ive already done this
1) Create a new service definition
Goto Definitions>>Services
New Service Definition
Name: ventrilo
Type of Definition: TCP/UDP
Destination port: 3784
Source port: 1:65535
Comment: Vent service
2) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: ventrilo
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: port 3784
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Ventrilo server
Destination Service: left blank
Click Save
Once created click traffic light from Red to Green
3) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: Port 3784
Destination: ventrilo server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow http traffic to venrtilo server
Click Save
Once created click traffic light from Red to Green
Below is the the person who figure out how to make it work
I was unable to get the DNAT working with the information he supplied, I did however tinker with it for another day or so and found that I could get it working with a lot of playing around.
The problem continues in the logging NOT showing any blocks or drops on "some" programs. What I mean by that is when I first setup ASG I was seeing all kinds of drops from different programs, adobe, google, avg, vmware, games etc... At which point I was able to see those dropped connections and setup filter rules which would allow those programs to connect out. But I didn't see for example port 6100 for ventrilo was being dropped, it simply doesn't show up in the live logs. Once I opened that I could get it working. The server destination port was 3784 (1024 on the return) and the return port is a range of ports between 2 - 4k. (and this is not documented anywhere for the client program, in the doc, their site or their forums, even tried google with no luck)
The solution so far is to setup DNAT to allow a range of incoming ports and the out going port of 3784. Then of course setup a filtering rule to allow the same. We touched on this in the post that started this whole silliness.
Client connects out on random ports between 2-4k to port 3784 on the server.
The server responds from port 1024 (for whatever reasons) to the random port the client used to connect out.
And for no reason that I can find at all the client must have port 6100 open to connect the ventrilo directory service. I think this might be a system that allows them to find cracked s/n's on servers. Kind of a phone home system, but I'm not totally sure about about that.
So in the example above one would need to setup a DNAT rule to allow the Source port 1024 (server) to connect to the destination ports 2000-4000 (your network)
Then a filter rule needs to be setup under packet filtering to allow default ventrilo ports and port 6100...
That will get you out. (when I get some time I will make a better tutorial)
link to his post if you want more details
http://www.astaro.org/astaro-gateway-products/general-discussion/21087-taking-astaro-out-production-2.html
This thread was automatically locked due to age.
