NAT & Corporate Firewall

NAT & Corporate Firewall

Fleep Tuque
Hi all,

We're trying to get an opensim grid running on our campus network, and it works fine from inside the campus network but can't get past region handshake from off campus.  We're running opensim version 0.7.0.2 on Windows Server 2008 virtual machines, and our campus firewall does 1 to 1 NATting.  Each machine on the campus network has both an internal and an external IP address.

I've checked the configuration files on both machines (one's running robust services, the other running opensim.exe) and I've used hostnames instead of IP addresses in all the .ini files except for the region.ini file.  When I capture packet traffic trying to connect from off campus, the client correctly uses the external IP to communicate with the robust server, but after the authentication process, I see the client trying to send packets to the simulator machine's internal IP (10.23.23.x) instead of an external IP address (129.137.2.x).  

I've talked with our NOC and we have confirmed that TCP/UDP traffic is open on all the appropriate ports, so I'm wondering if this has something to do with NAT and if so what's the next step?  In the region.ini file I've tried various permutations of the InternalAddress and ExternalHostName variables, currently InternalAddress is set to the internal IP 10.23.23.x and the ExternalHostName is set to the hostname ucsim1.irc.uc.edu (the box running opensim.exe).  On campus logins are working fine but off campus still doesn't get past region handshake.

Any ideas about what to try next?  And thanks in advance.  :)


- Chris/Fleep


Chris M. Collins (SL: Fleep Tuque)
Project Manager, UC Second Life 
Second Life Ambassador, Ohio Learning Network 
UCit Instructional & Research Computing
University of Cincinnati 
406E Zimmer Hall
PO Box 210088
Cincinnati, OH 45221-0088
(513)556-3018




_______________________________________________
Opensim-users mailing list
[hidden email]
https://lists.berlios.de/mailman/listinfo/opensim-users

Re: NAT & Corporate Firewall

Edmund Edgar
Hi Fleep.

Maybe you've already tried this, but I'd suggest setting
ExternalHostName as your external IP (129.137.2.x) rather than your
hostname (ucsim1.irc.uc.edu).

Behind NAT, some places (including Amazon EC2, I found) use an (IMHO
evil) thing called Split DNS (or "Split Brain DNS"), where the IP
address you get inside the firewall is different to the one you get
outside your firewall. This may be causing your OpenSim box to think
that ucsim1.irc.uc.edu is 10.23.23.x rather than 129.137.2.x.

HTH, let us know how you get on.

On 30 March 2011 23:44, Fleep Tuque <[hidden email]> wrote:

> the client
> correctly uses the external IP to communicate with the robust server, but
> after the authentication process, I see the client trying to send packets to
> the simulator machine's internal IP (10.23.23.x) instead of an external IP
> address (129.137.2.x).
> [snip]
> In the region.ini file I've tried
> various permutations of the InternalAddress and ExternalHostName variables,
> currently InternalAddress is set to the internal IP 10.23.23.x and the
> ExternalHostName is set to the hostname ucsim1.irc.uc.edu (the box running
> opensim.exe).

--
Edmund Edgar
Founder, KK Social Minds
Educational Technology for the Web and Virtual Worlds

[hidden email]
+81 090 3912 3380
Skype: edmundedgar
Second Life: Edmund Earp
Linked In: edmundedgar
Twitter: @edmundedgar
http://www.socialminds.jp
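
The split-DNS hypothesis in the message above can be checked directly. This is an added example, not part of the thread or of OpenSim: it reads the ExternalHostName of each region section and reports whether the address a viewer would be given is internal-only. It assumes the simulator resolves ExternalHostName with its own resolver and that SYSTEMIP stands for the host's own interface address; the host name, addresses and sample INI are constructed.

```python
import configparser
import ipaddress
import socket

# Ranges a viewer on the public internet cannot route to (RFC 1918 plus
# loopback, link-local and "this network").
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def is_non_routable(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def system_resolver(name):
    """Resolve with the OS resolver: the DNS view of the machine running this."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


def table_resolver(table):
    """Offline stand-in for one DNS view, backed by a dict of name -> addresses."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror("name not known: " + name)
        return sorted(table[name])
    return resolve


def advertised_addresses(external_host_name, resolver, system_ip):
    """Addresses handed to viewers, ASSUMING the simulator resolves
    ExternalHostName with its own resolver (the hypothesis in the thread)."""
    if external_host_name.upper() == "SYSTEMIP":
        return [system_ip]              # assumed: the host's own interface address
    try:
        ipaddress.ip_address(external_host_name)
        return [external_host_name]     # literal IP, no DNS involved
    except ValueError:
        return resolver(external_host_name)


def check_regions(ini_text, resolver=system_resolver, system_ip="127.0.0.1"):
    """Return {region name: (verdict, addresses)} for every region section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    report = {}
    for region in parser.sections():
        ext = parser[region].get("ExternalHostName", "SYSTEMIP").strip()
        try:
            addrs = advertised_addresses(ext, resolver, system_ip)
        except socket.gaierror:
            report[region] = ("unresolvable", [])
            continue
        bad = [a for a in addrs if is_non_routable(a)]
        report[region] = ("internal-only" if bad else "ok", addrs)
    return report


def is_split_dns(name, inside, outside):
    """True when the two DNS views disagree about the same name."""
    return inside(name) != outside(name)


# Constructed sample data (not from the thread): a made-up host name, a
# documentation-range public address, and one region per kind of value.
SAMPLE_INI = """
[Region A]
InternalAddress = 0.0.0.0
InternalPort = 9000
ExternalHostName = sim.example.edu

[Region B]
InternalAddress = 0.0.0.0
InternalPort = 9001
ExternalHostName = 203.0.113.10

[Region C]
InternalAddress = 0.0.0.0
InternalPort = 9002
ExternalHostName = SYSTEMIP
"""
INSIDE = table_resolver({"sim.example.edu": ["10.0.0.5"]})       # view behind the NAT
OUTSIDE = table_resolver({"sim.example.edu": ["203.0.113.10"]})  # view from the internet

if __name__ == "__main__":
    for region, (verdict, addrs) in check_regions(SAMPLE_INI, INSIDE, "10.0.0.5").items():
        print(region, verdict, addrs)
    print("split DNS:", is_split_dns("sim.example.edu", INSIDE, OUTSIDE))
```

Run on the simulator host with the default `system_resolver` to see the inside view. An `ok` verdict only rules out the advertised address and says nothing about the firewall path.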

Re: NAT & Corporate Firewall

Luisillo Contepomi
In reply to this post by Fleep Tuque


2011/3/30 Fleep Tuque <[hidden email]>
> Each machine on the campus network has both an internal and an external IP address.

I would try everything with the external addresses, and have the inside users connect through the external URI as well.
I don't think name resolution is possible from outside your network.

Regards,



Re: NAT & Corporate Firewall

Fleep Tuque
In reply to this post by Edmund Edgar
Hi Edmund,

Nod I've tried that permutation too, no luck.  Here are the combinations I've tried so far:

Test 1:  InternalAddress = 10.23.23.x  ExternalHostName = 129.137.2.x
Result On-Campus: FAIL Result Off-Campus: FAIL

Test 2: InternalAddress = 0.0.0.0 ExternalHostName = 129.137.2.x
Result On-Campus: FAIL Result Off-Campus: FAIL

Test 3: InternalAddress = 10.23.23.x ExternalHostName = ucsim1.irc.uc.edu
Result On-Campus: SUCCESS Result Off-Campus: FAIL

Test 4: InternalAddress = ucsim1.irc.uc.edu ExternalHostName = ucsim1.irc.uc.edu
Result: Opensim.exe crashes

Leaving at the default InternalAddress = 0.0.0.0 and ExternalHostName = SYSTEMIP works for on campus users but not for off campus users.

Has anyone else run into this problem with a campus or corporate firewall?  How did you resolve it?

Thanks again,

- Chris


Re: NAT & Corporate Firewall

Diva Canto
Try the missing combination
InternalAddress=0.0.0.0 ExternalHostName=ucsim1.irc.uc.edu


Re: NAT & Corporate Firewall

Fleep Tuque
Yep no luck with that one either.  

[University of Cincinnati]
RegionUUID = 5985af1b-4223-4a12-ba87-1c3830a44e97
Location = 9000,9000
InternalAddress = 0.0.0.0
InternalPort = 9000
AllowAlternatePorts = False
ExternalHostName = ucsim1.irc.uc.edu

This is what I see on the opensim.log:

2011-03-30 11:44:07,114 DEBUG - OpenSim.Region.CoreModules.ServiceConnectorsOut.Simulation.LocalSimulationConnectorModule [LOCAL SIMULATION CONNECTOR]: Found region University of Cincinnati to send SendCreateChildAgent
2011-03-30 11:44:07,118 INFO  - OpenSim.Region.Framework.Scenes.Scene [CONNECTION BEGIN]: Region University of Cincinnati told of incoming root agent Fleep Tuque 883317bb-bcf1-4e5b-82f1-330f24fb32a7 (circuit code 871509482, teleportflags 128)
2011-03-30 11:44:07,344 INFO  - OpenSim.Region.Framework.Scenes.Scene [CONNECTION BEGIN]: Region University of Cincinnati authenticated and authorized incoming root agent Fleep Tuque 883317bb-bcf1-4e5b-82f1-330f24fb32a7 (circuit code 871509482)
2011-03-30 11:44:07,348 DEBUG - OpenSim.Region.CoreModules.Agent.Capabilities.CapabilitiesModule [CAPS]: Reregistering caps for agent 883317bb-bcf1-4e5b-82f1-330f24fb32a7.  Old caps path e89d38e3-fc0c-4c17-bf91-2b0e73b89735, new caps path 00e226b9-6b4a-4025-974b-c813725f6b52. 
2011-03-30 11:44:07,350 DEBUG - OpenSim.Framework.Capabilities.Caps [CAPS]: Registered seed capability /CAPS/00e226b9-6b4a-4025-974b-c813725f6b520000/ for 883317bb-bcf1-4e5b-82f1-330f24fb32a7
2011-03-30 11:44:07,353 DEBUG - OpenSim.Region.CoreModules.Framework.EventQueue.EventQueueGetModule [EVENTQUEUE]: Found Existing UUID!
2011-03-30 11:44:07,356 INFO  - OpenSim.Region.CoreModules.Avatar.ObjectCaps.ObjectAdd [OBJECTADD]: /CAPS/OA/65e157bc-6345-4ab3-bd27-a9d9074b4768/
2011-03-30 11:44:07,359 INFO  - OpenSim.Region.CoreModules.Avatar.ObjectCaps.GetTextureModule [GETTEXTURE]: /CAPS/30f93e03-8f90-45d7-a6ee-a8e3c9fda71f
2011-03-30 11:44:13,837 DEBUG - OpenSim.Framework.Capabilities.Caps [CAPS]: Seed Caps Request in region: University of Cincinnati
2011-03-30 11:44:13,840 DEBUG - OpenSim.Region.Framework.Scenes.Scene [SCENE]: Incoming client Fleep Tuque in region University of Cincinnati via regular login. Client IP verification not performed.

On the client side it gets to Region Handshake and then hangs.  Users from on campus are still able to log in though.

- Chris /Fleep



Re: NAT & Corporate Firewall

jeffersontwig
Hello, change the port to 9001

Jefferson


Re: NAT & Corporate Firewall

Diva Canto
In reply to this post by Fleep Tuque
That sounds like a firewall problem.


Re: NAT & Corporate Firewall

Edmund Edgar
This probably won't help Fleep, but does anyone know what this
broken-Englished sentence on the wiki is supposed to say?

# Internal IP address - This should always be 0.0.0.0 (0.0.0.0 means
"listen for connections on any interface", basically a wildcard) if
you want to access this server from the internet or another server on
your internal network, this should be the IP address assigned to the
OpenSim Server.

http://opensimulator.org/wiki/Configuration


Re: NAT & Corporate Firewall

Mike Chase
On 03/30/2011 12:16 PM, Edmund Edgar wrote:

> This probably won't help Fleep, but does anyone know what this
> broken-Englished sentence on the wiki is supposed to say?
>
> # Internal IP address - This should always be 0.0.0.0 (0.0.0.0 means
> "listen for connections on any interface", basically a wildcard) if
> you want to access this server from the internet or another server on
> your internal network, this should be the IP address assigned to the
> OpenSim Server.
>
> http://opensimulator.org/wiki/Configuration
>
On a computer that has multiple "nics" (virtual or otherwise) 0.0.0.0
binds to all of the nics (i.e. traffic can come in on any of the nics)
rather than a specific IP address which is bound to a specific nic.

I can't say why the wildcard address wouldn't work externally (the second
half of the paragraph).  I haven't looked that closely at the connection
code.

Mike

Re: NAT & Corporate Firewall

Adelle Fitzgerald
In reply to this post by Edmund Edgar
As I understand it, that is used for binding opensim to a specific IP
address, where the opensim server may have more than one IP address on a
network interface or multiple network interfaces.

0.0.0.0 = listen on all available IP addresses, or specify (bind) to a
specific IP address.




Re: NAT & Corporate Firewall

Gary Beck
In reply to this post by Fleep Tuque
Chris/Fleep
 
If all was well in your setup then Tests 1,2 &3 should work for both on and off campus users.
 
Off Campus being sent a local network address for handshake implies that on the server system ucsim1.irc.uc.edu is resolving to the local address instead of the external IP address.  To work properly both on-campus and off-campus need to be sent the external IP address.
 
On Campus failures in Tests 1 & 2 indicate that NAT Loop-Back is not in effect.   You don't appear to be reaching your local server from on-campus using its external IP address.  However, if the failure is at handshake and Loop-Back is in effect that suggests the UDP port is open for the local address and blocked for the external address.
 
Off Campus failures in Tests 1 & 2 suggest that the TCP port is open while the UDP port is not (assuming failure is at handshake.)  I know you say they're verified open but this is what your results indicate.
 
- Gary
----- Original Message -----
Sent: Wednesday, March 30, 2011 11:49
Subject: Re: [Opensim-users] NAT & Corporate Firewall

Yep no luck with that one either.  

[University of Cincinnati]
RegionUUID = 5985af1b-4223-4a12-ba87-1c3830a44e97
Location = 9000,9000
InternalAddress = 0.0.0.0
InternalPort = 9000
AllowAlternatePorts = False
ExternalHostName = ucsim1.irc.uc.edu

This is what I see on the opensim.log:

2011-03-30 11:44:07,114 DEBUG - OpenSim.Region.CoreModules.ServiceConnectorsOut.Simulation.LocalSimulationConnectorModule [LOCAL SIMULATION CONNECTOR]: Found region University of Cincinnati to send SendCreateChildAgent
2011-03-30 11:44:07,118 INFO  - OpenSim.Region.Framework.Scenes.Scene [CONNECTION BEGIN]: Region University of Cincinnati told of incoming root agent Fleep Tuque 883317bb-bcf1-4e5b-82f1-330f24fb32a7 (circuit code 871509482, teleportflags 128)
2011-03-30 11:44:07,344 INFO  - OpenSim.Region.Framework.Scenes.Scene [CONNECTION BEGIN]: Region University of Cincinnati authenticated and authorized incoming root agent Fleep Tuque 883317bb-bcf1-4e5b-82f1-330f24fb32a7 (circuit code 871509482)
2011-03-30 11:44:07,348 DEBUG - OpenSim.Region.CoreModules.Agent.Capabilities.CapabilitiesModule [CAPS]: Reregistering caps for agent 883317bb-bcf1-4e5b-82f1-330f24fb32a7.  Old caps path e89d38e3-fc0c-4c17-bf91-2b0e73b89735, new caps path 00e226b9-6b4a-4025-974b-c813725f6b52. 
2011-03-30 11:44:07,350 DEBUG - OpenSim.Framework.Capabilities.Caps [CAPS]: Registered seed capability /CAPS/00e226b9-6b4a-4025-974b-c813725f6b520000/ for 883317bb-bcf1-4e5b-82f1-330f24fb32a7
2011-03-30 11:44:07,353 DEBUG - OpenSim.Region.CoreModules.Framework.EventQueue.EventQueueGetModule [EVENTQUEUE]: Found Existing UUID!
2011-03-30 11:44:07,356 INFO  - OpenSim.Region.CoreModules.Avatar.ObjectCaps.ObjectAdd [OBJECTADD]: /CAPS/OA/65e157bc-6345-4ab3-bd27-a9d9074b4768/
2011-03-30 11:44:07,359 INFO  - OpenSim.Region.CoreModules.Avatar.ObjectCaps.GetTextureModule [GETTEXTURE]: /CAPS/30f93e03-8f90-45d7-a6ee-a8e3c9fda71f
2011-03-30 11:44:13,837 DEBUG - OpenSim.Framework.Capabilities.Caps [CAPS]: Seed Caps Request in region: University of Cincinnati
2011-03-30 11:44:13,840 DEBUG - OpenSim.Region.Framework.Scenes.Scene [SCENE]: Incoming client Fleep Tuque in region University of Cincinnati via regular login. Client IP verification not performed.

On the client side it gets to Region Handshake and then hangs..  Users from on campus are still able to log in though.

- Chris /Fleep


Chris M. Collins (SL: Fleep Tuque)
Project Manager, UC Second Life 
Second Life Ambassador, Ohio Learning Network 
UCit Instructional & Research Computing
University of Cincinnati 
406E Zimmer Hall
PO Box 210088
Cincinnati, OH 45221-0088
(513)556-3018






On Wed, Mar 30, 2011 at 11:17 AM, Diva Canto <[hidden email]> wrote:
Try the missing combination
InternalAddress=0.0.0.0 ExternalHostName=ucsim1.irc.uc.edu


On 3/30/2011 8:11 AM, Fleep Tuque wrote:
Hi Edmund,

Nod I've tried that permutation too, no luck.  Here are the combinations I've tried so far:

Test 1:  InternalAddress = 10.23.23.x  ExternalHostName = 129.137.2.x
Result On-Campus: FAIL Result Off-Campus: FAIL

Test 2: InternalAddress = 0.0.0.0 ExternalHostName = 129.137.2.x
Result On-Campus: FAIL Result Off-Campus: FAIL

Test 3: InternalAddress = 10.23.23.x ExternalHostName = ucsim1.irc.uc.edu
Result On-Campus: SUCCESS Result Off-Campus: FAIL

Test 4: InternalAddress = ucsim1.irc.uc.edu ExternalHostName = ucsim1.irc.uc.edu
Result: Opensim.exe crashes

Leaving at the default InternalAddress = 0.0.0.0 and ExternalHostName = SYSTEMIP works for on campus users but not for off campus users.

Has anyone else run into this problem with a campus or corporate firewall?  How did you resolve it?

Thanks again,

- Chris


Chris M. Collins (SL: Fleep Tuque)
Project Manager, UC Second Life 
Second Life Ambassador, Ohio Learning Network 
UCit Instructional & Research Computing
University of Cincinnati 
406E Zimmer Hall
PO Box 210088
Cincinnati, OH 45221-0088
(513)556-3018





On Wed, Mar 30, 2011 at 11:03 AM, Edmund Edgar <[hidden email]> wrote:
Hi Fleep.

Maybe you've already tried this, but I'd suggest setting
ExternalHostName as your external IP (129.137.2.x) rather than your
hostname (ucsim1.irc.uc.edu).

Behind NAT, some places (including Amazon EC2, I found) use an (IMHO
evil) thing called Split DNS (or "Split Brain DNS"), where the IP
address you get inside the firewall is different to the one you get
outside your firewall. This may be causing your OpenSim box to think
that ucsim1.irc.uc.edu is 10.23.23.x rather than 129.137.2.x.

HTH, let us know how you get on.

On 30 March 2011 23:44, Fleep Tuque <[hidden email]> wrote:
> the client
> correctly uses the external IP to communicate with the robust server, but
> after the authentication process, I see the client trying to send packets to
> the simulator machine's internal IP (10.23.23.x) instead of an external IP
> address (129.137.2.x).
> [snip]
> In the region.ini file I've tried
> various permutations of the InternalAddress and ExternalHostName variables,
> currently InternalAddress is set to the internal IP 10.23.23.x and the
> ExternalHostName is set to the hostname ucsim1.irc.uc.edu (the box running
> opensim.exe).

--
Edmund Edgar
Founder, KK Social Minds
Educational Technology for the Web and Virtual Worlds

[hidden email]
+81 090 3912 3380
Skype: edmundedgar
Second Life: Edmund Earp
Linked In: edmundedgar
Twitter: @edmundedgar
http://www.socialminds.jp

Re: NAT & Corporate Firewall

Antoine Bapst
In reply to this post by Fleep Tuque
@Edmund
(So far I can explain this more clearly) This means that if your purpose is
to address the server from outside your private network (i.e. another server
with another IP mask or from the Internet) you have to wildcard the internal
IP address parameter of your OpenSim Server using "0.0.0.0" syntax (without
quotes).
Sorry, that could also sound as broken English ... froggy here.



Re: NAT & Corporate Firewall

justincc
In reply to this post by Adelle Fitzgerald
 From my understanding of the code, using 0.0.0.0 will make the UDP listen to the 'most appropriate' IP address as
assigned to the server's NICs (see http://msdn.microsoft.com/en-us/library/system.net.sockets.socket.bind.aspx,
IPAddress.Any = 0.0.0.0).

On a machine with just one NIC this should be fine.  But on a machine with two NICs I'm guessing you would really want
to explicitly state the right address.

The internal address is used to bind the UDP listener.  However, the client is told to connect to the external host name
(if this or the port is incorrect then the client connection will timeout on the 'connecting to region' bit).

Confusingly, the 'internal port' is used for both the internal UDP listener and is passed to the client as the external
connection port.

Some people on Stack Overflow think that IPAddress.Any means listen on all NICs
(http://stackoverflow.com/questions/1777629/how-to-listen-on-multiple-ip-addresses).  But my reading of the MS SDK
reference above means that it only binds to one.  Anybody able to comment on this?

And does anybody actually use a non 0.0.0.0 internal address and in what context?  I'd really like to clear up my
understanding of this so that we can improve the instructions.


On 30/03/11 17:28, Adelle Fitzgerald wrote:

> As I understand it, that is used for binding opensim to a specific IP
> address, where the opensim server may have more than one IP address on a
> network interface or multiple network interfaces.
>
> 0.0.0.0 = listen on all available IP addresses, or specify (bind) to a
> specific IP address.
>
>
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Edmund
> Edgar
> Sent: 30 March 2011 17:16
> To: [hidden email]
> Subject: Re: [Opensim-users] NAT&  Corporate Firewall
>
> This probably won't help Fleep, but does anyone know what this
> broken-Englished sentence on the wiki is supposed to say?
>
> # Internal IP address - This should always be 0.0.0.0 (0.0.0.0 means
> "listen for connections on any interface", basically a wildcard) if
> you want to access this server from the internet or another server on
> your internal network, this should be the IP address assigned to the
> OpenSim Server.
>
> http://opensimulator.org/wiki/Configuration
>


--
Justin Clark-Casey (justincc)
http://justincc.org/blog
http://twitter.com/justincc

Re: NAT & Corporate Firewall

Slavin, Simon

On 1 Apr 2011, at 12:43am, Justin Clark-Casey wrote:

> Some people on Stack Overflow think that IPAddress.Any means listen on all NICs (http://stackoverflow.com/questions/1777629/how-to-listen-on-multiple-ip-addresses).  But my reading of the MS SDK reference above means that it only binds to one.  Anybody able to comment on this?

Stack Overflow is right.  My reading of that SDK page is that it's wrong, and should be corrected, but other MS documentation is clearer on what '::Any' means, for example

http://msdn.microsoft.com/en-us/library/system.net.ipaddress.any.aspx

Returning to the standards, IP address 0.0.0.0 is reserved for specific purposes for both sending and receiving.  It's called the 'anonymous' address (for historical reasons) or the 'broadcast' address (for current reasons).

If a computer SENDS a packet to 0.0.0.0 then it is multibroadcasting: sending one message to every computer that can hear it.  This is done most often to announce the (un)availability of a service, for instance that a printer service has come online.  Sending to address 0.0.0.0 is done by, for example, DHCP and zeroconf (what Apple calls 'Bonjour').  Things like routers are usually set up to drop packets SENT to 0.0.0.0 so that you don't announce to the entire world what address your printer can be found on.

When a computer LISTENS to the network interface bound to 0.0.0.0 then it is telling its TCP stack that it doesn't care which network interface a message comes in on, it wants it anyway.  Almost every Internet application does this, especially now many have both Ethernet sockets and WiFi capabilities: an app doesn't care what its user is using right now, it just wants to 'use the internet'.  Under normal circumstances the only programs which /don't/ listen on 0.0.0.0 are techie programs like network utilities, or a web server on a gateway computer which needs to present a web site to internal users and make sure it isn't available to external users.

I tried to find an RFC to point to as reference but nothing seems to spell this out.  The nearest thing I could find was RFC950.

Simon.

Re: NAT & Corporate Firewall

Fleep Tuque
In reply to this post by justincc
Sorry I haven't replied in a few days, had an inconvenient office move in the middle of all this.  

Justin wrote:  

Confusingly, the 'internal port' is used for both the internal UDP listener and is passed to the client as the external connection port.

It sounds like this might be part of the problem with our campus set up.  I couldn't figure out where the client was even getting the 10.23.23.x internal address to send packets to, but it appears that if I leave the default InternalAddress = 0.0.0.0 in the region.ini file, then somehow that is passed to the off-campus client as the internal IP, which of course doesn't work.

Will consult with the NOC again with this latest information and many thanks to all for helping shed light on this.

Sincerely,

- Chris/Fleep


Chris M. Collins (SL: Fleep Tuque)
Project Manager, UC Second Life 
Second Life Ambassador, Ohio Learning Network 
UCit Instructional & Research Computing
University of Cincinnati 
406E Zimmer Hall
PO Box 210088
Cincinnati, OH 45221-0088
(513)556-3018





Re: NAT & Corporate Firewall

Gary Beck
InternalAddress is the address internally used by the server to listen for traffic - this parameter is not used to inform the client for use in the handshake.
 
To set up the UDP handshake the server resolves the ExternalHostName to an IP address.
InternalPort (in your case 9000) is added to the address derived from ExternalHostName.
The server passes that address to the client, which then attempts to use it for the handshake.
In your case the server should be sending an IP address like  http://129.137.2.x:9000
However you say you can see at the client that it is using an address like http://10.23.23.x:9000
To me that indicates that on your server ucsim1.irc.uc.edu is resolving to 10.23.23.x which is a problem.
 
You can see what is used to produce the UDP handshake address using this server command: 
    show region yourregionname
 
For the parameters that follow the show region command output would include this:
 
 
Example region parameters that work successfully for internal and external clients:
 
[REGIONNAME]
RegionUUID = 0d8662a9-e7cb-4552-a701-8bbc3e08ed17
Location = 1001,1000
InternalAddress = 0.0.0.0
InternalPort = 9000
AllowAlternatePorts = False
ExternalHostName = something.dyndns-mail.com

Re: NAT & Corporate Firewall

Fleep Tuque
On Fri, Apr 1, 2011 at 11:10 AM, Gary Beck <[hidden email]> wrote:
InternalAddress is the address internally used by the server to listen for traffic - this parameter is not used to inform the client for use in the handshake.
 
To set up the UDP handshake the server resolves the ExternalHostName to an IP address.
 
So if this is correct you're saying that opensim is doing the DNS resolution for the remote client?   That seems not good.  I mean, surely we're not the only campus with split DNS...

- Chris/Fleep

Chris M. Collins (SL: Fleep Tuque)
Project Manager, UC Second Life 
Second Life Ambassador, Ohio Learning Network 
UCit Instructional & Research Computing
University of Cincinnati 
406E Zimmer Hall
PO Box 210088
Cincinnati, OH 45221-0088
(513)556-3018







Re: NAT & Corporate Firewall

Gary Beck
Chris/Fleep,
 
Yes, opensim is doing DNS resolution for the remote client.  
 
This is a frequent problem area for implementations with internal and external clients.  There's added confusion because using domain names at the client which match those used in the server works to begin login and then fails in the handshake phase.  Home networks can often solve the problem by turning on NAT loopback in the router. 
 
I agree that split DNS is probably common.  Perhaps someone running that environment can offer a suggestion. 
 
- Gary
 
Chris/Fleep wrote:

On Fri, Apr 1, 2011 at 11:10 AM, Gary Beck <gab4gab@...> wrote:
InternalAddress is the address internally used by the server to listen for traffic - this parameter is not used to inform the client for use in the handshake.
 
To set up the UDP handshake the server resolves the ExternalHostName to an IP address.
 
So if this is correct you're saying that opensim is doing the DNS resolution for the remote client?   That seems not good.  I mean, surely we're not the only campus with split DNS...


Re: NAT & Corporate Firewall

justincc
In reply to this post by Slavin, Simon
Thanks for the info Simon, that's cleared that up for me.  And thanks to the others contributing to this thread.

I think that a utility to test a connection and provide an explicit diagnosis (rather than the clues provided by the
client just hanging in various places) would be rather nice to have.

On 01/04/11 12:59, Simon Slavin wrote:

>
> On 1 Apr 2011, at 12:43am, Justin Clark-Casey wrote:
>
>> Some people on Stack Overflow think that IPAddress.Any means listen on all NICs (http://stackoverflow.com/questions/1777629/how-to-listen-on-multiple-ip-addresses).  But my reading of the MS SDK reference above means that it only binds to one.  Anybody able to comment on this?
>
> Stack Overflow is right.  My reading of that SDK page is that it's wrong, and should be corrected, but other MS documentation is clearer on what '::Any' means, for example
>
> http://msdn.microsoft.com/en-us/library/system.net.ipaddress.any.aspx
>
> Returning to the standards, IP address 0.0.0.0 is reserved for specific purposes for both sending and receiving.  It's called the 'anonymous' address (for historical reasons) or the 'broadcast' address (for current reasons).
>
> If a computer SENDS a packet to 0.0.0.0 then it is multibroadcasting: sending one message to every computer that can hear it.  This is done most often to announce the (un)availability of a service, for instance that a printer service has come online.  Sending to address 0.0.0.0 is done by, for example, DHCP and zeroconf (what Apple calls 'Bonjour').  Things like routers are usually set up to drop packets SENT to 0.0.0.0 so that you don't announce to the entire world what address your printer can be found on.
>
> When a computer LISTENS to the network interface bound to 0.0.0.0 then it is telling its TCP stack that it doesn't care which network interface a message comes in on, it wants it anyway.  Almost every Internet application does this, especially now many have both Ethernet sockets and WiFi capabilities: an app doesn't care what its user is using right now, it just wants to 'use the internet'.  Under normal circumstances the only programs which /don't/ listen on 0.0.0.0 are techie programs like network utilities, or a web server on a gateway computer which needs to present a web site to internal users and make sure it isn't available to external users.
>
> I tried to find an RFC to point to as reference but nothing seems to spell this out.  The nearest thing I could find was RFC950.
>
> Simon.


--
Justin Clark-Casey (justincc)
http://justincc.org/blog
http://twitter.com/justincc
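
Added example (not part of the thread and not OpenSim code): a small checker for the behaviour Gary Beck describes above, where ExternalHostName is resolved on the server and paired with InternalPort, giving the kind of explicit diagnosis Justin asks for. The function names, finding codes and the addresses 10.23.23.10 and 203.0.113.10 are constructed for illustration, and treating SYSTEMIP as the server's own interface address is an assumption.

```python
import configparser
import ipaddress
import socket

# Constructed sample: the region section posted in the thread.
SAMPLE_REGION_INI = """\
[University of Cincinnati]
RegionUUID = 5985af1b-4223-4a12-ba87-1c3830a44e97
Location = 9000,9000
InternalAddress = 0.0.0.0
InternalPort = 9000
AllowAlternatePorts = False
ExternalHostName = ucsim1.irc.uc.edu
"""

# RFC 1918 ranges: addresses an off-site viewer cannot route to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_regions(ini_text):
    """Parse region definitions into {region name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the mixed-case key names
    parser.read_string(ini_text)
    return {name: dict(parser[name]) for name in parser.sections()}


def is_ip_literal(value):
    """True if value parses as an IPv4/IPv6 address rather than a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def advertised_endpoint(region, resolve=socket.gethostbyname, local_ip=None):
    """(ip, port) handed to the viewer, as described in the thread:
    ExternalHostName resolved on the server, paired with InternalPort."""
    host = region["ExternalHostName"].strip()
    if host.upper() == "SYSTEMIP":
        # Assumption: SYSTEMIP stands for the server's own interface
        # address, which the caller supplies as local_ip.
        if local_ip is None:
            raise ValueError("SYSTEMIP needs the server's interface address")
        ip = local_ip
    elif is_ip_literal(host):
        ip = host
    else:
        ip = resolve(host)  # the server's view of DNS, not the client's
    return ip, int(region["InternalPort"])


def diagnose(region, resolve=socket.gethostbyname, local_ip=None,
             outside_ip=None):
    """Return [(code, message)]; an empty list means nothing was found.
    outside_ip is the answer a lookup made from OFF the network returns."""
    findings = []
    internal = region.get("InternalAddress", "0.0.0.0").strip()
    if not is_ip_literal(internal):
        # Test 4 in the thread: a host name here crashed opensim.exe.
        findings.append(("INTERNAL_NOT_IP",
                         f"InternalAddress {internal!r} is not an IP literal"))
    try:
        ip, port = advertised_endpoint(region, resolve, local_ip)
    except (OSError, ValueError) as exc:
        findings.append(("UNRESOLVED",
                         f"cannot derive the external address: {exc}"))
        return findings
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified or addr.is_loopback:
        findings.append(("UNUSABLE_ADVERTISED",
                         f"viewers would be sent to {ip}:{port}"))
    elif any(addr in net for net in RFC1918):
        findings.append(("PRIVATE_ADVERTISED",
                         f"viewers are sent to {ip}:{port}, an RFC 1918 "
                         "address that is unreachable from off-site"))
    if outside_ip is not None and ipaddress.ip_address(outside_ip) != addr:
        findings.append(("SPLIT_DNS",
                         f"server resolves the name to {ip}, an outside "
                         f"lookup gives {outside_ip}"))
    return findings


if __name__ == "__main__":
    region = load_regions(SAMPLE_REGION_INI)["University of Cincinnati"]
    # Simulated server-side lookup (constructed address in 10.23.23.x).
    for code, message in diagnose(region, resolve=lambda h: "10.23.23.10",
                                  outside_ip="203.0.113.10"):
        print(code, "-", message)
```

Run on the simulator host with the default resolver, and pass as outside_ip the address an off-campus lookup of the same name returns.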