Can only open ports when internal/external is different

[stanstrup]

Hi,

I am using a new RT-AC88U with the Merlin software (the issue I will describe also happens with official firmware).
Firmware: 380.67_beta4

Like many others I am having trouble opening ports on this router. I have disabled the firewall and disabled NAT Acceleration as suggested when people had problems.

I have now figured out that things work if the external (Port Range) and internal (local) port is different when I open ports.
If I set the same port or leave the local port blank the port stays closed. This is consistent when I try using RDP. For RDP and I could even live with that setup.

But I have other programs where the external and internal ports need to be the same. So any idea how to fix this or explain what is going on?

 

[ColinTaylor]

I can't help you with your problem , it's not one that's effecting me .

But don't disable the firewall. Anyone that suggests that is an idiot (or doesn't understand the consequences).

 

[Vexira]

Hi,

I am using a new RT-AC88U with the Merlin software (the issue I will describe also happens with official firmware).
Firmware: 380.67_beta4

Like many others I am having trouble opening ports on this router. I have disabled the firewall and disabled NAT Acceleration as suggested when people had problems.

I have now figured out that things work if the external (Port Range) and internal (local) port is different when I open ports.
If I set the same port or leave the local port blank the port stays closed. This is consistent when I try using RDP. For RDP and I could even live with that setup.

But I have other programs where the external and internal ports need to be the same. So any idea how to fix this or explain what is going on?

have you upgraded to the final build of 380.67, also what programs are you trying to get to work, internal port range is ports devices liek your pc can see, external is ports the router can use from the wan side.

 

[Vexira]

Also are you using upnp or manual port forward, if your comming from asus to merlin do a factory reset, to make sure every thing is all good, also upgrade to the stable build first. I have the 88u as well but my upnp works for most things bit there are still a few issues that i need to post about, im just trying to gauge if its the same issues as mine. I just need to know what your having issues with exactly, ie a game, a game console eg an xbox one, or a particular game on xbox or playstation, or if its a pc game or program, or possibly a server. If i you could please elaborate on the problem i might be able to help.

 

[stanstrup]

I tried the final 380.67 and I get same result. I have the same problem with the official firmware. I did do a complete wipe when I changed to Merlin.

I am using RDP to test since it is easy to see if it works or not.
if I do external:local 3399:3389 I can connect on 3399. If I do 3389:3389 (or leave the local empty) I cannot connect. http://canyouseeme.org give the same result that only when I do 3399:3389 it is reported as open. Same when I try with Plex.

upnp is enabled in the router. I forgot but yes if I enabled upnp in the other program I am trying to make work it actually works. If I forward the same ports manually that is when it doesn't work. It is the manual forwarding I am trying to get to work. To be sure it is not the program that is acting weird I am using RDP to test as I said and noticed this odd behavior of different external:local ports working.

 

[ColinTaylor]

@stanstrup When testing the connection make sure you have temporarily turned off the Windows firewall.

 

[stanstrup]

Yes. I checked again just to make sure and it didn't help.

 

[Vexira]

Try using the port checker utility here
https://portforward.com/store/pfconfig.cgi
Works better than the port checker websites, I never got them to work.

 

[ColinTaylor]

Try using the port checker utility here
https://portforward.com/store/pfconfig.cgi
Works better than the port checker websites, I never got them to work.

There's no way I'd trust anything from that site, let alone pay them $40 for their software!

 

[Vexira]

There's no way I'd trust anything from that site, let alone pay them $40 for their software!

Just go to the installation folder copy the port checker app then un install it. Trust it or not it works.

 

[stanstrup]

I appreciate the advise but I don't think there is any need to test more if the port is open or not. The bug is consistent and RDP shows well enough if the port is open or not. I also used Plex's build in port checker and I see the same thing there.

 

[Vexira]

I appreciate the advise but I don't think there is any need to test more if the port is open or not. The bug is consistent and RDP shows well enough if the port is open or not. I also used Plex's build in port checker and I see the same thing there.

hmm understanbale maby merlin must have to look at it

 

[ColinTaylor]

Maybe it's something that will be fixed in the next release:

Asuswrt-Merlin Changelog
========================

380.68 Beta (xx-xxx-2017)
  - FIXED: Port forward/UPNP issues with CTF enabled depending on
           selected NAT loopback mode.

 

[MarioCaires]

Maybe it's something that will be fixed in the next release:

Asuswrt-Merlin Changelog
========================

380.68 Beta (xx-xxx-2017)
  - FIXED: Port forward/UPNP issues with CTF enabled depending on
           selected NAT loopback mode.

AFAIK that's only an issue with Merlin's NAT loopback! Should be ok with Asus's option...

 

[stanstrup]

Thanks. Tried both Asus and Merlin loopback to rule this out.

 

[Marko Polo]

Having some troubles with ports too. I somewhat opened 5060 port for Asterisk, but still cannot register from the machines not in LAN.
Some of the online scanners show it as opened, some show as filtered

Host is up.

PORT     STATE    SERVICE

5060/tcp filtered sip

Here is my INPUT chain from iptables:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:51413
ACCEPT tcp -- anywhere anywhere tcp dpt:51413
logdrop icmp -- anywhere anywhere icmp echo-request
logaccept all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere state INVALID
PTCSRVWAN all -- anywhere anywhere
PTCSRVLAN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
logaccept udp -- anywhere anywhere udp spt:bootps dpt:bootpc
SSHBFP tcp -- anywhere anywhere tcp dpt:29 state NEW
logaccept tcp -- anywhere anywhere tcp dpt:8082
logaccept tcp -- anywhere anywhere tcp dpt:https
INPUT_ICMP icmp -- anywhere anywhere
logdrop all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:5060
ACCEPT tcp -- anywhere anywhere tcp dpt:5060
ACCEPT udp -- anywhere anywhere udp dpt:4569
ACCEPT udp -- anywhere anywhere udp dpt:5036
ACCEPT udp -- anywhere anywhere udp dpts:10000:20000
ACCEPT udp -- anywhere anywhere udp dpt:2727

 

[mstombs]

Having some troubles with ports too. I somewhat opened 5060 port for Asterisk, but still cannot register from the machines not in LAN.
Some of the online scanners show it as opened, some show is as filtered

Host is up.

PORT     STATE    SERVICE

5060/tcp filtered sip

Here is my INPUT chain from iptables:

Are you running Asterisk on the router? INPUT table is for connections to services running on the router. Port forwarding requires an entry in nat PREROUTING and FORWARD. Did you add those rules manually? - they seem to be below a drop all! I recommend to use these commands from an ssh console to see all the rules and counters

iptables -nvL -t nat
iptables -nvL

[Edit]Do review and obscure private IP addresses and port allocations before posting on public forums... Loopback at least also uses the "-t mangle" table.

 

[Marko Polo]

Are you running Asterisk on the router?

Yes, indeed.

INPUT table is for connections to services running on the router.

That's what I wanted to reveal recently. What is the relation port forwarding module in GUI to iptables? Is GUI simply a wrapper for IPTABLES and they are similar? Do they complement each other? Do they address different types of tasks?

Port forwarding requires an entry in nat PREROUTING and FORWARD.

Do I need port forwarding for the service residing on router?
Here is iptables -nvL -t nat output:

Chain PREROUTING (policy ACCEPT 35062 packets, 5812K bytes)
 pkts bytes target     prot opt in     out     source               destination     
 7532  713K VSERVER    all  --  *      *       0.0.0.0/0            177.XX.145.20   

Chain INPUT (policy ACCEPT 16108 packets, 1192K bytes)
 pkts bytes target     prot opt in     out     source               destination     

Chain OUTPUT (policy ACCEPT 174K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination     

Chain POSTROUTING (policy ACCEPT 161K packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination     
50604 3666K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0       
 4654  848K MASQUERADE  all  --  *      eth0   !177.XX.145.20        0.0.0.0/0       
13297 1048K MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24   

Chain DNSFILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination     

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination     

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination     

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 
Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination     
    0     0 DNAT       tcp  --  *      *       51.XX.XX.XX          0.0.0.0/0            tcp dpt:XX to:192.168.1.100:XXXX
    0     0 DNAT       tcp  --  *      *       51.XX.XX.XX          0.0.0.0/0            tcp dpt:XXXX to:192.168.1.100:XXXX
    0     0 DNAT       tcp  --  *      *       51.XX.XX.XX          0.0.0.0/0            tcp dpt:XX to:192.168.1.106:XX
    0     0 DNAT       tcp  --  *      *       51.XX.XX.XX          0.0.0.0/0            tcp dpt:XXXX to:192.168.1.100:XXXX
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:XXXX to:192.168.1.100:XXXX
    0     0 DNAT       tcp  --  *      *       51.XX.XX.XX          0.0.0.0/0            tcp dpt:XX to:192.168.1.100:XX
    0     0 DNAT       tcp  --  *      *       51.XX.XX.XX          0.0.0.0/0            tcp dpt:XXXX to:192.168.1.103:XXXX
    0     0 DNAT       tcp  --  *      *       51.XX.XX.XX          0.0.0.0/0            tcp dpt:XX to:192.168.1.103:XX
    0     0 DNAT       tcp  --  *      *       51.XX.XX.XX          0.0.0.0/0            tcp dpt:XXXX to:192.168.1.100:XXXX
 7532  713K VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0       

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

 

[Marko Polo]

And here is iptables -nvL:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:3570
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3570
 5866  682K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51413
13543  648K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:51413
   21  1554 logdrop    icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 652K  247M logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1934 81646 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 124K 8847K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0         
11533  781K PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0         
11533  781K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 116K 7718K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
   40 15027 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    4   240 SSHBFP     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:29 state NEW
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
   72  4220 logaccept  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0         
 8047 1110K logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4569
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5036
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:10000:20000
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2727
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       
 971K 1223M ipttolan   all  --  *      br0     0.0.0.0/0            0.0.0.0/0         
 498K   43M iptfromlan  all  --  br0    *       0.0.0.0/0            0.0.0.0/0         
1462K 1264M logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 logdrop    all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0         
    0     0 logdrop    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 logaccept  all  --  br0    br0     0.0.0.0/0            0.0.0.0/0         
    0     0 SECURITY   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0         
 6409 1211K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0         
    0     0 logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
 6409 1211K logaccept  all  --  br0    *       0.0.0.0/0            0.0.0.0/0         

Chain OUTPUT (policy ACCEPT 813K packets, 135M bytes)
 pkts bytes target     prot opt in     out     source               destination       

Chain ACCESS_RESTRICTION (0 references)
 pkts bytes target     prot opt in     out     source               destination       

Chain FUPNP (0 references)
 pkts bytes target     prot opt in     out     source               destination       

Chain INPUT_ICMP (1 references)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13
    0     0 logaccept  icmp --  *      *       0.0.0.0/0            0.0.0.0/0         
Chain NSFW (1 references)
 pkts bytes target     prot opt in     out     source               destination       
 1259 67409 RETURN     tcp  --  br0    eth0    192.168.1.100        0.0.0.0/0            tcp spts:1:65535 dpts:1:65535
   85  4420 RETURN     tcp  --  br0    eth0    192.168.1.103        0.0.0.0/0            tcp spts:1:65535 dpts:1:65535
 3042  170K RETURN     tcp  --  br0    eth0    192.168.1.105        0.0.0.0/0            tcp spts:1:65535 dpts:1:65535
    0     0 RETURN     tcp  --  br0    eth0    192.168.1.106        0.0.0.0/0            tcp spts:1:65535 dpts:1:65535
  428  407K RETURN     udp  --  br0    eth0    192.168.1.100        0.0.0.0/0            udp spts:1:65535 dpts:1:65535
 1178  210K RETURN     udp  --  br0    eth0    192.168.1.103        0.0.0.0/0            udp spts:1:65535 dpts:1:65535
  417  352K RETURN     udp  --  br0    eth0    192.168.1.105        0.0.0.0/0            udp spts:1:65535 dpts:1:65535
    0     0 RETURN     udp  --  br0    eth0    192.168.1.106        0.0.0.0/0            udp spts:1:65535 dpts:1:65535
    0     0 RETURN     tcp  --  br0    eth0    192.168.1.101        0.0.0.0/0            tcp spts:1:65535 dpts:1:65535
    0     0 RETURN     udp  --  br0    eth0    192.168.1.101        0.0.0.0/0            udp spts:1:65535 dpts:1:65535
    0     0 logdrop    all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0         

Chain PControls (0 references)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0         

Chain PTCSRVLAN (1 references)
 pkts bytes target     prot opt in     out     source               destination       

Chain PTCSRVWAN (1 references)
 pkts bytes target     prot opt in     out     source               destination       

Chain SECURITY (1 references)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02 limit: avg 1/sec burst 5
    0     0 logdrop    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
    0     0 logdrop    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x04
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
    0     0 logdrop    icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0         
 
Chain SSHBFP (1 references)
 pkts bytes target     prot opt in     out     source               destination       
    4   240            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: SSH side: source
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source
    4   240 logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0         

Chain iptfromlan (1 references)
 pkts bytes target     prot opt in     out     source               destination       
 498K   43M RETURN     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.1.0/255.255.255.0 name: lan

Chain ipttolan (1 references)
 pkts bytes target     prot opt in     out     source               destination       
 971K 1223M RETURN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.1.0/255.255.255.0 name: lan

Chain logaccept (11 references)
 pkts bytes target     prot opt in     out     source               destination       
 5280 1170K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "ACCEPT "
2120K 1513M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0         

Chain logdrop (10 references)
 pkts bytes target     prot opt in     out     source               destination       
 8068 1111K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
10002 1193K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

 

[mstombs]

Web GUI just a config tool for iptables, which configures the kernel netfilter code. I believed inherited from Tomato the rc c-code writes an iptables export text file so all the rules can be loaded with a single iptables command and not dozens of individual script like calls. Unless changing ports I don't see a need for router destined entries needed in PREROUTING, but you can see a mis-configuration in your INPUT table, the last 6 ACCEPTs are blocked by the logdrop all above. I guess your manual portforwards end up in VSERVER, but you can see none have been matched, you are correct to obscure your own IP/PORT addresses, sorry I should have said that above. I do not know what PUPNP does, except waste CPU clock cycles on every packet leaving the router...

[edit]PUPNP is for use by miniupnpd https://www.snbforums.com/threads/u...gaming-consoles-nat.35324/page-10#post-323062