Can't open m0n0wall ports (bug?)

[pairughdocks]

I recently replaced a Linksys E900 router with a m0n0wall router distribution, and on my local LAN or external WAN I can not open custom ports. I need to open the following for active directory/dns/etc.. to authorize, sync, and update.

RPC endpoint mapper: 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service: 137/tcp, 137/udp
NetBIOS datagram service: 138/udp
NetBIOS session service: 139/tcp
RPC dynamic assignment: Win 2k/2003:1024-65535/tcp
Win 2008+:49152-65535/tcp
Server message block (SMB) over IP (Microsoft-DS): 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP): 389/tcp
LDAP ping: 389/udp
LDAP over SSL: 636/tcp
Global catalog LDAP: 3268/tcp
Global catalog LDAP over SSL: 3269/tcp
Kerberos: 88/tcp, 88/udp
Domain Name Service (DNS): 53/tcp1, 53/udp

I have a default LAN rule of:

Proto: * / Source: Lan Net / Port: * / Destination: * / Description: Default LAN -> any

So ANY traffic should be able to flow freely, yet I am getting error messages such as:

The DNS server could not open socket for address 192.168.1.1. 
Verify that this is a valid IP address for the server computer. If it is NOT valid use the Interfaces dialog under Server Properties in the DNS Manager to remove it from the list of IP interfaces. Then stop and restart the DNS server. (If this was the only IP interface on this machine and the DNS server may not have started as a result of this error. In that case remove the DNS\Parameters\ ListenAddress value in the services section of the registry and restart.) 
 
If this is a valid IP address for this machine, make sure that no other application (e.g. another DNS server) is running that would attempt to use the DNS port. 
 
For more information, see "DNS server log reference" in the online Help.
 

The DNS server could not bind a Transmission Control Protocol (TCP) socket to address 192.168.1.1. The event data is the error code. An IP address of 0.0.0.0 can indicate a valid "any address" configuration in which all configured IP addresses on the computer are available for use.
Restart the DNS server or reboot the computer.

 

I've researched on m0n0walls forums and have had no luck, is this a bug with the distro?

 

 

 

[pairughdocks]

I'm not sure what the NAT would look like to only allow these local services to talk amongst the LAN.

 

Edit: I set up a rule for RDP as a test

 

IF: WAN PROTO: TCP EXT PORT RANGE: 3389-3389 NAT IP: 192.168.1.1 (server) INT PORT: 3389 DESCRIPTION: RDP

 

which works...

 

So to get LDAP to authorize it should be

 

IF: WAN PROTO: TCP EXT PORT RANGE:389-389 NAT IP: 192.168.1.1 (server) INT PORT: 389 DESCRIPTION: LDAP

 

But I don't get how to do a UNIQUE range, such as RPC using something like 1024-65534, since I can only map it to one local port as opposed to a range.

[+BudMan MVC]

Do you have more than 1 lan segment? Your gateway/router has NOTHING to do with traffic between lan machines on the same network.

So unless your routing traffic between say 192.168.1.0/24 and 192.168.2.0/24 through m0n0wall. It does not care nor even see traffic between say 192.168.1.14 and 192.168.1.52

These devices would only talk to m0n0wall to go to something off 192.168.1.0/24, like the internet. You would not be opening up most of the ports you listed inbound from the internet - nor would you believe would you even want that traffic going to the internet. Other than your dns listing port 53

Where are you seeing this error?

"The DNS server could not open socket for address 192.168.1.1"

And what is the IP address of your m0n0wall lan interface.. I believe it would default to something 192.168

But generally specking those ports would have NOTHING to do with your m0n0wall setup for your local lan. And seem unlikely you would want those forwarded from the internet, etc.

[snaphat (Myles Landwehr) Member]

Let me see if I understand you correctly:

 

(1) These errors are on the m0n0wall setup.

(2) You setup an outbound rule to allow passing of ANY traffic out.

(3) You are seeing socket errors when M0n0wall tries to bind to the DNS port on your LAN interface.

 

The binding to ports and outbound rules issue appear to be unrelated to me. It appears that m0n0wall's DNS server service is failing to bind to the DNS port (53) for some reason. I assume you are saying that all of the services you listed also fail to bind to ports in the same manner. Out of curiosity is m0n0wall having issues binding to ports above 1024? If not, this would probably indicate an issue with root vs non-root binding. Also, is your m0n0wall LAN interface actually configured to use address 192.168.1.1? If not, it would fail to bind.

[pairughdocks]

Do you have more than 1 lan segment? Your gateway/router has NOTHING to do with traffic between lan machines on the same network.

So unless your routing traffic between say 192.168.1.0/24 and 192.168.2.0/24 through m0n0wall. It does not care nor even see traffic between say 192.168.1.14 and 192.168.1.52

These devices would only talk to m0n0wall to go to something off 192.168.1.0/24, like the internet. You would not be opening up most of the ports you listed inbound from the internet - nor would you believe would you even want that traffic going to the internet. Other than your dns listing port 53

Where are you seeing this error?

"The DNS server could not open socket for address 192.168.1.1"

And what is the IP address of your m0n0wall lan interface.. I believe it would default to something 192.168

But generally specking those ports would have NOTHING to do with your m0n0wall setup for your local lan. And seem unlikely you would want those forwarded from the internet, etc.

 

1) no, it is just one lan segment (192.168.1.x)

2) I am seeing this error in my DNS event viewer

3) The m0n0wall is 192.168.1.2 (firewall.eatvac.local) and the server is is 192.168.1.1 (zeus.eatvac.local)

 

Let me see if I understand you correctly:

 

(1) These errors are on the m0n0wall setup.

(2) You setup an outbound rule to allow passing of ANY traffic out.

(3) You are seeing socket errors when M0n0wall tries to bind to the DNS port on your LAN interface.

 

The binding to ports and outbound rules issue appear to be unrelated to me. It appears that m0n0wall's DNS server service is failing to bind to the DNS port (53) for some reason. I assume you are saying that all of the services you listed also fail to bind to ports in the same manner. Out of curiosity is m0n0wall having issues binding to ports above 1024? If not, this would probably indicate an issue with root vs non-root binding. Also, is your m0n0wall LAN interface actually configured to use address 192.168.1.1? If not, it would fail to bind.

 

1) the dns errors are from the server, I KNOW m0n0wall is the culprit, because if I put in a little SOHO router I do not have these issues

2) that is the default firewall rule that m0n0wall ships with

3) Yes, I believe that m0n0wall is preventing DNS from binding a port on the LAN interface. In m0n0wall my DNS is set to 192.168.1.1 (my DNS server - Standard 2008 R2)

 

Also, every so often I get internet disconnects (page can not be displayed) yet DCDIAG shows NO errors and passes everything.

[snaphat (Myles Landwehr) Member]

So those errors are NOT from m0n0wall? They are from logs on a Windows machine running a DNS server? if so, it really has nothing to do with m0n0wall because m0n0wall cannot control what ports a completely separate machine is able to listening on. The best I can come up with is that possibly your Windows Server isn't keeping its 192.168.1.1 IP whenever m0n0wall is hooked up and as such can't listen to any ports on that address.

[pairughdocks]

So those errors are NOT from m0n0wall? They are from logs on a Windows machine running a DNS server? if so, it really has nothing to do with m0n0wall because m0n0wall cannot control what ports a completely separate machine is able to listening on. The best I can come up with is that possibly your Windows Server isn't keeping its 192.168.1.1 IP whenever m0n0wall is hooked up and as such can't listen to any ports on that address.

 

Which is totally a possiblity, except everything is hard coded... I'm not sure how it would "forget" - the issue does not occur though when I have a SOHO router on the network and remove m0n0wall from the equation.

[snaphat (Myles Landwehr) Member]

Which is totally a possiblity, except everything is hard coded... I'm not sure how it would "forget" - the issue does not occur though when I have a SOHO router on the network and remove m0n0wall from the equation.

 

Is it possible that m0n0wall has control of the 192.168.1.1 address (e.g. to hand it out via dhcp or something) and a conflict is occurring?

 

EDIT: http://support.microsoft.com/kb/279678 could this be relevant?

[pairughdocks]

m0n0wall is static to 192.168.1.2 (firewall.eatvac.local) all DHCP services are disabled on m0n0wall.

 

Edit: If I follow the advice of the article and set the DNS server to only listen on 192.168.1.1 I lose all functionality of DNS.

[+BudMan MVC]

If m0n0wall is actually on 192.168.1.2 and your dns server is on 192.168.1.1, and your seeing this error on your dns server.

WTF can that have to do with m0n0wall? There is NOTHING that m0n0wall could be doing that would effect anything your dns server on a different IP address does - nothing!!

So we are missing something here.. But I assure you if what your saying is correct m0n0wall is not part of the puzzle.

[pairughdocks]

If m0n0wall is actually on 192.168.1.2 and your dns server is on 192.168.1.1, and your seeing this error on your dns server.

WTF can that have to do with m0n0wall? There is NOTHING that m0n0wall could be doing that would effect anything your dns server on a different IP address does - nothing!!

So we are missing something here.. But I assure you if what your saying is correct m0n0wall is not part of the puzzle.

 

I'm sure you are correct, originally I thought it may have something to do, but I have since resolved SOME of those issues. The issue at hand is still that the DNS/AD server hasn't signaled a sync yet.. (EVENT 4013 - http://gslink.us/B8syka)

[pairughdocks]

This issue is actually resolved :) thanks to all involved.

[snaphat (Myles Landwehr) Member]

This issue is actually resolved :) thanks to all involved.

What was the issue in the end?

[pairughdocks]

It was some weird DNS settings and I used kept running "best practice analyzer" and isolating down issues, event by event. I still actually have TWO issues, but I don't want to trouble others with this...

 

The best practice I DONT UNDERSTAND. I have my loopback as a secondary server.. in the adapter properties and in the DNS server.

 

 

 

 

DNS-4013.txt

DNS-Best-Practice-Error.txt

[+BudMan MVC]

You normally point to 127.0.0.1 as secondary in case something wrong with the IP binding, or stack that prevents dns working on the IP assigned. It's really hard to break loopback ;)

[pairughdocks]

Right, which I did ;), yet I'm still getting a warning that it isn't set. I'm not sure if I should be worried about it or not since everything seems to be functioning normally.

[+BudMan MVC]

does this server have more than 1 network interface - where exactly are you going to sync too. Do you have more than 1 AD dns server in your network. Do you have more than 1 DC? Where are all the roles located?

[pairughdocks]

does this server have more than 1 network interface - where exactly are you going to sync too. Do you have more than 1 AD dns server in your network. Do you have more than 1 DC? Where are all the roles located?

 

It has 4, they are all disabled except for the one in use (since I do not have need for them). 1 AD DNS server only, and 1 DC only. Roles are all on the central/primary DC.

[+BudMan MVC]

so the DNS is not your DC?

[pairughdocks]

DNS is running on the DC