ASUS AC routers won’t port forward


Jere Larson

Occasional Visitor
Hello SNB Forum !!

I have a solid, always occurring port forwarding problem that I’ve been struggling with for ten days.

I’ve searched the web, and SNB Forum, but found nada !!

I’m building a new network in a large home in Anchorage, Alaska.

In test, I have -
2ea RoG Rapture AC11000
2ea RT-AC68U

They are configured for testing, with only mode and addresses differing. Been testing AiMesh - which is working perfectly. Gonna be great.

But I can’t get simple port forwarding to work for love or money.

I’ve simplified the testing baseline down to one router configured as router. Factory Reset and hand configured from scratch.

Tried all two routers of both models.

Nothing fancy -
ASUS Firmware:
On AC-11000’s *** 384 ***
On AC-68U’s *** 385 ***
Unsecured Wan
Lan DHCP pool .71-.99
DDNS using dyndns.org
No AiMesh
That’s about it ...

My ISP is rock solid.
DDNS never fails.
No Windows PC in the path.
Tried Firewall off
Tried NAT off
Typical entries in the forwarding table:

Freeze1 blank 8231 8231 192.168.1.231

Tried the local port as blank.

2 physical routers of 2 different types ( Four routers total ) !! - it’s not a hardware problem ...

I have older Linksys and Netgear routers with very similar configurations -

They port forward perfectly, which eliminates any ISP problems.

There are online and active IP devices behind each port - freeze detectors, temperature sensors in refrigerator and deep freeze, moisture / leak detectors, a few cameras, etc.

I use several port scanner utilities, including the one in “Network Analyzer” running on iOS. All my port tools report accurately.

I’m about to pull my hair out !!!

Obviously something is wrong in my configuration ??

Sure hope someone has seen this before !! I’m just buffaloed !!

Sincerely,

Jere Larson
Anchorage, AK
 

eibgrad

Very Senior Member
When you're testing these port forwards, are you doing so from *outside* the WAN? For example, on a smartphone using the cellular network?

What I'm thinking is perhaps you're trying to test them from *inside* the local network, the same one as the target devices. But that requires nat loopback (aka, hair-pinning) to be enabled. Maybe your older Linksys and Netgear have this enabled by default, but NOT your newer routers.
 

ColinTaylor

Part of the Furniture
Do not disable the firewall or NAT.

Go to Network Map > Internet status. What are the first two octets of the WAN IP address?

Go to System Log > Port Forwarding and confirm that your port forwarding rules have been applied successfully.
 

ColinTaylor

Part of the Furniture
I thought it might be CGNAT as well, but he claims the older Linksys and Netgear work!
Cable modems typically give out different IP addresses for different MAC addresses. There's been a few cases reported here where the old device got a public IP but the new one got a CGNAT address.
 

eibgrad

Very Senior Member
Cable modems typically give out different IP addresses for different MAC addresses. There's been a few cases reported here where the old device got a public IP but the new one got a CGNAT address.

Wow, didn't know that. Learned something new again.

So I assume the answer was to clone the old MAC to the new router.
 

Jere Larson

Occasional Visitor
When you're testing these port forwards, are you doing so from *outside* the WAN? For example, on a smartphone using the cellular network?

What I'm thinking is perhaps you're trying to test them from *inside* the local network, the same one as the target devices. But that requires nat loopback (aka, hair-pinning) to be enabled. Maybe your older Linksys and Netgear have this enabled by default, but NOT your newer routers.

Thank You Sir !!

Yes, I’m “Outside” coming in thru my DDNS dedicated domain and my ISP.

Actually, I’m currently traveling in Florida.

I access the router under test if I want to make changes or check status on my local LAN using TeamViewer Remote Desktop.

Sincere Thanks for taking an interest in this !!

Hopefully the answer will be interesting and not something stupid I’ve done.
 

Jere Larson

Occasional Visitor
Cable modems typically give out different IP addresses for different MAC addresses. There's been a few cases reported here where the old device got a public IP but the new one got a CGNAT address.

Thanks !!

Everything else is super solid. My ISP blocks nothing.

I have configured remote access to the router, and this “backdoor” port always opens, and is completely reliable for remote access ...

Good ideas - Thanks - Jere
 

eibgrad

Very Senior Member
Thanks !!

Everything else is super solid. My ISP blocks nothing.

I have configured remote access to the router, and this “backdoor” port always opens, and is completely reliable for remote access ...

Good ideas - Thanks - Jere

I don't understand. What "backdoor" port? Are you saying you have this fixed now to your satisfaction?
 

Jere Larson

Occasional Visitor
Do not disable the firewall or NAT.

Go to Network Map > Internet status. What are the first two octets of the WAN IP address?

Go to System Log > Port Forwarding and confirm that your port forwarding rules have been applied successfully.


Thanks Colin !!

Firewall and NAT are currently enabled.

My WAN IP is obtained by DHCP from my ISP. It changes every week or so, as the lease expires.

My current external IP begins with 65.74 which is GCI in Alaska. They have several non-continuous blocks, so it isn’t always 65.

I run the ASUS internal DDNS agent and my personal domains are registered with dyndns.org. This has been bulletproof. I don’t even lose sessions when my external IP changes. Even FaceTime is seamless.

I’ve been occasionally monitoring the Port Forwarding Log, and it accurately shows what is in my PF table. Also as I do adds, edits and deletes.

These are great suggestions. Many Thanks !!

Jere
 

Jere Larson

Occasional Visitor
I don't understand. What "backdoor" port? Are you saying you have this fixed now to your satisfaction?

Nope - Sorry ...

This feature is set under:

Administration/System/RemoteAccessConfig

The default address was 84?? or something.

I don’t remember exactly. I’ve changed it to 8*** for better security.

This port always shows open. I don’t have to configure it in my Port Forwarding table.

I can reliably access my router via:
MyDomain.dyndns.org:8***

I once heard this feature being called the backdoor...

Kind Thanks for your help !! Jere
 

dave14305

Part of the Furniture
A picture can be worth 1000 posts. Can you post a screenshot of the Port Forwarding page under WAN?
 

Jere Larson

Occasional Visitor
A picture can be worth 1000 posts. Can you post a screenshot of the Port Forwarding page under WAN?

Hi Dave !!

27B88D02-50D1-4F85-8190-8328711A8D3A.jpeg


This is the abbreviated list I’m using for testing. If we can get these to forward,
the other 15 or so ports should also ...

Great suggestion !! Many Thanks, Jere
 

dave14305

Part of the Furniture
Hi Dave !!

View attachment 27630

This is the abbreviated list I’m using for testing. If we can get these to forward,
the other 15 or so ports should also ...

Great suggestion !! Many Thanks, Jere
I hurt my neck trying to read this upside down. :p

So each device listens on a unique custom port that resembles its fourth octet? Is that necessary?
 

Jere Larson

Occasional Visitor
I hurt my neck trying to read this upside down. :p

So each device listens on a unique custom port that resembles its fourth octet? Is that necessary?

Sorry, I did a rotate and posted again - still upside down ??? The original was rightside ???

Anyway, your question might be beyond my paygrade. This is how I’ve always done it on Linksys and Netgear, specifying the external and internal port numbers and the local LAN IP of the resource ...

Thanks Dave !! I really appreciate your help !!

Jere
 

Jere Larson

Occasional Visitor
In your port forwards, try adding 0.0.0.0/0 in the Source IP field.

Hello Sir

This is an inspired idea !! When I woke for a bit (it was 4:35 in Florida), I couldn’t wait to try it !!! I was really hopeful !!! Oh the Shuckens. Foiled by this gremlin again.

Great idea !!

Kind Thanks for your interest and help !!

Jere
 
