ASUS RT-AC3100 Merlin Port Forwarding Issue

[Vinh Nguyen]

I am trying to view my cameras outside my network. I have a Lorex NVR and have had support assist me and check my DDNS settings and everything looks good. I can't seem to forward any ports on my router though. Using a port checker, it confirms my ports are blocked. Looking for any assistance. Perhaps I have some settings conflicting or something?

Merlin Firmware: 384.15
Note: Some troubleshooting things I've done

• I tried to turn on DMZ for the NVR but the ports are still blocked.
• When I enable web access from WAN for the router over 8443, it opens the port and works on WAN.
• Checked NVRAM - 65704/131072
• Ensured UPnP is enabled
• Firewall is enabled

Appreciate any assistance anyone could provide. Thanks in advance.

 

[RMerlin]

Make sure your router isn't behind another router, which would block all inbound traffic before it reaches your Asus router.

 

[Vinh Nguyen]

I have Xfinity and called them. They stated they do not block any of these ports from their side. Aside from that, there is only a cable modem in front of the router. So either Xfinity is lying or something else is going on.

Appreciate the suggestion though.

https://www.xfinity.com/support/articles/list-of-blocked-ports

 

[ColinTaylor]

What is the model number of your NVR?

 

[Travison]

Have you tried port scanning from inside your LAN?

 

[Vinh Nguyen]

What is the model number of your NVR?

It is a Lorex LNR6108-N.

 

[Vinh Nguyen]

Have you tried port scanning from inside your LAN?

Have not tried that but I'll do that shortly. Thanks for the idea.

 

[Vinh Nguyen]

Doing port scan on the router, i get the below. Think this confirms port fowarding is not happening on the router?

Host is up (0.0086s latency).

Not shown: 50 filtered ports, 45 closed ports

PORT STATE SERVICE

22/tcp open ssh

53/tcp open domain

139/tcp open netbios-ssn

445/tcp open microsoft-ds

9100/tcp open jetdirect

MAC Address: 70:8B:CD:31:B1:18 (Asustek Computer)



Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds

 

[ColinTaylor]

Doing port scan on the router, i get the below.

I think he meant port scan the NVR (for ports 80 and 35000), not the router.

 

[Vinh Nguyen]

I think he meant port scan the NVR (for ports 80 and 35000), not the router.

I did both but I thought router made more sense. Here is the one for the NVR. Looks like it's open there.

Host is up (0.0043s latency).

Not shown: 97 closed ports

PORT STATE SERVICE

80/tcp open http

443/tcp open https

554/tcp open rtsp

MAC Address: 00:40:7F:B8:14:AC (Flir Systems)



Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

 

[ColinTaylor]

I did both but I thought router made more sense. Here is the one for the NVR. Looks like it's open there.

Can you check port 35000 as well please.

 

[Vinh Nguyen]

Can you check port 35000 as well please.

Yes, looks to be open as well. First one was a quick scan and I guess it doesn't scan up to 35000 but an intense scan did.

Scanning 192.168.2.200 [65535 ports]

Discovered open port 443/tcp on 192.168.2.200

Discovered open port 80/tcp on 192.168.2.200

Discovered open port 554/tcp on 192.168.2.200

Discovered open port 8686/tcp on 192.168.2.200

Discovered open port 35000/tcp on 192.168.2.200

Discovered open port 56447/tcp on 192.168.2.200

 

[ColinTaylor]

What are to first two octets of your WAN IP address as seen in the router's GUI? (Network Map > Internet)

Does this WAN IP address match that shown when you go to https://canyouseeme.org/ ?

 

[Vinh Nguyen]

What are to first two octets of your WAN IP address as seen in the router's GUI? (Network Map > Internet)

Does this WAN IP address match that shown when you go to https://canyouseeme.org/ ?

73.115

Yes it does.

 

[ColinTaylor]

73.115

Yes it does.

OK, thanks for that. I just wanted to check that you weren't behind some kind of CGNAT.

Well I'm stumped. Your internal scan shows the ports to be listening. Your screenshot in post #1 shows that the ports are forwarded correctly.

I could believe there might be a problem with forwarding port 80 (either with the router or the ISP) but not with ports 554 and 35000.

Have you tested those two ports recently using https://canyouseeme.org/ ? Are they still showing as closed.

 

[Vinh Nguyen]

Both are still showing up closed. Was thinking about flashing the router back to the default firmware. This bullet gets me though. How does it open and work when the others don't?

• When I enable web access from WAN for the router over 8443, it opens the port and works on WAN.

 

[ColinTaylor]

Both are still showing up closed. Was thinking about flashing the router back to the default firmware. This bullet gets me though. How does it open and work when the others don't?

• When I enable web access from WAN for the router over 8443, it opens the port and works on WAN.

The difference between enabling web access (8443) and what you're doing is that 8443 isn't forwarding any ports. The port 8443 service is listening on the router's WAN interface. What you are trying to do is forward traffic from the WAN to the LAN client.

I assume that you aren't using the router's VPN client or server? Your NVR isn't connected to a guest WiFi network or another intermediate router?

 

[Vinh Nguyen]

Ok, that makes sense.

No, I am not using VPN. The NVR is on the internal network and directly attached to the router (ethernet). Network is pretty straight forward. Cable modem>router>switch.

 

[ColinTaylor]

Was thinking about flashing the router back to the default firmware.

I think I'd try just doing a factory reset rather than changing firmware versions.