Client behind NAT Firewall

SSC

Client behind NAT Firewall

Post by SSC » Tue Aug 24, 2004 3:32 am

We are using SOS 4.0.2 and the clients are connecting to the server from behind a firewall. Even though each end user has a different user license, their IP addresses appear the same to SOS, as their local addresses are masked with the gateway address. So in this case, when the 2nd user logs in, the first user's connection immediately gets dropped.

Does anyone have a solution for this?

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Post by lbauer » Tue Aug 24, 2004 10:13 am

I'd like to see what the SOS Server log is reporting about these connections.

Please enable verbose logging:

http://support.sourcegear.com/viewtopic.php?t=463

Then reproduce the problem and email the log to linda@sourcegear.com.

Be sure to reference this post in your email.
Linda Bauer
SourceGear
Technical Support Manager

mathewss
Posts: 8
Joined: Thu Aug 26, 2004 5:50 pm

Post by mathewss » Thu Aug 26, 2004 6:14 pm

This sounds like a firewall issue, but if not, it was worth a stab.

One very common problem with firewalls and Masquerading or SNAT is that if you have two people behind the Masquerading IP, the remote server that you talk to will have difficulty keeping it clear who is who.

Joe's Packet 192.168.1.1 -> SNAT -> 202.202.1.1 -> internet -> server (201.201.201.1)
server (201.201.201.1) -> internet -> SNAT 202.202.1.1 -> ???
Bob's Packet 192.168.1.2 -> SNAT -> 202.202.1.1 -> internet -> server (201.201.201.1)
server (201.201.201.1) -> internet -> SNAT 202.202.1.1 -> ???

The packets are __almost__ identical; the only difference is the sequence numbers on the IP packets themselves.

In order to solve this problem, a good firewall will also modify the packet's source port, so the server will then send the packet back to the firewall, and the firewall will, based upon the source port, send it back to the correct internal address.

The exchange of packets would then look like this:

Joe's Packet 192.168.1.1 -> SNAT -> 202.202.1.1:SPORT(1000) -> internet -> server (201.201.201.1)
server (201.201.201.1:SPORT(1000)) -> internet -> SNAT 202.202.1.1 -> 192.168.1.1
Bob's Packet 192.168.1.2 -> SNAT -> 202.202.1.1:SPORT(2000) -> internet -> server (201.201.201.1)
server (201.201.201.1:SPORT(2000)) -> internet -> SNAT 202.202.1.1 -> 192.168.1.2


In order to do this, the firewall must maintain a session tracking table and make reasonable decisions as to what to change the source port to.
If the firewall does not do a good job of this, then the result will be a situation where one person will get connected, and as soon as the other person gets connected everything will fall apart.

In general, SOS or any server does not give a rip if the packet comes from the same IP address as another person, as long as the TCP/IP layer can tell them apart. This is done at the OS level, and the source port is the most common way of doing this.

As an example, you could make 5 connections from your computer to another server, say an ssh client or a database connection. If you look at the packets using a packet sniffer, you will see that each packet from each connection will have a different random source port.

Anyway, what I would do is use a network packet sniffer to see what the packets look like as they come from behind the SNAT firewall, and make sure they are correct.
Regards
Sean Mathews Nu Tech CTO

struct SoftwareProfessional {
double salary;
long lunches;
float jobs;
char unstable;
void work;
short tempers;
};
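The two behaviours Sean describes above, as an added illustration that is not part of his post: a toy stateful SNAT that either masquerades only the source IP (so two internal hosts that happen to pick the same ephemeral port collide in the session table) or also rewrites the source port (PAT). The addresses are the thread's own example values; the server port, the port allocator's start value and the collision on port 1000 are constructed for the demo.

```python
from dataclasses import dataclass

PUBLIC_IP = "202.202.1.1"          # gateway address from the thread
SERVER = ("201.201.201.1", 8888)   # server IP from the thread; port assumed


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


class Snat:
    """Toy stateful SNAT. rewrite_ports=False masquerades only the IP and
    keeps the client's source port; True allocates a fresh one (PAT)."""

    def __init__(self, rewrite_ports):
        self.rewrite_ports = rewrite_ports
        self.sessions = {}     # public port -> (internal ip, internal port)
        self.next_port = 1000  # PAT port allocator (assumed start value)

    def outbound(self, pkt):
        if self.rewrite_ports:
            for pub, internal in self.sessions.items():
                if internal == pkt.src:      # existing session: reuse it
                    return Packet((PUBLIC_IP, pub), pkt.dst)
            pub, self.next_port = self.next_port, self.next_port + 1
        else:
            pub = pkt.src[1]   # keep client's port: two hosts can collide
        self.sessions[pub] = pkt.src   # a collision silently overwrites
        return Packet((PUBLIC_IP, pub), pkt.dst)

    def inbound(self, pkt):
        """Server reply to PUBLIC_IP:port; map back to the internal host."""
        internal = self.sessions.get(pkt.dst[1])
        return None if internal is None else Packet(pkt.src, internal)


def deliver(rewrite_ports):
    """Joe and Bob both happen to use ephemeral port 1000. Returns which
    internal host receives the server's reply to Joe, then to Bob."""
    nat = Snat(rewrite_ports)
    out_joe = nat.outbound(Packet(("192.168.1.1", 1000), SERVER))
    out_bob = nat.outbound(Packet(("192.168.1.2", 1000), SERVER))
    # the server answers whatever source it saw on the wire
    replies = [Packet(SERVER, out_joe.src), Packet(SERVER, out_bob.src)]
    return [nat.inbound(r).dst[0] for r in replies]
```

Without port rewriting, Bob's login overwrites Joe's session entry and both replies land on Bob, which is exactly the "second user logs in, first user gets dropped" symptom; with PAT each reply finds its own host.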

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Post by lbauer » Fri Aug 27, 2004 2:46 pm

Wow, Matthew, thanks for the info. Nicely done.

You're right that the SOS Server doesn't care about multiple logins from the same IP.

To SSC: If your firewall seems OK, verify that you really do have the SOS 4.0.2 server installed. The log file will have that information. SOS 4.0 had a bug that if you had Timeout idle connections set in the Server Manager->General, the server would allow only one login at a time. This was fixed in 4.0.2.

We've found that some of our resellers still have 4.0 available for download from their websites, so users are still running into this bug.
Linda Bauer
SourceGear
Technical Support Manager