ICS and Forwarding issue in win 7
-
Saturday, August 18, 2012 2:40 PM
Hi I'm seeing an issue when enabling ICS and what NICs it enables Forwarding on and by Forwarding I mean the one listed here for the NIC.
netsh interface ipv4 show interface l=verbose
When ICS is enabled in Windows 7 both the WAN NIC and LAN NIC have this Forwarding enabled and at first there is no issue, it all works. However there is an issue when the PC doing ICS does a VPN, causing many packets to be sent counting down for TTL with received time exceeded ICMP.
This should not happen but for me it does and why has win 7 enabled Forwarding for both NICs for ICS?
The workaround is to disable Forwarding for only the WAN NIC like this which for me is “Local Area Connection 2” for the WAN NIC with “Local Area Connection” being the LAN NIC.
netsh interface ipv4 set interface "Local Area Connection 2" forwarding=disable
Thanks for any replies
- Edited by Legacy_ Saturday, August 18, 2012 2:40 PM
All Replies
-
Sunday, August 19, 2012 5:23 AM
1. What is the target configuration?
2. In my understanding ICS is one to many NAT
3. I would use separate VPN devices.
Rgds
Milos
-
Sunday, August 19, 2012 10:28 AM
1. Like to have my WAN IP on PC and NAT for other devices.
2. What other NAT?
3. Does not really apply to me....My problem is when I enable ICS it enables Forwarding on both NICs as shown here:
netsh interface ipv4 show interface l=verbose
This causes a problem, yet it all seems to work, yet for VPN connections being made it sends many packets out, the same packet over and over again with a TTL going down to the point I receive time exceeded ICMP, and the whole time it's doing this the VPN works but it shouldn't send the same packet over and over again.
When I disable the Forwarding for the WAN NIC it works as it should and so does ICS but I should not have to disable the Forwarding myself with the following on the WAN NIC that ICS is enabled on with the LAN NIC having forwarding enabled.
netsh interface ipv4 set interface "Local Area Connection 2" forwarding=disable
I don't know if this is a bug in win 7 for ICS or just me this happens to?
-
Sunday, August 19, 2012 11:26 AM
One to many NAT is terminus technicus.
-
Monday, August 20, 2012 2:49 PM
One to many NAT is terminus technicus.
I'm not sure I follow?
There is no router NAT in front of the connection, it can only get a WAN IP.
So is it normal for ICS to enable forwarding on both NIC?
-
Tuesday, August 21, 2012 2:21 AM
Google it. By default, NAT (and ICS is just a cut-down version of NAT) is a one to many translation process.
I would never even consider setting up a VPN on a machine running ICS.
Bill
- Proposed As Answer by Vincent Wang-MCSCMicrosoft Contingent Staff, Moderator Monday, September 03, 2012 2:00 AM
-
Tuesday, August 21, 2012 7:32 PM
I'm not setting up a VPN I'm connecting to a VPN like superfreevpn.com and when I do ALL HELL BREAKS loose and it only works correctly if I do this.
netsh interface ipv4 set interface "Local Area Connection 2" forwarding=disable
When I do that it all works fine and now on every reboot the damn forwarding setting gets re-enabled.
Please is it normal for ICS to enable forwarding on both NIC?
- Edited by Legacy_ Tuesday, August 21, 2012 7:33 PM
-
Wednesday, August 22, 2012 12:44 AM
If you do not understand the previous posts, the answer is yes. And I was aware that you were using the ICS machine as a VPN client, not a VPN server. It is still a bad idea.
Bill
-
Wednesday, August 22, 2012 2:41 PM
If you do not understand the previous posts, the answer is yes. And I was aware that you were using the ICS machine as a VPN client, not a VPN server. It is still a bad idea.
Bill
Clearly I didn’t because I think I would have understood so thanks.
What I have worked out is going to be hard to explain in a way that yes that's what it seems but there is more to it than that and could be a security issue due to ICS enabling forwarding for the internet NIC.
But first what would your own conclusion be that with forwarding manually disabled for the internet NIC only for ICS when the following works with it disabled? given that:
- VPN connects from the ICS work fine even protocol 50.
- Computers connecting to ICS have internet and they too can connect to VPN's
- Port mapping in ICS works
Given that everything works why would MS enable forwarding on the internet NIC for ICS when it does nothing and works with it disabled?
Thanks
-
-
Sunday, December 30, 2012 5:24 PM
This has been all misunderstood all because of how I found a problem that's only a problem when you monitor it...so if I don't run wireshark there is no problem but if I run wireshark in promiscuous mode then it becomes a problem because promiscuous mode overrides what the NIC would normally drop because of my setup and wireshark in promiscuous mode this then allows the problem to happen.
But this still does not answer why MS enables forwarding on the internet NIC that clearly is not needed on that NIC, only on the LAN NIC does forwarding need to be enabled on for ICS to work and with wireshark in promiscuous mode.
Say what you will but that’s what’s happened.
- Marked As Answer by Legacy_ Sunday, December 30, 2012 5:24 PM
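
As an added example (not part of the thread), a PowerShell check for the condition the posts describe, where ICS leaves Forwarding enabled on the WAN NIC again after a reboot. It parses the verbose `netsh` listing; the function name `Get-ForwardingState` and the sample output are constructed here, and the field labels assume an English-language Windows.

```powershell
# Added example, not from the thread: report the IPv4 Forwarding state per
# interface from "netsh interface ipv4 show interface l=verbose" output.
function Get-ForwardingState {
    param([string[]]$Lines)
    $name = $null
    foreach ($line in $Lines) {
        # Each interface block starts with "Interface <name> Parameters"
        if ($line -match '^\s*Interface (.+) Parameters\s*$') {
            $name = $Matches[1]
        } elseif ($name -and $line -match '^\s*Forwarding\s*:\s*(\S+)') {
            New-Object PSObject -Property @{
                Interface  = $name
                Forwarding = $Matches[1]
            }
            $name = $null
        }
    }
}

# Constructed sample in the shape netsh prints (most fields omitted).
$sample = @'
Interface Local Area Connection Parameters
----------------------------------------------
IfIndex                            : 11
Forwarding                         : enabled
Advertising                        : disabled

Interface Local Area Connection 2 Parameters
----------------------------------------------
IfIndex                            : 12
Forwarding                         : enabled
Advertising                        : disabled
'@ -split "`r?`n"

$wan = 'Local Area Connection 2'   # WAN NIC name used in the thread
# On a live system, replace $sample with:
#   netsh interface ipv4 show interface l=verbose
$states = Get-ForwardingState -Lines $sample
$states | Format-Table Interface, Forwarding -AutoSize

$bad = $states | Where-Object {
    $_.Interface -eq $wan -and $_.Forwarding -eq 'enabled'
}
if ($bad) {
    Write-Warning "Forwarding is enabled on WAN interface '$wan'"
    # Workaround from the thread (elevated prompt required):
    # netsh interface ipv4 set interface "$wan" forwarding=disable
}
```

With the constructed sample, both interfaces are listed as enabled and the warning fires for the WAN NIC; on the setup described in the thread, only the LAN NIC should remain enabled once the workaround has been applied.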

