Firewall

From Tunngle Wiki

Revision as of 13:31, 19 April 2012 by Brioche (Talk | contribs)

Firewall

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices that is configured to permit or deny network transmissions based upon a set of rules and other criteria.

Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which inspects each message and blocks those that do not meet the specified security criteria.

Tunngle Requirements

Tunngle has two network-capable executables:

  • Tunngle.exe: the Tunngle client interface.
  • TnglCtrl.exe: the Tunngle service, the core of Tunngle networking.

You can find these files in the Tunngle folder which is usually located in your Program Files folder.

Tunngle has one network adapter which is configured in the following way:

  • IP: 7.x.x.x
  • Subnet Mask: 255.0.0.0
  • Gateway: 7.254.254.254

DHCP traffic over the Tunngle adapter must be allowed in order for Tunngle to successfully acquire a Virtual IP.

Tunngle and Firewalls

When it comes to Tunngle problems, you might have to deal with three kinds of firewalls, depending on your system:

  • Windows Firewall
  • Security Suite Firewall
  • Router SPI Firewall (only in rare special cases)

Windows Firewall

Tunngle Setup

Windows Firewall is the easiest to handle. Tunngle automatically creates the Windows Firewall rules upon installation, so chances are that you won't have to worry about it. In certain cases, however, changes to the Windows Network Settings (especially under Vista and 7) or to the Windows Firewall rules might cause minor problems.

To check that everything is ok:

  • Windows XP: go to Control Panel->Windows Firewall->Exceptions and check that the Tunngle Client and Tunngle Service rules are there and checked. If they are not checked, please check them. If they are not there, click Add, browse to the Tunngle folder and select Tunngle.exe. Repeat the same procedure for TnglCtrl.exe. Click OK to apply and you are done.
  • Windows Vista/Seven: go to Control Panel->Windows Firewall->Allow a Program Through Windows Firewall and check that the Tunngle Client and Tunngle Service rules are there and that both the Home/Work and Public checkboxes are checked. If they are not there click Change Settings, then click Add, Browse to the Tunngle Folder and select Tunngle.exe. Repeat the same procedure for TnglCtrl.exe. Be sure that both the Home/Work and Public checkboxes are checked for the rules that you created. Click OK to apply and you are done.

Game Setup - Network Locations

Windows Network Location

In Windows Vista/Seven Microsoft introduced the concept of network locations.
The first time that you connect to a network (e.g. the first time that you start Tunngle), you will be asked to choose a network location.
There are three network locations: Home, Work, and Public place.
If by chance your game exceptions are not set for the location that you select the first time you run Tunngle, you might not be able to host your games over the Tunngle adapter (i.e. people might have trouble seeing or joining your game).
To ensure that Windows Firewall is properly configured for your game just go to Control Panel->Windows Firewall->Allow a Program Through Windows Firewall and check that the Game Executable rules are there and that both the Home/Work and Public checkboxes are checked (or just the proper one if you know the right Tunngle location).
If you can't find the exceptions, click Change Settings, then click Add, Browse to the game folder and select the game executable. Again be sure that both the Home/Work and Public checkboxes are checked for the rules that you created (or the proper one if you know which it is). Click OK to apply and you are done.
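
A read-only check of the rules described in the Windows Firewall and Game Setup steps above, as an added example that is not part of the original wiki page or the Tunngle project. It assumes PowerShell on Windows Vista or later (the `HNetCfg.FwPolicy2` COM interface is not available on XP); `YourGame.exe` is a hypothetical placeholder for the game executable you host.

```powershell
# Added example: read-only audit through the HNetCfg.FwPolicy2 COM interface.
# 'YourGame.exe' is a hypothetical placeholder for the game you host.
$wanted = 'Tunngle.exe', 'TnglCtrl.exe', 'YourGame.exe'
$both   = 2 -bor 4   # NET_FW_PROFILE2_PRIVATE (Home/Work) + NET_FW_PROFILE2_PUBLIC

$policy = New-Object -ComObject HNetCfg.FwPolicy2

foreach ($exe in $wanted) {
    # Match on the file name so the check works wherever the program is installed.
    $rules = @($policy.Rules | Where-Object { $_.ApplicationName -like "*\$exe" })
    if ($rules.Count -eq 0) {
        Write-Warning "No rule found for $exe. Add it as described above."
        continue
    }

    $covered = 0    # profiles covered by enabled inbound allow rules
    $blocked = @()  # enabled block rules, which take precedence over allow rules
    foreach ($r in $rules) {
        if (-not $r.Enabled) { continue }
        if ($r.Action -eq 0) { $blocked += $r.Name }                          # 0 = block
        elseif ($r.Direction -eq 1) { $covered = $covered -bor $r.Profiles }  # 1 = inbound
    }

    if (($covered -band $both) -ne $both) {
        Write-Warning "Inbound allow rules for $exe do not cover both Home/Work and Public."
    }
    if ($blocked.Count -gt 0) {
        Write-Warning ("Enabled block rule(s) for {0}: {1}" -f $exe, ($blocked -join ', '))
    }

    # Per-rule detail for review.
    $rules | Select-Object Name, Enabled,
        @{ n = 'Direction'; e = { if ($_.Direction -eq 1) { 'In' } else { 'Out' } } },
        @{ n = 'Action';    e = { if ($_.Action -eq 1) { 'Allow' } else { 'Block' } } },
        @{ n = 'HomeWork';  e = { ($_.Profiles -band 2) -ne 0 } },
        @{ n = 'Public';    e = { ($_.Profiles -band 4) -ne 0 } }
}
```

The script changes nothing; any warning it prints points back to the Control Panel steps above.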

Security Suite Firewall

Certain PCs run an additional Security Suite Firewall. It is important to note that many new antivirus products include network components that might require additional configuration. There are so many Security Suite Firewalls out there that it is not possible to give a detailed step-by-step guide for every one of them. We will thus focus on certain important aspects of the modern Security Suite Firewall.

Learning Mode

Many modern Security Software Firewalls feature a so-called Learning Mode, which prompts the user every time a program is blocked. If you can, turn on this mode before you start Tunngle. This way you will be able to allow all the required network activity the first time you start Tunngle.

Exceptions

Many firewalls and antivirus products feature a Windows Firewall style executable exception list to which you can add the programs that you want to allow. If this is your case, you can add Tunngle.exe and TnglCtrl.exe to this exception list following a procedure very similar to the one explained in the Windows Firewall section.

Rules

Some firewalls require you to set up proper rules for your executables. If this is your case, you should allow:

  • For TnglCtrl.exe:
    • Protocol: TCP and UDP
    • Direction: In/Out
    • Port: Any
    • Source IP: Any
    • Destination IP: Any
  • For Tunngle.exe:
    • Protocol: TCP and UDP
    • Direction: Out
    • Port: Any
    • Source IP: Any
    • Destination IP: Any

Global Rules

Some firewalls apply global rules (beyond application rules) that might prevent Tunngle from setting up the adapter on startup. If this is your case, check that DHCP traffic is allowed over the network zone defined in the Tunngle Requirements section. Try relaxing the requirement or creating a new network zone from the Advanced Settings of your firewall.

Trusted Zone

In some cases, the firewall doesn't let you configure advanced settings, but lets you configure trusted zones in which all the traffic is allowed (including the Tunngle Adapter startup traffic). If this is your case, you can find the network zone data in the Tunngle Requirements section. Be mindful that the firewall will be offline for all the connections over the Tunngle Adapter.

Last Resort

Certain firewalls and antivirus products do not allow you to set up any advanced options (like network zones or exceptions). They just block. In these cases it is possible, as a last resort, to disable the network filtering for the Tunngle adapter. This means that while your other adapters remain protected, the Tunngle Adapter will be free from interference. Be mindful that this means disabling your firewall for all the connections over the Tunngle adapter. To do this, go to Network Connections, right-click the Tunngle Network Adapter and select Properties. In the list that appears, find and uncheck your Firewall/Antivirus Network Filter. Click OK to apply the settings.
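
To confirm that the filter was unchecked only on the Tunngle adapter and is still bound everywhere else, the following added example (not part of the original wiki page or the Tunngle project) compares adapter bindings. It assumes Windows 8 or later, where the `Get-NetIPAddress` and `Get-NetAdapterBinding` cmdlets exist, and it finds the adapter by the 7.x.x.x / 255.0.0.0 addressing given under Tunngle Requirements.

```powershell
# Added example: list components unbound on the Tunngle adapter and report
# any other adapter where the same component is also unbound.
# Assumes Windows 8 or later (Get-NetIPAddress, Get-NetAdapterBinding).

# Identify the Tunngle adapter by the addressing given under Tunngle Requirements.
$tunngle = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '7.*' -and $_.PrefixLength -eq 8 } |
    Select-Object -First 1

if (-not $tunngle) {
    Write-Warning 'No adapter with a 7.x.x.x address and 255.0.0.0 mask found.'
} else {
    $alias    = $tunngle.InterfaceAlias
    $bindings = Get-NetAdapterBinding
    $unbound  = @($bindings | Where-Object { $_.Name -eq $alias -and -not $_.Enabled })

    foreach ($b in $unbound) {
        # Other adapters on which the same component is also switched off.
        $alsoOff = @($bindings | Where-Object {
            $_.Name -ne $alias -and $_.ComponentID -eq $b.ComponentID -and -not $_.Enabled
        } | ForEach-Object { $_.Name })

        [pscustomobject]@{
            Component     = $b.DisplayName
            ComponentID   = $b.ComponentID
            UnboundOn     = $alias
            AlsoUnboundOn = $alsoOff -join ', '
        }
    }
}
```

For the firewall or antivirus filter, an empty AlsoUnboundOn column is the expected result: the filter is off on the Tunngle adapter only.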

Broken Security Suites

Security suites are nice but, like most "protections" in life, they can cause problems for the systems they are meant to protect (see "I, Robot" if you missed the lesson).
This sometimes leads to connectivity problems even if the Security Suite is properly configured, disabled or even uninstalled.
There isn't a single reason for these failures. They can occur because the software has a bug or because the uninstaller fails to restore the Operating System to the state it was in before you installed the protection software.
In these cases, the first recommended step is always to ask the Security Suite's support for information. They know how their software is coded and how to recover from these desperate situations when everything else seems to fail.

Some brands offer a manual uninstaller that can be used to attempt to fix the situation when things aren't going your way:

Some of these tools can have a deep impact on your system and even cause bigger problems than those you are trying to resolve.
Be sure that you create a System Restore Point and that you know what you are doing before trying these.

Microsoft also provides some tools that can help restoring some Windows Networking Settings to their default values:

If you want to go for any of this, we strongly suggest that you create a System Restore Point before doing each step. This way if something goes wrong you will be able to recover to the previous configuration.

Router SPI Firewall

A router firewall usually isn't a problem. You shouldn't be concerned with this unless you are 100% sure that your software firewall is properly configured and you are either getting a fail message from the Tunngle->System->Options->Test (Port Forward test) or you can't properly join rooms.

Some routers' SPI firewalls might interfere with Tunngle's operation and thus prevent you from seeing peers. If you are convinced that this might be your case, you can test by disabling the SPI firewall protection in your router interface (check Accessing the router).

This is not something that should be done lightly. Do this only if you are 100% sure that you can rule any other possible problem out.

Disabling Firewalls - A note of Caution

Firewalls offer useful protection in all network environments (Internet, LAN, etc.). Turning off your firewall should only be done when troubleshooting issues and not as a permanent solution. If a firewall can't be properly configured to do what you want under its protection, then maybe it's time to consider switching to another one. Also, don't forget to contact the firewall vendor's support. They can help you.