Networking issue, access service indirectly

3

1

I've got an application and internet service that works fine from my home network, but fails (TCP connection "dies" after a few KB sent) on the university residence network. The admins of the two systems have spent a few months saying that they did nothing to cause this and blaming each other, and not really taking much interest, while all I want is to be able to use the application for more than the occasion I visit home...

I ran some tests, and there seems to be nothing about the data being sent that causes this, at least when the data isn't being sent from that exact server.

What I want to do now is route the connection through another computer outside the university network, which I know does work, as per the diagram below. However, I have no idea how to do this, and force a specific application to route through it for its outgoing TCP connection.

Will Roberts

Posted 2011-12-04T13:17:06.537

Reputation: 31

This sounds likely to be a Path MTU Discovery black hole. At one end of the connection or the other, someone has a link with an MTU less than 1500, but a firewall is blocking the "Destination Unreachable, fragmentation required but 'don't fragment' bit set" ICMP error messages from getting back to the sender. If you have any control over the service in question, try cranking down its MTU to 1400, and do the same on your machine inside the university. – Spiff – 2011-12-09T06:37:07.880
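A way to test the Path MTU hypothesis from the comment above, as an added example that is not part of the original thread: it binary-searches the largest Don't-Fragment packet that still gets a reply, which works even when the ICMP "fragmentation required" errors are filtered. `ping_probe` assumes Linux iputils `ping`; `simulated_path` is a constructed stand-in for a black-hole link so the logic can be run offline.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header (no options)

def ping_probe(host):
    """Build probe(size): one DF-flagged echo of `size` total IPv4 bytes.
    Assumes Linux iputils ping (-M do sets Don't Fragment)."""
    def probe(size):
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do",
               "-s", str(size - IP_ICMP_OVERHEAD), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe

def simulated_path(bottleneck_mtu):
    """Constructed stand-in for a black-hole path: oversized DF packets
    vanish silently, so the sender only sees 'no reply'."""
    return lambda size: size <= bottleneck_mtu

def find_path_mtu(probe, low=576, high=1500):
    """Largest packet size in [low, high] that gets a reply, or None.
    Uses only reply/no-reply, so filtered ICMP errors do not matter."""
    if not probe(low):
        return None          # even small packets get no reply: inconclusive
    if probe(high):
        return high          # full-size packets pass: path MTU is fine
    while high - low > 1:    # invariant: probe(low) ok, probe(high) fails
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low

def diagnose(probe, local_mtu=1500):
    """Summarise the probe results and the TCP MSS that fits the path."""
    mtu = find_path_mtu(probe, high=local_mtu)
    if mtu is None:
        return {"path_mtu": None, "reduced": False, "tcp_mss": None}
    return {"path_mtu": mtu, "reduced": mtu < local_mtu,
            "tcp_mss": mtu - IP_TCP_OVERHEAD}
```

Against a real host, call `diagnose(ping_probe(host))` from the machine inside the affected network; a `path_mtu` below 1500 combined with TCP connections that stall after a few KB is consistent with the black hole described in the comment.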

Answers

2

Sounds to me like a classic university/school/workplace blocking ports or filtering traffic. My first suggestion would be don't try to bypass their firewalls; from experience it's there for a reason and they don't look kindly on people getting around it.

Next, changing the routing on your computer will completely depend on the operating system that you're using, so what OS are you running on the client?

For it to work you will probably need to create some kind of VPN connection so that the blocked traffic is tunneled through the filter instead of being dropped. Basically this will mean installing a VPN client on the workstation within your university and then also installing a VPN server somewhere on the internet (outside of your university).

Alternatively you could purchase a VPN service, in which case you wouldn't need to supply the public internet VPN server, which would save some money if you don't already have the public server.

Finally, most VPN services will operate as a default route for your traffic, meaning any internet-facing traffic will go over this encrypted tunnel. You simply need to add your own routing on the operating system that will just use the tunnel for your application traffic, and all other traffic will be routed as normal.

As stated before, this completely depends on the operating system that you're using.

iTom

Posted 2011-12-04T13:17:06.537

Reputation: 545

Well, at first I thought it was a filtering thing, but the sys admins promised they never terminate connections like that (they say the only thing they do is disconnect machines that attempt to connect to a few hundred other machines at once, e.g. p2p) and told me it was a user/server error, and they're not inclined to put any effort into making things other than http work for students; everything else is up to the user to configure somehow... – Will Roberts – 2011-12-04T14:05:06.597

The administrators use some kind of filtering because they are blocking P2P connections. It's more than possible that there is a misconfiguration on this filter which is blocking your traffic, or your traffic is causing a false positive for P2P and being blocked. Either way they probably aren't going to help, as you have said, so you need to find a way of getting around that filter, using something like a VPN tunnel. If it works over a VPN tunnel or at another location then it's almost certainly the network configuration. Another thing to do would be to capture the network traffic with Wireshark. – iTom – 2011-12-04T14:17:49.603

I'd also suggest you try a VPN. This will definitely prove if it is the university's filtering software. From my experience with university admins, they tend to give "official" answers (not their fault). I prefer to direct my questions to lower level workers who may not be under the scrutiny of policy. – surfasb – 2011-12-04T19:13:37.143