How to properly setup rules for Akamai download managers



  • i'm pretty new to pfsense, and I thought I should ask how to do this prior to just adding a bunch of rules that I'm not so sure of…

    I have client computers using the Adobe Application Manager which installs their softwares and updates.  it checks the adobe servers for the license and versions, and if detects an update or the user requests an install, the updates are sent via Akamai network via UDP.

    by default, it looks like pfsense is blocking these inbound streams:

    so, how should I handle configuring NAT to permit this type of connection back to the client computers?

    I looked at the status:interfaces and they're definitely getting dropped at the WAN.

    The odd thing it seems to me, is that the source address looks like private ones, so could it be that pfsense is modifying that or is that something that Akamai is doing?

    when I run Process Monitor on a client computer, I can clearly see that outbound from the client workstation is communicating ok with their systems:

    10:54:48.1476864 AM PDapp.exe 4888 TCP Connect workstation00:3538 -> a96-17-202-177.deploy.akamaitechnologies.com:http SUCCESS Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65700, rcvwinscale: 8, sndwinscale: 7, seqnum: 0, connid: 0
    10:54:48.1479511 AM PDapp.exe 4888 TCP Send workstation00:3538 -> a96-17-202-177.deploy.akamaitechnologies.com:http SUCCESS Length: 229, startime: 94189, endtime: 94189, seqnum: 0, connid: 0
    10:54:48.1758005 AM PDapp.exe 4888 TCP Receive workstation00:3538 -> a96-17-202-177.deploy.akamaitechnologies.com:http SUCCESS Length: 378, seqnum: 0, connid: 0
    10:54:48.1760687 AM PDapp.exe 4888 TCP Receive workstation00:3538 -> a96-17-202-177.deploy.akamaitechnologies.com:http SUCCESS Length: 0, seqnum: 0, connid: 0
    10:54:48.1760797 AM PDapp.exe 4888 TCP Disconnect workstation00:3538 -> a96-17-202-177.deploy.akamaitechnologies.com:http SUCCESS Length: 0, seqnum: 0, connid: 0

    perhaps some kind of handshaking over HTTP (maybe two left hands)…. :-\



  • That traffic originating from private IPs is not coming Akamai from the network. It is DHCP client broadcast requests looking for a DHCP server. You shouldn't be seeing these on your WAN interface, but it's not unheard of on large cable ISP networks.



  • oh I see, i guess I should have looked up that port reference.. my fault.

    I guess then, I am in teh dark on why this Adobe Application Manager software is not functioning behind pfsense >.<



  • ok, i have now atleast this working… I had squid transparent proxy package running and adding deploy.akamaitechnologies.com to the bypass filter allows the client to function properly.

    I had noticed in the States logs something similar to:

    127.0.0.1:3128 <- 96.17.202.194:80 <- 10.0.1.250:54094

    which i recalled the loopback/port thing that squid does when I read about it.

    would be great to be able to cache these downloads, but for now I guess this will do...

    i'll head over to the squid package area and educate myself a bit more, perhaps a custom option will solve this for good.