Time Capsule port mapping is broken for L2TP Servers behind NAT config.
I'm hoping that someone here can refute the below bug assertion... am I missing something?
There is a bug with Apple’s Time Capsule/Airport Express Base Station (TC/AEBS) rendering L2TP servers on the LAN unusable:
When TC/AEBS is used as a router providing NAT services to the LAN, it will NOT under any circumstance provide port mapping services for 500/UDP, 1701/UDP, & 4500/UDP making L2TP VPN servers on the LAN side of TC/AEBS are unreachable from the WAN/Internet side.
*The conditions for my tests*:
3 different external networks used for all tests: MacBook Air at home on TWC network, the Air on AT&T mobile dongle, & CentOS server at ThePlanet.
MobileMe configuration was removed from both the TC/AEBS & Snow Leopard Server on the LAN.
I used port 501 for my control-test; spot checks of other ports worked as well, though they were all < 10000.
Simultaneous local and server monitoring of port traffic using
tcpdump -vvv -i en0 -s 0 -X port 500 or port 1701 or port 4500 or port 501
The TC/AEBS was configured to forward UDP ports 501, 500, 1701, & 4500 received from the WAN interface to the Snow Leopard Server on the LAN.
The port forwarding was accomplished both 1) manually via AirPort Utility, and 2) automatically via Snow Leopard Server’s Server Preferences utility. Each was tested separately.
*The tests*:
Netcat with the following commands, in turn, on the server:
nc -l -u 501
nc -l -u 500
nc -l -u 1700
nc -l -u 4500
which causes traffic to the udp port specified to be dumped to std out. Provides a confirmation of the tcpdump output.
On the various external networks, nc -u WAN-address-of-AEBS.example.com 501 to send UDP packets on port 501. The output of the nc -l 501 command and the server-run tcpdump confirmed that packets left the client and made it to the server as expected. Remember, 501 is the control-test.
For each test permutation on ports 500, 1700, & 4500, no packets made it to the server.
Based on some web research, I’m not the only one to have found trouble with this configuration, but I haven’t been able to find any conclusive tests.
I’ve filed a bug with Apple (#7720101) and encourage you to do the same.
Message was edited by: WebMarc
There is a bug with Apple’s Time Capsule/Airport Express Base Station (TC/AEBS) rendering L2TP servers on the LAN unusable:
When TC/AEBS is used as a router providing NAT services to the LAN, it will NOT under any circumstance provide port mapping services for 500/UDP, 1701/UDP, & 4500/UDP making L2TP VPN servers on the LAN side of TC/AEBS are unreachable from the WAN/Internet side.
*The conditions for my tests*:
3 different external networks used for all tests: MacBook Air at home on TWC network, the Air on AT&T mobile dongle, & CentOS server at ThePlanet.
MobileMe configuration was removed from both the TC/AEBS & Snow Leopard Server on the LAN.
I used port 501 for my control-test; spot checks of other ports worked as well, though they were all < 10000.
Simultaneous local and server monitoring of port traffic using
tcpdump -vvv -i en0 -s 0 -X port 500 or port 1701 or port 4500 or port 501
The TC/AEBS was configured to forward UDP ports 501, 500, 1701, & 4500 received from the WAN interface to the Snow Leopard Server on the LAN.
The port forwarding was accomplished both 1) manually via AirPort Utility, and 2) automatically via Snow Leopard Server’s Server Preferences utility. Each was tested separately.
*The tests*:
Netcat with the following commands, in turn, on the server:
nc -l -u 501
nc -l -u 500
nc -l -u 1700
nc -l -u 4500
which causes traffic to the udp port specified to be dumped to std out. Provides a confirmation of the tcpdump output.
On the various external networks, nc -u WAN-address-of-AEBS.example.com 501 to send UDP packets on port 501. The output of the nc -l 501 command and the server-run tcpdump confirmed that packets left the client and made it to the server as expected. Remember, 501 is the control-test.
For each test permutation on ports 500, 1700, & 4500, no packets made it to the server.
Based on some web research, I’m not the only one to have found trouble with this configuration, but I haven’t been able to find any conclusive tests.
I’ve filed a bug with Apple (#7720101) and encourage you to do the same.
Message was edited by: WebMarc
MBP, MBA, Mini Server, Mac OS X (10.6.2)
