(Another) Issue with torrents post - Rules appear correct but all incoming traffic from outgoing torrent connections being dropped.

I have set up Sophos UTM at home and configured what should be correct rules for torrent traffic. I have gone by the guides I have found and my own knowledge, and have the following rules configured. My "torrent port" configured in the client is 8999.

NAT WAN > 8999 TCP/UDP > Torrent Server
Firewall Allow WAN > 8999 TCP/UDP > Torrent Server
Firewall Allow Torrent Server > Any TCP/UDP > Any

I am connecting to my ISP's router, but they have DMZ'd to my Sophos UTM IP address. Is there something different I need to ask them to do? Bridging is not an option (this is fixed wireless with their AP/Router on the roof).

I've also tried, as a test, WAN > ANY PORT > Torrent Server, and again it doesn't work.

It should be working from what I can figure, but torrent speeds are extremely slow compared to my connection speed and there is a large amount of dropped traffic, which appears to be the incoming data from the outbound connections the torrent client is making. As an example:

22:55:13 Default DROP Bittorrent 80.137.83.246:61430 -> 192.168.1.128:1628 len=48 ttl=110 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP Bittorrent 104.190.186.106:30233 -> 192.168.1.128:1630 len=58 ttl=41 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP Bittorrent 190.21.24.228:33086 -> 192.168.1.128:1628 len=48 ttl=102 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP Bittorrent 91.121.202.190:1130 -> 192.168.1.128:1628 len=129 ttl=43 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP TCP 27.255.37.233:58506 -> 192.168.1.128:1631 [SYN] len=52 ttl=99 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP Bittorrent 212.51.139.26:1072 -> 192.168.1.128:1628 len=48 ttl=37 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP Bittorrent 212.51.139.26:1072 -> 192.168.1.128:1625 len=48 ttl=38 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP Bittorrent 172.98.67.123:30449 -> 192.168.1.128:1627 len=48 ttl=43 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP Bittorrent 108.61.76.11:1756 -> 192.168.1.128:1628 len=48 ttl=105 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP TCP 95.239.174.42:59527 -> 192.168.1.128:1630 [SYN] len=52 ttl=104 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP Bittorrent 172.98.67.34:53291 -> 192.168.1.128:1631 len=58 ttl=43 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:13 Default DROP Bittorrent 95.239.174.42:54549 -> 192.168.1.128:1630 len=48 ttl=104 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:14 Default DROP TCP 167.60.169.227:50503 -> 192.168.1.128:1626 [SYN] len=52 ttl=103 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d
22:55:14 Default DROP Bittorrent 167.60.169.227:48458 -> 192.168.1.128:1626 len=48 ttl=101 tos=0x00 srcmac=80:2a:a8:f5:67:4a dstmac=00:15:5d:97:2b:0d

Is anyone able to help me find what I'm missing or need to change?



  • Hi, Allister, and welcome to the UTM Community!

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those above.

    There has been plenty of discussion here about torrents, so you might try a google on:

    site:community.sophos.com/products/unified-threat-management/f torrent

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    I had already looked at a few threads and guides on setting this up, and mine appears exactly the same as those.

    As said, the issue appears to be that the returning connections are being dropped. I can see in the Firewall log the outgoing connections, followed by incoming traffic being blocked, usually on low ports in the BitTorrent range (1024-65535).

    I just can't figure out why it's all behaving this way.

  • And, about that line I requested above, Allister?

    Cheers - Bob

  • Hi Bob

    I have gone as far as having my ISP change my connection from their AP/Router to PPPoE, so their device is bridged, removing any possibility of double NATing having caused the issue. After this I have also factory reset the Sophos UTM. Still the exact same issue remains: what appears to be the incoming data from successful outgoing connections is being blocked, and I cannot get torrents to download any faster than 100-200 KB/s when I should be getting at least 10x that. I have tested with Ubuntu torrents and confirmed this against tethered speed.

    I have followed every guide or bit of info on this setup I can find without any luck. Is there some setting or something I am missing? This behaviour just seems wrong; it would be like me accessing a website and my firewall blocking the incoming traffic from that allowed outgoing connection...

    Here is a quick snippet of the requested logs. I have just changed the external IP entry to "external-ip".

    2017:02:20-23:43:32 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="86.168.236.236" dstip="external-ip" proto="6" length="52" tos="0x00" prec="0x00" ttl="103" srcport="55993" dstport="62187" tcpflags="SYN"
    2017:02:20-23:43:33 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="1.161.214.56" dstip="external-ip" proto="6" length="48" tos="0x00" prec="0x00" ttl="42" srcport="6168" dstport="1898" tcpflags="SYN"
    2017:02:20-23:43:35 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="86.168.236.236" dstip="external-ip" proto="6" length="52" tos="0x00" prec="0x00" ttl="103" srcport="55993" dstport="62187" tcpflags="SYN"
    2017:02:20-23:43:38 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="63.228.236.232" dstip="external-ip" proto="6" length="40" tos="0x00" prec="0x00" ttl="103" srcport="51851" dstport="8999" tcpflags="ACK RST"
    2017:02:20-23:43:38 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="85.250.160.8" dstip="external-ip" proto="6" length="48" tos="0x00" prec="0x00" ttl="100" srcport="11941" dstport="1800" tcpflags="SYN"

  • Allister Wade said:

    2017:02:20-23:43:38 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="63.228.236.232" dstip="external-ip" proto="6" length="40" tos="0x00" prec="0x00" ttl="103" srcport="51851" dstport="8999" tcpflags="ACK RST"  

    Looks like your firewall is blocking incoming port 8999, and that is why all the other incoming connections are randomized and blocked. Double-check your DNAT rule and test that port 8999 is actually open. You can use something like grc.com https://www.grc.com/x/ne.dll?bh0bkyd2 to check incoming connections.
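
The full-log lines posted above, and the ACK RST line that is first read here as a blocked port and then corrected further down, can be sorted mechanically. This is an added Python snippet, not from the thread or from Sophos: it parses the ulogd key="value" format of the posted lines, assumes the forwarded port is 8999 as in the question, and separates stray resets from inbound SYNs, since a bare SYN is a peer opening a new connection rather than the return half of an outgoing one (that would carry SYN ACK and never reach the default drop rule).

```python
import re
from collections import Counter

# Constructed sample in the ulogd packetfilter format quoted in the thread.
# Source IPs are documentation-range addresses, not the ones posted.
SAMPLE_LOG = """\
2017:02:20-23:43:32 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="198.51.100.10" dstip="external-ip" proto="6" length="52" tos="0x00" prec="0x00" ttl="103" srcport="55993" dstport="62187" tcpflags="SYN"
2017:02:20-23:43:33 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="198.51.100.11" dstip="external-ip" proto="6" length="48" tos="0x00" prec="0x00" ttl="42" srcport="6168" dstport="1898" tcpflags="SYN"
2017:02:20-23:43:38 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="198.51.100.12" dstip="external-ip" proto="6" length="40" tos="0x00" prec="0x00" ttl="103" srcport="51851" dstport="8999" tcpflags="ACK RST"
2017:02:20-23:43:39 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="198.51.100.13" dstip="external-ip" proto="6" length="52" tos="0x00" prec="0x00" ttl="60" srcport="40001" dstport="8999" tcpflags="SYN"
2017:02:20-23:43:40 home-firewall ulogd[4520]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="198.51.100.14" dstip="external-ip" proto="17" length="70" tos="0x00" prec="0x00" ttl="50" srcport="6881" dstport="8999"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" fields of one ulogd line as a dict."""
    return dict(KV_RE.findall(line))

def classify(fields, forwarded_port):
    """Label one dropped packet by what it means for the DNAT on forwarded_port."""
    port = int(fields["dstport"])
    if fields.get("proto") == "17":
        # UDP carries no flags; a drop on the forwarded port suggests the DNAT is not matching.
        return "udp-forwarded-port" if port == forwarded_port else "udp-unsolicited"
    flags = fields.get("tcpflags", "").split()
    if "RST" in flags:
        # Reset for a connection the UTM no longer tracks: noise, not a blocked peer.
        return "stray-reset"
    if flags == ["SYN"]:
        # A bare SYN is a peer opening a NEW connection; the return half of an
        # outbound connection would carry SYN ACK and would never show up here.
        return "forwarded-port-syn" if port == forwarded_port else "unsolicited-syn"
    return "other"

def summarize(log_text, forwarded_port):
    """Count dropped packets per category; lines without action="drop" are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("action") != "drop" or "dstport" not in fields:
            continue
        counts[classify(fields, forwarded_port)] += 1
    return counts

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG, 8999).most_common():
        print(f"{label:22s} {n}")
```

Only the "forwarded-port-syn" and "udp-forwarded-port" buckets point at a broken DNAT; the rest are drops a stateful firewall is expected to make.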

  • It appears the rules are working correctly but still blocking some traffic, and torrent speeds are still about 10% of what they should be.

    Turned on the logging on the NAT rule so it is showing as working now:

  • Allister, did you check the Intrusion Prevention log (#1 in Rulz)?

    Cheers - Bob

  • Sorry, my mistake. That was a reset packet that was dropped. If Bob's suggestion above doesn't work, you can try an allow ANY ANY firewall rule for your particular torrent client as a last-ditch effort.

    P.S. I have to admit, I haven't used torrents in a while, even for Linux downloads, because of the stigma associated with them and the automatic assumption by many ISPs in the US that torrent = illegal download.
