ProPain

Internet Connection Sharing [ICS]


I'm having problems getting Internet Connection Sharing [ICS] to work.

The setup: it's a laptop running Windows 7 x64 SP1 that gets its internet via a built-in WiFi card [this part works fine], and shares this connection with an Xbox 1 over a wired [ethernet] connection [this doesn't work]. This setup worked well before installing Online Armor, but now silently fails.

The OA "Firewall Status" window does not show any blocked connections, and neither does the log.

Under Firewall Setting - Rules - Interfaces: the local area connection is set to "Trusted" and under the Computers tab the IP / MAC address of the Xbox is marked as Trusted.

There are no pop-ups [either balloons or dialog boxes], even though those are enabled.

Interestingly enough, I can still initiate and use an FTP connection to the Xbox with no problems, so there's at least some communication possible.

If it helps, the Xbox is trying a DNS lookup [port 53] and a time query [sNTP, port 123], which both fail, after which it gives up.

[Yes, I've tried rebooting.]

Any ideas?


To allow ICS to work you need to add a rule on the laptop in OA, for UDP OUT on Port 53 and make it for "All Programs". Most likely a similar rule will be required for the time query.


Thanks for the reply catprincess, but if I allow "All Programs" access to port 53 [DNS], isn't that tantamount to giving internet access to everything?


It's only allowing all programs to make DNS lookups to find the IP address associated with a domain name. Individual programs still require their own rule to use any other ports. As an example, if you allow DNS for all programs, it doesn't mean that a browser can connect using http (port 80) when there is no rule allowing that port for that program present in the rules list.


As far as I can tell, when ICS is working, it's svchost.exe that appears to be making the connections on behalf of the shared computer. Since svchost was already automatically allowed to do pretty much anything it wants [such as phone home to Microsoft repeatedly], why do I need to allow "All Programs" to have DNS access?

FTR: Opening port 53 for all programs does fix the problem, but it strikes me as a heavy-handed solution.

I am not trying to be difficult, or rude; I just like to understand how things work.

Also, I don't understand why the blocked DNS query was not logged. Shouldn't OA be logging everything that's blocked? And why no pop-up or prompt?



If allowing UDP Port 53 OUT for svchost works, then sure, you can use this rule instead :) It didn't used to work in the past though and I don't currently use ICS to be able to verify it one way or the other now.

Sorry, I'm not sure why the connection attempt from the Xbox isn't logged, or why there is no popup or prompt. All I know is that it's always been this way, and the solution given to allow ICS to work is as I mentioned above; when I used to have an ICS setup here, that's what I did. Possibly someone from Emsisoft can give you a more technical answer perhaps :)


catprincess, I very much appreciate you taking the time to help me. Thanks!

In case this thread is helpful to anyone suffering from similar issues: allowing svchost to use port 53 did NOT work, although I don't understand why. Opening port 53 for all programs DID work, however.

So if anyone knows which program is actually acting as the proxy during ICS, I would like to know [mostly for my own edification].


I think that ICS in Windows 7 uses IPv6, which is not supported by OA. Allowing all programs to use port 53 may allow (IPv6 requests); allowing port 53 for an individual program may not.


[...]Allowing all programs to use port 53 may allow (IPv6 requests); allowing port 53 for an individual program may not.

I don't understand IPv6 well enough to debate it, but that doesn't sound quite right to me. Could you please explain it? Thanks in advance.


Did some more checking and I am probably incorrect - please ignore my thought. However, you may need a rule for UDP incoming to port 53 on the PC (for svchost) to allow the Xbox to make successful DNS requests. The time query will be failing because the DNS request fails.

Does the xbox get a valid IP address?


svchost already had virtually unfettered access [automatically], including port 53 [in and out], but it wasn't until I opened port 53 for all programs [per catprincess] that the Xbox was finally able to connect. It works fine this way, but I can't help but think that there has to be a more elegant solution than completely opening a port.

What really bothers me is not understanding why it must be done this way.

And yes, the Xbox does get an IP address [static, for my convenience, but DHCP works too]. And I don't much care about the time query as the Xbox keeps time remarkably well on its own.

I appreciate you taking the time to offer your insights, judson. Thanks.


No worries - opening UDP port 53 outgoing for all programs is not a major issue as long as the DNS server's address is not compromised. I have never used ICS but it may be that 'system', rather than svchost, needs the port 53 incoming rule. BTW, successful DNS requests by allowing port 53 access for all programs, rather than just svchost, makes no sense to me (too).


svchost already had virtually unfettered access [automatically], including port 53 [in and out]

OK, but your statement is unclear. Allowing svchost 'unfettered' (allow everything?) access is a bit of a worry. svchost should be carefully controlled, particularly for incoming packets.


[...]svchost should be carefully controlled, particularly for incoming packets.

That was my initial thought as well, but in my experience, if svchost is too restricted I lose internet connectivity completely. So this time I let OA decide what svchost should be allowed to do, and it decided [automatically, with no prompting] to allow nearly every port and protocol.

One would think that OA would know how to safely deal with a core Windows component. Is there a better way?


Many thanks to ProPain and everyone who gave him advice. This thread saved me a lot of trouble. But not all trouble...

My gaming setup is similar to ProPain's, except I'm running Windows XP and an Xbox 360. After initially failing to connect with Xbox Live (henceforth XBL), I opened port 53 to outbound UDP traffic, as described above, and the Xbox was able to connect to the internet. Then, new problems started showing up.

-The Xbox gave me an error message about an insufficient MTU (Maximum Transmission Unit). I found the Xbox support page for that error message, and one of the solutions mentioned four ports that have to be open. In addition to port 53, it needs port 80 (HTTP), port 88 (Kerberos authentication protocol), and port 3074 (used exclusively by Microsoft's gaming services).

-I found I could access XBL if I opened all four ports to all traffic (gulp), or disabled OA entirely and reverted to Windows firewall (bigger gulp). Needless to say, I don't want to do either of those permanently.

-The internets said that port 3074 is only used by XBL and its PC equivalent, so I figured I could safely unshackle that one. Upon doing so, I stopped getting the MTU error message. In its place, it said it could connect to the internet but not to XBL.

-I finally got online by opening port 88 to all UDP traffic (I didn't need to do anything with port 80). Seeing as how I think a "network port" is the hole my LAN cable goes in, I ran this by a more computer-savvy friend, and he said it was safe to do so.

I'm all but clueless on networking. Am I taking any risks by opening ports 3074 and 88? There aren't that many people using laptops as Xbox wifi adapters, so it seems like it would be pointless to attack 3074, and I can't imagine a trojan would bother with authentication, so 88 seems safe as well. Am I wrong about any of this?

Thanks to everyone who's already posted here. If anyone else reads this on account of the same problem, I hope it helps.


Am I taking any risks by opening ports 3074 and 88?

You can add endpoint restrictions in the paid versions of Online Armor, that allow you to restrict the IPs or countries that connections are allowed for, for these ports. You could then add the Xbox's IP address so that these rules only allowed inbound to the Xbox and not your laptop etc. You can also add only a specific IP range that the inbound connections are allowed to come from.

To do this you just double click the rule and go to the Endpoint Restrictions tab, untick "Use global restrictions", then select the radio box for "Only to the following endpoints" and/or "Only to the following countries" and enter the desired IPs and/or countries :)
