Comodo and LogMeIn [Closed]

Okay, then, my “wonderful” diagnostic tool helped… For whatever good that may have done! ;D

The only thing I could think - Ewen may have a different idea - is that it is due in part to Comodo’s Stateful Packet Inspection (SPI) engine (utilized thru Protocol Analysis and Fragmented Packet Analysis). While some other software firewalls have a sort of SPI engine built in, Comodo’s is more equivalent to that of a hardware firewall; it’s quite powerful. And probably quite particular about the performance of its duties.

I’ll put it in terms of musical CD players. They all have a certain class of laser that reads the CD. However, there are various levels of quality within that. I have found some that absolutely will not read a given (cheap) CD, or will fault out on one that’s just a little damaged. And yet others will read anything pretty much no matter what. What it seems to me is that the better the quality of the CD player (and laser) the less flexible it is to read cheap/■■■■■ CDs. The lower the quality, the more “slop” it can endure on the part of the CD.

The higher quality has a much tighter configuration, and closer tolerances; I’ve seen this in other areas/products as well. Thus, it seems possible to me that there is a slight deviation in the packets once they pass through your school’s system, such that once they’re going round-trip, they get bonked by CFP’s SPI engine on the way back out. The other firewalls don’t have the issue because they do not do the level of inspection that CFP does.

What’s odd (really odd) is that this is happening on the Outbound from your Home, but only when it originally came from school. It would seem like (to me) that it should happen on the Inbound from School, in the first place.

Let me ask, when you go School to Home, are you accessing the LogMeIn website, going to your account and selecting the computer there? Also, do you have LogMeIn installed at school? And if I remember correctly, didn’t you say that your Home logs, when going School to Home, showed the School IP address? I don’t see that in mine; the only connection is to the LogMeIn portal IP; my computer shows to be controlled by its own IP address. In all locations, do you use the same procedure for accessing the other computer, or do you change things with each one (not sure how you would; just asking)?

LM

Your “wonderful” diagnostic tool definitely helped, hehe. And thank you for your detailed explanation about Comodo and the CD analogy. It definitely helped me further understand its inner-workings. I read really good reviews about Comodo, comparing it quite favorably to commercial firewalls, so I knew it would be quality even prior to my using it. And it’s why that even now, I’m quite hesitant to sacrifice it just for LogMeIn’s sake. There’s certainly no reason to nix great protection just so that I can see my home computer thru a remote access program.

I agree that it’s quite odd there’s only a problem going outbound back from home to school, with no problems indicated coming inbound from school to home to begin with. But to answer your questions, I have not done anything out of the ordinary in regards to connecting school-to-home via LogMeIn. So yes, I access LogMeIn at school via its website (logging into my account and selecting my home comp), and I do have LogMeIn software installed at school, which is how I can successfully connect home-to-school.

Yes, the blocked Comodo logs at home show my private home IP as the source (192.168.x.xxx), and the external school address as the destination (xx.xxx.xx.xx). It is strange that our logs differ in that respect. All I can say is that at my school, I know that they have 2 servers…a student side, and a staff side. Apparently, the student side assigns public IP’s which go right out to the internet, while the staff side has private IP’s. And of course there’s the hardware firewalls/routers etc. What I’m trying to understand is the fact that the blocked Comodo log only reports the school’s external IP as the destination, rather than the public IP of the computer I use (xxx.xxx.xx.xxx). Does this make sense?

Lastly, I do access any computer from any location the same way-- via the LogMeIn site>my account>my computers etc. I have occasionally used the “shortcut” option, which puts a shortcut to one of the computers on the desktop. Still, the result is the same whether I use that option or the site. Otherwise, I do not alter my accessing method in any other way.

~Netophone

This is quite odd. I just double-checked by connecting to my computer, and looking at the traffic. The only connection for logmein is to the portal/account website/IP. Not to the remote computer. The logmein notifier on the host computer does show it to be controlled by what is the external IP here.

I would expect to see something about external IP, rather than internal IP. The router is going to redefine that and only show the computer/internal IP. That’s what’s commonly known as Network Address Translation (NAT). And now I wonder if I’m starting to get down to the crux of the biscuit here. I got to thinking about NAT, and so looked at Wikipedia, here: Network address translation - Wikipedia. See the section on Drawbacks (in Overview) and then in Basic NAT vs Port Number Translation, see the section Application Affected by NAT under the IPSec paragraph.

Ewen, you know more about these things than I, by far. Does what I’m seeing/thinking make sense to you? Could the header modification by the School’s router be changing/interfering with the encryption protocol used by LogMeIn just enough that CFP’s SPI is finding a difference in the packets? Then when the packet is attempted to return to the client computer (by way of the School’s router), it is then further discombobulated and unable to continue back through to the source?

Would this not account for the fact that he’s seeing the School IP (router) blocked in Comodo’s logs due to Fragmentation/Protocol Analysis, rather than the connection to LogMeIn’s IP?

Did you already try adding a TCP Out rule to the top of Network Monitor, with the School’s IP (as shown in the logs) as the Destination, on Any Port? I think maybe you did, but I can’t remember now.

LM

Hey Mac / Netophone,

Sorry for the delay but work has been nuts for the past couple of weeks. Apparently only the clowns have to work in our three ring circus. LOL

I still don’t get one thing about this problem.

If the connection works from point A to point B, after traversing the Logmein servers, why do we get different results on a connection from point A to point C, and the Logmein servers don’t show up as the connecting address?

We’re missing something here, because you simply can’t make a LogMeIn connection without going through the LogMeIn servers, as Mac has pointed out. It just can’t be done. I’ve used LMI for about three years (almost from day one) and have never seen a connection that didn’t include the LMI server in the chain.

I’m really at a loss to understand how you’ve half made a connection without the LMI server showing as the connection address.

Can you install CFP at school and attempt the remote connection again? This way we would have the logs from both ends to examine.

If not, can you install LMI on a student PC to see if using a different communications path varies the outcome?

Curiously,
Ewen :slight_smile:

Actually, he wouldn’t need to install LMI on a student computer to try to connect, since the client comp doesn’t need it for the web-based access. Right? Just log in to LMI account, and click on the Home comp link.

That is a thought; interesting to see the results of that (especially if it works!).

LM

Hey guys,

Just to make sure we’re on the same page, I have a student computer at school that I regularly use. And that is where I have LogMeIn installed, and which is where I’ve attempted to connect to home with no success (blocked outgoing IP/UDP in the CFP logs at home). I know for a fact that you do not need the software installed on your client machine to access a host. You only need the software set up on the host comp (which I have installed on all of my aforementioned comps-- including my school’s so I can connect to it from home).

Would you be able and willing to post your CFP logs, so I can see for myself what they should look like (in regards to showing the LogMeIn Portal, which I have never seen in the logs)? I have only seen the logs record my private IP’s when I’d connect with my 2 LAN comps at home…and of course, they’d record my source IP as my home comp and destination as that of my external IP at school when I try to connect school-to-home.

Also, I’d prefer not to uninstall my Symantec firewall at school in favor of CFP. Symantec came pre-installed with the school comp, and I’m happy with its setup there (as I’ve had no problems with it, including my connecting to it thru LogMeIn), so I’d rather just leave it as is.

However, would it be worth disabling the Symantec firewall prior to my again trying the school-to-home LogMeIn connection? I don’t see how or why it’d make a difference, but I’m just curious. Perhaps somehow…someway, IT is blocking the outbound IP/UDP coming back from CFP in the school-to-home connection? Now even I know that doesn’t seem to make much sense!

Oh yes, and LM, I did try out your TCP Out/Allow rule in the Network Monitor, but unfortunately, it didn’t make a difference. Thank you anyway for the suggestion.

You know what, I just had another thought…perhaps I can again try to connect school-to-home, only this time, attempt it from another student comp? Say, a comp in the school library for example? Maybe then, if it works, we can narrow the problem a little more? Again, it’s hard for me to see why or how it’d make a difference, but I’d be willing to give it a try. Just let me know what you think.

Sorry, I guess we assumed you were on a Staff computer at School…

That said, I think it would be good to try connecting from a different computer at school, in a different location, as you mentioned. It may not make any difference at all, but if it does, then we have just a little something more to go by. Every little bit counts.

I actually don’t have anything in my logs for LMI when I use it. That’s because nothing’s triggered. What I’m referring to is looking at the Connections tab (Activity/Connections), or thru an application that monitors connections (I use CurrPorts; there’s also TCPView and others). The LMI executable has a constant/established TCP connection to one IP, which is the LMI portal. When I actually log on to this computer via LMI, there may be a half-dozen or so of these same connections on different ports, for the duration of the session. When I disconnect the remote access, they go back down to the original one.

Occasionally, there’s an oddball Listening entry as well; it’s there right now as a matter of fact. But this does not seem to have any effect on my connectivity. Screenshot is attached…

What you may do is connect to home from somewhere, and check active connections. See where LMI is connected to. Try to connect from school to home, check active connections, see where LMI is connected to. Before/After on LMI’s connections, so you see what occurs across the board. The other firewalls should have something that shows this; if not, you can use a free utility like I mentioned before. It should ONLY be connected to the LMI portal IP that is constantly on.

LM

PS: Being behind a router at school, you are relatively safe disabling the FW there and attempting an LMI connect to home; but I wouldn’t take long with it. Just see if it works, basically, then re-enable the FW. If you have the chance prior to that, Edit the Network Monitor rule that is set to Allow TCP/UDP Out, so that it will Log events (check the box, “Create an alert if this rule is fired”); this will cause any activity for that rule to be added to the Logs. This way, you will see the LMI connectivity at all times.

[attachment deleted by admin]
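
The before/after connection check described in the post above, as an added example that is not part of the original thread: it diffs two saved `netstat -ano` snapshots for one process and lists any remote address other than the expected one. The PID, the addresses (documentation ranges), the sample output and the function names are all constructed for illustration; substitute the process ID and portal address you actually observe.

```python
import re

# Constructed `netstat -ano` excerpts; addresses are documentation ranges.
BEFORE = """\
  TCP    192.168.1.10:1045     203.0.113.20:443      ESTABLISHED     1234
  TCP    192.168.1.10:1050     198.51.100.7:80       ESTABLISHED     2222
  TCP    0.0.0.0:2002          0.0.0.0:0             LISTENING       1234
"""
AFTER = """\
  TCP    192.168.1.10:1045     203.0.113.20:443      ESTABLISHED     1234
  TCP    192.168.1.10:1061     203.0.113.20:443      ESTABLISHED     1234
  TCP    192.168.1.10:1062     203.0.113.20:443      ESTABLISHED     1234
  TCP    192.168.1.10:1063     192.0.2.55:443        ESTABLISHED     1234
  TCP    0.0.0.0:2002          0.0.0.0:0             LISTENING       1234
"""

# Columns: protocol, local addr:port, remote addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def established(snapshot, pid):
    """Return {(local_port, remote_ip, remote_port)} for one PID's ESTABLISHED TCP rows."""
    conns = set()
    for line in snapshot.splitlines():
        m = ROW.match(line)
        if m and m.group(5) == "ESTABLISHED" and int(m.group(6)) == pid:
            conns.add((int(m.group(2)), m.group(3), int(m.group(4))))
    return conns

def compare(before, after, pid, expected_remote):
    """Diff two snapshots: connections opened, closed, and remotes that are not expected."""
    b, a = established(before, pid), established(after, pid)
    return {
        "opened": sorted(a - b),
        "closed": sorted(b - a),
        "unexpected_remotes": sorted({ip for _, ip, _ in a if ip != expected_remote}),
    }

if __name__ == "__main__":
    # 1234 stands in for the remote-access service's PID (assumption).
    report = compare(BEFORE, AFTER, pid=1234, expected_remote="203.0.113.20")
    for key, value in report.items():
        print(key, value)
```

An empty `unexpected_remotes` list matches the behaviour LM describes, where every session connection goes to the one portal address; LISTENING rows and other processes are ignored.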

Sorry, but I should have asked this to start with.

Are you a student or a teacher at the school?

If you are a student, is remote accessing a PC outside the school LAN, from a school PC, permitted?

Ewen :slight_smile:

Hello guys,

I was on the fringe of sending you a nice, long farewell, but unfortunately, my browser froze, closed and I lost my entire post :frowning: . Suffice it to say, I found out that the problem connecting school-to-home was only when I’d do so from my school computer in my classroom. Apparently, the network setup in there is screwy. Why that negates ONLY when I connect to home, which has CFP, is what is strange. I discovered that when I attempted to connect from the school library to home, there was no problem at all.

Ewen, I am a student, and I know for a fact that we are able to engage in remote access being that I have successfully done so in many scenarios (school to home with CFP disabled, school to home from library, school-to-grandma, home-to-school, etc.). It is only from my school classroom to home w/CFP that causes the problem.

I know that it makes little sense to connect to home with CFP altered (ridding of the fragmented IP rule) which sacrifices my security unnecessarily, or to disable CFP altogether and enable Windows Firewall (an obvious downgrade for the session). So it’s most evident for me to just settle on the best workaround possible, which is my connecting from the school library to home. There’s little reason to drive myself crazy on my primary school computer anymore…as much as I’d like to figure out the dilemma. I’ll just leave it at that.

Again, I simply cannot thank you guys enough. You have been very supportive and I appreciate every bit of your time and expertise. Even though we may not have reached a solution, you have taught me a great deal, without a doubt. Take care–

~Netophone

P.S. LM, I will keep your recommendations for connection monitoring in mind. That will be very helpful to me indeed. Thank you very much.

Netophone ~

Well, I’m glad you found out it’s only from that computer. As you say, that doesn’t “solve” the problem, but at least the source is known, and we know it’s not CFP, nor anything over which you have control. You have a workaround, so that’s another plus.

I’ll go ahead and mark the topic as closed. If for some reason you need it reopened, just PM a Mod (please include a link) and we’ll be glad to do so.

LM