JuniperForum.com
November 18, 2008, 11:15:33 PM
Topic: How to guide port forwarding for emule azureus torrent (Read 15595 times)
genevaroth
Newbie
Posts: 9
How to guide port forwarding for emule azureus torrent
«
on:
February 02, 2006, 01:22:34 PM »
After struggling with this and finding no info on the net, I called Juniper to get port forwarding straight, and now I am sharing it with you.
My setup is very straightforward and simple: I have a NetScreen 5GT with 3 PCs connected in total. My emule and torrent apps are running on 192.168.2.1 and the 5GT is 192.168.2.1, and it is running in trust-untrust mode.
How to forward ports for emule, bit torrent or azureus:
login to your netscreen
go to;
Objects > Services > Custom
Click new
And create custom service and list all ports you will have to use for bit torrent
Name this; bit torrent
TCP src port: 1-65535, dst port: 56969-56969
TCP src port: 1-65535, dst port: 56881-56881
UDP src port: 1-65535, dst port: 56881-56881
TCP src port: 1-65535, dst port: 6885-6892
UDP src port: 1-65535, dst port: 6885-6892
Hit OK
then go to network>interface> and then edit untrust
then VIP > add new vip service
pick new service
virtual ip; (your outside ip that is assigned automatically by your ISP, this should be filled in automatically)
map to service; ( pick the custom service that you just made, bit torrent)
map to IP; (the box that you are running your service on, mine is 192.168.2.14)
hit OK
then go to
wizards> policy
pick
untrust to trust then next
Destination Address:
pick VIP(untrust) under address book
next
service
pick the service that you defined in the custom section
action permit
next
enable nat- don’t do anything here just click next
enable logging check that off and Enable count of traffic passed via the policy (this is so you can check to see the traffic- turn this off after you are happy with everything and it is all working)
next
Authentication Options
click none
next
Schedule:
none
next
finish
-------------
*****This step you must do- everyone forgets this step, forwarding will not work otherwise!!!*****
then you have to telnet into the netscreen
in windows go to start> run> then type in; CMD
black box will open and then type; telnet
then enter
then; open 192.168.2.1
(the 192.168.2.1 is the address of my 5gt)
then enter in the user name and password
and then type this command;
set vip multi-port
then it will return you to;
ns5gt->
then type;
reset
then type;
y
and again;
y
In reset ...
close the black box.
and you are good to go, in a couple of minutes! It will take 3-5 minutes for everything to start working. Fire up the apps and then log in to the 5gt and go reports> policies> and click on the grid thing to see the traffic. If this is not working after 10-15 mins try the telnet commands again and if still not working update firmware and clear all policies, VIP’s, and custom services.
Logged
russollis
Newbie
Posts: 2
Re: How to guide port forwarding for emule azureus torrent
«
Reply #1 on:
November 30, 2006, 04:54:00 PM »
Thanks for that!
Logged
Feren
Newbie
Posts: 1
Re: How to guide port forwarding for emule azureus torrent
«
Reply #2 on:
July 08, 2007, 12:30:18 PM »
Thanks so much for this How To, it got me up and rolling with Azureus on my SSG5 in no time. That telnet trick, I can see how people overlook that part since so much of the work is done on the web UI.
Mods: May I request that this be moved into the Knowledgebase? While there aren't many of us who use the SSG for home and generally spend our time at work trying to prevent it from working this was still invaluable.
Logged
seanovision
Newbie
Posts: 2
Re: How to guide port forwarding for emule azureus torrent
«
Reply #3 on:
March 18, 2008, 09:39:08 PM »
I've been struggling with this for too long myself, and though your instructions are the most thorough I've seen, it's not working out for me.
I'm trying to do Windows Remote Desktop over port 24... was trying to use 22, but netscreens don't like to do port forwarding on ports they potentially do remote admin on.
Anyway, the RD host is configured for port 24 and has been rebooted.
remote client = 192.168.2.123
remote host = 192.168.1.120
5gt untrust = 192.168.2.127 ; Route
5gt trust = 192.168.1.1 ; NAT
My Netscreen steps are close to the same as given before...
Objects > Services > Custom
Click new
Name this; Remote Desktop
TCP src port: 1 | 65535, dst port: 24 | 24
Hit OK
then go to network>interface> and then edit untrust
then VIP > add new vip service
pick new service
virtual ip; (your outside ip that is assigned automatically by your ISP, this should be filled in automatically)
map to service; ( pick Remote Desktop)
map to IP; (the box that you are running your service on, mine is 192.168.1.120)
hit OK
then go to
wizards> policy
pick untrust to trust then next
Destination Address:
pick VIP(untrust) under address book
next
service
pick the service that you defined in the custom section
action permit
next
enable nat- don’t do anything here just click next
enable logging check that off and Enable count of traffic passed via the policy (this is so you can check to see the traffic- turn this off after you are happy with everything and it is all working)
next
Authentication Options
click none
next
Schedule:
none
next
finish
-------------
*****This step you must do- everyone forgets this step, forwarding will not work otherwise!!!*****
then you have to console into the netscreen with hyperterminal
then enter in the user name and password
and then type this command;
set vip multi-port
then it will return you to;
ns5gt->
then type;
reset
then type;
y
and again;
y
.............................
All goes well but when I try to use RD from the client to the host, it cannot connect.
This is basically what wireshark says about it:
source 192.168.2.123 dest 192.168.2.127 TCP port 4652 > 24 [SYN] seq=0 len=0 mss=1460
source 192.168.2.123 dest 192.168.2.127 TCP port 4652 > 24 [SYN] seq=0 len=0 mss=1460
source 192.168.2.123 dest 192.168.2.127 TCP port 4652 > 24 [SYN] seq=0 len=0 mss=1460
....... and that's it.
5gt's logs: Reports > Policies
ID Source Destination Service Action
4 Untrust/Any Global/VIP(untrust) Remote Desktop Permit
2008-03-18 19:25:07 192.168.2.123:4652 192.168.2.127:24 192.168.2.123:4652 192.168.1.120:24 TCP PORT 24 21 sec. 198 0 Close - AGE OUT
2008-03-18 19:24:01 192.168.2.123:4651 192.168.2.127:24 192.168.2.123:4651 192.168.1.120:24 TCP PORT 24 20 sec. 198 0 Close - AGE OUT
2008-03-18 19:22:51 192.168.2.123:4650 192.168.2.127:24 192.168.2.123:4650 192.168.1.120:24 TCP PORT 24 22 sec. 198 0 Close - AGE OUT
The only other policy ID is #1, and it's permit any any
I can successfully RD from a local machine at 192.168.1.121 into 192.168.1.120:24!!
What am I doing wrong please? =/
Logged
seanovision
Newbie
Posts: 2
Re: How to guide port forwarding for emule azureus torrent
«
Reply #4 on:
March 22, 2008, 06:19:20 PM »
Figured it out. The problem was with my lab setup...
PC1 <----------------------> hub <---> PC2
 ^                            ^
 |                            |
 --> (Trust) 5GT (Untrust) <---
Both PCs are running XP. PC1 has 2 NICs, one on the Trusted, the other on the Untrusted side. It is also the remote host. With both NICs active on PC1, and PC2 trying to remote into the Trusted-side NIC of PC1, the PC1 host sees the SYN ACK packets coming in but doesn't respond.
However, when the Untrusted NIC of PC1 is disabled, PC2 can remote into PC1's Trusted-side NIC through the 5GT perfectly!
Logged
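The session entries quoted in reply #3 can be read mechanically to tell a VIP or policy fault from a host-side one. This is an added example (not code from any poster or from Juniper) that parses those lines; the column order (source, destination, translated source, translated destination, service, duration, bytes sent, bytes received, close reason) is an assumption, since the post does not label the columns.

```python
import re

# Sample input: the three session entries quoted in reply #3.
SAMPLE_LOG = """\
2008-03-18 19:25:07 192.168.2.123:4652 192.168.2.127:24 192.168.2.123:4652 192.168.1.120:24 TCP PORT 24 21 sec. 198 0 Close - AGE OUT
2008-03-18 19:24:01 192.168.2.123:4651 192.168.2.127:24 192.168.2.123:4651 192.168.1.120:24 TCP PORT 24 20 sec. 198 0 Close - AGE OUT
2008-03-18 19:22:51 192.168.2.123:4650 192.168.2.127:24 192.168.2.123:4650 192.168.1.120:24 TCP PORT 24 22 sec. 198 0 Close - AGE OUT
"""

# Assumed column layout, see the note above the block.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<xsrc>\S+) (?P<xdst>\S+) "
    r"(?P<service>.+?) (?P<duration>\d+) sec\. "
    r"(?P<sent>\d+) (?P<received>\d+) Close - (?P<reason>.+)$"
)


def parse_sessions(text):
    """Return one dict per recognisable session line; other lines are skipped."""
    sessions = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        for key in ("duration", "sent", "received"):
            rec[key] = int(rec[key])
        sessions.append(rec)
    return sessions


def diagnose(rec):
    """Classify a session by where the traffic stopped."""
    if rec["dst"] == rec["xdst"]:
        return "no-dnat"             # destination was not rewritten by the VIP
    if rec["received"] == 0 and rec["reason"] == "AGE OUT":
        return "forwarded-no-reply"  # sent inward, nothing came back
    return "ok"


if __name__ == "__main__":
    for rec in parse_sessions(SAMPLE_LOG):
        print(rec["time"], rec["dst"], "->", rec["xdst"], diagnose(rec))
```

All three entries classify as forwarded-no-reply: the destination was rewritten to 192.168.1.120:24 and 198 bytes went inward with nothing returned, which points at the host side of the 5GT, where reply #4 found the cause.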
lzaharia
Newbie
Posts: 1
Re: How to guide port forwarding for emule azureus torrent
«
Reply #5 on:
May 29, 2008, 11:25:35 AM »
Hello,
I tried to do something similar, but with the following as custom service:
TCP src port: 1-65535, dst port: 1100-65535
UDP src port: 1-65535, dst port: 1100-65535
The problem is that when I add the service to the VIP in the untrust, I am getting a message "Insufficient virtual ports on pool - [(128872) needed, (64) available] !"
Of course, if I choose as destination under 64 ports, all goes well, but I need it as it is.
Can anybody please help?
Thank you,
Liviu
Logged
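The figure in that error message matches one virtual port per protocol and destination port: 64436 TCP ports plus 64436 UDP ports is 128872. This is an added example (not part of any post, and not Juniper code) that counts a service definition written in this thread's notation against the 64-entry pool the message reports; the one-entry-per-port rule is an assumption inferred from that arithmetic.

```python
import re

VIP_POOL_SIZE = 64  # "(64) available" in the error message quoted in reply #5

ENTRY_RE = re.compile(
    r"^(?P<proto>TCP|UDP) src port: \d+-\d+, dst port: (?P<lo>\d+)-(?P<hi>\d+)$"
)

# Service definitions as written in the first post and in reply #5.
BIT_TORRENT = """\
TCP src port: 1-65535, dst port: 56969-56969
TCP src port: 1-65535, dst port: 56881-56881
UDP src port: 1-65535, dst port: 56881-56881
TCP src port: 1-65535, dst port: 6885-6892
UDP src port: 1-65535, dst port: 6885-6892
"""
WIDE_OPEN = """\
TCP src port: 1-65535, dst port: 1100-65535
UDP src port: 1-65535, dst port: 1100-65535
"""


def parse_service(text):
    """Return (protocol, low, high) for each entry; reject malformed ranges."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised entry: {line!r}")
        lo, hi = int(match["lo"]), int(match["hi"])
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad destination range: {line!r}")
        entries.append((match["proto"], lo, hi))
    return entries


def virtual_ports_needed(entries):
    """Count distinct (protocol, destination port) pairs the VIP would expose."""
    exposed = {(proto, port) for proto, lo, hi in entries
               for port in range(lo, hi + 1)}
    return len(exposed)


def fits_pool(entries, pool_size=VIP_POOL_SIZE):
    return virtual_ports_needed(entries) <= pool_size
```

The bit torrent service from the first post needs 19 entries and fits; the 1100-65535 definition needs 128872, the number the device reported.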
matthiasD
Newbie
Posts: 1
Re: How to guide port forwarding for emule azureus torrent
«
Reply #6 on:
October 22, 2008, 03:58:08 AM »
Thank you for the great description, we tried to set up a port forward for a VNC session on 5900, no problems so far.
Our ISP uses dynamic IP addresses (as usual in Germany) - when I'm setting the service, the netscreen uses a "current" IP address, can anyone tell if this still works when the untrust IP address changes?
thanks,
Matthias
Logged
ncc1701w
Newbie
Posts: 10
Re: How to guide port forwarding for emule azureus torrent
«
Reply #7 on:
October 22, 2008, 01:26:20 PM »
" virtual ip; (your outside ip that is assigned automatically by your ISP, this should be filled in automatically) "
How about in ns208 where there is no option like this ?
Logged