Hi Guys,
I changed the port some time ago for SoftEther. I have recently upgraded my firewall and PAT/NAT to SoftEther; however, I have noticed that I'm getting hit on ports 40000 and 50657 from the same client.
Anyone know what port 50657 is, and why, after changing the port, it still tries to connect?
Thanks,
Port change and still being hit
-
- Posts: 7
- Joined: Mon Oct 12, 2015 4:56 pm
Re: Port change and still being hit
I've just upgraded to 4.20.9608 and tested this and the source port from the client is currently 51365 (so I may have mixed up the previous ports I mentioned) and the two destination ports are now 65248 and 40001.
Thanks,
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Port change and still being hit
These are arbitrary ports that could be used for communication. This is an accepted behavior I guess.
What is the problem exactly?
-
- Posts: 7
- Joined: Mon Oct 12, 2015 4:56 pm
Re: Port change and still being hit
The thing is, I've selected a port for SE, and the normal behaviour I would expect is that no other ports would be used, other than what is required.
There isn't a problem with communication, everything works as expected; however, because the ports aren't open they are being blocked, and I get an excessive amount, very much like a flood, and when I implement IDS it may block all traffic.
I don't feel that SE should be sending traffic on this port when it has already established a connection. What also crosses my mind is, if it's required, why is it working, and could there be an issue that I'm not aware of?
Thanks for your response,
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Port change and still being hit
These arbitrary ports are from the sender. You don't have to worry about them. This is how networking works. For example, when connecting to ssh, you connect to port 22 on the destination server, but on your machine the connection is initiated from an arbitrary port in the range 1024-65553.
To allow connections on your SE server, accept connection from the following ports:
443 Used for server administration, vpncmd and SE VPN protocol itself
1194 OpenVPN
500,4500,1701 L2TP, L2TPv3, etc..
Depending on your needs, open only the corresponding ports
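The distinction the reply above draws, an ephemeral source port picked by the client versus the fixed destination ports you allow-list, shown as an added example that is not code from this thread or from SoftEther. It models a stateful INPUT chain in Python: replies to an accepted connection pass on connection state, new inbound connections pass only if their destination port is on the list, and the client's source port is never consulted. The addresses 198.51.100.10 and 203.0.113.5 and the packet sequence are constructed; the port numbers are the ones quoted in the thread.

```python
"""Added example (not SoftEther code, not posted in the thread): a toy
stateful INPUT-chain filter showing why the client's *source* port is
irrelevant to the policy while the *destination* port is what you allow.
Addresses, ports and packets are constructed for illustration."""
from dataclasses import dataclass

SERVER = "198.51.100.10"   # assumed SoftEther server address
CLIENT = "203.0.113.5"     # assumed remote SE client address

# Destination ports the poster opened: 500/udp (ISAKMP), 4500/udp (IPsec
# NAT-T) and 13333/tcp (SoftEther moved off its default 443).
ALLOWED_INBOUND = {("udp", 500), ("udp", 4500), ("tcp", 13333)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Mimics `-m conntrack --ctstate ESTABLISHED -j ACCEPT`, then an
    allow-list for NEW inbound connections, then a default DROP."""

    def __init__(self, allowed):
        self.allowed = allowed
        self.flows = set()  # 5-tuples of connections already accepted

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets belonging to an accepted connection match in either direction.
        if forward in self.flows or reverse in self.flows:
            return "ACCEPT (ESTABLISHED)"
        # Connections the server itself opens are allowed and tracked.
        if pkt.src == SERVER:
            self.flows.add(forward)
            return "ACCEPT (OUTBOUND)"
        # New inbound: only the destination port is consulted, never the
        # client's ephemeral source port.
        if pkt.dst == SERVER and (pkt.proto, pkt.dport) in self.allowed:
            self.flows.add(forward)
            return "ACCEPT (NEW)"
        return "DROP"


def run(packets, allowed=ALLOWED_INBOUND):
    """Return [(packet, verdict), ...] for a packet sequence, in order."""
    fw = StatefulFilter(allowed)
    return [(p, fw.decide(p)) for p in packets]


# Constructed traffic, using the port numbers quoted in the thread.
SAMPLE = [
    Packet("tcp", CLIENT, 51365, SERVER, 13333),  # NEW, ephemeral src port
    Packet("tcp", SERVER, 13333, CLIENT, 51365),  # server reply, same flow
    Packet("tcp", CLIENT, 40000, SERVER, 13333),  # src port 40000 is fine
    Packet("udp", CLIENT, 51365, SERVER, 40001),  # dst port 40001 is not
    Packet("udp", CLIENT, 51365, SERVER, 65248),  # neither is 65248
    Packet("udp", CLIENT, 500, SERVER, 500),      # ISAKMP is on the list
]

if __name__ == "__main__":
    for pkt, verdict in run(SAMPLE):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The third packet is the point of the exercise: a client source port of 40000 is accepted because the destination is 13333, while the fourth packet, destination port 40001, is dropped regardless of its source port. Whatever is hitting 40000/40001 in the original report is therefore not a source-port artefact and is worth identifying rather than whitelisting blindly.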
-
- Posts: 7
- Joined: Mon Oct 12, 2015 4:56 pm
Re: Port change and still being hit
I’m not talking about the source ports which can be arbitrary, I’m specifically talking about destination ports. I don’t think you understand the situation and what I’m trying to convey?
I have ports 500 (isakmp), 4500 (ipsec-nat-t) and 13333 (softether) open. I have a remote SE client configured to connect to destination port 13333 to my site where softether is configured to use port 13333 and this works without issues. I do not want to use a destination port of 40000, 40001, etc. The client has specifically been configured to connect via 13333. Therefore, why is the SE remote client repeatedly trying to connect to the destination port 40000 or 40001 after it has established a connection via 13333?
Even just as a question of why, the question still stands, because it's odd behaviour. Like I have previously mentioned, when IDS is implemented it will see a flood on these ports and it will block the IP address of the SE client. This also currently floods my message log with notices that this port has been hit; when more clients are deployed, this problem will be exacerbated.
Just to clarify further: an SE client is configured to connect to a destination port of 13333. What I see is, after SE connects and starts passing traffic, a repeated connection attempt to destination port 40000, 40001, etc. In my opinion, this should not be happening.
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Port change and still being hit
Interesting.
I just configured SE to connect on port 13333 and tried with an SE client. It worked fine. No other ports are being hit. I examined this through iptables logging on PREROUTING, POSTROUTING etc.. Everything is working fine, and no unexpected ports are being hit by the client, i.e. I'm not able to reproduce the described behavior.
Is this reproducible? If so would you please create a minimum vpn_server.config file and attach it here, or even better open a github issue with it?
https://github.com/SoftEtherVPN/SoftEtherVPN
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Port change and still being hit
Is the port that the client sends to TCP or UDP?
If it is UDP, it is for NAT-traversal.
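The iptables-logging check described two replies up, and the TCP-or-UDP question in the last reply, as an added example that is not code posted in the thread or shipped with SoftEther: a small Python parser for netfilter LOG lines that tallies destination ports per client, records the source ports seen, and separates hits on the allow-listed ports from the unexpected ones, so the protocol of the unexpected traffic is read straight off the summary. The logging rule quoted in the docstring, the addresses and the sample log lines are assumptions constructed for the example; the port numbers are the ones from the thread.

```python
"""Added example (not SoftEther code, not from the thread): parse netfilter
LOG lines and summarise which destination ports each client is hitting,
so the protocol (TCP or UDP) and the source-port pattern are visible.
Assumed logging rule, inserted at the top of INPUT so every new inbound
packet is recorded, allowed or not:
    iptables -I INPUT 1 -m conntrack --ctstate NEW -j LOG --log-prefix "SE-NEW: "
The log lines below are constructed in the standard netfilter LOG format."""
import re
from collections import Counter, defaultdict

# Destination ports the poster has open (ISAKMP, IPsec NAT-T, SoftEther on 13333).
ALLOWED = {("UDP", 500), ("UDP", 4500), ("TCP", 13333)}

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags like DF are skipped


def parse_line(line):
    """Extract src, proto, source port and destination port from one LOG
    line; None for lines without ports (ICMP) or non-netfilter lines."""
    if "PROTO=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))  # later LEN= overrides the IP LEN=, harmless
    try:
        return {"src": fields["SRC"], "proto": fields["PROTO"],
                "spt": int(fields["SPT"]), "dpt": int(fields["DPT"])}
    except KeyError:  # e.g. ICMP carries no SPT/DPT
        return None


def summarize(lines, allowed=ALLOWED):
    """Return (hits, unexpected, sports): packet count per (src, proto, dport),
    the subset of those keys whose dport is not allowed, and the set of
    source ports observed for each key."""
    hits = Counter()
    sports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["proto"], rec["dpt"])
        hits[key] += 1
        sports[key].add(rec["spt"])
    unexpected = {k: n for k, n in hits.items() if (k[1], k[2]) not in allowed}
    return hits, unexpected, sports


# Constructed sample: one accepted SE connection on 13333/tcp, then repeated
# UDP hits on 40001 and 65248 from the same client, then an ICMP echo.
_PREFIX = ("Oct 12 10:00:0{} fw kernel: [100{}.0] SE-NEW: IN=eth0 OUT= "
           "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 "
           "DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF ")
SAMPLE_LOG = [
    _PREFIX.format(1, 1) + "PROTO=TCP SPT=51365 DPT=13333 WINDOW=29200 RES=0x00 SYN URGP=0",
    _PREFIX.format(2, 2) + "PROTO=UDP SPT=51365 DPT=40001 LEN=40",
    _PREFIX.format(3, 3) + "PROTO=UDP SPT=51365 DPT=65248 LEN=40",
    _PREFIX.format(4, 4) + "PROTO=UDP SPT=51365 DPT=40001 LEN=40",
    _PREFIX.format(5, 5) + "PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

if __name__ == "__main__":
    hits, unexpected, sports = summarize(SAMPLE_LOG)
    for (src, proto, dpt), n in sorted(hits.items()):
        tag = "UNEXPECTED" if (src, proto, dpt) in unexpected else "allowed"
        print(f"{src} -> {proto}/{dpt}: {n} pkt(s), "
              f"src ports {sorted(sports[(src, proto, dpt)])} [{tag}]")
```

Run it against the real log once the LOG rule is in place (for example `journalctl -k | grep SE-NEW:` piped into `summarize`). The "UNEXPECTED" rows give the answer the last reply asks for: the protocol column says TCP or UDP, and the source-port set shows whether the client reuses one port or walks through many, which is the detail an IDS rate-limit or a targeted allow rule should be based on.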