• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 649
  • Last Modified:

Windows 7 ICS firewall issue

Hi experts.  I hope you can help as I'm pulling my hair out here!  

I'm working on a research project for a Windows 7 tablet with a 3G modem as Internet gateway and a PED (chip and PIN device) connected via ethernet to the tablet via an RJ45 port.  This will be a point of sale device running custom software and accepting payments.

The 3G modem is identified as a public network and I have enabled ICS on it.

The ethernet NIC was unidentified so I manually identified it as a private (work) network.

If I switch off Windows firewall for public networks, my PED works fine sending and receiving data over the relevant ports (listed below).  But if I enable Windows firewall for public networks, the PED sends out data but does not receive a response.  So I figured I simply need to allow the relevant ports through and I've added them as inbound and outbound allowed for all networks. I have done this and double checked it but nothing works.  I've run Wireshark (packet sniffer) over the connection when it's not firewalled to confirm the ports are correct and they seem to be (only PED port that comes up is 5187) but as soon as I switch the firewall back on, only outbound packets are shown - nothing inbound appears.

The ports are: 5187-5189, 5089, 12000.

The packet sniffer also shows ARP, DHCP and SSDP calls but I don't think these are relevant.

The attached screenshots show my firewall rules and Wireshark output.

The ICS NIC is 1.1.1.1 and the PED is 1.1.1.2

Any ideas?  Is there something else I need to do to the firewall because of ICS?  This should be simple - I can't understand why it won't work!

Thanks

Jon

Inbound rules on firewall

Wireshark output for port 5187 when firewall is ON

Wireshark output for port 5187 when firewall is OFF
0
Jon Winterburn
Asked:
Jon Winterburn
  • 10
  • 6
  • 5
1 Solution
 
teebonCommented:
Hi Jon,

Have you added your "custom software" program into the windows firewall exception list?
0
 
Jon WinterburnAuthor Commented:
As yet, the custom software is not installed on Windows.  All I'm trying to do at present is get the PED to talk with the remote host via ICS with the firewall enabled.  It talks find to the remote host when the firewall is disabled.
0
 
teebonCommented:
To add a program to the exceptions list

    1. Open Windows Firewall.

    2. Click the Exceptions tab, and then click Add program.
        a. If the program that you want to add to the exceptions list appears in Programs, click the program, and then click OK.
        b. If the program that you want to add to the exceptions list does not appear in Programs, click Browse, and then do the following:
             In the Browse dialog box, find the .exe file for the program that you want to add to the exceptions list, click Open, and then click OK.
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
Jon WinterburnAuthor Commented:
@teebon - As I've said, the software isn't even installed yet (it's still being developed).  The issue is not with the Windows machine accessing the Internet, it's with the firewall on the Windows machine stopping traffic going to the PED.

Right now I just need the PED to send and receive TCP responses over the Internet (which it does without a problem if the firewall is disabled but not if the firewall is enabled).
0
 
teebonCommented:
Hi Jon,

Is your PED running using a software / driver application?
You might want to try add that into the exception list.
0
 
Jon WinterburnAuthor Commented:
No, there is no software driver being used - it's simply seen as a network device in Windows. This is why I don't understand why the firewall is blocking it.
0
 
Doddsy1000Commented:
Hi Jon.

I remembered a few things about ICS when I saw your post. No guarantees here, but................

If I haven't mis-understood, you are trying to share the external connection to the internet with other devices on a local network.

Traditionally, ICS needs another network adapter to share the internet with.  For example, a USB Broadband can share with an ethernet cable network.  I'm not aware of it being able to share the actual internet connection itself as the internet's network connection is WAN & not LAN.

It looks like your ICS & firewall are having a fight, because the port settings would normally do the trick.

cheers

Ian
0
 
teebonCommented:
I see that the SSDP is not showing also when you on the firewall. I think the discovery of your PED device rely on SSDP protocol.

Can you try this:

    Type the following at the command prompt, and press ENTER:

    netsh firewall set service type = upnp mode = enable
0
 
Jon WinterburnAuthor Commented:
Sorry - the SSDPs do show when the firewall is on - the image I embedded was cropped to show you the ports in question.  But for good measure I followed your advice and enable UPNP, but no joy :-(

I've attached 2 logs from Wireshark - one with the firewall on and one with it off.
firewall-on.txt
firewall-off.txt
0
 
Jon WinterburnAuthor Commented:
Odd - I've just enabled dropped packets loggin using:

netsh firewall set logging droppedpackets = enable

And then powered up the device, gave it a few minutes and then checked the firewall log - no record of dropped packets!  So it must think it's allowing the packets through, but they're not getting through to the PED.
0
 
Doddsy1000Commented:
How about switching it to a work network & seeing the difference?
0
 
Jon WinterburnAuthor Commented:
@Doddsy1000 - the NIC that the PED connects to was unidentified so I manually switched it to a Work network.  Are you suggesting I switch the Public network (the 3G) to Work network?
0
 
Jon WinterburnAuthor Commented:
Okay so I changed the 3G network from public to work and tried the PED again but no change and Wireshark logs look the same.
0
 
Doddsy1000Commented:
Yes Jon.  I'm suggesting that because the device works with no Windows firewall, the the issue must either be with the Win 7 network security setup or the static IP address that you put in .

Most PED's come with their own security/firewall within the device on a network connected product..  

What surprises me, is that the internet modem is set to a non standard IP range for the LAN.  Whilst it "shouldn't" make much of a difference, the programmers at Microsoft or anywhere else will be expecting a 10.x.x.x or a 192.168.x.x IP range.

You had to set the IP address of the RJ45 manually.  That's unusual for any internet modem device as they usually use dhcp in the 10.x.x.x or 192.168.x.x range unless it's turned off for a server environment.  Your device seems to be in "Bridged" mode which makes your RJ45 a direct connection to the internet using an internet based IP address. 1.1.1.1 is unusual & may be generated by the modem device & not actually real.

If I was a Microsoft programmer, I'd be inclined to prevent the firewall from allowing a bridged connection to the internet. (& may not actually document how I did it).

You might want to look at the setup of the 3G device & it's IP address.  Maybe try "whatismyIP" on google to see the real internet address.  Then see if your 3G device allows for dhcp & the right address for that.

ICS was always intended to use 192.168.0.1 as the address of the LAN internet host.  I don;t know if that's changed with Windows 7/Vista.

good luck with that mate.

cheers

Ian



0
 
Jon WinterburnAuthor Commented:
Hi Ian.  Yes, the PED has been pe-configured with an IP of 1.1.1.2 on 255.0.0.0 so I had to edit the registry on the Windows PC to give out the ICS DHCP address of 1.1.1.1 to the NIC attached to the PED, otherwise they would not be able to communicate.

Your point about the IP range being invalid is a good one (I did ask the provider to assign a proper IP to it, but of course they didn't!), so I'm going to perform a test to prove this theory.  I'll connect a laptop to the NIC instead of the PED (with the IP of 1.1.1.2), run a web server on it, test it with the firewall off and then with the firewall on.  If I run into similar issues I'll know your theory is correct.  If not, well, I really don't know what to do next!  

Will you keep you updated.

Thanks

Jon
0
 
Doddsy1000Commented:
Cool stuff Jon.

I'll be keen to hear your progress.
0
 
Doddsy1000Commented:
Sorry Jon.  I just had a second look & the subnet 255.0.0.0 let's everyone & their dog into your network.

After your test, you may want to take that up with your provider.

cheers

Ian
0
 
Jon WinterburnAuthor Commented:
Hi Ian,

Yes indeed, I have spoken to them about that.

Anyway, my test fared no better - but then I realised that the 3G SIM blocks all incoming ports anyway!  So I will simply disable the firewall and be done with it.  I assumed I would need it on but as the SIM blocks all inbound traffic and ultimately we will be using a private APN anyway (so no Internet access for the SIMs - they will talk to our LAN only), there is no need for the firewall.

I think you are right about the IP ranges - I can't see what else it could be. Thanks for your help.

Jon
0
 
Jon WinterburnAuthor Commented:
Thanks for pointing me in the right direction!
0
 
Doddsy1000Commented:
Thanks Mate.  Glad we worked through it & got some ideas together.

cheers

Ian
.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 10
  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now