
Putting a PC in DMZ zone

Sheldon

Hi guys!

 

So let me explain. I have a PC that uses P2P (in other words, torrents). Now I have a firewall (SonicWall), and packets get dropped and peers get dropped as well, so I was thinking: would it be easier to put that PC in a DMZ zone on the firewall? Would that help in any way? How do you guys have your P2P PCs set up? (Remember I have a full-on firewall, not a normal router like homes have x_x.) Sorry for sounding like a chop!  :lol:

 

Thanks guys!


Well, your firewall protects against hackers, so I don't think I will block P2P communication. I need it for a Minecraft server I had a while back, and with my PC in the DMZ I don't really notice any difference.


I know, that is why the firewall is there, among other reasons. I don't have P2P blocked. That is the thing: some days it will be fine, then other days it will be super slow because the firewall is dropping packets. I can see it happening in the logs. You see, there's probably no use in putting that PC in a DMZ. Don't you agree?


 

Edit: Wrong Info lol


There is a use for putting a PC in a DMZ, of course, but the thing is, when DMZs are implemented using a firewall it is not a true "DMZ". A DMZ is basically just putting a computer in a zone connected directly to the public network, in front of the firewall.

 

A true DMZ would be like: Internet -> DMZ PC -> Firewall -> LAN

While a firewall DMZ looks like: Internet -> Firewall with DMZ -> LAN

 

If you are already allowing traffic on the firewall for all the ports you need for P2P, then a DMZ will not make any difference. What you can do is try connecting your PC directly to the internet and see if P2P is fine without the firewall, to verify whether your firewall is the problem. Next, try turning on your DMZ; that makes sure that no port is blocked to your PC. If the problem persists, it may be some mechanism set up on your provider's side; I've experienced providers blocking some ports to limit P2P traffic.

That wouldn't be a DMZ zone then. You create the DMZ zone on the firewall so that "all ports" and everything is open and in the public domain (using this very loosely). You create zones on the firewall so that you can follow best practices and keep everything clean. You cannot put a PC in front of a firewall; that would not work on the firewall end or for the users. The firewall (SonicWall, not the OS) is the problem, which is why it should be put in a DMZ, but these days that doesn't fall under best practices any more. The ISP doesn't limit or shape traffic. Part of the contract is that P2P isn't shaped. It's a 1:1 ratio connection. So it should be the firewall, but the right ports are open.


 

Ok yeah lol, I was wrong. Apparently my concept of DMZ was wrong, since that logic is for home router firewalls, not corporate firewalls. If traffic shaping is not present and you're using a corporate firewall, then yeah, DMZ will open your ports to the public network. Not too sure; try port forwarding to your PC directly, maybe.


:P It's fine. This is a full-on firewall that isn't meant to have P2P going past it; rather, it is meant to be blocked. You see, I did that and then it worked for a while and I forgot about the DMZ. Now it is slow again (dropping peers in the firewall logs). And to correct myself: it is DMZ, not DMZ zone :P


Are you seeing what rule is being flagged?

 

And is it after a certain period of time? I am thinking that after the TCP connection times out, the peer tries to make a request, but as the connection no longer exists as a valid session, and the peer may still be using the ephemeral port that it was connecting to you on, the firewall drops it.


[screenshot of the firewall log]

Hopefully that makes sense. I had to remove the IPs, but some are left there (they're internal, so no one come and tell me those shouldn't be there, because then I shall give you all my IP ranges :D and see what you can do with that! lol :) ). I have access rules for utorrent and the download PC, and you can see the port there. It doesn't make sense: I have added all the rules and so on, but you still see the packets get dropped.


Do you see the part where it says rule? Because it isn't reporting what rule is actually being violated, it's going to be harder to figure it out.

 

My thought would be that the firewall is dropping the packets as the destination isn't valid, or something along those lines. Can you tell us if they're all coming from a single source and if they're all going to a single destination? 


The part that says "notes" and the message state what rule is being violated. Normally the notes tell us which rule is stopping the packet.

The sources are the peers (so that changes all the time; I could leave those IPs there, but those are other people's, not that anyone will use those IPs to attack them, I hope). The destination is 192.168.3.27, so that never changes; that has a static IP.

Some of the rules are utorrent and Download in the ARL


Hmm... I've never used SonicWall firewalls (though I'm going to be getting one soon-ish), but it's usually like this:

 

message: description of what it did

note: additional info on event

rule: network access rule about the event

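The two questions the thread keeps circling (are all the drops going to one destination, and what do the "rule", "note" and "message" fields actually say?) are easiest to answer by aggregating the log export rather than reading screenshots. The script below is an added example written for this thread, not code from any poster or from SonicWall. It assumes a generic key=value log layout with the field names msg, note, rule, src, dst and proto; the sample lines, the peer IPs and the note wording are constructed, and only the destination 192.168.3.27 and the rule names are taken from the thread.

```python
import re
from collections import Counter

# Constructed sample log lines in a generic key=value syslog style.
# The field names (msg, note, rule, src, dst, proto), the peer IPs and the
# "No active session" wording are assumptions for this example, not copied
# from a real SonicWall export. 192.168.3.27 is the download PC from the thread.
SAMPLE_LOG = """\
msg="Connection dropped" note="No active session for packet" rule="" src=203.0.113.10:51234 dst=192.168.3.27:6881 proto=tcp
msg="Connection dropped" note="No active session for packet" rule="" src=198.51.100.7:40022 dst=192.168.3.27:6881 proto=tcp
msg="UDP packet dropped" note="" rule="Download" src=203.0.113.55:6881 dst=192.168.3.27:6881 proto=udp
msg="Connection dropped" note="No active session for packet" rule="" src=192.0.2.99:33001 dst=192.168.3.27:6881 proto=tcp
msg="Connection dropped" note="" rule="Geo-IP Filter" src=198.51.100.200:22222 dst=192.168.3.27:6881 proto=tcp
"""

# One key=value pair: the value is either "quoted" (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of the key=value fields found on one log line."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        # findall yields "" for the alternative that did not match.
        fields[key] = bare if bare else quoted
    return fields


def split_endpoint(endpoint):
    """'192.168.3.27:6881' -> ('192.168.3.27', 6881)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def summarize_drops(log_text):
    """Aggregate drop events by source, destination, destination port and reason."""
    by_src, by_dst, by_dport, by_reason = Counter(), Counter(), Counter(), Counter()
    events = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        src_ip, _ = split_endpoint(f["src"])
        dst_ip, dst_port = split_endpoint(f["dst"])
        events += 1
        by_src[src_ip] += 1
        by_dst[dst_ip] += 1
        by_dport[(f.get("proto", "?"), dst_port)] += 1
        # Prefer the named access rule; fall back to the note, then the message.
        by_reason[f.get("rule") or f.get("note") or f.get("msg", "?")] += 1
    return {
        "events": events,
        "by_src": dict(by_src),
        "by_dst": dict(by_dst),
        "by_dport": dict(by_dport),
        "by_reason": dict(by_reason),
        # Many sources hitting one internal host is the normal P2P pattern;
        # a single source would point at one misbehaving peer instead.
        "single_destination": len(by_dst) == 1,
        "single_source": len(by_src) == 1,
    }


def print_report(summary):
    """Human-readable view of the aggregation."""
    print(f"{summary['events']} drop events")
    print("destinations:", summary["by_dst"])
    print("distinct sources:", len(summary["by_src"]))
    print("dest ports:", summary["by_dport"])
    print("reasons:", summary["by_reason"])
    print("single destination:", summary["single_destination"],
          "| single source:", summary["single_source"])


if __name__ == "__main__":
    print_report(summarize_drops(SAMPLE_LOG))
```

Run against a real export, the "reasons" counter separates drops that name an access rule (which you can then inspect) from drops that only carry a note; a large share of session-less drops from many peers to one port is consistent with the stale-session theory above, whereas drops attributed to a Geo-IP or botnet filter point at that feature instead.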

Hi there! Here are the rules; hopefully I got them all. @tom564 Sorry for the late reply!

[four screenshots of the firewall access rules]

Could it be the Geo-IP or botnet feature flagging it? 


Just removed that from the rules. I will let you know how it goes. It doesn't make too much sense why they're being dropped, but I will keep an eye on it!
