UDT firewall rules

[spider]

Hi all,

I have been struggling to get UDT traffic to work between to OPNsense boxes. Does anybody know the required firewall rules for UDT traffic?

UDT is a bidirectional UDP and I can't figure out how to fix the source port.

TIA - spider

[spider]

Hi all,

I reckon this must be blocked by the ISP, I need to figure out how to tell if the IPS is blocking UDP ports and if so, which ones.

The latest version of UDT file transfer is from https://github.com/Haivision/srt.git

I set up a port forwarding rule to pass UDP traffic on port 4201 to my workstation (all our company workstations run Debian) which then is listening for connections using the command: srt-file-transmit -v srt://4201 file://

Then on a workstation behind an OPNsense firewall connected to a 4G router I ran the command: srt-file-transmit -v file:///usr/src/srt/README.md srt://example.com:4201

What I see on the sending machine is:

Code Select Expand

SOURCE type=file, TARGET type=srt
Extract path '/usr/src/srt/README.md': directory=/usr/src/srt filename=README.md
SRT parameters specified:
        transtype = 'file'
Opening SRT target caller on example.com:4201
Connecting to example.com:4201
Target connected (caller)
Upload: 1456 --> 1456
Upload: 1456 --> 1456
Upload: 1456 --> 1456
Upload: 1456 --> 1456
Upload: 377 --> 377
File sent
Sending buffer still: bytes=6201 blocks=5
Buffers flushed
SrtCommon: DESTROYING CONNECTION, closing sockets (rt%756710371 ls%-1)...
SrtCommon: ... done.

on the receiving machine I see the following:

Code Select Expand

SOURCE type=srt, TARGET type=file
Extract path '': directory=/data/intern/. filename=
SRT parameters specified:
        transtype = 'file'
Opening SRT source listener on :4201
Binding a server on :4201 ...
listen...
Event with status 3
accept...
connected.
Source connected (listener), id [README.md]
Event with status 5
Writing output to [/data/intern/./README.md]
Download: --> 1456
Event with status 5
Download: --> 1456
Event with status 5
Download: --> 1456
Event with status 5
Download: --> 1456
Event with status 5
Download: --> 377
Event with status 6
Connection closed, reading buffer remains
Download COMPLETE.
SrtCommon: DESTROYING CONNECTION, closing sockets (rt%1011421236 ls%-1)...
SrtCommon: ... done.

So, everything is working just file.

As we have an old internet connection, that was used for both internet access and telephony I thought it would be a good idea to use this as a listener to receive incoming files (typically 200 GB) or video streams. So, my first test was to use this connection to send the file to my workstation, this time I see:

Code Select Expand

SOURCE type=file, TARGET type=srt
Extract path '/usr/src/srt/README.md': directory=/usr/src/srt filename=README.md
SRT parameters specified:
        transtype = 'file'
Opening SRT target caller on example.com:4201
Connecting to example.com:4201
Target disconnected
SrtCommon: DESTROYING CONNECTION, closing sockets (rt%643233832 ls%-1)...
SrtCommon: ... done.
So, it is refusing to connect to the same machine listening to the same port.

Does anybody have an idea what would cause this to fail?

Thanks

[spider]

Some network history was causing this to fail. Originally, we have an ISP from the phone company, and then we replaced this ISP with another ISP.

What I did was to create another WAN interface so that I could activate the new internet connection with minimal downtime. After the change over, I kept the original WAN settings in case we needed to fall back to the original ISP. This weekend, I implemented high availability and noticed that a test WireGuard host was getting a handshake. Then the penny dropped, and I realized that the same IP address was on both firewalls.

Removing the static IP from the main firewall (master and backup) for the old WAN connection, then the second firewall worked correctly.

Code Select Expand


Firewall 1 (Master+Backup)
WAN - static IP of ISP1 but no cable
WAN2 - static IP connected to the ISP2
Firewall 2
WAN - static IP connected to ISP1


The fix was to change the WAN interface from a static IP to None.

-spider