Asus RT-AX88U Closed Ports vs. Stealth

[ColinTaylor]

okay, awesome. Thanks again for your time and expertise.

Might you have any other suggestions on why these ports are behaving this way?

Not really. It's something upstream of your router. It could be anywhere between your ISP gateway server and the GRC website.

 

[Woofer Wrecker]

Understood. You have been a tremendous help, sir. Thank you very much. I really appreciate your time.

 

[eibgrad]

Here's another way to know exactly which firewall, yours or the ISP's, is blocking ports.

You can add the following firewall rules to the router (using SSH) and try Shields Up again.

iptables -t raw -I PREROUTING -i $(nvram get wan0_ifname) -p tcp --dport 89 -j ACCEPT
iptables -t raw -I PREROUTING -i $(nvram get wan0_ifname) -p tcp --dport 90 -j ACCEPT

If you subsequently dump the PREROUTING chain of the raw table …

iptables -t raw -vnL PREROUTING

… and do NOT see any packets (pkts field = 0) for those rules, you know for certain those ports are being blocked upstream of your router, otherwise your own router would be seeing them and show it (in my own case, they are NOT being blocked and report four (4) packets each).

You could even use the following script to review ALL of the tested ports (plus ping/icmp) this way.

#!/bin/sh
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
i=1023
while [ $i -ge 0 ]; do
    iptables -t raw -I PREROUTING -i $WAN_IF -p tcp --dport $((i--)) -j ACCEPT
done
iptables -t raw -I PREROUTING -i $WAN_IF -p icmp -j ACCEPT

Run Shields Up again and then search for any rules that show ZERO packets.

iptables -t raw -vnL PREROUTING | egrep '^\s*0'

In my case, I get the following …

    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:136
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:137
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:138
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:179
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445

Seems about right to me.

You can flush those same rules w/ a reboot.

P.S. The above assumes you're testing Shields Up over the WAN, NOT the VPN.

 

[Woofer Wrecker]

Thank you eibgrad. Although I have the least possible understanding of the results, I see that the packets column is 0 for ports 0 through 1023.

I am going to put this system outside the VPN and see if it is them who are blocking those ports. I do hope that is the case, as I have no other idea where to look! LOL

tcp dpt:1023
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:90
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:89

 

[Woofer Wrecker]

Nope, still blocked when outside the VPN, and after running your scripts. I guess it is Spectrum, even though they don't list 89 or 90 as ports they block.

Again, thank you both, ColinTaylor and eibgrad. You guys are very much appreciated. Your depth of knowledge is astounding! Thank you for sharing it with a noob like me!

 

[Woofer Wrecker]

Just to follow up, after suddenly having connection issues with my VPN and chatting with the support, I was given 10 new servers to try out. As soon as I connected to the VPN, the ports were closed again. This was after a perfect stealth score when not connected to the VPN. So it's Nord VPN that are the culprits.

 

[ColinTaylor]

Just to follow up, after suddenly having connection issues with my VPN and chatting with the support, I was given 10 new servers to try out. As soon as I connected to the VPN, the ports were closed again. This was after a perfect stealth score when not connected to the VPN. So it's Nord VPN that are the culprits.

Ah! I think I get it now.

I must apologise, all along I thought you were running the GRC test from a client that was excluded from your VPN routing. I assumed that when you said "... and route all but a few devices through the VPN tunnel".

To me it seems obvious that you shouldn't be testing via a VPN as what you'd be testing is the VPN provider's public facing server and not your router. But I shouldn't have assumed that, so apologies again.