Opened 5 years ago

Closed 4 years ago

#1402 closed defect (worksforme)

Router thinks it is firewalled even though it is not

Reported by: rfree Owned by: zzz
Priority: major Milestone:
Component: router/transport Version: 0.9.15
Keywords: firewall Cc:
Parent Tickets: #623 Sensitive: no

Description

Finished tests (as part of #623) and now I'm sure that ports are correctly forwarded to the application and yet it still complains it is firewalled.

IP detection method is "try all available methods", for UDP and TCP.
Laptop mode is OFF.
UDP and TCP port are the same number.
Network (gateway, router) was reset and the test was done a few times.

Firewall/gateway forwards this port, my computer's firewall does not block it either.

When I shut down i2p and instead, as the same user, run an example listening server (socat program), as the same unix user, on the same port number, then I receive the packets without any problem.

Other p2p programs seem to get incoming connections as well without any problems, so this is not a case of "LAN router malfunctions and stops incoming TCP" or something.

Router says:
Network: Firewalled
5 min: 71.8 / 152.2 KBps
Tunnels
Exploratory: 14
Client: 5X
Participating: 0
Share ratio: 0.00
Congestion
Job lag: 0
Message delay: 188 ms
Backlog: 0
Accepting tunnels

Connectivity to application (socat) running as same user on same udp and tcp ports was confirmed with (copied from #1400)

# Senders: one loop per protocol and address family
while true ; do d=$(LC_ALL=C date); echo "UDP4 $d" | socat - UDP4-SENDTO:1.2.3.4:12345 ; sleep 1 ; done
while true ; do d=$(LC_ALL=C date); echo "TCP4 $d" | socat - TCP4:1.2.3.4:12345 ; sleep 1 ; done
while true ; do d=$(LC_ALL=C date); echo "UDP6 $d IPv6" | socat - UDP6-SENDTO:1.2.3.4:12345 ; sleep 1 ; done
while true ; do d=$(LC_ALL=C date); echo "TCP6 $d IPv6" | socat - TCP6:1.2.3.4:12345 ; sleep 1 ; done
# Receivers on the forwarded port (socat has no TCP-RECV address type; TCP uses LISTEN)
socat UDP-RECV:12345 - ; socat UDP4-RECV:12345 - ; socat UDP6-RECV:12345 -
socat TCP-LISTEN:12345 - ; socat TCP4-LISTEN:12345 - ; socat TCP6-LISTEN:12345 -

Change History (4)

comment:1 Changed 5 years ago by rfree

Forced network to be simple ipv4 instead of dual stack, with the workaround

wrapper.java.additional.5=-Djava.net.preferIPv4Stack=true
wrapper.java.additional.6=-Djava.net.preferIPv6Addresses=false

but it did not help; after a full router restart it finishes testing and again shows
Network: Firewalled

Router status is:

http://localhost:7657/netdb?r=.

Published: 4 min ago
Address(es): SSU: [cost=7] [caps=B]
[ihost0=X.X.X.X some unknown Internet address]
[ihost1=X.X.X.X some other unknown Internet address]
[ikey0=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=]
[ikey1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=]
[iport0=XXXX some port, that is not my port]
[iport1=XXXX some port, that is not my port]
[itag0=XXXXXXX]
[itag1=XXXXXXX]
[key=XXXXXXXXXXXXXXXXXXXX=]
Stats:
caps = OU
coreVersion = 0.9.15
netId = 2
router.version = 0.9.15
stat_uptime = 90m

On
http://localhost:7657/peers

I see only outgoing connections (the big arrows are only UP). There are <5 for NTCP and a dozen for UDP.

So i2p even stopped publishing the NTCP address of my router as a result of the following changes I made: changed the UDP port number to be the same as the TCP one, and changed the detection method to all available methods instead of manually entering the IP. Btw, UPnP is (and was) off, laptop mode is (and was) off.

Last edited 5 years ago by rfree
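A way to read a pasted netdb entry like the one in comment 1 and see what the router is advertising to peers. This is an added example, not code from the ticket or from the I2P project. The sample entries are constructed with placeholder values, the REACHABLE layout is an assumption, and reading ihostN as introducer entries and U in the router caps as "unreachable" follows I2P's published documentation.

```python
import re

# Constructed entries in the layout pasted in comment 1; all values are placeholders.
FIREWALLED = """\
Address(es): SSU: [cost=7] [caps=B]
[ihost0=192.0.2.10]
[ihost1=198.51.100.20]
[ikey0=PLACEHOLDER0=]
[ikey1=PLACEHOLDER1=]
[iport0=20001]
[iport1=20002]
[itag0=1111111]
[itag1=2222222]
[key=PLACEHOLDER=]
Stats:
caps = OU
"""
# Assumed layout for a router that publishes direct addresses (not from the ticket).
REACHABLE = """\
Address(es): NTCP: [host=203.0.113.5] [port=12345]
SSU: [cost=5] [caps=BC] [host=203.0.113.5] [key=PLACEHOLDER=] [port=12345]
Stats:
caps = OR
"""

TOKEN = re.compile(r"\b(SSU|NTCP):|\[(\w+)=([^\]]*)\]")

def parse_addresses(text):
    """Group [key=value] options under the transport label that precedes them."""
    addrs, current = {}, None
    for style, key, value in TOKEN.findall(text):
        if style:
            current = addrs.setdefault(style, {})
        elif current is not None:
            current[key] = value
    return addrs

def summarize(entry):
    """Report what the published entry tells other routers about reachability."""
    addr_part, _, stats_part = entry.partition("Stats:")
    addrs = parse_addresses(addr_part)
    ssu = addrs.get("SSU", {})
    caps = re.search(r"^caps\s*=\s*(\S+)", stats_part, re.M)
    return {
        "transports": sorted(addrs),
        "ssu_direct": "host" in ssu and "port" in ssu,
        "ssu_introducers": sum(1 for k in ssu if re.fullmatch(r"ihost\d+", k)),
        "router_unreachable": bool(caps) and "U" in caps.group(1),
    }

if __name__ == "__main__":
    for name, entry in (("firewalled", FIREWALLED), ("reachable", REACHABLE)):
        print(name, summarize(entry))
```

An entry with introducers, no direct SSU host/port and no NTCP address matches what a router publishes once its own detection has concluded it is firewalled.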

comment:2 Changed 5 years ago by zzz

Component: router/general → router/transport
Milestone: 0.9.16 → 0.9.17
Owner: set to zzz

Stop trying to 'fix' I2P by changing your configuration. As I said in #1400 comment 8, it makes diagnosis harder, increases the chance of making things worse, and you're just shotgunning. You should not be publishing an NTCP address if you're firewalled. That's the way it is supposed to work. Don't try to outsmart the firewall detection code and other logic. Instead, help us figure out why it thinks it is firewalled. Changing a bunch of settings and opening up a bunch of new tickets isn't helping at all.

My current theory is that it's something that's different about your setup compared to others, and that's your BSD NAT/firewall, that it's doing something that I2P isn't happy with.

Our firewall detection method is called "peer testing" and is documented at http://i2p-projekt.i2p/en/docs/transport/ssu .

This is implemented in PeerTestManager, and you may see what it's doing with the logging override net.i2p.router.transport.udp.PeerTestManager=DEBUG

comment:3 Changed 4 years ago by str4d

Keywords: firewall added
Milestone: 0.9.17

comment:4 Changed 4 years ago by zzz

Resolution: worksforme
Status: new → closed

I'm declaring this worksforme, we don't have any evidence of a bug on our side. From everything I can see, our firewall detection is quite reliable. Please reopen if you get new information pointing to a bug.
