Solved

Windows 7 ICS firewall issue

Posted on 2011-09-29
21
625 Views
Last Modified: 2012-05-12
Hi experts.  I hope you can help as I'm pulling my hair out here!  

I'm working on a research project for a Windows 7 tablet with a 3G modem as Internet gateway and a PED (chip and PIN device) connected via ethernet to the tablet via an RJ45 port.  This will be a point of sale device running custom software and accepting payments.

The 3G modem is identified as a public network and I have enabled ICS on it.

The ethernet NIC was unidentified so I manually identified it as a private (work) network.

If I switch off Windows firewall for public networks, my PED works fine sending and receiving data over the relevant ports (listed below).  But if I enable Windows firewall for public networks, the PED sends out data but does not receive a response.  So I figured I simply need to allow the relevant ports through and I've added them as inbound and outbound allowed for all networks. I have done this and double checked it but nothing works.  I've run Wireshark (packet sniffer) over the connection when it's not firewalled to confirm the ports are correct and they seem to be (only PED port that comes up is 5187) but as soon as I switch the firewall back on, only outbound packets are shown - nothing inbound appears.

The ports are: 5187-5189, 5089, 12000.

The packet sniffer also shows ARP, DHCP and SSDP calls but I don't think these are relevant.

The attached screenshots show my firewall rules and Wireshark output.

The ICS NIC is 1.1.1.1 and the PED is 1.1.1.2

Any ideas?  Is there something else I need to do to the firewall because of ICS?  This should be simple - I can't understand why it won't work!

Thanks

Jon

Inbound rules on firewall

Wireshark output for port 5187 when firewall is ON

Wireshark output for port 5187 when firewall is OFF
Question by:Jon Winterburn

21 Comments
 
LVL 9

Expert Comment

by:teebon
ID: 36813620
Hi Jon,

Have you added your "custom software" program into the windows firewall exception list?
0
 
LVL 11

Author Comment

by:Jon Winterburn
ID: 36813627
As yet, the custom software is not installed on Windows.  All I'm trying to do at present is get the PED to talk with the remote host via ICS with the firewall enabled.  It talks fine to the remote host when the firewall is disabled.
0
 
LVL 9

Expert Comment

by:teebon
ID: 36813632
To add a program to the exceptions list

    1. Open Windows Firewall.

    2. Click the Exceptions tab, and then click Add program.
        a. If the program that you want to add to the exceptions list appears in Programs, click the program, and then click OK.
        b. If the program that you want to add to the exceptions list does not appear in Programs, click Browse, and then do the following:
             In the Browse dialog box, find the .exe file for the program that you want to add to the exceptions list, click Open, and then click OK.
0
 
LVL 11

Author Comment

by:Jon Winterburn
ID: 36813637
@teebon - As I've said, the software isn't even installed yet (it's still being developed).  The issue is not with the Windows machine accessing the Internet, it's with the firewall on the Windows machine stopping traffic going to the PED.

Right now I just need the PED to send and receive TCP responses over the Internet (which it does without a problem if the firewall is disabled but not if the firewall is enabled).
0
 
LVL 9

Expert Comment

by:teebon
ID: 36813674
Hi Jon,

Is your PED running using a software / driver application?
You might want to try adding that into the exception list.
0
 
LVL 11

Author Comment

by:Jon Winterburn
ID: 36813686
No, there is no software driver being used - it's simply seen as a network device in Windows. This is why I don't understand why the firewall is blocking it.
0
 
LVL 1

Accepted Solution

by:
Doddsy1000 earned 500 total points
ID: 36813737
Hi Jon.

I remembered a few things about ICS when I saw your post. No guarantees here, but................

If I haven't misunderstood, you are trying to share the external connection to the internet with other devices on a local network.

Traditionally, ICS needs another network adapter to share the internet with.  For example, a USB Broadband can share with an ethernet cable network.  I'm not aware of it being able to share the actual internet connection itself as the internet's network connection is WAN & not LAN.

It looks like your ICS & firewall are having a fight, because the port settings would normally do the trick.

cheers

Ian
0
 
LVL 9

Expert Comment

by:teebon
ID: 36813739
I see that SSDP is also not showing when you turn on the firewall. I think the discovery of your PED device relies on the SSDP protocol.

Can you try this:

    Type the following at the command prompt, and press ENTER:

    netsh firewall set service type = upnp mode = enable
0
 
LVL 9

Expert Comment

by:teebon
ID: 36813745
0
 
LVL 11

Author Comment

by:Jon Winterburn
ID: 36813811
Sorry - the SSDPs do show when the firewall is on - the image I embedded was cropped to show you the ports in question.  But for good measure I followed your advice and enabled UPnP, but no joy :-(

I've attached 2 logs from Wireshark - one with the firewall on and one with it off.
firewall-on.txt
firewall-off.txt
0
 
LVL 11

Author Comment

by:Jon Winterburn
ID: 36813953
Odd - I've just enabled dropped packets logging using:

netsh firewall set logging droppedpackets = enable

And then powered up the device, gave it a few minutes and then checked the firewall log - no record of dropped packets!  So it must think it's allowing the packets through, but they're not getting through to the PED.
0
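As an added example (not from the thread), a small Python parser for the pfirewall.log file that `netsh firewall set logging droppedpackets = enable` writes, which counts DROP rows touching the PED ports listed in the question so that "no dropped packets" can be checked rather than eyeballed; the log rows are constructed, and the remote host 203.0.113.10 is a placeholder address.

```python
# Added example: summarise Windows Firewall DROP entries on the PED ports.
# Default log location on Windows 7: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
from collections import Counter

PED_PORTS = {5187, 5188, 5189, 5089, 12000}   # ports listed in the question

# Constructed sample in the W3C format the firewall writes (header + rows).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-09-29 10:15:02 ALLOW TCP 1.1.1.2 203.0.113.10 49152 5187 - - - - - - - - SEND
2011-09-29 10:15:03 DROP TCP 203.0.113.10 1.1.1.2 5187 49152 60 SA 0 0 8192 - - - RECEIVE
2011-09-29 10:15:05 DROP UDP 1.1.1.2 239.255.255.250 1900 1900 160 - - - - - - - SEND
2011-09-29 10:15:07 DROP TCP 203.0.113.10 1.1.1.2 12000 49153 60 S 0 0 8192 - - - RECEIVE
"""

def parse_pfirewall_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip rows that do not match the header (truncated writes)
        yield dict(zip(fields, values))

def ped_drops(text, ped_ports=PED_PORTS):
    """Count DROP rows involving a PED port, keyed by (path, protocol, port)."""
    counts = Counter()
    for row in parse_pfirewall_log(text):
        if row["action"] != "DROP":
            continue
        ports = {int(p) for p in (row["src-port"], row["dst-port"]) if p.isdigit()}
        for port in ports & ped_ports:
            counts[(row["path"], row["protocol"], port)] += 1
    return counts

if __name__ == "__main__":
    summary = ped_drops(SAMPLE_LOG)
    if not summary:
        print("No DROP entries on PED ports: the firewall log does not explain the missing replies")
    for (path, proto, port), n in sorted(summary.items()):
        print(f"{path:8} {proto:4} port {port:<6} dropped {n}")
```

With a real log, an empty summary while the PED still gets no reply points away from the firewall rules (as the thread eventually found with the SIM blocking inbound traffic); RECEIVE drops on a PED port would point at the inbound rule set instead.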
 
LVL 1

Expert Comment

by:Doddsy1000
ID: 36814011
How about switching it to a work network & seeing the difference?
0
 
LVL 11

Author Comment

by:Jon Winterburn
ID: 36814400
@Doddsy1000 - the NIC that the PED connects to was unidentified so I manually switched it to a Work network.  Are you suggesting I switch the Public network (the 3G) to Work network?
0
 
LVL 11

Author Comment

by:Jon Winterburn
ID: 36814443
Okay so I changed the 3G network from public to work and tried the PED again but no change and Wireshark logs look the same.
0
 
LVL 1

Expert Comment

by:Doddsy1000
ID: 36815066
Yes Jon.  I'm suggesting that because the device works with no Windows firewall, the issue must either be with the Win 7 network security setup or the static IP address that you put in.

Most PEDs come with their own security/firewall within the device on a network-connected product.

What surprises me, is that the internet modem is set to a non standard IP range for the LAN.  Whilst it "shouldn't" make much of a difference, the programmers at Microsoft or anywhere else will be expecting a 10.x.x.x or a 192.168.x.x IP range.

You had to set the IP address of the RJ45 manually.  That's unusual for any internet modem device as they usually use dhcp in the 10.x.x.x or 192.168.x.x range unless it's turned off for a server environment.  Your device seems to be in "Bridged" mode which makes your RJ45 a direct connection to the internet using an internet based IP address. 1.1.1.1 is unusual & may be generated by the modem device & not actually real.

If I was a Microsoft programmer, I'd be inclined to prevent the firewall from allowing a bridged connection to the internet. (& may not actually document how I did it).

You might want to look at the setup of the 3G device & its IP address.  Maybe try "whatismyIP" on google to see the real internet address.  Then see if your 3G device allows for dhcp & the right address for that.

ICS was always intended to use 192.168.0.1 as the address of the LAN internet host.  I don't know if that's changed with Windows 7/Vista.

good luck with that mate.

cheers

Ian



0
 
LVL 11

Author Comment

by:Jon Winterburn
ID: 36815260
Hi Ian.  Yes, the PED has been pre-configured with an IP of 1.1.1.2 on 255.0.0.0 so I had to edit the registry on the Windows PC to give out the ICS DHCP address of 1.1.1.1 to the NIC attached to the PED, otherwise they would not be able to communicate.

Your point about the IP range being invalid is a good one (I did ask the provider to assign a proper IP to it, but of course they didn't!), so I'm going to perform a test to prove this theory.  I'll connect a laptop to the NIC instead of the PED (with the IP of 1.1.1.2), run a web server on it, test it with the firewall off and then with the firewall on.  If I run into similar issues I'll know your theory is correct.  If not, well, I really don't know what to do next!  

I will keep you updated.

Thanks

Jon
0
 
LVL 1

Expert Comment

by:Doddsy1000
ID: 36815621
Cool stuff Jon.

I'll be keen to hear your progress.
0
 
LVL 1

Expert Comment

by:Doddsy1000
ID: 36815705
Sorry Jon.  I just had a second look & the subnet 255.0.0.0 lets everyone & their dog into your network.

After your test, you may want to take that up with your provider.

cheers

Ian
0
 
LVL 11

Author Comment

by:Jon Winterburn
ID: 36815955
Hi Ian,

Yes indeed, I have spoken to them about that.

Anyway, my test fared no better - but then I realised that the 3G SIM blocks all incoming ports anyway!  So I will simply disable the firewall and be done with it.  I assumed I would need it on but as the SIM blocks all inbound traffic and ultimately we will be using a private APN anyway (so no Internet access for the SIMs - they will talk to our LAN only), there is no need for the firewall.

I think you are right about the IP ranges - I can't see what else it could be. Thanks for your help.

Jon
0
 
LVL 11

Author Closing Comment

by:Jon Winterburn
ID: 36816092
Thanks for pointing me in the right direction!
0
 
LVL 1

Expert Comment

by:Doddsy1000
ID: 36818708
Thanks Mate.  Glad we worked through it & got some ideas together.

cheers

Ian
0