0

06-24-07,00:11:10 U-880 'UDP : Any other UDP pack' ff02::1:3 UDPV6 Ports Dest:LLMNR=5355 Src:49496
06-24-07,00:11:10 U-881 'UDP : Any other UDP pack' 224.0.0.252 UDP Ports Dest:LLMNR Src:49497

LLMNR queries are sent to and received on port 5355. The IPv4 link-scope multicast address a given responder listens to, and to which a sender sends queries, is 224.0.0.252. The IPv6 link-scope multicast address a given responder listens to, and to which a sender sends all queries, is FF02:0:0:0:0:0:1:3.

Responders MUST listen on UDP port 5355 on the link-scope multicast address(es) defined in Section 2, and on TCP port 5355 on the unicast address(es) that could be set as the source address(es) when the responder responds to the LLMNR query.

http://tools.ietf.org/html/rfc4795


06-24-07,07:40:49 D-2 'ICMP : All ICMP types 192.168.1.1 ICMP Type:3 Code:4


Load the modified rules set and try again.

Hope this helps. Let me know.

:)

na sceiri
June 25th, 2007, 11:03 AM
Hi Climenole.

Again thank you for engagement in my problem.

As advised, I loaded that ruleset. However, it seems those packets are captured by the firewall as before.

Kindly see the attached log.

To be honest I don't know what to do next.

Regards.

na sceiri
June 27th, 2007, 04:20 AM
Frederic,
I'd appreciate support from the LnS developer to find a solution in my problem.
Regards.

Climenole
June 27th, 2007, 06:00 AM
Hi na sceiri :)

-{ Quote: "Hi Climenole.

Again thank you for engagement in my problem.

As advised, I loaded that ruleset. However, it seems those packets are captured by the firewall as before.

Kindly see the attached log.

To be honest I don't know what to do next.

Regards." }-

Here some packets samples:



06-25-07,12:48:39 U-3 'UDP : Any other UDP pack' ff02::c UDPV6 Ports Dest:SSDP/UPnP Src:49154
06-25-07,12:48:39 U-4 'UDP : Any other UDP pack' 239.255.255.250 UDP Ports Dest:SSDP/UPnP Src:49157
06-25-07,12:48:39 U-5 'UDP : Any other UDP pack' ff02::c UDPV6 Ports Dest:SSDP/UPnP Src:49154
06-25-07,12:48:39 U-6 'UDP : Any other UDP pack' 239.255.255.250 UDP Ports Dest:SSDP/UPnP Src:49157
06-25-07,12:48:42 U-12 'UDP : Any other UDP pack' 239.255.255.250 UDP Ports Dest:SSDP/UPnP Src:49157
06-25-07,12:48:42 U-13 'UDP : Any other UDP pack' ff02::c UDPV6 Ports Dest:SSDP/UPnP Src:49154
06-25-07,12:48:43 U-14 'UDP : Any other UDP pack' 239.255.255.250 UDP Ports Dest:SSDP/UPnP Src:49157


So the only remaining problem is with this SSDP M$ stuff...
Uploading only (U-3 , U-12 : u means upload and the minus sign blocked)

LLMNR problem was solved; right? ;)

The easiest way to create a rule on the fly is to check your log, right-click on a line corresponding to the blocked packet, and choose to authorise to port SSDP (1900) as client.

This will put a new rule line at the top of the rule set...

Save, apply. Start with this...

Hope this helps. Let us know.

:)
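Added example, not part of any post in this thread: a small Python parser for the Look'n'Stop log lines quoted above. It counts blocked packets per direction, protocol and rule, and flags blocked inbound packets addressed to a port that an allowed outbound packet was sent from (the SSDP case in the 24 June log). The field layout, the reading of D as inbound and + as allowed, and all function names are assumptions inferred from the excerpts.

```python
import re
from collections import Counter

# Layout inferred from the excerpts in this thread (an assumption, not a
# documented format): MM-DD-YY,HH:MM:SS <U|D><+|-><n> 'rule' address proto details
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d-\d\d,\d\d:\d\d:\d\d)\s+(?P<dir>[UD])(?P<act>[+-])\d+\s+"
    r"'(?P<rule>[^']*)'\s+(?P<addr>\S+)\s+(?P<proto>\S+)\s*(?P<detail>.*)$")
PORT_RE = re.compile(r"Dest:(?P<dst>\S+)\s+Src:(?P<src>\S+)")

# Lines copied from the log excerpts posted in this thread.
SAMPLE_LOG = """\
06-21-07,09:50:42 D-720 'All other packets ' 192.168.1.1 IGMP Data:148 4 0 0
06-21-07,09:50:46 U-722 'All other packets ' ff02::16 IPV6 Protocol:0
06-21-07,09:50:46 U-726 'UDP : Any other UDP pack' ff02::1:3 UDPV6 Ports Dest:LLMNR Src:49883
06-21-07,09:50:46 U-727 'UDP : Any other UDP pack' 224.0.0.252 UDP Ports Dest:LLMNR Src:49884
06-21-07,09:06:03 D-15 'ICMP : All ICMP types (n' 192.168.1.1 ICMP Type:3 Code:4
06-24-07,11:41:13 U+59 'UDP : router -> allow SS' 239.255.255.250 UDP Ports Dest:SSDP/UPnP Src:49182
06-24-07,11:41:13 D-60 'UDP : Any other UDP pack' 192.168.1.1 UDP Ports Dest:49182 Src:SSDP/UPnP
06-24-07,07:40:49 D-2 'ICMP : All ICMP types 192.168.1.1 ICMP Type:3 Code:4
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = rec["rule"].strip()          # rule names are space-padded
    rec["blocked"] = rec["act"] == "-"         # '-' blocked, '+' allowed
    ports = PORT_RE.search(rec["detail"])      # only UDP lines carry ports
    rec["dst"], rec["src"] = (ports["dst"], ports["src"]) if ports else (None, None)
    return rec

def summarize(text):
    """Count blocked packets per (direction, protocol, rule); keep bad lines."""
    blocked, skipped, records = Counter(), [], []
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        if rec is None:                        # e.g. a rule name missing its quote
            skipped.append(line)
            continue
        records.append(rec)
        if rec["blocked"]:
            blocked[(rec["dir"], rec["proto"], rec["rule"])] += 1
    return blocked, skipped, records

def blocked_replies(records):
    """Blocked inbound packets sent to a port an allowed outbound packet left
    from: the request matched an allow rule but its reply did not."""
    open_ports = {r["src"] for r in records
                  if r["dir"] == "U" and not r["blocked"] and r["src"]}
    return [r for r in records
            if r["dir"] == "D" and r["blocked"] and r["dst"] in open_ports]

if __name__ == "__main__":
    blocked, skipped, records = summarize(SAMPLE_LOG)
    print(blocked.most_common(), len(blocked_replies(records)), len(skipped))
```

On the sample, the one flagged reply is the router's unicast answer from port 1900 to local port 49182: the allow rule matched the outbound packet to 239.255.255.250 but not the inbound packet from 192.168.1.1.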

Frederic
June 27th, 2007, 04:31 PM
-{ Quote: "Frederic,
I'd appreciate support from the LnS developer to find a solution in my problem.
Regards." }-
Is the problem just to have a clean log ? or is there still something blocked and a windows service or application not working ?

Thanks,

Frederic

na sceiri
June 29th, 2007, 01:29 PM
Hello Gentlemen,

@Climenole, uffffffff, I hope it may not be necessary to further fight with the ruleset (kindly see below).

-{ Quote: "Is the problem just to have a clean log ? or is there still something blocked and a windows service or application not working ?

Thanks,

Frederic" }-

As I stated at the beginning of this thread, I started to have connection problems after installing LnS (with enhanced rules set). It was almost clear to me that the firewall is blocking packets that should be allowed in case of connection pc <-> router.

Well, I think I've eventually found the culprit. Most probably my ADSL microfilter (at the phone socket) was causing difficulties. Now I'm running without that filter, and have unplugged the phone for testing purposes [:)]. Since this morning everything's been fine, so I hope that's it.

Re. blocked traffic by LnS, shall I then disregard the above presented log entries?

Cheers.

Frederic
June 29th, 2007, 02:13 PM
-{ Quote: "
Re. blocked traffic by LnS, shall I then disregard the above presented log " }-
Hi na sceiri,

Yes, if:
1- the number of packets is not so high
2- the sound it generates is not too annoying
3- no service/application is blocked, everything works fine
=> then there is no need to create a special rule.

In case 1-, 2- is not true, you can:
- create a special rule that will drop these packets silently
or
- remove the ! for the current rule catching the packet

Frederic

Climenole
June 29th, 2007, 02:35 PM
HI na sceiri :)

-{ Quote: "Hello Gentlemen,

@Climenole, uffffffff, I hope it may not be necessary to further fight with the ruleset .

As I stated at the beginning of this thread, I started to have connection problems after installing LnS (with enhanced rules set). It was almost clear to me that the firewall is blocking packets that should be allowed in case of connection pc <-> router.

Well, I think I've eventually found the culprit. Most probably my ADSL microfilter (at the phone socket) was causing difficulties. Now I'm running without that filter, and have unplugged the phone for testing purposes [:)]. Since this morning everything's been fine, so I hope that's it.

Re. blocked traffic by LnS, shall I then disregard the above presented log entries?

Cheers." }-

All these packets were generated by a defective ADSL filter at the phone socket?

:wacko:

I'm very happy to read your post because since a week I have some doubts about the level of my intelligence
( :o alzheimer symptoms? :blink: )

;)

1- Make sure the filter + ADSL cable + phone cable are connected the right way. If this is the case then:

2- If this filter is provided by your ISP, ask for a new working one...

3- For the other packets, follow Frederic's instructions.

:)

na sceiri
June 29th, 2007, 03:57 PM
-{ Quote: "
All these packets were generated by a defective ADSL filter at the phone socket?

:wacko: " }-

Exactly :P
At least right now I don't have to be particularly concerned that those packets have bad influence on network performance.

All the best, bye now.

[na sceiri vanished in space]

:):)