NAT traversal questions: Vista firewall, UPnP vs. manual port fwd


html.mencken

Hello!

I want to troubleshoot NAT traversal and I'm a bit confused about

1) the merits and demerits of using UPnP vs. manual port forwarding and

2) the correct settings for the Vista (enhanced) firewall

I'm using µtorrent on Vista Home Premium with the built-in firewall; I'm connecting through a Netgear WPN824v2 router. This router has UPnP capability and it seems to work with Vista.

(Side note: Vista, or at least Vista Home eds. have two general network & firewall modes, "public" and "private". Most users with a small network behind a router are probably going to use the "private" setting; users with no local network or who connect directly without a router may want to use "public". This thread suggests that UPnP will only work with the "private" setting but I haven't confirmed this. I am using the private setting and it seems to work -- I can see the port being forwarded to the correct local IP address in the UPnP section of my router admin panel. It only says TCP, not UDP though, apparently µtorrent only requests UPnP/TCP?.)

My question re 1) is about security and performance. If I understand correctly, UPnP only forwards port(s) if and when requested by the software, in this case µtorrent. Thus, port forwarding occurs only when µtorrent is launched and stops once you close it down. This seems to be significantly more secure compared with assigning a static IP to your machine and more or less permanently opening a specific port on your router and in your firewall. Is this true?

............

The second part of the question is about performance - does UPnP reduce performance when compared to manual port forwarding? If not, are there any good reasons not to use UPnP if the router can handle it?

............

Third part of the question: µtorrent preferences.

"Randomize port" ... I leave this unchecked because I want to open a single port in the Vista firewall only. See below.

"Enable UPnP port mapping" ... checked

"Enable NAT-PMP port mapping" ... unchecked. I'm not sure whether this applies to non-Apple hardware at all? In any case, I'm using a Netgear WPN824v2, not Apple Airport Extreme etc.

re. 2) The Vista firewall has two "incoming" entries for µtorrent, one for UDP and one for TCP (I assume both protocols are in use, in particular UDP is used for DHT?). In both entries, I've specified the remote ports as "any" and the local port as equal to µtorrent's listening port (with "randomize port" unchecked). Both entries are for the "private" network profile.

Although these settings appear ok to me, µtorrent still gives me the NAT traversal warning (yellow triangle). Download speeds are nominal but uploading is borked.

My initial thought was a router issue but the router admin panel indicates that UPnP is in fact working properly. However the port forwarding test under (Ctrl+G) fails. Not sure what to make of it; can the test fail because it's not manual port forwarding but UPnP? Is UPnP not working properly or have I misconfigured the Vista firewall? Do I need to open more ports in my firewall "incoming" rule?

Any thoughts?

P.S. The µtorrent help (.chm) file does not open on Vista.

Link to comment
First, as far as forwarding being secure, if you are forwarding a port but nothing is listening/open on it, it's the same as if the port weren't forwarded. I don't know about efficiency throughput specifics, but I do know that extra relaying of packets does slow you down over the long run. Related to torrenting and torrent traffic, once the configuration is done via UPnP or NAT-PMP (on Apple hardware) it is done, so you are essentially running the same as manually forwarding without having to keep one port or IP at your end for each session. Regarding Vista... I don't have a clue, lol. I despise Vista due to UAC and the fact I couldn't get it to work on the existing network after three people and an hour poked at the damn thing. We just used flash drives to copy the files between computers.

The network status icon only means that you cannot receive incoming connections. You can upload to people who are un-firewalled or configured correctly while firewalled.

Hmm if that is the case relating to the compiled HTML helpdoc it may need to be looked at.. Are you sure you weren't trying to open the zipped version?

Link to comment
Well Vista doesn't seem to hate utorrent, and vice versa. :) Perhaps some actual Vista users can help us out?

The Help file thing is really strange.. I am unzipping with 7-zip and the resulting .chm (compiled html help file) won't open. "Cannot open utorrent.chm". However when I open the zip file inside 7-zip's own file browser and then click "open" utorrent.chm, it actually opens. I have no idea what that is about.. a corrupt or misconfigured zip file perhaps? In any case, this is how you might be able to replicate:

* unzip with 7-zip, then try to open the resulting .chm (fails)

* open inside 7-zip's file browser (works)

Link to comment
I don't see anything unusual with the help file's security settings. Anything particular to look for?

Perhaps someone with access to a Vista machine could help by

1) responding to my question about the firewall rules and UPnP and

2) by trying to repro the help file funniness. Perhaps it's one of the rarest things out there, a bug in 7-zip? ;) AFAIK, older help file formats are being phased out. For example, ".hlp" -type help files have been deprecated but according to the same paper, .chm files are still supported.

EDIT. Maybe it's because the .chm file isn't entirely self-contained, i.e. it's calling web pages? Not sure but I think they clamped down on that a while back in XP when it was considered a security hole. KB #896358 - A vulnerability in HTML Help could allow remote code execution.

Link to comment
The issue with the help file I noticed before:

Do you try to open a .chm file on a network drive or on a local drive? (It doesn't work on a network drive.)

Opening it directly with zip/rar/whatelse opens the .chm file in a (local) temp-folder, so that works.

Just try to copy the .chm to C:\XX.chm and retest :)

Bill, have a look at this very old issue ...

Link to comment
Remember this is on Vista, not XP, so perhaps it's a regression that affects .chm files on Vista only. (Unlike the .hlp help file format for which support has been dropped, .chm is still supported on Vista but it is not the native help file format.) Might be interesting to see if this happens on XP as well.. just make a folder with special chars in the name and try to open the help file inside.

Still looking for ideas on the firewall settings.. it would be great if we could figure out a proper ruleset for mutorrent on Vista.

Link to comment
You were right, it seems to be a Vista-specific issue (the .CHM works fine in XP).

Re. the Vista firewall, well I guess it's up to other Vista users to help you out there. As for my XP firewall, there doesn't seem to be an option for specifying local/remote ports separately that I can see:

6psqp2t.png

Link to comment
  • 5 months later...

I know this thread is several months old, but I want to solve the problem of opening the help file in Vista, so people reading this thread won't get it wrong. The problem has nothing to do with Unicode, or paths.

After downloading the help file, or utorrent.exe for that matter, (and checking it with an antivirus, if we were talking about general downloading), you should open the file's "properties" in Windows Explorer (select the file, then right-click -> properties). In the "general" tab, look for some "unblock" button. Click on it, and it will go gray. Click "ok".

That's it, now double click the help file and you should be ok. BTW, downloading a .zip file and "unblocking" *IT* will actually unblock all its contents. This is faster than extracting the contents and just then selecting each file to unblock.

Link to comment
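
The "Unblock" button described in the post above clears the download mark that Windows stores with a file as an NTFS alternate data stream named `Zone.Identifier`. As an added example (not part of the original thread), this script lists which files under a folder still carry that mark and removes it only when asked to; it assumes PowerShell 3.0 or later, and the default folder is a placeholder.

```powershell
# Added example, not from the thread: audit a folder for files that still carry
# the download mark (Zone.Identifier stream) that the "Unblock" button clears.
# Assumptions: PowerShell 3.0+, NTFS volume, placeholder default path.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [switch]$Unblock   # clear the mark only when explicitly requested
)

# ZoneId values correspond to the Windows URL security zones.
$zoneNames = @{
    0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';      4 = 'Restricted sites'
}

$marked = foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse) {
    # A file without the stream was never marked, or was already unblocked.
    $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier `
                       -ErrorAction SilentlyContinue
    if (-not $stream) { continue }

    # The stream is a small INI-style text; the ZoneId line names the origin zone.
    $zoneId = $null
    foreach ($line in Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }

    $zone = 'Unknown'
    if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) {
        $zone = $zoneNames[$zoneId]
    }

    [pscustomobject]@{ File = $file.FullName; ZoneId = $zoneId; Zone = $zone }
}

$marked | Format-Table -AutoSize

if ($Unblock) {
    # Same effect as clicking "Unblock" in the file's Properties dialog.
    $marked | ForEach-Object { Unblock-File -LiteralPath $_.File }
}
```

Run it without `-Unblock` first to review what is marked, and scan the files before clearing the mark, as the post advises.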
Archived

This topic is now archived and is closed to further replies.
