BBox2 Sagem Blocked – NAT out failed First packet in connection is not a SYN packet

Sometimes a Belgacom Sagem 3464 modem (BBox 2) may block all outgoing traffic on every port except port 80. You’ll get all sorts of errors from VPN clients, BitTorrent clients, and websites that are not on port 80. Typically the errors complain about being unable to connect. The router will also block all incoming NAT and server traffic.

In the security log (Firewall -> Security Log) you’ll find entries like these:

Outbound Traffic Blocked - NAT out failed TCP 192.168.1.200:1230->81.240.173.98:2499 on ppp0
Outbound Traffic Blocked - NAT out failed TCP 192.168.1.200:1229->84.105.73.50:12000 on ppp0
Outbound Traffic Blocked - NAT out failed TCP 192.168.1.200:1228->95.7.96.189:17500 on ppp0
Outbound Traffic Blocked - NAT out failed TCP 192.168.1.200:1227->82.170.211.77:12000 on ppp0
Outbound Traffic Blocked - NAT out failed TCP 192.168.1.200:1226->88.66.131.23:3170 on ppp0
Outbound Traffic Blocked - NAT out failed First packet in connection is not a SYN packet: TCP 192.168.1.50:60734->204.236.227.24:80 on ppp0

According to many internet forum posts this can only be solved by rebooting the modem, but there is another, quicker and better solution, especially when you don’t want to reboot the modem.

To quickly resolve this issue without rebooting (and thus without disrupting services like streams and uploads for long: rebooting takes minutes, while this solution takes less than a second), telnet to the Sagem modem and enter username: admin and password: BGCVDSL2
At the command prompt type:

fw_restart

Close the telnet session. You’ll now be able to connect to other ports and NAT functionality will be restored.

There is no permanent fix.
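
To tell the stuck state apart from the occasional "not a SYN packet" drop, the security log lines shown above can be parsed and grouped per LAN host. This is an added example, not part of the original post; the function names and the min_targets threshold are assumptions.

```python
import re
from collections import defaultdict

# Pattern for the BBox2 security-log lines quoted on this page. The optional
# timestamp prefix and the en dash variant appear in a reader's sample.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+)?"
    r"Outbound Traffic Blocked\s+[-–]\s+NAT out failed\s*"
    r"(?:(?P<reason>[^:]+?):\s*)?"
    r"(?P<proto>[A-Z]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+on\s+(?P<iface>\S+)$"
)

def parse_line(line):
    """Return a dict for one 'NAT out failed' entry, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["sport"], event["dport"] = int(event["sport"]), int(event["dport"])
    return event

def summarize(lines, min_targets=5):
    """Group entries per LAN host; min_targets is an assumed threshold."""
    plain, non_syn, total = defaultdict(set), defaultdict(int), 0
    for event in filter(None, map(parse_line, lines)):
        total += 1
        if event["reason"] is None:
            # New connections refused outright: the state the article describes.
            plain[event["src"]].add((event["dst"], event["dport"]))
        else:
            # Packet for a connection the firewall holds no state for.
            non_syn[event["src"]] += 1
    stuck = sorted(h for h, t in plain.items() if len(t) >= min_targets)
    return {"events": total, "stuck_hosts": stuck, "non_syn": dict(non_syn)}

# Sample: six entries from the article, one from the comments, and one
# constructed line that must not match.
SAMPLE = [
    "Outbound Traffic Blocked - NAT out failed TCP 192.168.1.200:1230->81.240.173.98:2499 on ppp0",
    "Outbound Traffic Blocked - NAT out failed TCP 192.168.1.200:1229->84.105.73.50:12000 on ppp0",
    "Outbound Traffic Blocked - NAT out failed TCP 192.168.1.200:1228->95.7.96.189:17500 on ppp0",
    "Outbound Traffic Blocked - NAT out failed TCP 192.168.1.200:1227->82.170.211.77:12000 on ppp0",
    "Outbound Traffic Blocked - NAT out failed TCP 192.168.1.200:1226->88.66.131.23:3170 on ppp0",
    "Outbound Traffic Blocked - NAT out failed First packet in connection is not a SYN packet: TCP 192.168.1.50:60734->204.236.227.24:80 on ppp0",
    "Oct 5 22:26:13 2012 Outbound Traffic Blocked – NAT out failed First packet in connection is not a SYN packet: TCP 192.168.1.3:64046->31.13.80.4:443 on ppp0",
    "unrelated log line (constructed)",
]
```

A host listed under stuck_hosts has had new connections to several distinct destinations refused, which is the pattern that fw_restart clears; hosts that appear only under non_syn are seeing isolated stateless packets.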

27 thoughts on “BBox2 Sagem Blocked – NAT out failed First packet in connection is not a SYN packet”

  1. Try blocking an IP number (doesn’t matter which one)
    FIREWALL -> ADVANCED FILTERING -> Input Rule Sets
    Add a new rule like this:

    Initial Rules
    0
    41.228.178.172 Any Any
    Drop
    Active

    After I did this, the Firewall kept on running. I didn’t need to restart anymore.

    It’s hocus pocus, I know, but it’s worth a try. Let me know if it worked. tnx.

  2. Hi,

    Thanks for the information regarding this problem.

    Is there any other way to go about this issue other than rebooting / restarting?

  3. Pingback: Moshi Monsters
  4. It didn’t work for me. I’m still getting these errors combined with “No IP for NAT – connections may fail”. I can connect to every website except for one. Getting the “No IP for NAT – connections may fail” error when I try to connect to the website itself and getting “failed First packet in connection is not a SYN packet” when I try to run a client that connects through the site…

  5. Hello, just want to let everybody know that there is a way to automatically restart the firewall using Ubuntu with a cronjob and installing under Ubuntu the following program in a terminal: $ sudo apt-get install expect. After that, copy the script and save it as restart.sh in /var/etc (you have to create the etc folder), and then you need to set it to 755.

    After that you open crontab -e and add 03 * * * * /var/etc/restart.sh to let the script run every 3 min

    #!/usr/bin/expect -f
    set timeout 5
    set echo off

    # router user name
    set name admin

    # router password
    set pass 123456789

    # router IP address
    set routerip "192.168.1.1"

    # command to run on the router (hard-coded here)
    set routercmd "fw_restart"

    # start telnet
    spawn telnet $routerip

    # send username & password
    expect "Username : "
    send "$name\r"
    expect "Password : "
    send "$pass\r"
    expect "_{admin}=>"

    # get out of ISP's Stupid menu program, go to shell
    expect " -> "
    send -- "fw_restart\r"

    # execute command (terminated with \r so the router actually runs it)
    expect "# "
    send -- "$routercmd\r"
    # exit: send a real Ctrl-D character
    send -- "\004"

  6. The cronjob should be like this

    “*/59 * * * * /var/etc/restart.sh” every 59 minutes

    instead of that one, which does not work

    03 * * * * /var/etc/restart.sh

    Maurice

  7. Still works here. Did you get an update? Check router by http, it should read:
    Runtime Code Version 60R109-60A022
    VDSL Version Firmware-VTU-R:5.5.1.2IK105012 Time Oct 1 2009, 14:04:47

  8. Hi Hans & Walter,

    Thx for feedback. Nope, none of both passwords seems to work over telnet (I tried upper case and lower case for the password)
    Just to be sure I tried “admin” as login and “BGCVDSL2” (and also “OLOVDSL2”) as password.

    @Hans: Mine: Firmware-VTU-R:5.5.1.2IK105012 Time Oct 1 2009, 14:04:47

    Any other ideas to get in this d*mmned piece of junk? I’d love to put it in bridge and/or stop the firewall.

    My problem: use port 80 to get my webmail working (was working nicely on the older bbox, but bbox2 is a straight disaster…).
    Thx all who can help me & thx to Walter&Co for this great blog!

    T.

  9. Thanks for this topic, it helped me on the way.
    I tried to play Battlefield Heroes but the game client could not find any suitable servers.
    I found out that the Bbox firewall blocked the game client’s requests because of ‘first packet in connection is not a SYN packet’
    I just turned the whole firewall+packet inspection off and now it’s working fine.

    Telnet commands to do this are:
    fw_stop
    and
    fw_filter 0

    Grtz, IM

  10. @IMweasel Keep in mind though, that disabling the firewall puts the box wide open for tampering, because the admin portal (port80) is not secured by a password, and the telnet server is secured by a default password that can be found easily.

    I would suggest to replace the modem with a Fritz!Box WLAN 7390 and use it to make the VDSL2 connection, OR keep your BBox (sagem) as a simple “modem” and setup pppoe tunnel from the Fritzbox, through the modem, to your provider. ( I will post on this subject as soon as I get my Fritz!Box )

    Check-out http://patrick.vande-walle.eu/hardware/fritzbox-7390/review/
    He seems to have successfully replaced his b-box for a fritzbox.

  11. PS/ Look carefully that the router is VDSL compatible, the FRITZ!Box 7390 is, the others aren’t.

    (Fon all-in-one: VDSL/ADSL2+ modem-router-VoIP for ADSL (annex A and annex B))

  12. True, I had already taken care of the http login page password.
    But didn’t think about the telnet login. Thanks for that.
    I now changed both user and admin passwords…that should be fine, right?

    I considered changing the bbox… But as long as I can get it working as I want to, I’ll keep it in use.

  13. Surf to your box 192.168.1.1 and go to;
    Advanced settings->system->user->change password.
    Change the password, and that will be the password for logging into your box from now on.

    When you change the administrator password;
    Advanced settings->system->administrator->change password
    It will be the password for logging in with telnet from now on…the user name will remain ‘admin’

  14. I’m running this setup for a while now and it’s quite good… pings are 27-30 ms and gaming works like a charm. Messenger, Skype, Ut0rr3nt, N3wsl33cher, all sort of web applications, it all works fine… wireless!

  15. Hi,
    I tried many of the advices on this website, but even with a reboot, I still have these messages in the Fw log :
    Oct 5 22:26:13 2012 Outbound Traffic Blocked – NAT out failed First packet in connection is not a SYN packet: TCP 192.168.1.3:64046->31.13.80.4:443 on ppp0

  16. I’ve spent hours trolling the internet, but I cannot find any solution for this “First packet in connection is not a SYN packet” problem. It seems to happen with all devices connected to the BBOX.

    (I use the wifi of the BBOX, and have wired a Linksys router into the BBOX that will in turn handle all the wired connections.)

    Any one found a solution to this ??

    PaVink.

  17. I would suggest you try the PPPoE. The Sagem supports PPPoE passthrough actually very good. I’ve read about many stable configurations. I’m planning to get a Fritz modem though, which would be able to replace the Sagem completely.

    I’m planning an experiment with PPPoE and Fritz, and will report back.

  18. Recently, Belgacom changed their software, so that you need to enter the serial number into the main page, as a security measure.
    Besides that, the admin password also changed.
    Any idea what this password is now ?
    (Today’s date is July 29, 2013)
    Suggestions ?

    Thanks a lot.
    Daniel
