
Can I have a specific FW script for use on a specific interface?

0 votes
Hello:

We have a WR44 connected via GRE tunnels inside IPSec tunnels over GPRS via ppp1.
We have the FW enabled currently on ppp1 as follows:

#Allow outbound FTP traffic
pass out break end proto ftp from any to any port=ftpcnt flags S!A inspect-state
#Allow any other outbound traffic and the replies back in
pass out break end inspect-state
#Allow incoming IPSEC
pass break end proto 50
pass in break end proto udp from any to any port=ike
pass in break end proto udp from any to any port=4500
#Allow any traffic within an IPSEC tunnel in both directions
pass break end oneroute any
#Allow incoming SSH and SFTP
pass in break end proto tcp from any to any port=22222 flags S!A inspect-state
#Allow incoming HTTPS
pass in break end proto tcp from any to any port=443 flags S!A inspect-state
#Block and log everything else including incoming telnet, http and FTP
block log break end

This is working fine.

Our problem is, the instrumentation we have at the site sends a real-time stream over the link from source TCP port 5018 and this is the traffic we are interested in. The system also stores its data locally and at the top of the hour, the central server will check if any data is missing; if it is, it will passively ftp it up from the instrument. The problem is this ftp session swamps the BW of the link, causing the real-time data to get delayed during the ftp.

What we want to do is prioritize the source TCP port 5018 traffic over the ftp data.

This source data enters interface eth0 and leaves interface ppp1.

The FW rule to mark the data should be something like this:
dscp 46 in on eth0 proto tcp from any to any port=5018

Can someone confirm that?

Now, my thinking is that I should mark this packet as it comes INTO the router on eth0, is that correct?
Question: If I enable the fw on eth0 all FW rules will be in effect on eth0, right? I don't want to block anything on eth0 from coming into the router but there is only a single fw.txt file in the router which means whichever interface I enable this on, all the rules will apply, right? Which means I lock myself out of my http interface on eth0 if I enable the fw on eth0....so how do I do this?

Then, I enable QoS on interface ppp1, is that correct?

In short, I need a clarification on whether I need to enable the FW on eth0, on ppp1 or on both. If I do it on both, how do I do so that I don't block myself out of the web interface on eth0?

Sorry for the dumb questions.

Cheers,
john
asked May 3, 2018 in Digi TransPort Cellular by jserink New to the Community (44 points)


6 Answers

0 votes
OK, for the first part of the question, you can add a rule to be interested in the traffic on eth 0

pass break end on eth 0

this is a catch all rule for the eth 0 interface to allow all traffic

then you would create a rule for the traffic which you say has its source on port 5018, so the rule would be

you would have the port on the first "any" as this is the source

dscp 46 in on eth0 proto tcp from any port=5018 to any

I take it you have read

http://ftp1.digi.com/support/documentation/QN_015_Quality%20of%20Service%20(QoS)%20on%20a%20TransPort%20router.pdf

as the data is from eth -> WAN you are mainly interested in fixing bandwidth on the uplink, and as such you need to make sure the bandwidth out of the WAN is prioritised for your stream and not FTP

so the next thing is to set qos up on the PPP interface and estimate the bandwidth you think you are going to get on the UP channel.

you're not really interested in QoS inbound, which is harder as the packets will have hit the interface and are already consuming bandwidth until TCP backs off

regards

James
answered May 3, 2018 by James.Wilson Veteran of the Digi Community (1,225 points)
0 votes
Hi James:

Ok, great. So, just to review:
I add these rules to the FW script:
pass break end on eth 0
dscp 46 in on eth0 proto tcp from any port=5018 to any

And this won't affect what the FW is doing on ppp1, right?

Now, the PPP1 BW estimation is a bit tricky as I have 16 sites in various areas, about half on 3G, some on Edge, some on GPRS class 12, so I don't really know what my max BW is. In this type of case, how would you recommend I set the BW?

Cheers,
john

PS. Yes I read QN15 but that note:
1. It assumed a knowledge of the uplink BW,
2. The source was a specific IP,
3. the FW was operating only on the incoming interface.

All of those are different in my application.
answered May 3, 2018 by jserink New to the Community (44 points)
you also have to include the

pass break end on eth 0

after your rule this should allow all traffic in and out of eth 0

if you do not you will lock yourself out again
0 votes
Hi James:

So I add this to the fw.txt:

dscp 46 in on eth0 proto tcp from any port=5018 to any
pass break end on eth 0


Should I add that at the top of the fw script or the bottom?

After that, I just adjust the QoS on ppp1, correct?


Cheers,
john
answered May 3, 2018 by jserink New to the Community (44 points)
the firewall rules are read top-down, so you need your rules at the top

then yes enable qos on ppp 1 and set the bandwidth
0 votes
Hi Everyone:

I tried to enter these rules into my test router and got this:
1 pass in break end proto icmp icmp-type echo
2 dscp 46 in on eth0 proto tcp from any port=5018 to any
# Error(line 2): Interface Expected
0 3 #Allow outbound FTP traffic

Here is my current fw.txt.
This is applied to ppp1.
pass in break end proto icmp icmp-type echo
#Allow outbound FTP traffic
pass out break end proto ftp from any to any port=ftpcnt flags S!A inspect-state
#Allow any other outbound traffic and the replies back in
pass out break end inspect-state
#Allow incoming IPSEC
pass break end proto 50
pass in break end proto udp from any to any port=ike
pass in break end proto udp from any to any port=4500
#Allow any traffic within an IPSEC tunnel in both directions
pass break end oneroute any
#Allow incoming SSH and SFTP
pass in break end proto tcp from any to any port=22222 flags S!A inspect-state
#Allow incoming HTTPS
pass in break end proto tcp from any to any port=443 flags S!A inspect-state
#Block and log everything else including incoming telnet, http and FTP
block log break end

So the FW editor throws that error when I try and add the line.

What am I doing wrong?

Cheers,
john
answered May 11, 2018 by jserink New to the Community (44 points)
Hi

in this case the interface should have a space

"Eth 0" not eth0

this then should work

sorry my bad

dscp 46 in on eth 0 proto tcp from any port=5018 to any
pass break end on eth 0

regards

James
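The two points James makes above, that the rules are read top-down and that the interface is written "eth 0" with a space, are easy to get wrong and the only feedback the router gives is a lock-out or an editor error. The following is an added example, written for this page and not code from Digi or from anyone in the thread: a toy Python evaluator for just the subset of rule syntax quoted here. Its semantics are simplifying assumptions, not Digi documentation: rules are walked top-down, a matching pass/block with "break end" decides the packet, a matching dscp rule re-marks the packet and evaluation continues, nothing matched means block, "oneroute any" is modelled as "arrived inside an IPsec tunnel", named ports ike=500 and ftpcnt=21, proto ftp is treated as tcp, and inspect-state is ignored. It also rejects "eth0" without the space, as the editor did in this thread. demo() shows the 5018 stream passing eth 0 with DSCP 46, a browser on port 80 still reaching the router when the two new rules sit on top, and the same port-80 packet falling through to "block log break end" when they sit at the bottom.

```python
"""Toy top-down evaluator for the TransPort-style firewall lines quoted in this thread.
Added example, not Digi code. Semantics are simplified assumptions, not Digi documentation:
rules read top-down; matching pass/block with "break end" decides; matching dscp re-marks
and continues; nothing matched means block; "oneroute any" means "arrived inside IPsec";
ike=500, ftpcnt=21; proto ftp is tcp; inspect-state is ignored."""

NAMED_PORTS = {"ike": 500, "ftpcnt": 21}                    # assumed mapping
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "ftp": 6}


def parse_rule(line):
    """Parse one rule line into a dict of match fields; raises ValueError on bad syntax."""
    toks = line.split()
    if toks[0] not in ("pass", "block", "dscp"):
        raise ValueError(f"unknown action {toks[0]!r}")
    rule = {"text": line, "action": toks[0], "terminal": False}
    i = 1
    if toks[0] == "dscp":
        rule["dscp"], i = int(toks[1]), 2
    side = None                                            # endpoint a port= token belongs to
    while i < len(toks):
        t = toks[i]
        if t == "break" and toks[i + 1:i + 2] == ["end"]:
            rule["terminal"], i = True, i + 2
        elif t == "on":                                    # interface is "<type> <number>"
            if i + 2 >= len(toks) or not toks[i + 2].isdigit():
                raise ValueError("Interface Expected")     # the editor's message in this thread
            rule["iface"], i = f"{toks[i + 1]} {toks[i + 2]}", i + 3
        elif t in ("proto", "flags", "from", "to", "oneroute", "icmp-type"):
            arg = toks[i + 1]
            if t == "proto":
                rule["proto"] = int(arg) if arg.isdigit() else PROTO_NUMBERS[arg]
            elif t == "flags":
                rule["flags"] = arg                        # "S!A": SYN required, ACK forbidden
            elif t in ("from", "to"):
                side = t                                   # address is always "any" on this page
            elif t == "oneroute":
                rule["oneroute"] = True
            i += 2                                         # icmp-type <x> is skipped, not modelled
        elif t in ("in", "out"):
            rule["direction"], i = t, i + 1
        elif t.startswith("port="):
            value = t.split("=", 1)[1]
            rule["sport" if side == "from" else "dport"] = int(value) if value.isdigit() else NAMED_PORTS[value]
            i += 1
        elif t in ("log", "inspect-state"):
            i += 1
        else:
            raise ValueError(f"unsupported token {t!r}")
    return rule


def check_syntax(line):
    """Return the parse error message for a rule line, or None if it parses."""
    try:
        parse_rule(line)
        return None
    except (ValueError, KeyError, IndexError) as exc:
        return str(exc)


def packet(iface, direction, proto, sport=0, dport=0, flags="", in_ipsec=False):
    """A packet as the evaluator sees it; flags is the set of TCP flags present, e.g. "S" or "A"."""
    return {"iface": iface, "direction": direction, "proto": proto, "sport": sport,
            "dport": dport, "flags": flags, "in_ipsec": in_ipsec, "dscp": 0}


def matches(rule, pkt):
    for key in ("direction", "iface", "proto", "sport", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if rule.get("oneroute") and not pkt["in_ipsec"]:
        return False
    if "flags" in rule:
        required, _, forbidden = rule["flags"].partition("!")
        if any(f not in pkt["flags"] for f in required) or any(f in pkt["flags"] for f in forbidden):
            return False
    return True


def evaluate(rules, pkt):
    """Top-down walk; returns (verdict, dscp now on the packet, text of the deciding rule)."""
    verdict, decided_by = "block", None                    # default deny (assumption)
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "dscp":
            pkt["dscp"] = rule["dscp"]                     # mark and keep going (assumption)
            continue
        verdict, decided_by = rule["action"], rule["text"]
        if rule["terminal"]:
            break
    return verdict, pkt["dscp"], decided_by


# The two rules James ended up with, and most of the ppp1 rule set from the question.
MARK_RULES = [
    "dscp 46 in on eth 0 proto tcp from any port=5018 to any",
    "pass break end on eth 0",
]
PPP_RULES = [
    "pass out break end proto ftp from any to any port=ftpcnt flags S!A inspect-state",
    "pass out break end inspect-state",
    "pass break end proto 50",
    "pass in break end proto udp from any to any port=ike",
    "pass break end oneroute any",
    "pass in break end proto tcp from any to any port=443 flags S!A inspect-state",
    "block log break end",
]


def demo():
    top = [parse_rule(r) for r in MARK_RULES + PPP_RULES]      # new rules first, as advised
    bottom = [parse_rule(r) for r in PPP_RULES + MARK_RULES]   # same rules, wrong order
    return {
        "stream_on_top": evaluate(top, packet("eth 0", "in", 6, 5018, 40964, "A")),
        "web_ui_on_top": evaluate(top, packet("eth 0", "in", 6, 51000, 80, "S")),
        "web_ui_at_bottom": evaluate(bottom, packet("eth 0", "in", 6, 51000, 80, "S")),
        "telnet_from_wan": evaluate(top, packet("ppp 1", "in", 6, 51000, 23, "S")),
    }
```

Run demo() and check_syntax("dscp 46 in on eth0 proto tcp from any port=5018 to any") to see the two behaviours: the misspelt interface is rejected with "Interface Expected", and with the eth 0 rules at the bottom the port-80 packet is decided by "block log break end", which is the lock-out the question was worried about.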
0 votes
Hi James:

Got that and got it in the FW script.
Now, before I do anything else, how can I check its working?

What I have done is this:
netsh interface portproxy add v4tov4 listenport=5018 listenaddress=192.168.173.10 connectport=7 connectaddress=192.168.173.10

What this does is take any TCP connection request for 192.168.173.10:5018 and internally send it to tcp port 7, the echo service, and then send it back out TCP 5018.
Here is netstat when I am connected using telnet 192.168.173.10 5018:
C:\>netstat -a -p tcp -n | find "5018"
TCP 192.168.173.10:5018 0.0.0.0:0 LISTENING
TCP 192.168.173.10:5018 192.168.111.199:40964 ESTABLISHED

You can see the socket is connected to 192.168.173.10:5018....but the Configuration - Security > Firewall shows no hits on rule 2:
dscp 46 in on eth 0 proto tcp from any port=5018 to any

There is also nothing here:
Management - Network Status > Firewall

How can I check if the fw tagging is working?


Second question:
I did some testing using hping like this:
hping -p 5018 -c 20 -s 6000 -d 2000 -S 192.168.173.10

But the results were nonsense and it occurred to me that hping doesn't actually establish the tcp connection, it just sends SYN packets so the FW in the digi might not be tagging them. As such, it would mean I can't use hping for testing.

Cheers,
john
answered May 14, 2018 by jserink New to the Community (44 points)
Are you ftping the file from the laptop behind the digi or from somewhere on the internet?

if from the internet it's not going to work as the ftp data would already be on the PPP interface, so you have already flooded the link. Only the control channel would be slowed down.

you would need qos in to the PPP and this would have to be done by the ISP / Internet

if it's from the laptop then it should work as shown in the application note

regards

james
Hi James:

Sorry, I was not clear.
The ftp server is on the laptop behind the digi. This simulates exactly the instrumentation we have on site, a device with an ftp server and a real-time stream on 5018. I need to keep the latency on the 5018 stream down even during an ftp upload.

Problem is, it's not working. The ftp upload speed is completely consistent regardless of the QoS values I select and the latency on the 5018 data jumps from ~40ms to 400ms. I've done this before on Debian based routers using the HTB qdisc and it works perfectly. This should accomplish the same thing, it's just not working. The packets are marked correctly; it's like the QoS is just not doing anything.

Scratching my head here.

cheers,
john
Hi try reducing the

Queue profiles are:
0   1800    2000   50  25  50  10  1
4   1000    2000   50  25  50  10  1

so q4 has a smaller max value 1000

this should just cap the q4

regards
ok, will try that in the morning.
any other suggestion in case that one doesn't work?

Might the router require a reboot before the settings take effect?

cheers,
john
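On the question above of how to check that the tagging is working when the firewall counters show nothing: the marking is visible in the packets themselves, so a capture on the laptop or on a mirror of the eth 0 / ppp 1 traffic gives an answer independent of the router's own statistics. DSCP 46 is the EF code point and appears as TOS byte 0xB8 in the IPv4 header. The script below is an added example for this page, not code from the thread or from Digi: it builds constructed IPv4/TCP frames (using the two addresses from the netstat output above), parses the header, verifies the header checksum, and reports whether every packet sourced from port 5018 carries EF. Feed audit_marking() the raw IP payloads from a real capture to use it for the check the question asks about.

```python
"""Read the DSCP field out of raw IPv4/TCP bytes to verify marking, as one would from a
capture. Added example, not from the thread; the sample frames are constructed."""
import socket
import struct
from typing import Dict, List

EF = 46                                  # Expedited Forwarding; TOS byte 0xB8


def dscp_name(dscp: int) -> str:
    """Standard per-hop-behaviour name for a 6-bit DSCP value."""
    if dscp == EF:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"
    if 8 <= dscp <= 38 and dscp % 2 == 0:   # AF11..AF43 = 8*class + 2*drop
        return f"AF{dscp // 8}{(dscp % 8) // 2}"
    return f"DSCP{dscp}"


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the top six bits of the old TOS byte, ECN the bottom two."""
    return (dscp << 2) | (ecn & 3)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when run over a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, tcp_flags: int,
                   dscp: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4 + TCP frame (no Ethernet header); TCP checksum is left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, tcp_flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos_byte(dscp), 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in header checksum
    return ip + tcp


def parse_ipv4_tcp(frame: bytes) -> Dict:
    """Decode the fields a marking check needs; rejects non-IPv4/TCP and corrupt headers."""
    vihl, tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    if ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", frame[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "sport": sport, "dport": dport,
            "dscp": tos >> 2, "ecn": tos & 3, "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}


def audit_marking(frames: List[bytes], stream_port: int = 5018, expected: int = EF) -> List[str]:
    """One line per packet sourced from stream_port, saying whether it carries the expected DSCP."""
    findings = []
    for n, frame in enumerate(frames, 1):
        p = parse_ipv4_tcp(frame)
        if p["sport"] != stream_port:
            continue                         # FTP data and other traffic is not what we check
        status = "ok" if p["dscp"] == expected else f"expected {dscp_name(expected)}"
        findings.append(f"#{n} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
                        f"{'SYN' if p['syn'] else 'data'} DSCP {p['dscp']} ({dscp_name(p['dscp'])}): {status}")
    return findings


def demo_frames() -> List[bytes]:
    """Constructed samples using the two addresses from the netstat output in this thread."""
    inst, client = "192.168.173.10", "192.168.111.199"
    return [
        build_ipv4_tcp(inst, client, 5018, 40964, 0x18, EF, b"sample"),   # PSH/ACK, marked EF
        build_ipv4_tcp(inst, client, 5018, 40964, 0x18, 0, b"sample"),    # same stream, unmarked
        build_ipv4_tcp(inst, client, 20, 50000, 0x10, 0, b"ftpdata"),     # FTP data, not audited
    ]


if __name__ == "__main__":
    for line in audit_marking(demo_frames()):
        print(line)
```

A marked packet prints as "DSCP 46 (EF): ok" and an unmarked one as "DSCP 0 (CS0): expected EF". In a real capture the same check also tells you whether a SYN-only probe was marked, which is the doubt raised about hping above, because the SYN flag is decoded alongside the DSCP.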
0 votes
James!!!

The reboot fixed it.
It works like magic, lovely.

I guess when I change something on ppp1 I need to cycle the interface.

Cheers,
john
answered May 16, 2018 by jserink New to the Community (44 points)
Hi John.

I never remember which options on PPP need to have the interface reloaded (ppp 1 deact_rq) to take effect.

glad you got it working

regards

James