My Asus router won't let me port forward. Get error: WAN IP is not external IP.

protocol57

New Around Here
Hi guys, I've come to my wits end trying to understand what in the world is going on with my router.
I'm hoping maybe someone here can help. I've searched online but cannot seem to find a definitive answer, or even what to look for in my case.

Anyways, I have Charter/Spectrum internet in Metro Atlanta. They supplied an Arris TM1602 modem, which is connected directly to my Asus RT-N56U router, which is in "Router mode" -- not AC mode. I have the latest firmware for the router installed, and had not had any problems with port forwarding on the router before. For a long time I've had a domain pointed to my router's IP (using DDNS) and the router port forwarding to a raspberry pi server/reverse proxy for my insecure IP cams.

A few weeks ago I noticed that my port forwarding settings were just gone. I then tried to manually re-add them, for example "http: port 80 : 192.168.1.68 : port 80 : tcp" to point back to my Rpi server, but it will not save. The port forwarding table remains blank. Now on the router's web UI there's a flashing yellow (!) exclamation/warning symbol that says: "WAN IP is not external IP. External IP-based services will not work." Clicking it takes me to the WAN's Internet Connection settings page, which are pretty normal looking.

The weird part is that when I curl or go to icanhazip.com for my external IP, I get the same external IP that the router shows. So I'm left utterly confused about what the issue is.

Googling online for this type of problem seems to point to maybe the carrier doing NAT-ing on the modem, but as far as I can tell, I can only see one external IP address for me. I tried to verify this but I have no idea how to access the modem's admin interface, what IP:port it's on, nor what the credentials are to get in.

Can anyone point me in the right direction to troubleshoot this? If I have to call charter, I'd like to know at least what to say/ask so they know what to check... I'm def no network engineer but I thought I had a pretty good grasp on the basics...

Anyhow thanks in advance.
 

ColinTaylor

Part of the Furniture
What are the first two octets of your WAN IP address as reported on the router?

Do you have a VPN client setup on your router?
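
The first two octets of a WAN address are enough to tell whether it sits in private or carrier-grade NAT space, which is the upstream-NAT case the router warning refers to. The sketch below is an added example, not part of the original thread; the function names are hypothetical and the full addresses in the usage lines are constructed documentation addresses.

```python
import ipaddress

# Blocks that cannot be reached from the Internet: RFC 1918, RFC 6598, RFC 3927.
NON_ROUTABLE = {
    "10.0.0.0/8": "RFC 1918 private",
    "172.16.0.0/12": "RFC 1918 private",
    "192.168.0.0/16": "RFC 1918 private",
    "100.64.0.0/10": "RFC 6598 carrier-grade NAT",
    "169.254.0.0/16": "RFC 3927 link-local",
}


def classify_prefix(first_two_octets):
    """Classify a WAN address from its first two octets, e.g. '155.186'."""
    block = ipaddress.ip_network(first_two_octets + ".0.0/16")
    for cidr, label in NON_ROUTABLE.items():
        # Every listed block is /16 or larger, so a /16 is either fully
        # inside it or fully outside it.
        if block.subnet_of(ipaddress.ip_network(cidr)):
            return label
    return "public"


def diagnose(wan_ip, external_ip):
    """Compare the router's WAN address with what an outside service reports."""
    wan = ipaddress.ip_address(wan_ip)
    kind = classify_prefix(".".join(wan_ip.split(".")[:2]))
    if kind != "public":
        return "upstream NAT: WAN address is " + kind
    if wan != ipaddress.ip_address(external_ip):
        return "upstream NAT or proxy: WAN and external addresses differ"
    return "WAN address is public and matches: check the router and ISP port filtering"


if __name__ == "__main__":
    print(classify_prefix("155.186"))                 # prefix quoted in the thread
    print(diagnose("100.72.1.2", "203.0.113.7"))      # constructed CGNAT case
    print(diagnose("203.0.113.7", "203.0.113.7"))     # constructed matching case
```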
 

protocol57

New Around Here
> What are the first two octets of your WAN IP address as reported on the router?
>
> Do you have a VPN client setup on your router?

Hi, thanks... so:

Router reports in main "Network Map" dashboard page the WAN IP as: 155.186.xxx.xxx - this matches what I get from icanhazip.com

Yes, I was using VPN a while ago, so it's active, but I haven't tested or used it in quite some time.
Under VPN Server:

  • I have the Enable PPTP VPN Server set to Enabled.
  • Broadcast Support = ON
  • Authentication = AUTO
  • MPPE Encryption has MPPE-128 and MPPE-40 checked.
  • Connect to DNS Server Automatically = YES
  • Connect to WINS server automatically = YES
  • MRU = 1450
  • MTU = 1450
  • Client IP Address - 192.168.10.2 to .11 (Max 10 VPN clients)
  • Currently I just have 2 users setup for VPN.
Would having the router's VPN features ON have anything to do with the issue?
 

umarmung

Senior Member
You didn't actually say whether this service is unavailable from the Internet, only that the port forwarding was not visible.

For science, test if the port is exposed from the Internet with a port scanner, e.g. the famous GRC Shield's Up: https://www.grc.com/default.htm

Use a custom probe to test if it's Open.

If you have a VPN, you could easily test further. You could also try a proxy service instead, like HideMyAss to access the port if you are running a web service.

However, realistically, your Asus router is either corrupted or dying. How long have you had it?
  1. Take screenshots of your router configuration, and make a note of the firmware version.
  2. Download the Asus Firmware Restoration tool and the latest firmware.
  3. Save your router configuration, but do not attempt to Restore it at any point. It is for possible future diagnosis since it may be corrupted.
  4. Be careful to follow the exact instructions given for the Restoration utility, ideally set a static IP on your main network interface, and ensure that no other network interfaces are even enabled on the connecting PC, otherwise you could waste a lot of time wondering why the utility does not work.
  5. Use the utility, as instructed (will involve rebooting router and holding down button before reconnecting power), and latest firmware.
  6. Once logged in, immediately save your router configuration again to somewhere new.
  7. Put back your original configuration manually (not from any saved files).
  8. Make very sure that neither Remote Management is enabled nor, ideally, UPnP.
  9. When all configuration is done and tested, save your final configuration one last time to somewhere new.
  10. Reboot the router and check everything.
At no point do any of the above from the Asus mobile app. It has had major issues in the past with resetting router configurations.
 

ColinTaylor

Part of the Furniture
> Router reports in main "Network Map" dashboard page the WAN IP as: 155.186.xxx.xxx - this matches what I get from icanhazip.com

That looks OK.

> Would having the router's VPN features ON have anything to do with the issue?

No, that's fine. I was asking about the VPN client rather than the server, just in case something odd was happening there.

I can't think what the problem might be. Try the GRC port scan that @umarmung suggested. Particularly scan port 1723 which is your VPN server. It should see that.
 

protocol57

New Around Here
Ok this is weird. So port scan reveals that port 80 is closed/unreachable BUT the VPN port 1723 is open. WTF!??!

I've had this router since April 2014, so 4 years old now. Never really had this kind of weirdness happen though... could be some memory corruption, or the router "dying" I suppose.

I'll go ahead and try what @umarmung suggested.... factory resetting and re-flashing the latest stock Asus firmware. Perhaps that'll get rid of the weird issues. If not I guess I'll be in the market for a new router :)

I'll report back in a few hours. Thanks for the help guys.
 

ColinTaylor

Part of the Furniture
Make sure you haven't enabled Web Access from WAN in case that is conflicting with it somehow. Otherwise, perhaps your ISP is blocking it.

EDIT: Just remembered that you said you couldn't add the port forwarding rule for port 80, so GRC will show it as closed. No port forwarding rule is necessary for the VPN as it resides on the router itself.
 

protocol57

New Around Here
Hey guys, sorry for the long reply... been a busy week...

So I factory reset the router and the problem went away... I was able to port fwd port 80 and reach a host machine running apache. I think the factory reset cleared the NVRAM? Thus possibly removing some of the corruption or issues that it had... I guess I'll see how long it lasts... In the meantime I guess I should start looking for a good deal on a new router...

Thanks again for the help!

(feel free to send me any router recommendations, I have a pretty heavily used home network... a few streaming devices, and 2 people that work from home. I have added a lot of cat 6 wiring where possible, not to mention that currently I have 3-4 PoE IP cams (2-4MP) that are in the network along with the NVR. However, I'll be isolating the IP cams from the "normal" home network, by connecting them directly to the NVR, which would provide a separate network and free some bandwidth.)
 

umarmung

Senior Member
It depends on your budget and how you want to scale.

If you want to continue along with what you are doing but a more powerful solution, then the Asus RT-AC86U is an excellent solution. It has all the features of Asus firmware, has one of the most powerful CPUs in a consumer router, it is 3x3 2.4 GHz and 4x4 5 GHz WiFi, it has the most powerful VPN support in all consumer routers and almost universally recommended by retail VPN providers.

A featureful and scalable solution that allows high control and visibility into your network and some of the best performing WiFi available is Ubiquiti Unifi products. You can start with a Ubiquiti USG + 2x Ubiquiti UAP-AC-Lite (one per floor of the home) + Unifi Cloud Controller (nothing to do with the "Cloud", but a dongle-like thing that hosts controller software - can use a Raspberry Pi or anything else to host it too).

That solution enables you to extend your network however you like, to setup VLANs to logically segment and easily manage your network, e.g. protecting yourself from your IoT devices, and having a logical office network separate from your home network, separate from your guest network etc. They are used for small to medium business (or even US military bases!), but due to pricing they are affordable to ordinary consumers, pack a lot of features and value for that price that are not found in consumer routers.
 

protocol57

New Around Here
> It depends on your budget and how you want to scale.
>
> If you want to continue along with what you are doing but a more powerful solution, then the Asus RT-AC86U is an excellent solution. It has all the features of Asus firmware, has one of the most powerful CPUs in a consumer router, it is 3x3 2.4 GHz and 4x4 5 GHz WiFi, it has the most powerful VPN support in all consumer routers and almost universally recommended by retail VPN providers.
>
> A featureful and scalable solution that allows high control and visibility into your network and some of the best performing WiFi available is Ubiquiti Unifi products. You can start with a Ubiquiti USG + 2x Ubiquiti UAP-AC-Lite (one per floor of the home) + Unifi Cloud Controller (nothing to do with the "Cloud", but a dongle-like thing that hosts controller software - can use a Raspberry Pi or anything else to host it too).
>
> That solution enables you to extend your network however you like, to setup VLANs to logically segment and easily manage your network, e.g. protecting yourself from your IoT devices, and having a logical office network separate from your home network, separate from your guest network etc. They are used for small to medium business (or even US military bases!), but due to pricing they are affordable to ordinary consumers, pack a lot of features and value for that price that are not found in consumer routers.

Thanks for the rec, I really appreciate it. I've heard good things about Ubiquiti before and almost bought one of their Edge routers a while back... will look again into the Ubiquiti products and see how they'd work. I think before I had the impression that they might be a bit overkill for my needs, as pretty much the entire house gets pretty darn good coverage from our single router + switches/wired ports, since the house is a rather 'open' layout. What really does interest me is the VLAN capabilities, I'd love to be able to segment guests and secure any CCTV/IPcams and IoT devices... Anyways, thanks again!
 

protocol57

New Around Here
@umarmung

So I decided to pull the trigger on an EdgeRouter X... to get the VLAN capabilities and better routing.
For now, what I think I'm gonna do is set the Asus RT-N56U as just a wifi access point, and offload all the DHCP/NAT/routing to the EdgeRouter.
In the future once my Asus router craps out completely I think I'll prob get a Ubiquiti UAP-AC-Lite...

I've heard/read online though that even though this edgerouter has PoE passthru on the eth4 port to power an AC... the power adapter it has is not powerful enough (not enough amps?) to power both itself and an UAP-AC-Lite? Is this true?
 

Tekneek

Regular Contributor
> I've heard/read online though that even though this edgerouter has PoE passthru on the eth4 port to power an AC... the power adapter it has is not powerful enough (not enough amps?) to power both itself and an UAP-AC-Lite? Is this true?

Yes, you either have to move up to the 24V power supply or the ER-X-SFP.

On another note, I have been thinking about moving to the Edgerouter X myself (like almost ordering one right this second). Could you tell me what the transition was like? I love what Merlin's firmware does for my RT-AC3200, but I increasingly have the need for some advanced networking capabilities that are out of its scope.
 

protocol57

New Around Here
> Yes, you either have to move up to the 24V power supply or the ER-X-SFP.
>
> On another note, I have been thinking about moving to the Edgerouter X myself (like almost ordering one right this second). Could you tell me what the transition was like? I love what Merlin's firmware does for my RT-AC3200, but I increasingly have the need for some advanced networking capabilities that are out of its scope.

I just unboxed my EdgeRouterX this past weekend, and I'm testing the waters... right off the bat I realized I needed to do some reading on the EdgeOS and how to configure/use this thing, cuz there's many options and it's nothing like any other standard "consumer router" web UIs, there are more advanced options that let you create different networks on different port/interfaces (i.e eth1, eth2), etc. I think it'll probably take me a few months to truly get comfortable with it, so definitely don't throw your current router away! lol
 
