Internet Connection Sharing problem

soyabeaner, I think you’re thinking of default Rule ID 2, which is Allow In ICMP where message is Fragmentation Needed.

LM

I know, but vabantha’s log shows Outbound Policy Violation, so it must be outgoing connections.

Okay, then that may be a possibility.

But here are two questions, and some suggestions:

  1. Is CFP installed on both computers (just to make certain); if so, you will need to define the Zone & set it as a Trusted Network, on both computers.

  2. When you defined the Zone, did you modify the IP addresses at all, or are they as CFP defined them?

Now the suggestions, to “force” the issue, since we know there’s something in CFP’s rules that is stopping you (since it works if set to Allow All).

Turn both computers off. Then turn the Host back on, get it connected to the internet successfully. Then connect the Client (laptop), turn it on, and try to connect. Does it work? If so it may be due to a response delay.

Next step, if that doesn’t work. Turn Network Monitor on each computer off, one at a time, starting with Host. Check each time to see if you can connect. If so, we can narrow it down to that machine’s Network Monitor.

Next step, if that doesn’t work. Go to Security/Advanced/Miscellaneous. Move Alert Frequency to High or Very High. OK. Reboot. After reboot, you will get a lot more alerts; be sure to Allow & Remember on svchost.exe, or you may lose all connectivity. If you recognize an application, and know you want to allow it, select Allow & Remember. Now see if your computers can both connect.

Last step, if you still have no joy: Edit: Next step. Turn to Allow All. Connect Client, establish connection. Check Activity/Connections as it’s connecting, to see application, IP Protocol, IP addresses, and Ports used. Then we’ll create rules specifically for that.

Hope something here helps,

LM

I only have Comodo running on the host computer. I wanted to get the ICS working through the host before screwing around with the laptop. When I turn the network control rules off on the host, everything works fine. I’m assuming the ICS problem is there.

Okay, so the next step then would be,

Turn the Network Monitor back on.

Set Security to Allow All.

Open Activity/Connections.

Connect Client, create connection. Watch CFP Connections screen, write down (or do a screenshot) of the connection(s) created when the laptop is able to connect.

We will use this info to create Network rules to (hopefully) resolve this little (big) problem.

LM

It may be easier to create a Network Monitor to allow all IP In/Out, put it at the top, and then edit that rule to log (Create an alert if this rule is fired).

I agree.

  1. vabantha please add the above rule of soyabeaner at position #3 and enable all the three top rules (the first two are your trusted zone) to log.

  2. Then clear the logs from CFP and after that start an ICS connection with the laptop.

  3. Export the logs in html and attach them here in a zip archive.

Thanks,
Panagiotis

Ok, I’ve added the rule. I am still unable to access the internet on the laptop with the new rule.

Thanks for the uploads, vabantha. You should edit out any private IPs, though. Strange how your internet was still inaccessible because the allow all IP rule is essentially the same as the Allow All security level setting.

Thanks Vabantha.

It is strange indeed.

Can you please reboot your host and try this again?

IMPORTANT:

  1. Disable “Do protocol analysis”.
  2. Make sure to have unplugged your portable PC before you clear the logs. I could not find the initial traffic which assigns the IP at the portable PC. ???

After that, attach the new logs again.

I think the filtering achieved by applying the rules in the Network Monitor is getting in the way; we already know that if NM is turned off it works fine. By having it on, the very fact that rules are active (even ones to Allow IP In/Out Any/Any) is a filter; this requires action and is, IMO, getting in the way.

Thus if it’s set to Allow All, NM is taken out of the picture. Watching the connections happen in real-time will show exactly what is occurring, by what application, to/from what IP addresses, protocol, ports. No clutter. No filtering. Just data.

It may seem like the more difficult route, but it removes the variable of the NM from the picture.

LM

PS: That, or break out WireShark…

Wireshark again? kail suggested that to me before and I declined with good reason. It almost seems like you have to know hexadecimals to comprehend that thing. ;D.

Oh well. We’ll see if pandlouk’s host restart method works. If not then LM’s method.

You’ll note I didn’t claim to know how to use it well… ;D

However, you can (even without hex) see the traffic pattern, and be able to identify when it does the ol’ stop, drop, and roll…

LM

Did it work?

And, is 192.168.0.127 the Client?

LM

No, it didn’t work. The client ip changes when I disconnect and reconnect.

Is there a way to define an IP range as a Trusted Network?

Sure, you can define an IP range as trusted. First go to Security/Tasks/Add a Zone. Define the start/finish range for the zone, name it, etc. OK. Then go to Security/Tasks/Define a New Trusted Network; use that Zone you just created. It will add two rules to the NetMon.

This is what my earlier suggestion related to; by watching the connection activity with Allow All (which we know would work), we’ll find out what needs to connect, where. My thought is, it may be 0.0.0.0 connecting to 255.255.255.255, but we’d have to see…

LM

Maybe the problems are caused by this blocked traffic.

Date/Time :2007-03-01 15:12:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.0.127, Port = bootp(67))
Protocol: UDP Incoming
Source: 192.168.0.127:dhcp(68)
Destination: 255.255.255.255:bootp(67)
Reason: Network Control Rule ID = 1

:BNC
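An added example (not part of the thread and not Comodo's code): a small parser for log entries in the layout quoted in the post above. It picks out blocked DHCP client-to-server packets (UDP port 68 to port 67) and reports whether both endpoints fall inside a given address range, since a broadcast to 255.255.255.255 lies outside a 192.168.0.x zone. The function names and the zone range are assumptions, and the sample entry is constructed from the one quoted above.

```python
import ipaddress
import re

# Constructed sample, in the layout of the log entry quoted in the thread.
SAMPLE_LOG = """\
Date/Time :2007-03-01 15:12:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.0.127, Port = bootp(67))
Protocol: UDP Incoming
Source: 192.168.0.127:dhcp(68)
Destination: 255.255.255.255:bootp(67)
Reason: Network Control Rule ID = 1
"""

ENDPOINT = re.compile(r"^(?P<ip>[\d.]+):(?:\w+\()?(?P<port>\d+)\)?$")  # ip:name(port) or ip:port

def parse_entries(text):
    """Split an export into blank-line separated entries of 'Key: value' fields."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # split on the first colon only
            fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def endpoint(value):
    m = ENDPOINT.match(value)
    return ipaddress.ip_address(m["ip"]), int(m["port"])

def blocked_dhcp_requests(entries, zone_start, zone_end):
    """Blocked client->server DHCP packets, plus whether the zone range covers both ends."""
    lo, hi = ipaddress.ip_address(zone_start), ipaddress.ip_address(zone_end)
    hits = []
    for e in entries:
        if "Policy Violation" not in e.get("Description", ""):
            continue
        if not e.get("Protocol", "").startswith("UDP"):
            continue
        (src, sport), (dst, dport) = endpoint(e["Source"]), endpoint(e["Destination"])
        if (sport, dport) == (68, 67):            # DHCP client port -> server port
            in_zone = lo <= src <= hi and lo <= dst <= hi
            hits.append((e["Date/Time"], str(src), str(dst), e["Reason"], in_zone))
    return hits

if __name__ == "__main__":
    # Zone range below is hypothetical; use the range defined for the Trusted Network.
    print(blocked_dhcp_requests(parse_entries(SAMPLE_LOG), "192.168.0.1", "192.168.0.254"))
```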

OK, for some reason everything now works! I don’t know why (I haven’t changed anything since yesterday), but I’m not going to complain. Please take a look at my network rules and let me know if it is ok to leave them as is. Thanks so much to all for taking the time to help me out.
