TMobile CellSpot

I have a T-Mobile CellSpot, an internal net-connected device that creates a pico cell for service in my house, which then goes over the internet to TMO.

It has a static address, but I cannot get it to boot and connect to the internet behind the XG.

I tried to set up a rule to NOT filter and only port forward, but it still won't connect.

Behind my UTM 9.3 it works.



This thread was automatically locked due to age.
  • Hi Dave,

    Have you created a rule to allow the LAN zone and T-Mobile CellSpot out to the internet? That rule allows traffic in but not out, by the looks of things. The other thing you can try is to check the "Create Reflexive Rule" button, which essentially creates a reverse rule.

    Cheers,

    Ben

  • I had the reflexive already checked. I added the following and it is still not working. These are ALL my rules.

  • Dave,

    What does a drop-packet-capture "host ip" produce? Otherwise use a tcpdump to see what is happening on the connection for that ip/port.


  • Date=2016-04-13 Time=23:15:53 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port1 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=208.54.90.1 dest_ip=10.1.1.23 l4_protocol=UDP source_port=4500 dest_port=4500 fw_rule_id=6 policytype=2 live_userid=4 userid=11 user_gp=2 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=253 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=1 connid=134283520 masterid=442713312 status=0 state=410 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

  • fw_rule_id=6 and user_gp=2....


    The port seems correct. Can you disable the policy rule 6? Also can you share the rule where the port 4500 is allowed? I mean open the Policy rule and post the screenshot.

    Thanks.

  • OK, rule 6 disabled. Also, the picture above is ALL the rules I have now. Rule ID 2 is where I port forward the 4500.

    With rule 6 disabled I now get this:


    Date=2016-04-13 Time=23:31:14 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port1 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=208.54.75.197 dest_ip=10.1.1.23 l4_protocol=UDP source_port=4500 dest_port=4500 fw_rule_id=1 policytype=1 live_userid=4 userid=11 user_gp=2 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=253 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=1 connid=65792 masterid=1399558624 status=0 state=410 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

  • Rule ID 1 is my allow-all-out, NO SCAN of any type.

    Hmmmm

  • Your previous rule is not caught.

    Check your config. How are you trying your WAN to LAN rule? Are you connected from another site?

  • Don't know if I understand you totally. I am inside on the LAN now with my CellSpot next to me.

    The only rules I have are in the picture above, with the exception that rule #6 is now disabled.

  • Create a Policy Rule WAN to LAN where source zone is WAN, source IP is 208.54.75.197, dest. zone is LAN and dest IP=10.1.1.23 where protocol is UDP 4500, and see if it works.

  • I get this now


    Date=2016-04-14 Time=00:22:13 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port1 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=208.54.73.1 dest_ip=10.1.1.23 l4_protocol=UDP source_port=4500 dest_port=4500 fw_rule_id=2 policytype=3 live_userid=4 userid=11 user_gp=2 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=253 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=1 connid=65800 masterid=1313074432 status=0 state=410 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

  • Hmmm, still not working. Any ideas?

  • Have you tried moving your allow all network rule from the bottom to the top?

  • I have not. I have always been in the mindset of top-down: top being what I want to filter inbound and bottom letting everything else out :)

    I will try this and report back

  • Moved it to the TOP.  

    Still getting the below drop...


    Date=2016-04-15 Time=10:58:07 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=2 source_mac=b4:ee:b4:d3:50:f1 dest_mac=00:01:2e:5a:96:03 l3_protocol=IP source_ip=10.1.1.23 dest_ip=208.54.73.1 l4_protocol=UDP source_port=4500 dest_port=4500 fw_rule_id=1 policytype=1 live_userid=4 userid=11 user_gp=2 ips_id=5 sslvpn_id=0 web_filter_id=6 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=1 app_id=0 category_id=0 bandwidth_id=0 up_classid=7161395441051893760 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=253 gateway_offset=72 max_session_bytes=0 drop_fix=0 ctflags=1 connid=604045568 masterid=1974685344 status=0 state=414 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
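    The four Denied lines posted in this thread are hard to compare by eye, so here is an added Python example (my own, not code from the thread or from Sophos) that parses the XG key=value firewall log format and pulls out the fields that matter when chasing a drop: direction, the rule id that dropped the packet, the policy type, and whether any scanning-module ids (ips_id, web_filter_id, app_filter_id) were attached to the connection. The sample lines are the ones quoted above; the "inbound/outbound" classification is my own convention based on whether the source address is RFC 1918 private.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# The four "Denied" lines posted in the thread, copied verbatim.
SAMPLE_LOGS: List[str] = [
    "Date=2016-04-13 Time=23:15:53 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port1 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=208.54.90.1 dest_ip=10.1.1.23 l4_protocol=UDP source_port=4500 dest_port=4500 fw_rule_id=6 policytype=2 live_userid=4 userid=11 user_gp=2 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=253 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=1 connid=134283520 masterid=442713312 status=0 state=410 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A",
    "Date=2016-04-13 Time=23:31:14 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port1 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=208.54.75.197 dest_ip=10.1.1.23 l4_protocol=UDP source_port=4500 dest_port=4500 fw_rule_id=1 policytype=1 live_userid=4 userid=11 user_gp=2 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=253 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=1 connid=65792 masterid=1399558624 status=0 state=410 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A",
    "Date=2016-04-14 Time=00:22:13 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port1 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=208.54.73.1 dest_ip=10.1.1.23 l4_protocol=UDP source_port=4500 dest_port=4500 fw_rule_id=2 policytype=3 live_userid=4 userid=11 user_gp=2 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=253 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=1 connid=65800 masterid=1313074432 status=0 state=410 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A",
    "Date=2016-04-15 Time=10:58:07 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=2 source_mac=b4:ee:b4:d3:50:f1 dest_mac=00:01:2e:5a:96:03 l3_protocol=IP source_ip=10.1.1.23 dest_ip=208.54.73.1 l4_protocol=UDP source_port=4500 dest_port=4500 fw_rule_id=1 policytype=1 live_userid=4 userid=11 user_gp=2 ips_id=5 sslvpn_id=0 web_filter_id=6 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=1 app_id=0 category_id=0 bandwidth_id=0 up_classid=7161395441051893760 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=253 gateway_offset=72 max_session_bytes=0 drop_fix=0 ctflags=1 connid=604045568 masterid=1974685344 status=0 state=414 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A",
]

# One key=value pair; \S* (not \S+) so empty values such as "in_dev=" are kept as ''.
KV_RE = re.compile(r"(\w+)=(\S*)")

# Module-id fields that are non-zero when a scanning policy was attached to the connection.
SCANNING_FIELDS = ("ips_id", "web_filter_id", "app_filter_id")


def parse_kv_line(line: str) -> Dict[str, str]:
    """Turn one space-separated key=value log line into a dict (empty values stay '')."""
    return dict(KV_RE.findall(line))


def classify_drop(rec: Dict[str, str]) -> Dict[str, object]:
    """Reduce a parsed Denied record to the handful of fields worth comparing."""
    src = ipaddress.ip_address(rec["source_ip"])
    dst = ipaddress.ip_address(rec["dest_ip"])
    # Convention used here (an assumption, not an XG field): private source -> outbound.
    direction = "outbound" if src.is_private and not dst.is_private else "inbound"
    scanning = {k: rec[k] for k in SCANNING_FIELDS if rec.get(k, "0") != "0"}
    return {
        "when": f"{rec['Date']} {rec['Time']}",
        "direction": direction,
        "peer": str(dst if direction == "outbound" else src),
        "proto": f"{rec['l4_protocol']}/{rec['dest_port']}",
        "fw_rule_id": rec["fw_rule_id"],
        "policytype": rec["policytype"],
        "scanning": scanning,
    }


def summarise(lines: List[str]) -> Tuple[List[Dict[str, object]], Counter]:
    """Classify every line and count drops per firewall rule id."""
    drops = [classify_drop(parse_kv_line(line)) for line in lines]
    by_rule = Counter(str(d["fw_rule_id"]) for d in drops)
    return drops, by_rule


if __name__ == "__main__":
    drops, by_rule = summarise(SAMPLE_LOGS)
    for d in drops:
        scan = ", ".join(f"{k}={v}" for k, v in d["scanning"].items()) or "none"
        print(f"{d['when']}  {d['direction']:8}  peer={d['peer']:15}  {d['proto']}  "
              f"rule={d['fw_rule_id']} policytype={d['policytype']}  scanning: {scan}")
    print("drops per rule:", dict(by_rule))
```

    Run on the four lines above, the first three drops are inbound UDP/4500 from the carrier's public addresses with no scanning ids set, and only the last (outbound, after the allow-all rule was moved to the top) carries ips_id=5 and web_filter_id=6, i.e. a scanning policy was applied to that connection. Pointing the script at an exported log file instead of SAMPLE_LOGS is a one-line change.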

  • Looks like an IPS thing... I can't stop this from triggering. I even created a blank IPS policy and it still triggers.

    2016-04-15 20:18:34
    Signatures
    Drop
    p0larlte
    208.54.75.197 :UDP (4500)
    10.1.1.23 :UDP (4500)
    445
    (snort_decoder) WARNING: MISC Large UDP Packet
    Reconnaissance
    BSD,Linux,Mac,Other,Solaris,Unix,Windows
    Server
    1
    07002
    2016-04-15 20:08:20
    Signatures
    Drop
    p0larlte
    208.54.73.1 :UDP (4500)
    10.1.1.23 :UDP (4500)
    445
    (snort_decoder) WARNING: MISC Large UDP Packet
    Reconnaissance
    BSD,Linux,Mac,Other,Solaris,Unix,Windows
    Server
    1
    07002

  • Also, RULE #1 is the default out-everything rule. I have set it to NONE, LAN2WAN and my own blank Accept ALL policy... Can't figure out how to add the LTE modem as an exception.

  • STOPPING the IPS service worked. It allowed the CellSpot to boot even without specific rules. So it's the IPS service dropping it somewhere.

  • It's not uncommon for IPS to pick these things up. What do the IPS logs say?

    I've had to add an exception for my PS3 else everything I try and download triggers IPS and gets stuck in a download loop!