Default Drop

I have the latest version of UTM installed with the Home Edition.

My son has a PS4 running via the Wifi connection and is trying to play FIFA 19 but it can't connect to play an Ultimate Team game.

I have checked the firewall log and can see a lot of default drops for incoming 443 packets going to the internal IP address of the PS4.

I have tried to get these to be allowed but have not been successful.

I have tried an any - any - any rule but this doesn't work.

I have tried a DNAT from the Internet IP4 - HTTPS Response - PS4 Wifi and this doesn't work either.

What am I missing? How do I stop these packets from being dropped and allow them through?

Any help would be greatly appreciated.

Thanks

Aaron

  • Hi Aaron,

    Please copy here several related drop lines from the full Firewall log file (not the Live Log).

    Cheers - Bob

  • In reply to BAlfson:

    Bob thanks for the reply. I have since found out this is normal. As in other people have this so I am not worried about it.

    The issue is that I am trying to get the game FIFA 19 working on my son's PS4. The issue is that when he tries to play Division Rivals it loses connection. He can find an opponent but when he starts the game it says that the connection was lost.

    I have searched EA support forums and Google and have come up with a list of ports that should be allowed. I have created these as services and added them to a group. I have allowed these in the Web Protection and also created a DNAT rule that is:

    Any - FIFA 19 PS4 group - External (WAN) Address, the destination translation is PS4 - WiFi host.

    The connection doesn't work. I have also tried adding a SNAT above that rule with the following but this doesn't work either:

    PS4 WiFi - Any - Any -  the source translation: External (WAN) Address.

    Inside the FIFA 19 PS4 group, I have added about 14 services that are either TCP or UDP. 

    Is there a way to find out if any ports are being blocked? I have checked the logs but cannot find any blocked ports.

    Your help would be greatly appreciated.

    Thanks

    Aaron

  • In reply to aaronsalkeld:

    Aaron, if you're still experiencing drops in the Firewall log, please show us a few relevant lines from that file (NOT the Live Log).

    For the current issue, insert a picture of the Edit of the NAT rule.

    Cheers - Bob

  • In reply to BAlfson:

    Bob, thanks for your reply. I am hoping you have the magic touch to get this working.

    I am not seeing any drops in the logs but the game is not working. I have had this issue before where the logs shows nothing but I have found a missing port online, added it and the game works. This was FIFA 18 on XBOX 360.

    As for the NAT rule, please see image below:

    Thanks

    Aaron

  • In reply to aaronsalkeld:

    Are you sure that the "PS4-WiFi" object doesn't violate #3 in Rulz?  I also would check the Intrusion Prevention log to rule that out.

    Cheers - Bob

  • In reply to BAlfson:

    Bob,

    When I create Network Definitions I never assign them to a particular point. I have checked this host and it has ANY in the Advanced - Interface section.

    I have also checked the Intrusion Prevention log and not sure what I am looking for.

    I will read through the rulez and see if there is something in there that might help me.

    Is there a way where I can disable components and see if I can get this to work, then turn them back on until it breaks?

     

    thanks heaps

    Aaron

  • In reply to aaronsalkeld:

    If you read through #1 in Rulz, you know that it's tricky to disable "everything" in a section.  Better to leave things on and show us log lines and pictures of the Edits of the relevant configuration items.

    If you have anything in the Intrusion Prevention log, copy a few lines here to get started on understanding.

    Cheers - Bob

  • In reply to BAlfson:

    Bob, I have nothing in the IP log.

    I have created a PS4 - Any - Internet IPv4 and an Internet IPv4 - Any - PS4 and it still doesn't work.

    I also have the following NAT:

    Any - FIFA services - external WAN address

    Destination: PS4

    This still doesn’t work.

    Inside the firewall log I see some packets logged that might be for this device. There are some packets dropped from an Internet address going to the WAN IP address.

    Thanks

    Aaron

  • In reply to aaronsalkeld:

    In general, when trying to get help here, it's better to show what you're looking at instead of describing what you see.  We have yet to see any relevant lines from a log.  We also need to see pictures of the NAT and firewall rules you've described.

    Cheers - Bob

  • In reply to BAlfson:

    Bob, thanks for still trying. I am not seeing anything so I am guessing that you won't see anything.

    The PS4 IP address is 192.168.200.79

    So here is the firewall rule that I have created. I have tried using the Any as well as Internal (Network) and it still doesn't work:

    Here is my NAT rule. I have tried with the SNAT both enabled and disabled and it doesn't work:

    I have created a group called FIFA 19 PS4 and added about 15 service definitions to it:

    Here are some lines from the IPS on the same day that we tried the game but not from the same time as there wasn't anything recorded in the log at the time we tried:

    2019:02:13-09:09:52 salkeldfam snort[19961]: S5: Pruned session from cache that was using 1115003 bytes (stale/timeout). 192.168.200.79 62916 --> 69.164.15.50 80 (0) : LWstate 0x9 LWFlags 0x6007
    2019:02:13-09:09:52 salkeldfam snort[19961]: S5: Pruned session from cache that was using 1114743 bytes (stale/timeout). 192.168.200.79 53708 --> 69.164.15.50 80 (0) : LWstate 0x9 LWFlags 0x6007
    2019:02:13-09:09:52 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1049128 bytes (client queue). 192.168.200.79 58575 --> 69.164.15.237 80 (0) : LWstate 0x9 LWFlags 0x6007
    2019:02:13-09:10:54 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1048744 bytes (client queue). 192.168.200.79 52152 --> 38.98.18.186 80 (0) : LWstate 0x9 LWFlags 0x6007
    2019:02:13-09:11:14 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1049332 bytes (client queue). 192.168.200.79 58417 --> 38.98.18.186 80 (0) : LWstate 0x9 LWFlags 0x6007
    2019:02:13-09:11:34 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1048712 bytes (client queue). 192.168.200.79 61888 --> 38.98.18.186 80 (0) : LWstate 0x9 LWFlags 0x6007
    2019:02:13-09:11:52 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1049464 bytes (client queue). 192.168.200.79 50580 --> 149.135.80.11 80 (0) : LWstate 0x9 LWFlags 0x6007
    2019:02:13-09:14:32 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1049116 bytes (client queue). 192.168.200.79 61634 --> 38.98.18.204 80 (0) : LWstate 0x9 LWFlags 0x6007

     

    This is information from the Firewall log from the time that we tried the game:

    2019:02:13-17:13:19 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
    2019:02:13-17:13:22 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
    2019:02:13-17:13:28 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
    2019:02:13-17:13:29 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60004" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="115.238.245.8" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="235" srcport="9090" dstport="22" tcpflags="SYN"
    2019:02:13-17:13:31 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="17.56.136.197" dstip="124.190.219.195" proto="6" length="83" tos="0x00" prec="0x00" ttl="45" srcport="993" dstport="59757" tcpflags="ACK PSH FIN"
    2019:02:13-17:13:39 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="17.56.136.164" dstip="124.190.219.195" proto="6" length="83" tos="0x00" prec="0x00" ttl="45" srcport="993" dstport="59752" tcpflags="ACK PSH FIN"
    2019:02:13-17:13:40 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
    2019:02:13-17:13:40 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="92.63.196.22" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="245" srcport="44528" dstport="22515" tcpflags="SYN"
    2019:02:13-17:13:46 salkeldfam ulogd[24815]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="245" srcport="43970" dstport="19522" tcpflags="SYN"
    2019:02:13-17:13:46 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="245" srcport="43970" dstport="19522" tcpflags="RST"
    2019:02:13-17:13:46 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="1" length="68" tos="0x00" prec="0x00" ttl="54" type="3" code="10"
    2019:02:13-17:13:52 salkeldfam ulogd[24815]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="14.135.120.18" dstip="124.190.219.195" proto="6" length="52" tos="0x00" prec="0x00" ttl="240" srcport="53401" dstport="18246" tcpflags="SYN"
    2019:02:13-17:13:52 salkeldfam ulogd[24815]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="205.205.150.18" dstip="124.190.219.195" proto="6" length="52" tos="0x00" prec="0x00" ttl="241" srcport="50423" dstport="18246" tcpflags="SYN"
    2019:02:13-17:13:52 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="245" srcport="43970" dstport="9189" tcpflags="SYN"
    2019:02:13-17:13:52 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="14.135.120.18" dstip="124.190.219.195" proto="6" length="52" tos="0x00" prec="0x00" ttl="240" srcport="53401" dstport="18246" tcpflags="RST"

    Not sure what else you would like to view. 

    Once again thank you for your time and effort you have put into this issue for me. It is very much appreciated. 

    Thanks
    Aaron

  • In reply to aaronsalkeld:

    Getting closer, Aaron! :-)

    Firewall rule 7 has no effect.  Any traffic allowed through to the PS4 comes via your DNAT rule.

    Your "FIFA 19 PS4" might be missing some ports:

    srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
    srcip="115.238.245.8" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="235" srcport="9090" dstport="22" tcpflags="SYN"

    Then again, you need to check the srcip values with things like https://www.ip2location.com/demo/ and https://centralops.net/co/DomainDossier.aspx.  That's the only way to see if these drops are related to what you're doing.

    I haven't seen complaints about max bytes to queue for several years.  I don't know that this is causing you a problem.  If you have a lot of unused memory in your UTM, you can double the size with the following, but if you're tight on RAM, you might want to be more conservative.  If you do try this, do report back on the effect on your issue.

    cc set ips snortsettings max_queued_bytes 2097152

    Cheers - Bob
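The triage step that Aaron asks about earlier ("is there a way to find out if any ports are being blocked?") and that Bob walks through in the reply above (pick out the drop lines that actually involve the console's internal address or the WAN address, then look at which ports and rule numbers they hit) can be done over the full Firewall log file with a few lines of Python. This is an added example, not code from the thread or from Sophos UTM. It relies only on the ulogd field names visible in the log lines above (action, fwrule, srcip, dstip, proto, srcport, dstport); the first five sample lines are copied from Aaron's post, the sixth is constructed (203.0.113.10 is a documentation address and port 12345 is arbitrary) to show what a drop aimed at the PS4's internal address would look like.

```python
import re
from collections import Counter

# Sample input. Lines 1-5 are copied from the firewall log posted in the
# thread; line 6 is CONSTRUCTED so that one drop targets the PS4's internal
# address (192.168.200.79) instead of the WAN address.
SAMPLE_LOG = """\
2019:02:13-17:13:19 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
2019:02:13-17:13:29 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60004" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="115.238.245.8" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="235" srcport="9090" dstport="22" tcpflags="SYN"
2019:02:13-17:13:46 salkeldfam ulogd[24815]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="245" srcport="43970" dstport="19522" tcpflags="SYN"
2019:02:13-17:13:46 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="245" srcport="43970" dstport="19522" tcpflags="RST"
2019:02:13-17:13:46 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="1" length="68" tos="0x00" prec="0x00" ttl="54" type="3" code="10"
2019:02:13-17:14:02 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="203.0.113.10" dstip="192.168.200.79" proto="17" length="60" tos="0x00" prec="0x00" ttl="50" srcport="40000" dstport="12345"
"""

# "key="value"" pairs as ulogd writes them; values never contain a quote.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# "<timestamp> <hostname> <daemon>[<pid>]: " prefix before the fields.
PREFIX_RE = re.compile(r'^(\S+) (\S+) (\S+?)\[\d+\]: ')

# IP protocol numbers that appear in the proto="" field.
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_line(line):
    """Parse one packetfilter line into a dict; return None for anything else."""
    m = PREFIX_RE.match(line)
    if not m or 'sub="packetfilter"' not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["timestamp"] = m.group(1)
    rec["host"] = m.group(2)
    return rec


def drops_involving(lines, hosts):
    """Return the dropped-packet records whose srcip or dstip is in `hosts`.

    Lines with action="log" (rule 62002 above only logs) are deliberately
    excluded: they did not block anything.
    """
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("action") != "drop":
            continue
        if rec.get("srcip") in hosts or rec.get("dstip") in hosts:
            out.append(rec)
    return out


def summarize(records):
    """Count drops by (dstip, protocol, dstport, fwrule).

    ICMP has no port, so its dstport is shown as "-". The fwrule number tells
    you which rule produced the drop, so two different numbers (60001 and
    60004 in the thread) mean two different rules are involved.
    """
    counts = Counter()
    for r in records:
        proto = PROTO_NAMES.get(r.get("proto"), r.get("proto"))
        counts[(r.get("dstip"), proto, r.get("dstport", "-"), r.get("fwrule"))] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # The two addresses worth looking at in this thread: the console and the WAN IP.
    for label, host in (("PS4", "192.168.200.79"), ("WAN", "124.190.219.195")):
        for key, n in sorted(summarize(drops_involving(lines, {host})).items()):
            print(label, *key, n)
```

Run it against the real file (read the lines instead of SAMPLE_LOG) and any drop whose dstip is the PS4's 192.168.200.79 with a port from the "FIFA 19 PS4" group is the one to act on; drops to the WAN address from unrelated sources, as Bob notes, still need their srcip checked before they mean anything. The `action="log"` filter matters because rule 62002 in Aaron's log only records packets without blocking them.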

  • In reply to aaronsalkeld:

    Random thoughts:

    Always check the web filtering logs carefully, as well as firewall and IPS.   Web Filtering traffic does not flow through the firewall.  Whenever the firewall log is empty, I tend to assume the answer is in the web filtering logs.

    Verify that this device is exempt from decrypt-and-scan.   Most home users don't turn this on anyway, but it creates problems for applications that use a mix of web and non-web traffic.