ICS + CPF + Port Forward does not work


I’ve just migrated from Kerio Personal Firewall to CPF, but I have a serious problem.

I’m running ICS on my PC to share the net with the computer in the neighbouring room.
Port Forwarding in ICS is already set to forward incoming TCP port 60000 to (PC in the other room)

Everything was good till I installed CPF on this computer (the ICS PC).
After that, the other PC is unreachable on TCP port 60000. :frowning:
I’ve already tried everything; I have no idea now.

If I set CPF to Disabled (Allow all traffic), Port Forward is OK!
But if I set it back to Custom Policy Mode, then Port Forward is broken; the other computer is unreachable on TCP port 60000!

I’ve added a GLOBAL rule:
Allow incoming TCP,
Any Source, Any Destination, Any Source Port, Destination Port: 60000
This is to allow the connection attempt in. (It’s with my public IP as dest_ip.)

And another GLOBAL rule:
Allow outgoing TCP,
Any Source, Any Destination, Any Source Port, Destination Port: 60000
This is to allow the connection attempt to be passed to the “LAN” ethernet card. (with as dest_ip)

But it has no effect!
I’ve tried to add a copy of these rules to svchost.exe and System, also with no effect.

I’ve set “Log as a firewall event if this rule is fired”, but nothing appeared in the firewall log
when I tried to connect to port 60000 (from another computer on the internet).
If I turn these two rules to Block instead of Allow (and try again to connect to 60000), the attempt appears in the firewall log as blocked!

I never had this problem with Kerio (but I don’t want to install it back again).

Please help me, I’ve been trying to solve this for hours, I’m going crazy…
I’m starting to believe it’s a CPF BUG!

Thanks in advance,

Hi fenyo, welcome to the forums.

CFP, in general, does not block silently unless specifically told to. That being the case, check CFP’s Firewall Log for clues as to what is being blocked. This is usually a good indicator of what you need to do to resolve it.

That being said, I assume you have defined a Trusted Network for the 10.0.0.* IP range to allow proper LAN access between the systems & have set the Gateway system to be a gateway system (ICS) from within CFP Firewall settings (Advanced - Firewall Behavior Settings - Alert Settings tab)?

Note: Just noticed that the ICS option is missing from CFPs Help. Now, that is a typo (bug, of sorts).

But that’s the case now.

Is there any other log other than “View Firewall Events”?
Because that one shows nothing in the time interval I tried to connect to TCP 60000.

Yes, but what is the relation between this and my problem? I’ve created GLOBAL rules for the TCP port 60000, so I think it’s unimportant.

Of course, “This computer is an internet connection gateway (i.e. an ICS Server)” is checked.

Good job, I didn’t say it always did then. :slight_smile:

There is the Defense+ Log, but I’m not certain how that could impact ICS, unless a Windows component had been blocked from a COM interface or something.

It’s hard for me to tell (I’ve not seen your TCP Port 60000 rules), but if you say that’s unimportant, that’s fine by me.

No, I disabled only the Firewall security; the Defense+ remained enabled. BTW, I tried to turn it off also, but it had no effect.

As I said, I had created top-level Global rules to allow all incoming and all outgoing TCP port 60000 connections.
But they had no effect!

So, now what? Any ideas? From anyone?

Please help!

Is that a single bi-directional Global rule or 2 mono-directional Global rules?

They are 2 mono-directional Global rules.
If I’d use 1 bidirectional, then that wouldn’t be the same, because the Source Port and Destination Port would be inverted, I know.
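An added example (mine, not anything posted in this thread and not Comodo’s code): a stateless model of the two Global rules described above, checked against the four legs of one forwarded TCP connection as the ICS host sees them. It makes the port inversion visible: on the reply legs 60000 is the source port, not the destination port, so a rule keyed on destination port 60000 alone does not match them. A firewall that tracks connection state accepts those reply legs on its own, so this models rule matching only, not CFP’s real engine. All addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", as seen by the ICS host
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    direction: str                  # "in" or "out" (mono-directional rule)
    dst_port: Optional[int] = None  # None means "Any"
    src_port: Optional[int] = None  # None means "Any"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and (self.src_port is None or p.src_port == self.src_port))

def evaluate(rules, packet, default="block"):
    """First matching rule wins; an unmatched packet gets the default verdict."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

# Constructed placeholder addresses (client on the internet, ICS public IP, LAN PC).
CLIENT, PUBLIC, LAN_PC = "198.51.100.7", "203.0.113.10", "192.168.0.2"

# The two Global rules from the thread: Any source/dest/source port, destination port 60000.
THREAD_RULES = [
    Rule("allow", "in", dst_port=60000),
    Rule("allow", "out", dst_port=60000),
]

# Four legs of one forwarded connection; ICS rewrites only the destination on the way in.
LEGS = {
    "client_syn_in":     Packet("in",  CLIENT, 51234, PUBLIC, 60000),
    "forwarded_syn_out": Packet("out", CLIENT, 51234, LAN_PC, 60000),
    "lan_reply_in":      Packet("in",  LAN_PC, 60000, CLIENT, 51234),  # 60000 is now the source port
    "reply_to_client":   Packet("out", PUBLIC, 60000, CLIENT, 51234),  # same inversion outbound
}

def verdicts(rules=THREAD_RULES):
    """Verdict per leg under the given rule list (stateless, first match wins)."""
    return {name: evaluate(rules, pkt) for name, pkt in LEGS.items()}
```

Adding matching rules keyed on source port 60000 (or relying on a stateful engine) is what makes the two reply legs pass in this model.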

I may be mis-remembering some details, as I haven’t done anything with ICS in some months. As I recall, ICS in WinXP uses the IP address range 192.168.0.x, with the ICS machine being If you have other machines with static defined addresses in the 10.x.x.x range, they won’t network properly. The ICS machine should try to provide addresses to other local machines in the 192.168.0.x range, and not 10.x.x.x. Why it would work before, and not now, is a different question, and I don’t know enough about your LAN setup to make a guess just now.