Hi this is driving me loopy.

Prior to making a purchasing decision in favour of the DG824M I thought I'd done
my homework thoroughly and discovered that with the latest Firmware upgrade
(1.4.5) the uPnP functionality on the DG824M would work 100% with Windows
Messenger 4.7.

My experiences are proving to be far from reliable. This was bought to replace a
2 box modem/linksys solution that worked pretty much flawlessly but I wanted a
neater 1 box solution with wireless LAN.

I've clean built my PC and what I'm finding is I can occasionally get a
successful voice connection if I initiate it. Any incoming attempts will fail
and will also stop me from making an out going connection until I exit messenger
and sign in again.

Is this the normal state of affairs for the DG824M or are there people out there
for whom it is working 100% both inbound and outbound calling?

Thanks a lot

In message <(E-Mail Removed)>, Moonshine
<(E-Mail Removed)> writes
>Hi this is driving me loopy.
>
>Prior to making a purchasing decision in favour of the DG824M I thought
>I'd done
>my homework thoroughly and discovered that with the latest Firmware upgrade
>(1.4.5) the uPnP functionality on the DG824M would work 100% with Windows
>Messenger 4.7.
>
>My experiences are proving to be far from reliable. This was bought to
>replace a
>2 box modem/linksys solution that worked pretty much flawlessly but I wanted a
>neater 1 box solution with wireless LAN.
>
>I've clean built my PC and what I'm finding is I can occasionally get a
>successful voice connection if I initiate it. Any incoming attempts will fail
>and will also stop me from making an out going connection until I exit
>messenger
>and sign in again.

Sounds like your firewall in the DG824M. By default the DG824M firewall
closes all incoming ports except http, ftp etc (but leaves all outgoing
ports open). Messenger requires ports 6891-6900 to be open - which isn't
a default condition.

Have a look in your logs for discarded packets addressed to these ports.
Set a rule opening the ports [1].
>
>Is this the normal state of affairs for the DG824M or are there people
>out there
>for whom it is working 100% both inbound and outbound calling?

It's a not-bad idea to set up your 824 to e-mail you the log when it
gets full. I file mine so if there's something funny going on (like the
latest crop of viruses) I can determine what's happening.

Also disable ICF (and any software firewall you might have running. Some
folk have advised me that these don't make any difference - but they did
for me.

I should add that there's a whole bunch of information on this at
Microsoft's site - just do a search on 'Messenger ports'.
--
Tony Morgan
Smile in the face of adversity - and adversity will probably
think you're taking the **** and kick the **** out of you.

On Sat, 13 Sep 2003 20:23:20 +0100, Tony Morgan <(E-Mail Removed)>
wrote:

>In message <(E-Mail Removed)>, Moonshine
><(E-Mail Removed)> writes
>>Hi this is driving me loopy.
>>
>>Prior to making a purchasing decision in favour of the DG824M I thought
>>I'd done
>>my homework thoroughly and discovered that with the latest Firmware upgrade
>>(1.4.5) the uPnP functionality on the DG824M would work 100% with Windows
>>Messenger 4.7.
>>
>>My experiences are proving to be far from reliable. This was bought to
>>replace a
>>2 box modem/linksys solution that worked pretty much flawlessly but I wanted a
>>neater 1 box solution with wireless LAN.
>>
>>I've clean built my PC and what I'm finding is I can occasionally get a
>>successful voice connection if I initiate it. Any incoming attempts will fail
>>and will also stop me from making an out going connection until I exit
>>messenger
>>and sign in again.
>
>Sounds like your firewall in the DG824M. By default the DG824M firewall
>closes all incoming ports except http, ftp etc (but leaves all outgoing
>ports open). Messenger requires ports 6891-6900 to be open - which isn't
>a default condition.
>
>Have a look in your logs for discarded packets addressed to these ports.
>Set a rule opening the ports [1].
>>
>>Is this the normal state of affairs for the DG824M or are there people
>>out there
>>for whom it is working 100% both inbound and outbound calling?
>
>It's a not-bad idea to set up your 824 to e-mail you the log when it
>gets full. I file mine so if there's something funny going on (like the
>latest crop of viruses) I can determine what's happening.
>
>Also disable ICF (and any software firewall you might have running. Some
>folk have advised me that these don't make any difference - but they did
>for me.
>
>I should add that there's a whole bunch of information on this at
>Microsoft's site - just do a search on 'Messenger ports'.

Hi Tony,

The whole point of uPnP is to dynamically open and map these ports as required -
as far as I was aware it shouldn't be necessary to configure specific firewall
rules.

I have looked at the Firewall config though and you have to specify a single
destination IP address on the LAN for these open ports - kind of defeats the
object of having the router.

Is that how you have yours set-up so only one designated PC can do Messenger
Voice/Video?

In message <(E-Mail Removed)>, Moonshine
<(E-Mail Removed)> writes
>The whole point of uPnP is to dynamically open and map these ports as
>required - as far as I was aware it shouldn't be necessary to configure
>specific firewall rules.
>
>I have looked at the Firewall config though and you have to specify a
>single destination IP address on the LAN for these open ports - kind
>of defeats the object of having the router.
>
>Is that how you have yours set-up so only one designated PC can do
>Messenger Voice/Video?

You can specify IP ranges. There's an example in the Reference Manual on
page 5-11. Alternatively you can specify individual machines (IPs) in
individual rules. Even better, you can specify what log entries are
written on Match. Not Match, Never and Always for each rule. You
probably already know that you do have to be aware of precedence in the
rule table ordering.

The 824M has one of the more comprehensive firewalls for it's price.
For example, you can route a service to a particular machine by using a
port extension to the IP in the rules (like they do on big systems).

The only thing that I'd have liked to have seen would be a default
setting all outgoing ports to closed (except 80), with an interactive
"do you want to open this port always/this time/never like Zone Alarm
has. With the ability of course to switch off the interactive mode off.

Trying to do this via the log is inordinately difficult at this time
(which you could otherwise do) because of the large number of log
entries occurring due to trojan viruses out there. I'm being bombarded
with port 135 to 139 attacks at the moment. I've even thought about
"allowing all" on incoming, then closing those other than the "safe"
ports - then I could specify which rules warranted a log entry.

--
Tony Morgan
Smile in the face of adversity - and adversity will probably
think you're taking the **** and kick the **** out of you.

Moonshine wrote:
>
> The whole point of uPnP is to dynamically open and map these ports as
> required - as far as I was aware it shouldn't be necessary to
> configure specific firewall rules.

Half the point of a firewall is to prevent outside connections to
arbitrary ports.

Having said that, I believe there are consumer firewall appliances that
'understand' UPnP; however I have UPnP switched off - any new internet
technology introduced by Microsoft I consider to be seriously insecure
until I can convince myself otherwise by understanding it. I haven't
bothered to look into UPnP at all.
>
> I have looked at the Firewall config though and you have to specify a
> single destination IP address on the LAN for these open ports - kind
> of defeats the object of having the router.

Rubbish. A router is a computer that has multiple IP interfaces, and
using a routing-table, sends packets arriving on one interface out on
another interface. Port-forwarding is not any job that a router is
supposed to know about.

Consumer firewall-routers all also perform NAT; that isn't specifically
a router's job. But if a router performs NAT, then incoming connections
either get blocked, or they get sent somewhere. The port-forwarding
table tells it where. Your complaint is about that feature, which allows
you to drill holes in the NAT firewall, but only if you know what port
the incoming traffic is expected on.

It's not reasonable to expect a consumer firewall appliance to
understand UPnP, unless it says so on the box (and then you should still
read the manual and the FAQs and the newsgroups before buying it - these
devices do *not* run the latest version of Windows).

--
Jack.

On Sat, 13 Sep 2003 22:04:46 +0100, Tony Morgan <(E-Mail Removed)>
wrote:

>In message <(E-Mail Removed)>, Moonshine
><(E-Mail Removed)> writes
>>The whole point of uPnP is to dynamically open and map these ports as
>>required - as far as I was aware it shouldn't be necessary to configure
>>specific firewall rules.
>>
>>I have looked at the Firewall config though and you have to specify a
>>single destination IP address on the LAN for these open ports - kind
>>of defeats the object of having the router.
>>
>>Is that how you have yours set-up so only one designated PC can do
>>Messenger Voice/Video?
>
>You can specify IP ranges. There's an example in the Reference Manual on
>page 5-11. Alternatively you can specify individual machines (IPs) in
>individual rules. Even better, you can specify what log entries are
>written on Match. Not Match, Never and Always for each rule. You
>probably already know that you do have to be aware of precedence in the
>rule table ordering.
>
>The 824M has one of the more comprehensive firewalls for it's price.
>For example, you can route a service to a particular machine by using a
>port extension to the IP in the rules (like they do on big systems).
>
>The only thing that I'd have liked to have seen would be a default
>setting all outgoing ports to closed (except 80), with an interactive
>"do you want to open this port always/this time/never like Zone Alarm
>has. With the ability of course to switch off the interactive mode off.
>
>Trying to do this via the log is inordinately difficult at this time
>(which you could otherwise do) because of the large number of log
>entries occurring due to trojan viruses out there. I'm being bombarded
>with port 135 to 139 attacks at the moment. I've even thought about
>"allowing all" on incoming, then closing those other than the "safe"
>ports - then I could specify which rules warranted a log entry.

Tony,

First are you actually using your router for Windows Messenger Voice Video? I
appreciate you offereing this advise but I'm keen to know if it based on your
own practical experience or just from info in the manual?

As regards the setting of IP ranges I've looked again at the manual to ensure
I've not missed anything - the range setting is for WAN IP addresses not LAN IP
addresses. This is to allow you to define specific source IP addresses out in
the internet that are allowed to make the connection to the specific service you
define.

Please anyone else who has this working 100% please shout.

In message <(E-Mail Removed)>, Moonshine
<(E-Mail Removed)> writes
>First are you actually using your router for Windows Messenger Voice
>Video?

Yes. My wife uses video link-ups with her two daughters (different
locations) two or three times a week.

>I appreciate you offereing this advise but I'm keen to know if it based
>on your own practical experience or just from info in the manual?

See above.
>
>As regards the setting of IP ranges I've looked again at the manual to
>ensure I've not missed anything - the range setting is for WAN IP
>addresses not LAN IP addresses.

You blind? Page 5-11?

Can you read the words "Outbound Services" and the words "Inbound
Services" (table headers) ?

Then of course each table allows you to enter service definitions in the
"LAN Users" and "Wan Users" columns as appropriate (for the Outbound
Services), and for the Inbound Services you have "LAN Server IP address"
and "WAN Users" columns.

And in both tables, the "Service Name" column indicates the
application/port identifier (you can use the port number where
appropriate [1]).

Not exactly rocket science :-)

>This is to allow you to define specific source IP addresses out in the
>internet that are allowed to make the connection to the specific
>service you define.

>
>Please anyone else who has this working 100% please shout.

Bloody hell.... I don't know why I bother :-)

Please carry on Pal.....

[1] This is especially useful where you're setting up a rule in
response to a log entry.

--
Tony Morgan
Smile in the face of adversity - and adversity will probably
think you're taking the **** and kick the **** out of you.

In message <E+RYL8EGPIZ$(E-Mail Removed)>, Tony Morgan
<(E-Mail Removed)> writes

A thought has occurred to me... Please no comments :-)

You *are* running firmware post Version 1.3 Release 03. You should be on
Version 1.4 Release 05.

V1.3 R03 introduced UPnP support (which is required for Messenger).

Also ensure you have UPnP enabled and set up correctly (Advanced/UPnP
menu selection to bring up the entry pane). The DG824M *should* default
to enabled with the correct settings, but you might have knocked them
off :-)

Also make sure you're using the V1.4 Reference Manual (you can download
it from the Netgear site if you've got an old version)..

--
Tony Morgan
Smile in the face of adversity - and adversity will probably
think you're taking the **** and kick the **** out of you.

In message <Oe0aThGQiIZ$(E-Mail Removed)>, Tony Morgan
<(E-Mail Removed)> writes
>In message <E+RYL8EGPIZ$(E-Mail Removed)>, Tony Morgan
><(E-Mail Removed)> writes

Another thought.... are you running Zone Alarm?

See
http://support.microsoft.com/default...b;en-us;324214
--
Tony Morgan
Smile in the face of adversity - and adversity will probably
think you're taking the **** and kick the **** out of you.

On Sun, 14 Sep 2003 22:21:51 +0100, Tony Morgan <(E-Mail Removed)>
wrote:

>In message <Oe0aThGQiIZ$(E-Mail Removed)>, Tony Morgan
><(E-Mail Removed)> writes
>>In message <E+RYL8EGPIZ$(E-Mail Removed)>, Tony Morgan
>><(E-Mail Removed)> writes
>
>Another thought.... are you running Zone Alarm?
>
>See
>http://support.microsoft.com/default...b;en-us;324214

Hi Tony,

I flashed the Router up to the latest 1.4.5 firmware as soon as I got it, and
enabled UPnP too, no I'm not running any Personal Firewall software on the PC -
including the built-in windows Internet Connection Firewall.

If I swap back to the Linksys set-up everything works fine again.

I promise I've looked very carefully at the user guide, honest.

Yes I can see the options to configure Firewall rules for Outbound & Inbound.

For inbound rules (what we are interested in here) you can only set a single IP
address on the LAN interface for where you want to forward a specific range
ports on the WAN interface ( a Service). You can set a range of addresses on the
WAN side - this is so you can specify which remote sites you will allow to make
an inbound connection. This is not relevant here as any remote address could be
the originator.

Normally this option as it states is to allow you to designate a PC on the LAN
to be your WEB server and receive the inbound port 80 traffic, etc.

The example they use for Video Conference has a single PC (192.168.0.11)
configured to receive the CUSeeMe traffic, from a limited range of remote user
IP addresses 134.177.88.1 to 134.177.88.254. Even if this worked it would not be
what I want as I don't want only a single PC to be able to use Messenger Voice &
Video.

Unfortunately the guide has very little info on the workings of UPnP, but I can
assure you the whole point is for it to open these ports through the firewall
dynamically on your behalf, no manual configuration of the Firewall should be
necessary. If it doesn't do this then its UPnP implementation is broken. I have
read elsewhere that it suffered this one way operation, but I naively thought
this was fixed in this latest version of software.