EPICS Home

Experimental Physics and Industrial Control System


 
1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  <20232024  2025  Index 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  <20232024  2025 
<== Date ==> <== Thread ==>
Subject: Re: [EXTERNAL] Re: PVA connection problem
From: "Kasemir, Kay via Tech-talk" <tech-talk at aps.anl.gov>
To: Jörn Dreyer <j.dreyer at hzdr.de>, "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov>
Date: Tue, 17 Oct 2023 14:37:36 +0000

> course port XXX is not covered by the firewall rules and is random

 

Yes, that’s a known issue with the original PVA server implementation, https://github.com/epics-base/pvAccessCPP/issues/159 .

You simply can’t use the original PVA server via firewalls unless you allow all UDP traffic, which isn’t practical.

 

With the newer PVXS implementation of the PVA server, that’s been fixed.

A firewall usually involves a gateway, and when you use the PVXS-based PVA gateway, https://mdavidsaver.github.io/p4p/gw.html, you can place that behind a firewall just fine. The IOCs handled by that PVA gateway may still use the original PVA server with random UDP ports, but that’s not a problem inside your controls network. The gateway that you reach via the firewall will stick to the known UDP port for searches and replies. Or you might actually use TCP-only name lookup and avoid UDP altogether for the gateway & firewall.

 

 

 

From: Tech-talk <tech-talk-bounces at aps.anl.gov> on behalf of Jörn Dreyer via Tech-talk <tech-talk at aps.anl.gov>
Date: Tuesday, October 17, 2023 at 10:30 AM
To: tech-talk at aps.anl.gov <tech-talk at aps.anl.gov>
Subject: [EXTERNAL] Re: PVA connection problem

Hello

Sorry for not citing the old messages. I just found the topic on tech-talk as I was looking for a strange behavior I observed when playing around with NDPluginPVA.
I was able to do a "pvget some_pv" on the machine where the IOC is running, but not on another machine. I had exactly the same ideas as commented here (adding ports 5075/5076 to the firewall) but without luck.
Then I started up wireshark and tested with and without firewall and figured out whats going on.

Without firewall:

Clients sends from port XXX to 5076
Server replies from port YYY to XXX
Client can read data!

With firewall:

Clients sends from port XXX to 5076
Server replies from port YYY to XXX
Client replies with ICMP message
Server gives up, no data transfered!

Of course port XXX is not covered by the firewall rules and is random (> 50000 in my case). One can get around this if you open your firewall for all UDP traffic.
But that is not what you really want to do in a bigger network with lots of broadcast traffic. So opening ports 5075/5076 is not necessary.

So my hope is that one can force pvget/pvput to use a dedicated port that can be added to the firewall rules.

Regards,

Jörn


Replies:
Re: [EXTERNAL] Re: PVA connection problem Jörn Dreyer via Tech-talk
References:
Re: PVA connection problem Jörn Dreyer via Tech-talk
Navigate by Date:
Prev: Re: PVA connection problem Jörn Dreyer via Tech-talk
Next: Re: Cross Compilation of Epics-base Han Lee via Tech-talk
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  <20232024  2025 
Navigate by Thread:
Prev: Re: PVA connection problem Jörn Dreyer via Tech-talk
Next: Re: [EXTERNAL] Re: PVA connection problem Jörn Dreyer via Tech-talk
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  <20232024  2025