Port change and still being hit

FlangeMonkey
Posts: 7
Joined: Mon Oct 12, 2015 4:56 pm

Port change and still being hit

Post by FlangeMonkey » Sat Jan 28, 2017 12:06 am

Hi Guys,

I changed the port some time ago for SoftEther. I have recently upgraded my firewall and PAT/NAT to SoftEther however I have noticed that I'm getting hit by port 40000 and 50657 from the same client.

Anyone know what port 50657 is, and why after changing the port it still tries to connect?

Thanks,

FlangeMonkey
Posts: 7
Joined: Mon Oct 12, 2015 4:56 pm

Re: Port change and still being hit

Post by FlangeMonkey » Sat Jan 28, 2017 12:58 am

I've just upgraded to 4.20.9608 and tested this and the source port from the client is currently 51365 (so I may have mixed up the previous ports I mentioned) and the two destination ports are now 65248 and 40001.

Thanks,

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Port change and still being hit

Post by moatazelmasry » Sat Jan 28, 2017 1:36 pm

These are arbitrary ports that could be used for communication. This is an accepted behavior I guess.

What is the problem exactly?

FlangeMonkey
Posts: 7
Joined: Mon Oct 12, 2015 4:56 pm

Re: Port change and still being hit

Post by FlangeMonkey » Sun Jan 29, 2017 11:25 pm

The thing is I've selected a port for SE and normal behaviour that I would expect is no other ports would be used, other than what is required.

There isn't a problem with communication, everything works as expected, however because the ports aren’t open they are being blocked and I get an excessive amount, very much like a flood and when I implement IDS it may block all traffic.

I don't feel that SE should be sending traffic on this port when it has already established a connection. What also crosses my mind is, if it's required, why is it working, and could there be an issue that I'm not aware of?

Thanks for your response,

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Port change and still being hit

Post by moatazelmasry » Mon Jan 30, 2017 9:39 am

These arbitrary ports are from the sender. You don't have to worry about them. This is how networking works. For example, when connecting to ssh, you connect to port 22 on the destination server, but on your machine the connection is initiated from an arbitrary port in the range 1024-65553.

To allow connections on your SE server, accept connection from the following ports:

443: Used for server administration, vpncmd and the SE VPN protocol itself
1194: OpenVPN
500, 4500, 1701: L2TP, L2TPv3, etc.

Depending on your needs, open only the corresponding ports

FlangeMonkey
Posts: 7
Joined: Mon Oct 12, 2015 4:56 pm

Re: Port change and still being hit

Post by FlangeMonkey » Mon Jan 30, 2017 12:26 pm

I’m not talking about the source ports which can be arbitrary, I’m specifically talking about destination ports. I don’t think you understand the situation and what I’m trying to convey?

I have ports 500 (isakmp), 4500 (ipsec-nat-t) and 13333 (softether) open. I have a remote SE client configured to connect to destination port 13333 to my site where softether is configured to use port 13333 and this works without issues. I do not want to use a destination port of 40000, 40001, etc. The client has specifically been configured to connect via 13333. Therefore, why is the SE remote client repeatedly trying to connect to the destination port 40000 or 40001 after it has established a connection via 13333?

Even just for the question of why, the question still stands because it's odd behaviour. Like I have previously mentioned, when IDS is implemented it will see a flood on these ports and it will block the IP address of the SE client. This also currently floods my message log with notices that this port has been hit; when more clients are deployed, this problem will be exacerbated.

Just to clarify further: an SE client is configured to connect to a destination port of 13333. What I see is, after SE connects and starts passing traffic, a repeated connection attempt to destination port 40000, 40001, etc. In my opinion, this should not be happening.

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Port change and still being hit

Post by moatazelmasry » Tue Jan 31, 2017 12:09 pm

Interesting.

I just configured SE to connect on port 13333 and tried with an SE client. It worked fine. No other ports are being hit. I examined this through iptables logging on PREROUTING, POSTROUTING etc.. Everything is working fine, and no unexpected ports are being hit by the client, i.e. I'm not able to reproduce the described behavior.

Is this reproducible? If so would you please create a minimum vpn_server.config file and attach it here, or even better open a github issue with it?
https://github.com/SoftEtherVPN/SoftEtherVPN

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Port change and still being hit

Post by thisjun » Wed Feb 15, 2017 7:48 am

Which protocol is the port that the client sends to, TCP or UDP?
If it is UDP, it is for NAT-traversal.
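To answer thisjun's question from firewall logs rather than by eye, here is an added example (not from the thread or the SoftEther project) that parses iptables LOG lines, as moatazelmasry did, and separates TCP hits on the configured listener from UDP hits in a high-port range coming from the same client. The log lines are constructed, and the UDP range 40000-40100 is an assumption taken from the ports reported in this thread, not a documented SoftEther range.

```python
import re
from collections import Counter

# Constructed iptables LOG lines (not real captures from the thread): one client
# connecting to the configured SoftEther listener on TCP 13333 and then
# repeatedly hitting UDP 40000/40001, plus an unrelated probe for comparison.
SAMPLE_LOG = """\
Jan 30 12:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51365 DPT=13333 SYN
Jan 30 12:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=51366 DPT=40000 LEN=64
Jan 30 12:01:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=51366 DPT=40001 LEN=64
Jan 30 12:01:08 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=51366 DPT=40000 LEN=64
Jan 30 12:01:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=22 SYN
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_lines(text):
    """Yield (src, proto, dpt) for every iptables LOG line that matches."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["proto"], int(m["dpt"])

def classify(text, listen_port, udp_nat_range=(40000, 40100)):
    """Per (src, proto, dpt): 'vpn_listener' for TCP to the configured port,
    'vpn_client_udp' for UDP in the assumed NAT-traversal range from a source
    that also reached the listener, 'other' for anything else (normal IDS handling)."""
    per_src = {}
    for src, proto, dpt in parse_lines(text):
        per_src.setdefault(src, Counter())[(proto, dpt)] += 1
    lo, hi = udp_nat_range
    report = {}
    for src, hits in per_src.items():
        has_listener = any(p == "TCP" and d == listen_port for p, d in hits)
        for (proto, dpt), n in hits.items():
            if proto == "TCP" and dpt == listen_port:
                kind = "vpn_listener"
            elif proto == "UDP" and lo <= dpt <= hi and has_listener:
                kind = "vpn_client_udp"
            else:
                kind = "other"
            report[(src, proto, dpt)] = (kind, n)
    return report

if __name__ == "__main__":
    for (src, proto, dpt), (kind, n) in sorted(classify(SAMPLE_LOG, 13333).items()):
        print(f"{src:>14} {proto}/{dpt:<5} {kind:16} x{n}")
```

Feeding a real log through `classify` shows whether the repeated hits are UDP from an already-connected client (the NAT-traversal case thisjun describes) or something that should keep tripping the IDS.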
