Author Topic: Internet Connection Sharing problem  (Read 15215 times)
vabantha
Newbie
*
Offline Offline

Posts: 17


« Reply #15 on: February 27, 2007, 05:54:08 PM »

Yes, it's been connected.

IP 192.168.0.252
subnet 255.255.255.0
gateway 192.168.0.1


Did you connect the laptop? I mean, did it acquire the IP address and the connection through ICS?

It seems strange because CFP reports the same range again.

Please check at your laptops connection status. Start -> Control Panel -> Network and internet connections -> Network connections
Select the active network connection, right click with the mouse and select status -> support
IP address=?
Subnet Mask=?
Default gateway=?

Logged
pandlouk
I love Comodo
Comodo's Hero
*****
Offline Offline

Posts: 2240


Retired Mod


« Reply #16 on: February 27, 2007, 06:24:10 PM »

ok the default gateway of your portable is the ics host.

add this rule at the network monitor of the host pc.

Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Destination IP = 192.168.0.1
Source port = 68
Destination port = 67

then move this rule up over the default BLOCK Rule

and try to do some tests connecting and disconnecting your portable.

If this resolves the problem, please report back the results.
« Last Edit: February 27, 2007, 06:27:41 PM by pandlouk » Logged
vabantha
Newbie
*
Offline Offline

Posts: 17


« Reply #17 on: February 28, 2007, 11:20:25 AM »

Didn't work...


ok the default gateway of your portable is the ics host.

add this rule at the network monitor of the host pc.

Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Destination IP = 192.168.0.1
Source port = 68
Destination port = 67

then move this rule up over the default BLOCK Rule

and try to do some tests connecting and disconnecting your portable.

If this resolves the problem, please report back the results.
Logged
pandlouk
I love Comodo
Comodo's Hero
*****
Offline Offline

Posts: 2240


Retired Mod


« Reply #18 on: February 28, 2007, 04:01:39 PM »

Didn't work...


Hi Vabantha,

I did some research and from http://www.microsoft.com/technet/security/smallbusiness/topics/ServerSecurity/ref_net_ports_ms_prod.mspx I found that you must allow UDP incoming for the ports 53, 67 and maybe 2535. And maybe it is also necessary to allow TCP incoming at port 53.
These should be the rules:

Rule 1 (necessary)
Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Destination IP = 192.168.0.1
Source port = ?
Destination port = 53

Rule 2 (necessary)
Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Destination IP = 192.168.0.1
Source port = 68
Destination port = 67

Rule 3 (?)
Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Destination IP = 192.168.0.1
Source port = ?
Destination port = 2535

Rule 4(?)
Action = Allow
Protocol = TCP
Direction = In
Source IP = Any
Destination IP = 192.168.0.1
Source port = ?
Destination port = 53

P.S. I'll ask the other mods and maybe someone from the firewall team to help me restrict these rules a little. Hopefully tomorrow we will finally resolve the ICS problem.
Logged
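
Added example (not part of the original posts and not Comodo's code): a simplified first-match model of the four rules above, run against constructed inbound packets. It assumes top-down first-match evaluation, treats the "?" source ports as Any, and compares addresses literally; under those assumptions a client without a lease, whose DHCP DISCOVER goes to the broadcast address 255.255.255.255, does not match a rule pinned to Destination IP = 192.168.0.1.

```python
# Added example: simplified model of the rules listed in the post above.
# Assumptions (not CFP behaviour confirmed by the thread): top-down first-match
# evaluation, "?" source ports mean Any, addresses are compared literally.
from dataclasses import dataclass
from typing import Optional

ANY = None
HOST = "192.168.0.1"  # ICS host address from the thread


@dataclass
class Rule:
    name: str
    action: str
    proto: Optional[str]
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, pkt: dict) -> bool:
        wanted = {"proto": self.proto, "dst_ip": self.dst_ip,
                  "src_port": self.src_port, "dst_port": self.dst_port}
        return all(v is ANY or pkt[k] == v for k, v in wanted.items())


RULES = [
    Rule("Rule 1 (UDP 53)", "Allow", "UDP", HOST, ANY, 53),
    Rule("Rule 2 (UDP 68->67)", "Allow", "UDP", HOST, 68, 67),
    Rule("Rule 3 (UDP 2535)", "Allow", "UDP", HOST, ANY, 2535),
    Rule("Rule 4 (TCP 53)", "Allow", "TCP", HOST, ANY, 53),
    Rule("Default block", "Block", ANY, ANY, ANY, ANY),
]

# Constructed inbound packets on the host's LAN adapter (not taken from the logs).
PACKETS = {
    "DHCP DISCOVER, no lease": dict(proto="UDP", dst_ip="255.255.255.255", src_port=68, dst_port=67),
    "DHCP renew, unicast": dict(proto="UDP", dst_ip=HOST, src_port=68, dst_port=67),
    "DNS query to host": dict(proto="UDP", dst_ip=HOST, src_port=1040, dst_port=53),
}


def evaluate(pkt: dict, rules=RULES) -> tuple:
    """Return (action, rule name) for the first rule matching an inbound packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "Block", "no rule matched"


if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        print(f"{label:26} -> {evaluate(pkt)}")
```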
Soyabeaner
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 8172


« Reply #19 on: February 28, 2007, 04:07:21 PM »

I hope this isn't irrelevant, but your first log pic indicates outgoing ICMP (needed fragmentation) is blocked.  Is a Net Mon rule required to allow these connections?
Logged

Do u know how I sleep? With 1 eye open. I have 9 kids. U know what they say? "Papa if u don't have candy we are going to kill u in your sleep!" When I finally get to sleep & they find the candy do u think they thank me? No. They say "Papa u stupid. Papa u ugly. Papa u look like a pornstar from 1977"
Little Mac
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6258



« Reply #20 on: February 28, 2007, 04:13:45 PM »

soyabeaner, I think you're thinking of default Rule ID 2, which is Allow In ICMP where message is Fragmentation Needed.

LM
Logged

You read my sig block.  That's enough personal interaction for one day.
Soyabeaner
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 8172


« Reply #21 on: February 28, 2007, 04:18:07 PM »

I know, but vabantha's log shows Outbound Policy Violation, so it must be outgoing connections.
Logged

Little Mac
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6258



« Reply #22 on: February 28, 2007, 04:33:27 PM »

Okay, then that may be a possibility.

But here's two questions, and some suggestions:

1.  Is CFP installed on both computers (just to make certain); if so, you will need to define the Zone & set it as a Trusted Network, on both computers.

2.  When you defined the Zone, did you modify the IP addresses at all, or are they as CFP defined them? 

Now the suggestions, to "force" the issue, since we know there's something in CFP's rules that are stopping you (since it works if set to Allow All).

Turn both computers off.  Then turn the Host back on, get it connected to the internet successfully.  Then connect the Client (laptop), turn it on, and try to connect.  Does it work?  If so it may be due to a response delay.

Next step, if that doesn't work.  Turn Network Monitor on each computer off, one at a time, starting with Host.  Check each time to see if you can connect.  If so, we can narrow it down to that machine's Network Monitor.

Next step, if that doesn't work.  Go to Security/Advanced/Miscellaneous.  Move Alert Frequency to High or Very High.  OK.  Reboot.  After reboot, you will get a lot more alerts; be sure to Allow & Remember on svchost.exe, or you may lose all connectivity.  If you recognize an application, and know you want to allow it, select Allow & Remember.  Now see if your computers can both connect.

Last step, if you still have no joy:  Edit:  Next step.  Turn to Allow All.  Connect Client, establish connection.  Check Activity/Connections as it's connecting, to see application, IP Protocol, IP addresses, and Ports used.  Then we'll create rules specifically for that.

Hope something here helps,

LM
« Last Edit: February 28, 2007, 04:37:42 PM by Little Mac » Logged

vabantha
Newbie
*
Offline Offline

Posts: 17


« Reply #23 on: February 28, 2007, 05:11:18 PM »


I only have Comodo running on the host computer.  I wanted to get the ICS working through the host before screwing around with the laptop.  When I turn the network control rules off on the host, everything works fine.  I'm assuming the ICS problem is there.



Okay, then that may be a possibility.

But here's two questions, and some suggestions:

1.  Is CFP installed on both computers (just to make certain); if so, you will need to define the Zone & set it as a Trusted Network, on both computers.

2.  When you defined the Zone, did you modify the IP addresses at all, or are they as CFP defined them? 

Now the suggestions, to "force" the issue, since we know there's something in CFP's rules that are stopping you (since it works if set to Allow All).

Turn both computers off.  Then turn the Host back on, get it connected to the internet successfully.  Then connect the Client (laptop), turn it on, and try to connect.  Does it work?  If so it may be due to a response delay.

Next step, if that doesn't work.  Turn Network Monitor on each computer off, one at a time, starting with Host.  Check each time to see if you can connect.  If so, we can narrow it down to that machine's Network Monitor.

Next step, if that doesn't work.  Go to Security/Advanced/Miscellaneous.  Move Alert Frequency to High or Very High.  OK.  Reboot.  After reboot, you will get a lot more alerts; be sure to Allow & Remember on svchost.exe, or you may lose all connectivity.  If you recognize an application, and know you want to allow it, select Allow & Remember.  Now see if your computers can both connect.

Last step, if you still have no joy:  Edit:  Next step.  Turn to Allow All.  Connect Client, establish connection.  Check Activity/Connections as it's connecting, to see application, IP Protocol, IP addresses, and Ports used.  Then we'll create rules specifically for that.

Hope something here helps,

LM

Logged
Little Mac
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6258



« Reply #24 on: February 28, 2007, 05:24:36 PM »

Okay, so the next step then would be,

Turn the Network Monitor back on.

Set Security to Allow All.

Open Activity/Connections.

Connect Client, create connection.  Watch CFP Connections screen, write down (or do a screenshot) of the connection(s) created when the laptop is able to connect.

We will use this info to create Network rules to (hopefully) resolve this little (big) problem.

LM
Logged

Soyabeaner
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 8172


« Reply #25 on: February 28, 2007, 05:30:14 PM »

It may be easier to create a Network Monitor to allow all IP In/Out, put it at the top, and then edit that rule to log (Create an alert if this rule is fired).
Logged

pandlouk
I love Comodo
Comodo's Hero
*****
Offline Offline

Posts: 2240


Retired Mod


« Reply #26 on: February 28, 2007, 05:49:58 PM »

It may be easier to create a Network Monitor to allow all IP In/Out, put it at the top, and then edit that rule to log (Create an alert if this rule is fired).
I agree.

1. vabantha please add the above rule of soyabeaner at position #3 and enable all the three top rules (the first two are your trusted zone) to log.

2. Then clear the logs from CFP and after that start an ICS connection with the laptop.

3. Export the logs in html and attach them here in a zip archive.

Thanks,
Panagiotis
Logged
vabantha
Newbie
*
Offline Offline

Posts: 17


« Reply #27 on: February 28, 2007, 06:24:11 PM »

Ok, I've added the rule.  I am still unable to access the internet on the laptop with the new rule.



I agree.

1. vabantha please add the above rule of soyabeaner at position #3 and enable all the three top rules (the first two are your trusted zone) to log.

2. Then clear the logs from CFP and after that start an ICS connection with the laptop.

3. Export the logs in html and attach them here in a zip archive.

Thanks,
Panagiotis
« Last Edit: March 01, 2007, 03:08:54 PM by vabantha » Logged
Soyabeaner
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 8172


« Reply #28 on: February 28, 2007, 06:28:44 PM »

Thanks for the uploads, vabantha.  You should edit out any private IPs, though.  Strange how your internet was still inaccessible because the allow all IP rule is essentially the same as the Allow All security level setting.
« Last Edit: February 28, 2007, 06:30:31 PM by soyabeaner » Logged

pandlouk
I love Comodo
Comodo's Hero
*****
Offline Offline

Posts: 2240


Retired Mod


« Reply #29 on: February 28, 2007, 06:37:12 PM »

Thanks Vabantha.

It is strange indeed.

Can you please reboot your host and try this again?

IMPORTANT:
1. Disable do protocol analysis
2. Make sure to have unplugged your portable PC before you clear the logs. I could not find the initial traffic which assigns the IP to the portable PC.

After that attach again the new logs
« Last Edit: February 28, 2007, 06:40:11 PM by pandlouk » Logged