Sophos (Astaro) UTM 9 opening ports for Utorrent (bittorrent) - this works

This worked of rme, was simple to implement and I thank the original author for posting it...

Source: http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/42529-utorrent-guide.html

After spending 2 days trying to make uTorrent work behind Astaro 8 I finally managed to solve it. Here is how I did...

Astaro gurus out there - feel free to comment on this...am I doing anything stupid here?

1. Create the Definition for the computer running uTorrent

Definition and Users -> Network Definitions -> New Network Definition ->

Name: uTorrent host (or whatever you want to call your seedbox)
Type: Host
Interface: Any
IPv4 Adress: 192.168.10.100 (or whatverver LAN address your seedbox has)
Comment: Whatever you want


2. Create the Service Definition

Definition and Users -> Service Definitions -> New Service Definition ->

Name: uTorrent
Type of Definition: TCP/UDP
Destination port: 55555 (or whatver port you have set in uTorrent)
Source port 1:65535
Comment: Whatever

3. Create NAT Rule

Network Security -> NAT -> DNAT/SNAT -> New NAT rule

Traffic Source: Any
Traffic Service: uTorrent
Traffic Destination: External (WAN) Network - (I dont really understand why it shouldn´t be Any to Internal......but it must be External)
Nat Mode: DNAT
Destination: uTorrent Host (the host definition created under p. 1 above)
Destination Service: uTorrent (the service definition created under p. 2 above)
Automatic Firewall rule: On

Turn it on, i.e. press the red/green switch

4. Create the outbound firewall rule

Firewall -> New Rule

Source: uTorrent Host
Service: Any
Destination: Any

Turn it on, i.e. press the red/green switch

This will open all outbound communication from the uTorrent host

5. Create the inbound firewall rule

Firewall -> New Rule

Source: Any
Service: uTorrent
Destination: uTorrent Host

Turn it on, i.e. press the red/green switch

----------------------------------------

Happy seeding!

//

Attached Images

	definition.PNG (35.3 KB, 29 views)
	service definition.PNG (37.3 KB, 27 views)
	NAT Rule.PNG (62.3 KB, 27 views)
	outbound rule.PNG (54.4 KB, 25 views)
	inbound rule.PNG (53.8 KB, 25 views)

dilandau Senior Member Join Date: Jan 2008 Posts: 427

#2 (permalink)   04-25-2012, 09:20 PM Hi, Looks pretty good, I would just add for your DNAT rule I would suggest changing the traffic destination from External (wan) Network to using the External (WAN) Address. Then just traffic destined for the External IP will be forwarded instead of traffic for the whole network. Probably would only affect someone who had additional IP's configured on the interface. Also just to point out in #4 if someone didn't want to allow all services they could just allow the utorrent service for outbound traffic. (Might need to create another service with the source being the utorrent port) Step 5 would only be necessary if you didn't turn on the automatic packet filter rule in step 3. Good job outlining the steps, should be pretty useful as this question comes up pretty often.

VelvetFog Wizard Join Date: Dec 2003 Location: Calgary, Alberta, Canada Posts: 1,234

#3 (permalink)   04-29-2012, 11:26 PM Quote: Originally Posted by djfralla 3. Create NAT Rule Network Security -> NAT -> DNAT/SNAT -> New NAT rule Traffic Source: Any Traffic Service: uTorrent Traffic Destination: External (WAN) Network - (I dont really understand why it shouldn´t be Any to Internal......but it must be External) Nat Mode: DNAT Destination: uTorrent Host (the host definition created under p. 1 above) Destination Service: uTorrent (the service definition created under p. 2 above) Automatic Firewall rule: On The traffic destination for the Internet traffic by bit torrent peers sending requests to your bit torrent client is your External (WAN) Interface. Specifying External (WAN) Network is therefore ambiguous, and specifying an Internal IP address would be completely in error, since 192.168.xx.yy series "fakenet" addresses do not exist on the public Internet (reference: IRC1918). __________________ ASG v8.311 at home - HP Compaq EVO D530 2.66 GHz, 2 GB RAM, 40 GB HD, 3 NICs - Gigabit LAN - 15 Mbit WAN

djfralla Junior Member Join Date: Apr 2012 Posts: 2

#4 (permalink)   04-30-2012, 08:06 AM Quote: Originally Posted by VelvetFog The traffic destination for the Internet traffic by bit torrent peers sending requests to your bit torrent client is your External (WAN) Interface. Specifying External (WAN) Network is therefore ambiguous, and specifying an Internal IP address would be completely in error, since 192.168.xx.yy series "fakenet" addresses do not exist on the public Internet (reference: IRC1918). Should I change from wan network to wan interface?

BarryG Moderator Join Date: Jul 2001 Location: southern California Posts: 9,197

#5 (permalink)   04-30-2012, 08:56 PM Yes. It's probably called "External (WAN) Address". Barry __________________ http://BlogSec.net http://JobOyster.com http://DealBert.net IT Consultant specializing in high-performance Web Infrastructure and Security. Astaro End-user since v1.x ASL 8.3x, HP DL145, 6 gigE NICs ASL 7.5x, HP DL360G5, Platinum License ASL 9.0x, Fanless Atom n270, 2GB RAM, 2 Intel GigE Netgear GS108T gigE switch & Astaro AP30 Access Point with 4 VLANs. 100-IP Home Power User License. 25/10mbit FiOS internet. Source: http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/42529-utorrent-guide.html