Can you hear me now?-MM6, Firewalls, UPnP & Port Forwarding

Mark

FRUSTRATIONS
I have spent an incredible amount of time trying to get
audio to work in MM6. This includes reading the white
papers linked from MSNMessenger help but still can't get
audio to work when both are behind routers. I find it
very frustrating that there isn't a technical document or
help file that simply lists the ports and protocols by
service used by MM6 so that I can set this up and get on
with my life! If anyone has a confirmed port table please
post it.

I have a port table that I am working on but since I
can't get a definitive answer I am reluctant to post it.
I will post the whitepaper links at the bottom but
unfortunately they never completely tell you the port
range and protocol for each MM6 service.


OBSERVATIONS
There seem to be two camps forming regarding the use of
router/firewalls with MM6:

1) If your router supports UPnP, (and you are running
WinXP) then enable it and make sure your operating system
recognizes it in Network Connections (Internet Gateway)
and My Network Places (Linksys Router)(see posts by Lucky
One). Once it does, then you should not have to set up
any specific port forwarding in the router.

2) If your router does not support, or you have not
enabled UPnP, then you need to proceed with the maze of
mapped ports and protocols.

SUCCESSES & FAILURES
I am running XP Pro with ICF disabled and QoS enabled. I
have a Linksys router (non UPnP firmware), static LAN IP,
with individual ports mapped/forwarded for everything
from Whiteboard, Text chat, Video, File Send, Audio,
Remote Assistance, etc to my LAN IP.

I have one friend running XP Pro on dialup with ICF
disabled and McAfee firewall installed. Our only
limitation is his connection speed as I am on broadband.
We have 2-way Webcam & audio communication, 2-way file
send, 2-way play tic-tac-toe & checkers, etc. Whiteboard
and Remote assistance are strained on his 50kbps dial up
however, they attempt to start. Most importantly, voice
and video are perfect and we are on opposite sides of the
world!

I have another friend that has my exact configurations
(XP Pro, broadband & Linksys router). She and I have 2-
way Webcam but no Audio.

I have another friend that is running Win98 with the same
Linksys router configured identically. We share text and
presence but audio, video and whiteboard are dead.

CONCLUSIONS
I am no technical authority on this and all of my efforts
are the result of reading everything from
http://www.practicallynetworked.com/ to mIRC help files
to the kind and helpful posts in this group and just
trying one thing at a time. I think I am almost there.

IMHO, if you want this to work with a router and MM6, you
have to be running WinXP. You have to set up a static LAN
IP for your machine and you have to map/forward the ports
manually due to a number of concerns about UPnP security.
The problem as I see it now is that Audio dynamically and
randomly chooses a port between 5004 and 65535 (UDP).
Unless both the sender/initiator and the receiver have this
range of ports open, audio will not work. I think this is
a scary large range of ports to have open.

Hope this helps. Below are the links to the white papers:

Windows Messenger in Windows XP: Issues With Firewalls
and Network Address Translation Devices
http://www.microsoft.com/windowsxp/pro/techinfo/deployment/natfw/default.asp

Inside Windows Messenger - How it Communicates
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/evaluate/insid01.asp?frame=true

Look at the links at the bottom of the articles as well.
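
To put numbers on the trade-off described in the post above, this added example (not part of the original post) compares the WAN exposure of a static forward of the UDP 5004-65535 range with a single UPnP-created mapping, and audits each rule. The LAN address, the mapped port 13251, the `WIDE` threshold and the rule-dict layout are assumptions; the response fields are those of the UPnP IGD `GetGenericPortMappingEntry` action.

```python
import xml.etree.ElementTree as ET

AUDIO_RANGE = (5004, 65535)  # UDP range quoted in the post
WIDE = 100  # assumed review threshold for "too many ports in one rule"

# Constructed static forward, as typed into a router's forwarding page.
STATIC_RULE = {"proto": "UDP", "ports": AUDIO_RANGE, "client": "192.168.1.100"}

# Constructed UPnP IGD GetGenericPortMappingEntry response (sample values).
UPNP_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse
      xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>13251</NewExternalPort>
   <NewProtocol>UDP</NewProtocol>
   <NewInternalPort>13251</NewInternalPort>
   <NewInternalClient>192.168.1.100</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>audio (constructed)</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""


def parse_upnp_mapping(xml_text):
    """Turn one GetGenericPortMappingEntry response into a rule dict."""
    f = {el.tag: (el.text or "").strip()
         for el in ET.fromstring(xml_text).iter() if el.tag.startswith("New")}
    port = int(f["NewExternalPort"])
    return {"proto": f["NewProtocol"].upper(), "ports": (port, port),
            "client": f["NewInternalClient"],
            "remote": f["NewRemoteHost"] or "*",  # empty means any WAN host
            "lease": int(f["NewLeaseDuration"]),
            "enabled": f["NewEnabled"] == "1"}


def exposed_ports(rules, proto):
    """Count distinct external ports of one protocol reachable from the WAN."""
    ports = set()
    for r in rules:
        if r["proto"] == proto and r.get("enabled", True):
            ports.update(range(r["ports"][0], r["ports"][1] + 1))
    return len(ports)


def findings(rule, expected_client):
    """Return the audit findings for one rule; an empty list means clean."""
    lo, hi = rule["ports"]
    out = []
    if hi - lo + 1 > WIDE:
        out.append("wide range: %d ports" % (hi - lo + 1))
    if rule["client"] != expected_client:
        out.append("forwards to unexpected host " + rule["client"])
    if rule.get("lease") == 0:  # IGD v1: 0 = no expiry
        out.append("no lease expiry: mapping persists until deleted")
    return out


if __name__ == "__main__":
    upnp_rule = parse_upnp_mapping(UPNP_RESPONSE)
    for name, rule in (("static", STATIC_RULE), ("upnp", upnp_rule)):
        print(name, exposed_ports([rule], "UDP"),
              findings(rule, "192.168.1.100"))
```

The static rule exposes every port in the range for as long as it is configured, while the UPnP mapping exposes one port but needs its own review for lease and target host.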
 
Hofbrau

Your frustration, to put it bluntly and directly, is caused by your dumbass
self-obstructionism evidenced by your refusal to install and enable UPnP NAT
Traversal support in your gateway.

UPnP NAT Traversal is the solution to the problem of efficient direct peer to
peer connectivity behind NAT gateways, not the problem itself, and by refusing
to install and enable it, you are intentionally obstructing yourself.

If you can name a valid intellectually honest and consistent "security issue"
with UPnP in general, or with UPnP NAT Traversal in specific, you'll be the
first person to do so that I've ever encountered.

So, I have a suggestion - get a UPnP-enabled firmware for your Linksys gateway,
then enable the UPnP service within it.

Cogitate,
Hofbrau

P.S. MSN Messenger 6 only uses UPnP NAT Traversal for audio connectivity behind
NAT gateways - no other backup server-relay methodology is used for audio.
 
x062pea

If you are running Linksys firmware that is so old that
it does not have UPnP support, then UPnP is the least of
your security concerns. There have been some serious
security holes corrected with the latest Linksys firmware
and you would be a fool not to upgrade.

Now, if you are running the latest firmware and just have
UPnP disabled, then that is your choice. If you do not
trust UPnP then go out and download ZoneAlarm Free and
run that in combination with your Linksys firewall. You
will have to add the other party's IP address to the
trusted zone but that is the price we pay for security.

I personally use the BEFSR41 V2 with Firmware 1.44.3. I
also use ZoneAlarm Pro version 4 running on my PCs. With
UPnP enabled, it really does work and contrary to urban
legend, quite safe. Good Luck.
 
Mark

1) What is the status of your ICF in WinXP?

2) Are you successfully connecting for 2-way audio in MM6?

3) Are you connecting to someone else behind a Linksys
BEFSR41 V2?

4) Why are you using a hardware *and* software firewall
*and* if the answer to 1 is enabled then a 2nd software
firewall?

5) Why do you think there are so many postings here
regarding non-working audio in MM6?

BTW, it looks like since Linksys released UPnP support in
v1.41 Dec 19,01 there were five(5) subsequent firmware
releases addressing UPnP issues up to v1.44.2 Dec 13, 02.
 
Hof

| Hofbrau, any credibility you might have had when you
| started your reply to my thread quickly dissipated with
| your vulgarity.

Yes, that's right, because I pointed out you are being intentionally obtuse and
self-obstructionist, you should ignore everything else - that's rational.

So, hey, how's that audio connectivity working, eh?

| You have offered nothing and only raised
| more questions.

I told you to upgrade your gateway firmware and enable its UPnP support. Since
you are too dumb to follow direct advice and simple instructions, one has to
wonder what else is amiss in your cogitative capabilities..

| Since it is my thread, I will answer the
| questions that I can.

You make it sound as if you have some sort of "original right" to post. You do
realize these are public newsgroups, correct?

| If you have nothing constructive to
| contribute then don't say anything at all.

Once again, upgrade your Linksys gateway's firmware, and enable the UPnP support
in it.

Also, I highly recommend you install DirectX 9.0b.

You do realize this is a public newsgroup, and anyone can post, right?

If you don't want to read the solutions provided by others to your problem, I
suggest you use your newsreader to filter them out. I'm going to continue to
post at will, as people in free societies tend to do.

| First, Linksys cautions against firmware upgrades unless
| absolutely necessary.

Well, gosh, you should always listen to anything and everything that Linksys
(or any company) says about using their products, even with the inherent
contradictions - they are never wrong or inconsistent, and always right and
consistent.

You really are obtuse, aren't you?

Here is just one of a plethora of such examples:

Statement # 1: Linksys states in several places on its web site
(http://www.linksys.com/tech_helper/faq.html) that firmware upgrades don't
increase transfer/connection speeds or enhance performance:

"Your Router does NOT need the latest firmware upgrade if your Internet
connection is already successful, as firmware upgrades will not increase your
connection speed or enhance your Router's performance."

Contradicting Statement #2: Yet, if you look in the ver.txt file that comes
with virtually all firmware upgrades, you will see that several revisions of
firmware specifically increased bandwidth and throughput issues - they increased
speed in several ways:

"1.38.5 Apr 12, 01
18. Speed up throughput rate
19. Add "multicast pass through" option in Filter UI page
20. Modified Max MTU setting value of PPPoE from 1446 to 1492.
21. Speed up throughput under PPPoE.

1.39 June 5, 01
1. Support Fragmented packet pass through
2. Speed up throughput rate"

But remember, according to the Linksys website, firmware upgrades will not
increase speed or performance. Right. You see where this is going?

| From Linksys Knowledge Base "Note -
| Firmware upgrades are for the resolution of any problems
| you may be encountering with the router and not for
| additional features.

Right. Not for additional features? I guess all the new features and functions
listed for virtually every new firmware version are all imaginary eh? Go ahead
and read the ver.txt file that comes with firmware upgrades. Tell me how many
new features you see listed, and reconcile that fact with this utter nonsense
you think has real meaning.

This is what I mean about contradictions and inconsistencies. And this is
typical of just about any company, so don't think this is limited to Linksys.

And you are dumb enough to take the information on the web site or elsewhere at
face value without applying any other facts or logic or common sense.

This is classic Dumbassism.

| Installing newer firmware on a
| presently-functioning router may result in router
| malfunction. Please be aware of this when downloading
| firmware" They say this because the upgrades frequently
| fail leaving little blue lifeless boxes with red flashing
| lights in front.

And they are almost always recoverable. If you were familiar with Linksys
gateways, you would know this.

| Failed firmware upgrades are not covered
| under warranty either. -linksys.com Knowledge Base How to
| upgrade the firmware on the Router.

Linksys will also almost always replace such dysfunctional gateways if you can't
figure out how to properly get them functioning again (and they will even send
you a new version of the same model with newer firmware too). Again, this is
common knowledge with Linksys products.

| UPnP Security Concerns
| UPnP technology has been adopted by a wide range of
| device vendors due to its simplicity and adherence to
| open standards. The initial implementation of UPnP
| technology in Windows XP, however, had some security
| vulnerabilities, which an attacker could have used to
| slow the operation of your PC or, under very rare
| circumstances, obtain elevated privileges on your system.
| However, none of these issues would surface if you
| install a firewall on Windows XP. Windows XP, in fact,
| ships with the Internet Connection Firewall (ICF), which
| is installed by default on your Internet connection,
| thereby protecting you from attackers on the Internet.
| The security vulnerabilities found have since been fixed.

This was only specific to Microsoft's code that implemented UPnP, not to UPnP in
general or any device standard or protocol in specific.

This was discovered and fixed (with a patch) back in December 2001 (more than a
year and a half ago), and was only relevant to Microsoft's UPnP code in its
Windows operating systems - not the UPnP code or services in other devices
(such as a UPnP-enabled Linksys gateway).

| Microsoft Security Bulletin MS01-059 discusses these
| issues and provides links to more information in
| Knowledge Base articles and to the patch download. -
| microsoft.com What's the Big Deal about UPnP? By Sharon
| Crawford
|
| So the question remains; If I am installing the Linksys
| router as a firewall in either a UPnP enabled or disabled
| mode (mapped ports), why do I need to enable the ICF in
| WinXP?

You don't "need" ICF or any software firewall at all behind a NAT gateway -
that's simply a user preference for those that think additional security is
necessary.

| Will the software firewall conflict with the
| hardware firewall?

Not generally, but two levels of firewalls can interfere with your connectivity
capabilities within applications. I certainly wouldn't recommend such a nested
firewall configuration.

Regardless, you need to download and install a UPnP-capable firmware version
from Linksys, then enable the UPnP support in it - that is, if you want your
audio connectivity to function in Messenger.

If you want to be childish and obtuse and silly and dumb, you can continue to do
no such thing and complain about the lack of audio connectivity in messenger
behind your Linksys gateway.

Cogitate,
Hofbrau


 
Hof

| 1) What is the status of your ICF in WinXP?

Disabled, it's unnecessary in my rational estimation behind the NAT gateway

| 2) Are you successfully connecting for 2-way audio in MM6?

It works perfectly fine, as long as UPnP is enabled in the Linksys. You did
download and install a UPnP-enabled firmware and enabled UPnP services in it,
right?

If you didn't, good luck getting audio connectivity to work.

| 3) Are you connecting to someone else behind a Linksys
| BEFSR41 V2?

Assuming that Linksys is also firmware updated and has UPnP enabled, it will
work fine.

| 4) Why are you using a hardware *and* software firewall
| *and* if the answer to 1 is enabled then a 2nd software
| firewall?

You are assuming all of his PCs have Windows XP installed....

| 5) Why do you think there are so many postings here
| regarding non-working audio in MM6?

Incompetence? Dumbasses that refuse to read or comprehend that their NAT
gateway/firewall needs UPnP support, and to therefore get a firmware upgrade
with UPnP support and enable it as well?

Dumbasses that are using outdated versions of DirectX and refuse to upgrade to
DirectX 8.1 or later (9.0b is the very latest) in order to get UPnP NAT
Traversal support (which Messenger uses..)

Dumbasses that run software firewalls and/or can't properly configure them?

| BTW, it looks like since Linksys released UPnP support in
| v1.41 Dec 19,01 there were five(5) subsequent firmware
| releases addressing UPnP issues up to v1.44.2 Dec 13, 02.

And your point is....that you can read a ver.txt file?

But don't forget, the Linksys web site says that you shouldn't upgrade the
firmware to add new functions..

I'm sure Linksys doesn't offer firmware upgrades that add new functions or
increase speed..etc etc, right? After all, that would contradict what the info
on their web site says, and we all know, that info couldn't possibly be outdated,
wrong, silly, and incorrect, right?

Cogitate,
Hofbrau

 
