Newbie q: how to open ports for TiVo service?


Postby PoorJohn » Jan 02 08 6:45 pm

TiVo wants a gaggle of ports opened to support on-line access to its guide information and other features. I've d/l'ed a demo of WinGate and configured it to support my normal network configuration, but can't get it to let TiVo talk to mommy.

(I realize that uncontrolled Internet access to TiVo would probably be safe enough, but TiVo now includes features that need it to be on the LAN, i.e. behind a good firewall, thus my quest to put it there.)

My vanilla configuration has a server with two netcards - one on 192.168.x.x talks to a Netgear FVS124G hardware firewall and thence to a TimeWarner cable modem. The other netcard services the LAN on a different range of addresses (140.x.x.x). All the standard services are working fine, and I like the product.

The TiVo box connects to a Belkin wireless hub. Belkin has a WAN connection, and if I attach it directly to the cable modem, TiVo finds its service successfully. Further, if I use Netgear to connect to the cable modem as it would normally, and connect a LAN port on the Belkin to a LAN port on the Netgear box (and make sure to have Belkin give TiVo an address in the 192.168... range that Netgear is using) TiVo works fine.

The next step is to reconfigure Belkin to use my 140.x.x.x range (of course including its DHCP server, so TiVo gets a good address) and connecting its LAN port to my LAN. That works fine, too - I can access TiVo from my LAN to use the local features (copying media to and from my computer, e.g. ). But when TiVo tries to connect to the Internet to get its guide, it reports "service not found".

As I said up top, TiVo says it needs a bunch of ports opened, and that's where my ignorance shows up. An on-line doc I found told me to open WWW Proxy Server, click on Sessions, and add the ports I wanted to use. That hasn't caused any joy. (I also may not understand how to set the related bindings.)

Also note that I tell TiVo that the gateway address is that of the netcard that's hosting the 140.x.x.x LAN in the server; same for DNS.

Many thanks for pointing me toward the answer...
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Re: Newbie q: how to open ports for TiVo service?

Postby Nev » Jan 02 08 8:49 pm

Hi there,

As you have configured it, the client points at the IP, DNS and Gateway of the Wingate Server.

That being the case the device should use the NAT [Extended Networking Service] to connect.

Just check the network designation in GateKeeper, the 192.168.x NIC must be marked External and the 140.x must be Internal for routing to work.

Drop back to the forum and let us know how you get on!
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby PoorJohn » Jan 02 08 9:21 pm

Thanks for the reply, but I'm afraid I'm going to be very much of a bother in getting up to speed here.

WWW Proxy server/Sessions does indeed have the box checked "Intercept connections made via ENS..." WWW Proxy server/Bindings has "Any Adapter", "Any Address" Port 80 in the top pane, and in the bottom I've only left "Bind to any IP address on any adapter" checked.

WWWProxyserver/Gateways only lists the external netcard; the "Gateways" category has checked 192.168.2.1 which is the Netgear IP, and the next category, "Source IP Address" has checked 192.168.2.12 which is the IP of the netcard in the server PC that talks to it.

WWW Proxy server/Connection has Directly selected. Policies is essentially blank.

Incidentally, something listed as "XDMA Proxy service" seems to want to use port 8000, which is one of TiVo's demands, but since startup is "automatic" and I don't imagine I'm using it, I think there's no conflict.

Bedtime here in Los Angeles; good morning to Oz.
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Postby Nev » Jan 03 08 3:41 pm

PoorJohn wrote:Thanks for the reply, but I'm afraid I'm going to be very much of a bother in getting up to speed here.

WWW Proxy server/Sessions does indeed have the box checked "Intercept connections made via ENS..." WWW Proxy server/Bindings has "Any Adapter", "Any Address" Port 80 in the top pane, and in the bottom I've only left "Bind to any IP address on any adapter" checked.


Hi & GM!

Ok what I would do here is to disable the Intercepts [See Sessions] as I suspect your client may not work via Proxy so well and this will enable NAT for WWW requests.

The binding refers to where requests will be answered from, for security reasons it should only allow access from 'Internal' adaptors such as the Localhost and the IP of your NIC to the clients.


PoorJohn wrote:WWWProxyserver/Gateways only lists the external netcard; the "Gateways" category has checked 192.168.2.1 which is the Netgear IP, and the next category, "Source IP Address" has checked 192.168.2.12 which is the IP of the netcard in the server PC that talks to it.


In here I would be choosing 'Use any available connection', and for the Connection area choosing to 'Connect Directly' should be all that is required, as you have done.


PoorJohn wrote:WWW Proxy server/Connection has Directly selected. Policies is essentially blank.


Policies can be ignored, or set to allow full access, until you want to create some rules once everything is connecting as expected.

PoorJohn wrote:Incidentally, something listed as "XDMA Proxy service" seems to want to use port 8000, which is one of TiVo's demands, but since startup is "automatic" and I don't imagine I'm using it, I think there's no conflict.


Oh, ok you could disable that so that requests are via NAT on that port.

Just check your adaptor usage like this, Internet // External // Lan Internal, to modify just click the adaptor.

Image

PoorJohn wrote:Bedtime here in Los Angeles; good morning to Oz.
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby PoorJohn » Jan 03 08 7:43 pm

No joy out of any of that, but thanks very much for the details. If you happen to think of any other "dummy" mistake I may have made, I'll try it in a flash.

As it is, when I ask TiVo to test its connection, it does an "init" step in a few seconds, then dwells for about 200 seconds on "connecting" before saying "service not found". I thought it might have something to do with the 180 second default "session" timeout, but changing that value to 90 seconds didn't change that behavior at all.

Shouldn't I be able to see TiVo's attempts to connect in a log somewhere? The only "log" I'm aware of is the History tab, and it never shows an entry from TiVo's IP, although the routine business of the other computers on the network is routinely logged.
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Postby Nev » Jan 03 08 9:24 pm

Hi, yes from default there will be logs for all services.

C:\Program Files\WinGate\Logs\

NAT for example: C:\Program Files\WinGate\Logs\WinGate NAT\WinGate NAT.log

You must be able to see the 'init' in the Activity pane when it is underway too.

If not there is some network matter in the way.

The Tivo should have an IP in the same subnet as the Internal NIC on Wingate, eg: 192.168.0.2.

It also should have a Subnet Mask to suit, eg: 255.255.255.0

The Gateway should be the same IP as Wingate's Internal NIC, eg: 192.168.0.1
DNS should be the same: eg: 192.168.0.1

Found some stuff here: http://tivosupport2.instancy.com/LaunchContent.aspx?cid=d7e0f1fa-7880-4919-8809-7d5159ec8791&anchor=undefined&anchor=undefined

Is that like your device?
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia
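
The addressing checklist in the post above (client inside the internal NIC's subnet, a matching mask, gateway and DNS both set to that NIC) can be checked mechanically. This is an added example, not part of the thread or of WinGate: `check_client` and its finding texts are hypothetical, the 192.168.x values are taken from the posts, and the 140.0.2.x values are constructed because the thread elides the middle octets.

```python
import ipaddress


def check_client(client_ip, mask, gateway, dns, internal_nic, external_nic=None):
    """Return a list of findings; an empty list means the addressing is consistent."""
    try:
        lan = ipaddress.ip_network(f"{internal_nic}/{mask}", strict=False)
        client = ipaddress.ip_address(client_ip)
        nic = ipaddress.ip_address(internal_nic)
        gw = ipaddress.ip_address(gateway)
        ns = ipaddress.ip_address(dns)
        ext = ipaddress.ip_address(external_nic) if external_nic else None
    except ValueError as exc:
        # Covers malformed addresses and non-contiguous masks such as 255.0.255.0
        return [f"invalid address or mask: {exc}"]

    findings = []
    if client not in lan:
        findings.append(f"client {client} is outside the internal subnet {lan}")
    elif client in (lan.network_address, lan.broadcast_address):
        findings.append(f"client {client} is the network or broadcast address of {lan}")
    if client == nic:
        findings.append("client duplicates the internal NIC address")
    if gw != nic:
        # A DHCP server on an intermediate router often hands out itself here
        findings.append(f"gateway {gw} is not the internal NIC {nic}")
    if ns != nic:
        findings.append(f"dns {ns} is not the internal NIC {nic}")
    if ext is not None and ext in lan:
        # Internal and External adapters must sit on different subnets for NAT routing
        findings.append(f"external NIC {ext} falls inside the internal subnet {lan}")
    if not lan.is_private:
        # Publicly routable space used internally shadows the real Internet hosts
        # in that range and should not be relied on as "hidden" behind NAT
        findings.append(f"internal subnet {lan} is not private (RFC 1918) address space")
    return findings


# Constructed sample configurations for illustration
SAMPLES = {
    # Values from the post: client .2, mask /24, gateway and DNS on the internal NIC
    "as_posted": ("192.168.0.2", "255.255.255.0", "192.168.0.1",
                  "192.168.0.1", "192.168.0.1", "192.168.2.12"),
    # DHCP on an intermediate router handed out itself as gateway and DNS
    "dhcp_wrong_gateway": ("192.168.0.2", "255.255.255.0", "192.168.0.254",
                           "192.168.0.254", "192.168.0.1", "192.168.2.12"),
    # Internal LAN numbered out of public space (middle octets constructed)
    "public_range_lan": ("140.0.2.246", "255.255.255.0", "140.0.2.7",
                         "140.0.2.7", "140.0.2.7", "192.168.2.12"),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        result = check_client(*args)
        print(name, "->", result if result else "OK")
```
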

Postby PoorJohn » Jan 04 08 6:08 am

Thanks for all that effort! Yes, the TiVo setup is pretty easy to follow - they get praise for their user interface - with the small catch that if you let a DHCP server give TiVo an address, it also assigns (incorrectly) the mask, gateway, and DNS servers and you can't change them. So static IP it is.

TiVo is 140_x_x_246 on the internal net, subnet mask is appropriate, and its gateway is given to be 140_x_x_7, which is the address of the netcard that WinGate considers its "internal" address. The "external" netcard is 192_x_x_x and is connected directly to the Netgear box and thence the cable modem.

Thanks for pointing me to the logs. I should have looked in the folder. No mention of .246 that I can see.

On the internal net, I can see and manage TiVo on .246, but its connection attempts don't show up in the WinGate current activity pane nor in the logs, afaik. I guess I need to get ambitious and put a general traffic logger on the LAN. Either I still don't have all the WinGate switches pointed the right way, or maybe Windows is disallowing TiVo from initiating a connection.

I don't think it's a Windows problem - with my old proxy (which doesn't have transparent proxy) I've seen TiVo attempt to connect on port 8000, and then fail since that port isn't mapped properly. But I haven't actually looked at the Event log to see if there's any mention of denied connection attempts.

[sorry about the funny ip notation. I kept getting "no internet addresses allowed in post". Turns out that mentioning the w_w_w_proxy log with those w's strung together was annoying it. ]
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Re: Newbie q: how to open ports for TiVo service?

Postby Nev » Jan 04 08 5:12 pm

PoorJohn wrote:
The TiVo box connects to a Belkin wireless hub. Belkin has a WAN connection, and if I attach it directly to the cable modem, TiVo finds its service successfully. Further, if I use Netgear to connect to the cable modem as it would normally, and connect a LAN port on the Belkin to a LAN port on the Netgear box (and make sure to have Belkin give TiVo an address in the 192.168... range that Netgear is using) TiVo works fine.

The next step is to reconfigure Belkin to use my 140.x.x.x range (of course including its DHCP server, so TiVo gets a good address) and connecting its LAN port to my LAN. That works fine, too - I can access TiVo from my LAN to use the local features (copying media to and from my computer, e.g. ). But when TiVo tries to connect to the Internet to get its guide, it reports "service not found".


I think the link here is the 'Belkin' and its forwarding to Wingate, assuming it's another NAT device which must source its Gateway and DNS from the Internal NIC at Wingate.

Is there any way to isolate it by: TiVo <--> Wingate by ethernet to see how well that works?
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby PoorJohn » Jan 04 08 6:09 pm

Yes, it's almost zero bother to run a piece of cable. I don't give it as much hope as you, but at this point I'll try anything.

I did put a traffic logger on the system. TiVo talks on port 80 and 8000. Knowing its destinations, I corrected the port addressing for Winproxy with no improvement. Of course Wingate doesn't insist that ports be opened to a particular target, so there was no new knowledge for that interface.

I also opened an official support ticket, and was a bit surprised that a day went by without any ack or other response.

I'll try that cable and let you know what happens.
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Postby PoorJohn » Jan 04 08 6:41 pm

Hard-wire unfortunately behaved just like wireless. I guess it's time to ask TiVo tech support if they have any ideas. I won't be surprised to hear that they've never actually had anyone connect through a firewall, despite their savvy-sounding listing of the ports that should be open, on-screen.

I suspect it's beyond mere mortals. Maybe if the head tech guy from Wingate got to talking with the head tech guy at TiVo they could figure it out.
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Postby PoorJohn » Jan 04 08 7:44 pm

Okay, here's the start of the problem: TiVo pings Mommie during its connection sequence. Apparently (some version?) of Wingate won't route ping. I can execute the TiVo ping successfully from the server computer (which has direct access to the external adapter and thus the Internet) but pings to that address from other computers on the network fail. TiVo included, obviously.

An outfit called RedLine which seems to share more about Wingate than Wingate says "Wingate doesn't route pings" but it's not particularly clear if they're talking about the latest version.
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Postby Nev » Jan 04 08 8:52 pm

PoorJohn wrote:An outfit called RedLine which seems to share more about Wingate than Wingate says "Wingate doesn't route pings" but it's not particularly clear if they're talking about the latest version.


Hi, yes you can ping from any client via Wingate when NAT is installed and working; taking a PC on your LAN and pinging a network host such as google.com will work just as on the server.

What you could do is add the IP of TiVo to the 'Assumed Users'; this will ensure that access is provided by Wingate's services. Give it a name of one of the users on your server; also, if it has a local name [e.g. you can ping tivo and get four replies], add that name as a 'Computername' in the 'Assumed Users'. That should get you going.

This should remove any System messages [if there was any] and show you Activity in Gatekeeper!
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby PoorJohn » Jan 04 08 9:12 pm

Well that was about the first thing I did before posting my previous note. It failed and still does.

I guess that says I've turned off NAT somehow. In a previous post you suggested - correct me if I misunderstood - that if I go to User Services - ww Proxy Server - Sessions and uncheck the "intercept connections" box that would turn NAT on. Checking /unchecking that box doesn't allow ping either way.

So if I need Wingate's NAT, kind sir, how do I enable it?

(I'm thrilled to hear that it >is< possible, at least... I'm beginning to smell success.)
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Postby Nev » Jan 04 08 10:33 pm

PoorJohn wrote:Well that was about the first thing I did before posting my previous note. It failed and still does.

I guess that says I've turned off NAT somehow. In a previous post you suggested - correct me if I misunderstood - that if I go to User Services - ww Proxy Server - Sessions and uncheck the "intercept connections" box that would turn NAT on. Checking /unchecking that box doesn't allow ping either way.

So if I need Wingate's NAT, kind sir, how do I enable it?

(I'm thrilled to hear that it >is< possible, at least... I'm beginning to smell success.)


Good, yes success soon ;-) ok NAT is the Extended Networking Service in the System pane.

If you open it it should look similar to:

Image

It must be installed and running, if not enable it and reboot.

Yes, any client should be able to ping outside to the Internet Via Wingate if NAT is working normally, it also is the Firewall component.

If you go to a client system it should look similar to this:

Image
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby PoorJohn » Jan 05 08 4:36 am

Alas, it's not in the list, and right-clicking doesn't give me an opportunity to add new things as it does for the next tab. Magic word?
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Postby Nev » Jan 05 08 11:58 am

PoorJohn wrote:Alas, it's not in the list, and right-clicking doesn't give me an opportunity to add new things as it does for the next tab. Magic word?


Oh ok, run Install again and enable ENS should fix this one!

Image
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby PoorJohn » Jan 05 08 7:14 pm

Success! I uninstalled, reinstalled, the service was in the list. I did essentially no fiddling other than setting the program straight regarding which netcard was internal and which was external, and voila! TiVo and its mommie are chatting away.

I sense that your assistance to me has been strictly voluntary, and I owe you more than I'll be able to repay for it. The company itself seems to have an excellent product, but is remarkably shy about supporting it, either by responding to a direct request for help (they've ignored me for two days now) or through the available helps and tutorials (about as devoid of anything useful as any program I've ever used.)

I hesitate to ask another question, but:

1. Are there useful helps anywhere? This user has to guess at everything. For example, POP3 requests have to be routed to mail.myIsp.com. I did that using the Services-pop3 proxy server-server request window, where I clicked "pipe request through to predetermined server". Seems to work, but I don't know why. What is the POP3 server on the system tab good for? I entered the (non-standard) port I use and checked "allow pop3 proxying" but have no idea what I'm doing.

2. My NNTP client times out. (It tries to connect). It was working okay before the reinstall. Is there a place to change the timeout? NNTP doesn't seem to be handled separately so I assume it's TCP based.

Thanks again!
John
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Postby Nev » Jan 05 08 9:18 pm

PoorJohn wrote:Success! I uninstalled, reinstalled, the service was in the list. I did essentially no fiddling other than setting the program straight regarding which netcard was internal and which was external, and voila! TiVo and its mommie are chatting away.

I sense that your assistance to me has been strictly voluntary, and I owe you more than I'll be able to repay for it. The company itself seems to have an excellent product, but is remarkably shy about supporting it, either by responding to a direct request for help (they've ignored me for two days now) or through the available helps and tutorials (about as devoid of anything useful as any program I've ever used.)


Excellent: :-) NAT is the solution.

The folks at QBIK really stand by their product and being the time of the year for shutdowns, probably only one or two are available to run everything, next week will be different.

At the top of the Wingate forum are a few Announcements and Sticky points which are worth a look; also at Wingate.com are some excellent white papers from: http://www.wingate.com/support.php

PoorJohn wrote:I hesitate to ask another question, but:

1. Are there useful helps anywhere? This user has to guess at everything. For example, POP3 requests have to be routed to mail.myIsp.com. I did that using the Services-pop3 proxy server-server request window, where I clicked "pipe request through to predetermined server". Seems to work, but I don't know why. What is the POP3 server on the system tab good for? I entered the (non-standard) port I use and checked "allow pop3 proxying" but have no idea what I'm doing.


By all means ask away!

The POP3 server handles client requests, it is not the POP3 Proxy to which requests are passed and then onto the remote server.

I use two approaches in this order:

Proxy all requests in the format where the client has a username format with a delimiter, e.g. user#mail.myisp.com will see Wingate connect to that mail server for 'user' and fetch the mail from 'mail.myisp.com' on demand.

Or direct; disable the Pop3 Server and configure the client to make direct connection to the remote mail server, NAT will carry the traffic.

PoorJohn wrote:2. My NNTP client times out. (It tries to connect). It was working okay before the reinstall. Is there a place to change the timeout? NNTP doesn't seem to be handled separately so I assume it's TCP based.

Thanks again!
John


NNTP, that would be Port 119, that should be ok via NAT from a client, but it has been a long time since I played with any NNTP stuff for anyone. If the client is just using the remote server and port NAT should handle that without timeouts, mappings or proxies.
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby PoorJohn » Jan 05 08 10:02 pm

Sorry, too many N's in NTP, I meant the time server, e.g. nist.gov. Seems to be a matter of the government responding slowly (surprise?) and timing out. It works sometimes.
PoorJohn
 
Posts: 22
Joined: Jan 02 08 6:08 pm

Postby Nev » Jan 06 08 5:10 pm

PoorJohn wrote:Sorry, too many N's in NTP, I meant the time server, e.g. nist.gov. Seems to be a matter of the government responding slowly (surprise?) and timing out. It works sometimes.


Oh righteo, yes, have seen that problem myself from that server! ;-)
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

