PFsense firewall and the Sling Adapter.

smakovits

Jul 28, 2007
I originally visited this subject about 8 months ago, but need to revisit. For a while, I went away from pfSense because the beta was jacked, but now that v2 Release Candidates are out it is much more stable. Except of course when you want to use the Sling Adapter.

I have tried a whole ton of things as far as internal and external ports go, but every time I try to connect either via a remote PC or my Droid X, it says that Sling is not available. I recently upgraded to DOCSIS 3 to get the 5 Mbps upload, but when you can't even connect, it does you no good.

So, my question is, is there anyone out there using pfSense for their firewall and able to access the Sling Adapter? I do see my firewall blocking some traffic when I try to connect to the Sling and it always appears to be a random port, so maybe that is the issue. I know when I used Smoothwall as the firewall it worked; however, the issues there with Snort made me stop wanting to use it, so instead I went to pfSense, but if Sling doesn't work, I may have to switch to something else.

If there is anyone out there with pfSense whose Sling Adapter does work, I would really like to hear about their configuration. Thanks.
 
Did you try manually setting up a port forward for 5101?
Or did you try UPnP?

I found this link with several suggestions (it's about Xbox, but simply keep in mind the main inbound port is 5101 for Slings, 5102 if you have a second Sling Adapter):
http://forum.pfsense.org/index.php?topic=13887.0

I'd recommend setting up static DHCP so that you can try manually forwarding 5101 without worrying about the IP of the Dish receiver changing.

Also you need a flat network (one IP block) ... if worst comes to worst, have you tried setting up the IP of the receiver as the DMZ machine?
 
I will have to try some of this. Do I need a special outbound port? I don't believe I do, but just wanted to confirm.
 
No special outbound ports ... it's all about the inbound, and not dropping responses. The multicast rule noted was interesting, since some of the snippets I've read on UPnP require it for peer announcement and self-management.

As to the random port blocking, there was mention that port randomization caused problems for one of the people at that link (lack of good port randomization was one of the attack vectors in the past couple of years), and it is mentioned here http://doc.pfsense.org/index.php/Static_Port with examples of phone adapters having issues (as well as ISAKMP for VPNs), so perhaps that will help.

As for this:
i hate to ask this, but why , oh why are you using a firewall? what is it doing for you besides stopping sling?
Who *isn't* using one? At the very least, one-to-many NAT is considered a poor firewall. The standard operation of most SOHO firewall/routers enables NAT and stateful packet inspection, so that you don't have spoofed packets coming in on any port.
http://en.wikipedia.org/wiki/Stateful_firewall
 
i hate to ask this, but why , oh why are you using a firewall? what is it doing for you besides stopping sling?

Are you asking why I use a firewall in general or why I have my 722 behind a firewall? I have pondered trying to put it in a DMZ, as I feel it is low risk and should give me (and anyone, for that matter) open access to my Sling/722 from the outside world. So in that sense it would be like having no firewall.

As for the rest of my network, I would hope everyone has some sort of firewall. Have you ever monitored the traffic hitting your network? I see blocked traffic from China and India all the time. Even if it is just the Windows firewall, it is something. But if you put an unprotected system on an outside line like that, it is sure to be attacked, and I would never subject myself and my network to the bad guys. It is just asking for trouble. I might as well post my SSN and credit card numbers on my mailbox. A firewall is a must on any network these days. Therefore, I hope the question was either a joke or, as mentioned above, just directed at why my 722 is behind the firewall.
 
I still don't understand the need. Let them bang on the router all day long. Heck, until I got my new router I only used WEP. Now I'm forced to use WPA something or other.
 
I still don't understand the need. Let them bang on the router all day long. Heck, until I got my new router I only used WEP. Now I'm forced to use WPA something or other.
A router will simply route packets. In a SOHO environment, your router is also doing NAT and PAT (Network / Port Address Translation) and most likely also has SPI (Stateful Packet Inspection) turned on.

One-to-many NAT allows you to have one IP address for the real world, and two or more devices behind the translating device. I.e., do you have 2 or 3 computers or other devices? 2 or 3 Dish receivers with Ethernet needs? NAT and PAT are helping you hook all those devices up to the internet with only one real-world IP address (rather than wasting one IP address per device when they don't need their own unique address, and without you having to pay extra to your ISP for additional IP addresses).

But NAT and PAT aren't enough ... the crackers (and the millions of zombies in a botnet) can send traffic at your router. Your router without SPI (stateful packet inspection) would generally look through a table (think spreadsheet), line up the port it sees incoming with the port it translated, and forward that traffic to the device (computer, receiver, IP phone, etc.) inside your network. If the device that receives that traffic has a flaw (Windows is one of the largest targets currently), the packet may be crafted to abuse that flaw, and the next thing you know, a cracker has use of your property.

With SPI, the firewall portion of your router isn't just translating the addresses (IPs or ports); it's making sure the packet is known. Either the traffic is coming *back* to your router, and thus is a response to a packet that was sent out from one of your devices, or the packet is coming to a known port that was set up specifically to handle inbound traffic.

As for the whole other side of your issue, WEP vs. WPA1/2: WEP stands for Wired Equivalent Privacy (or Wired Equivalent Protocol, or Wireless Encryption Protocol if you prefer) and as such was supposed to make a wireless connection as private as a wired connection. The simple facts are, a flaw in the way the key was generated in WEP made the communication very insecure ... a cracker with freely available tools can now crack WEP in 13 seconds or less.

So you being forced into WPA is trying to make it so that you are more secure than you were. And as far as WEP or open wireless goes, these would be protections to keep you safe from outsiders just messing with your internet ... without proper protection, they could eavesdrop, redirect you, and capture any online passwords you use. They could also just use up your bandwidth, host illegal content and make it lead to you rather than them ... even if innocent, having the police/FBI/Secret Service knocking on your door, taking away your time while they search, is still a hassle.
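To make concrete both the suggestion earlier in the thread (a manual port forward for 5101 to the receiver's static DHCP address) and the NAT-plus-SPI behaviour described in the post above, here is an added toy model of a SOHO NAT/SPI device. It is example code written for this thread, not pfSense code or anything from the original posts; the addresses are constructed, and the "static port" flag stands in for the pfSense Static Port outbound-NAT option linked above.

```python
from dataclasses import dataclass, field

# Constructed example addresses (not from the thread).
WAN_IP = "203.0.113.10"
RECEIVER_IP = "192.168.1.50"   # assumed static DHCP lease for the Dish receiver
SLING_PORT = 5101              # main inbound port for the first Sling Adapter


@dataclass
class StatefulNat:
    """One WAN address shared by LAN hosts; inbound traffic must be a reply or match a forward."""
    static_port: bool = False                        # keep the LAN source port on the WAN side
    port_forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    state: dict = field(default_factory=dict)        # (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
    next_port: int = 49152                           # start of the randomized/ephemeral range

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a packet out; record the translation so its reply is let back in."""
        if self.static_port:
            wan_port = lan_port            # Static Port: source port preserved (some apps need this)
        else:
            wan_port = self.next_port      # default: rewritten to a fresh WAN port
            self.next_port += 1
        self.state[(remote_ip, remote_port, wan_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the LAN destination for a packet arriving on WAN, or None if the firewall drops it."""
        key = (remote_ip, remote_port, wan_port)
        if key in self.state:                  # SPI: this is a response to traffic we sent out
            return self.state[key]
        if wan_port in self.port_forwards:     # explicit inbound rule, e.g. 5101 -> receiver
            return self.port_forwards[wan_port]
        return None                            # unsolicited packet: dropped and logged


def demo():
    """Sling forward plus a normal browsing flow; returns what each inbound packet maps to."""
    fw = StatefulNat(port_forwards={SLING_PORT: (RECEIVER_IP, SLING_PORT)})
    sling_hit = fw.inbound("198.51.100.7", 40000, SLING_PORT)        # remote Sling client
    wan_port = fw.outbound("192.168.1.20", 51000, "198.51.100.9", 443)  # LAN PC opens HTTPS
    reply = fw.inbound("198.51.100.9", 443, wan_port)                # server's response
    spoofed = fw.inbound("198.51.100.8", 443, wan_port)              # same port, wrong peer
    return sling_hit, reply, spoofed
```

Run `demo()` to see the forwarded Sling packet and the HTTPS reply reach LAN hosts while the packet from an unknown peer is dropped.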
 
I still don't understand the need. Let them bang on the router all day long. Heck, until I got my new router I only used WEP. Now I'm forced to use WPA something or other.
It is much more economical to run one good firewall than to run a firewall on every machine on your network.
 
Is there something peculiar about the Sling Adapter that it uses 510x instead of 500x?
Not sure. I know that I've seen 5004 as a port that the SB (Slingbox) Discovery uses to look for Sling devices, and port 5101 shows as registered for "Talarian TCP", but beyond that, no clue.