Menu
What's new
By:
Filters Better Search

Port 10 Open & Responding to ICMP request?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

SevenFactors

SevenFactors

Regular Contributor
I recently got AT&T as my ISP. The combo-box router they left me with is a Pace 5268ac. What a nightmare of interface.

I've set my RTN66U on what they call DMZ+ so that it may access WAN directly, do all the firewall business & handle my LAN/WLAN. When I do this everything seems to work find. Going to ShieldsUP, for some reason, reveals that Port 10 is open & responding to ICMP requests.

On contrast, when I place the RTN66U back in the Pace_5268ac's private IP pool, ShieldsUP reports full stealth across the board but then I'm dealing with Double NAT issue. What gives, huh.

I've no idea what port 10 is used for but I was wondering that perhaps Port 10 deals with the firmware update checkup ??

I would place RTN66U back on WAN & test it out myself but the Pace interface is buggy & I'm about to just kick it.

Any ideas? Has anybody else ran into this with their ATT combo-box network setup?

Thanks
 
Ports do not respond to ICMP, only to TCP or UDP. You probably misinterpreted the test results.
 
RMerlin said:
Ports do not respond to ICMP, only to TCP or UDP. You probably misinterpreted the test results.
Click to expand...

Hello RMerlin,

This is a text reports from shieldsup.
---RTN66U is already set to not respond to ICMP echo request from WAN.

GRC Port Authority Report created on UTC: 2017-05-08 at 16:03:31

Results from scan of ports: 0-1055

1 Ports Open
0 Ports Closed
1055 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be CLOSED.

The port found to be OPEN was: 10

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
 
Do you have UPNP enabled? Could be that one of the computers behind the router opened the port for gaming?
 
Zirescu said:
Do you have UPNP enabled? Could be that one of the computers behind the router opened the port for gaming?
Click to expand...

By default, Asuswrt will refuse to forward privileged ports (ports between 1 and 1023), for security reasons.

SevenFactors said:
- A PING REPLY (ICMP Echo) WAS RECEIVED.
Click to expand...

Chances are it's the modem in front of your router that isn't bridged, and is replying to PING requests.

Same thing could be the case with port 10, unless it's your ISP that's filtering that port (some ISPs will filter ports within their network, causing false positives with remote scanners). Port 10 isn't officially allocated to any application, however a quick web search shows that Dark Age of Camelot uses that port (which sounds like a bad idea to me, since it's not an ephemeral port if it's true).

You can check on your router which ports are open/forwarded/in use, through System Logs -> Port Forwarding and Connections.
 
If you are not comfortable with the modem/router combination from your ISP there isn't any real disadvantage of running a double NAT and for some setups/ people it provides advantages. Nothing wrong with trying it and seeing for yourself.

Assign your N66 a static WAN IP using the PACE box. Then assign your N66 to get its WAN IP using DHCP.

Run a cable from a LAN port on your pace to the WAN port on your N66.

Set a LAN IP for you N66 in a different subnet than the PACE subnet. The DHCP pool for the devices connecting to the N66 will now be in this subnet also.

You should be good to go.

Some of the advantages of the double NAT is that you can run a guest network on the PACE, some or all of your IoT devices particularly those devices where you aren't convinced that have adequate security and if they should be hacked the hackers will not easily be able to connect to devices attached to the N66 if you have disabled access from the WAN on all interfaces.
 
RMerlin said:
By default, Asuswrt will refuse to forward privileged ports (ports between 1 and 1023), for security reasons.



Chances are it's the modem in front of your router that isn't bridged, and is replying to PING requests.

Same thing could be the case with port 10, unless it's your ISP that's filtering that port (some ISPs will filter ports within their network, causing false positives with remote scanners). Port 10 isn't officially allocated to any application, however a quick web search shows that Dark Age of Camelot uses that port (which sounds like a bad idea to me, since it's not an ephemeral port if it's true).

You can check on your router which ports are open/forwarded/in use, through System Logs -> Port Forwarding and Connections.
Click to expand...

Checking the logs revealed the expected ports 80, 443, 53 etc. Everything looks normal.

I had no issues prior switching "modems" Before I'd Arris Surboard SB6121 & everything was good.

After much running around, I was able to run a port scan per device & of course the culprit is the Pace combo-box. Ports 10 (unknown) & 53. The behavior I don't get is why this happens only when placing a device on DMZ+ [DMZ+Hole :) ] When doing double NAT I get full stealth on shieldsup. What gives :confused:

Yup, one buggy combo-box
 
CaptainSTX said:
If you are not comfortable with the modem/router combination from your ISP there isn't any real disadvantage of running a double NAT and for some setups/ people it provides advantages. Nothing wrong with trying it and seeing for yourself.

Assign your N66 a static WAN IP using the PACE box. Then assign your N66 to get its WAN IP using DHCP.

Run a cable from a LAN port on your pace to the WAN port on your N66.

Set a LAN IP for you N66 in a different subnet than the PACE subnet. The DHCP pool for the devices connecting to the N66 will now be in this subnet also.

You should be good to go.

Some of the advantages of the double NAT is that you can run a guest network on the PACE, some or all of your IoT devices particularly those devices where you aren't convinced that have adequate security and if they should be hacked the hackers will not easily be able to connect to devices attached to the N66 if you have disabled access from the WAN on all interfaces.
Click to expand...

Pretty much my current setup but turned the Pace's wifi interface off. I find it to be too buggy. Guess networt on rtn66 works fine ;)

Given that these are my "toys" I wanted to setup the Pace combo-box properly... I never expected the options to be so limited :\

I went ahead set a static IP & let the double NAT take effect. To my surprise ASUSWRT-Merlin automatically detected it & took care of the rest. On my part, all I had to do was update my static IPs & renew. To my surprise all connected devices are able to access the internet without issue. Broadband speeds is still the same. No issues after rebooting Pace, rtn66.

I even noticed that it automatically updated the settings for some of the NAT Passthrough options from "Enable" to "Enable+NAT Helper" Very cool. I've yet to test if my openvnp server.


I honestly I was expecting it to be more chaotic.
 
This is a known issue and a major bug with the ATT RG 5268ac. So far ATT is doing nothing to fix it and don't recommend using your own router with there devices. Unacceptable.

Just like you and others have noticed while the RG is in DMZplus mode it will respond to ICMP echo requests and not passing them on t o the router to be killed by firewall.

In other words the gateway is passing all traffic to the router for handling except ICMP pings they are wide open to the world with no firewall. Not a good thing.
 
Kal-EL said:
This is a known issue and a major bug with the ATT RG 5268ac. So far ATT is doing nothing to fix it and don't recommend using your own router with there devices. Unacceptable.

Just like you and others have noticed while the RG is in DMZplus mode it will respond to ICMP echo requests and not passing them on t o the router to be killed by firewall.

In other words the gateway is passing all traffic to the router for handling except ICMP pings they are wide open to the world with no firewall. Not a good thing.
Click to expand...


I contacted them about this matter. [ -- I kept my cool at all times ^_^ -- ] As expected all I got were answers that had nothing to do with the issue regarding the 5268ac's firewall. I explained how I was able to find this out, how I was able to do it internally, etc. All I got was the always present "it wasn't me" attitude.

Still a massive let down that ATT wont let us bring our own "supported" modem. Why must we be force to use these combo-boxes o_O
 
SevenFactors said:
I contacted them about this matter. [ -- I kept my cool at all times ^_^ -- ] As expected all I got were answers that had nothing to do with the issue regarding the 5268ac's firewall. I explained how I was able to find this out, how I was able to do it internally, etc. All I got was the always present "it wasn't me" attitude.

Still a massive let down that ATT wont let us bring our own "supported" modem. Why must we be force to use these combo-boxes o_O
Click to expand...

Get rid of your 5268 thats what i did. I had them send me a NVG599 gateway, im using it now in IP-Pass mode with my AC3100 router and its all good now. All ports are closed also no longer responding to ICMP pings and Ipv6 works good to through the Asus router using a 6rd.
 
Kal-EL said:
Get rid of your 5268 thats what i did. I had them send me a NVG599 gateway, im using it now in IP-Pass mode with my AC3100 router and its all good now. All ports are closed also no longer responding to ICMP pings and Ipv6 works good to through the Asus router using a 6rd.
Click to expand...

Thanks for the recomendation Kal-El

Today I got the NVG599 replacement for the Pace5268.

- I'm very happy to confirm that the NVG599 does not have the firewall bugs/issues that the Pace5268 has.

- I'm able to happily expose my n66 and maintain stealth.

- Shields Up test as well as UPnP test all clear/stealth.

LAN tests, all good :cool:
 
Yep the 599 is a far better gateway at least with the 5268 current firmware. Not sure what your 599 has for firmware i just updated mine to there latest and it works great.
 
You must log in or register to reply here.

Similar threads

TheLyppardMan
Possible translation to something more simple?
Replies
10
Views
825
drinkingbird
drinkingbird
M
Add port to RT-N66U with USB ethernet
Replies
6
Views
929
drinkingbird
drinkingbird
eibgrad
Tutorial Adding IP Networks to the ASUS RT-AC68U (et al.)
Replies
2
Views
4K
eibgrad
eibgrad
R
Port forwarding inbound on XXXXX from RT AC66U to Windows 10
Replies
13
Views
2K
ColinTaylor
C
T
RT-AC86U Policy Based Routing through VPN conundrum
Replies
6
Views
4K
Martineau
Martineau
Similar threads
Thread starter Title Forum Replies Date
John Tetreault How to open ipv6 firewall to a port on the router? Asuswrt-Merlin 4
M Solved aaews open two port random Asuswrt-Merlin 2
PaulA Port isolation on RT-AX88U-Pro (router) w/ Merlin w/ Tagged internet ISP Asuswrt-Merlin 1
N Connecting an ax58u to a BT homehub 5, via a lan port, and not getting internet access. Asuswrt-Merlin 3
D Redirect port 443 to 8443 Asuswrt-Merlin 6
GShlomi Sharing my DualWan with port forwarding and DDNS experience Asuswrt-Merlin 0
C 3004.388.6_2 media bridge mode (RT-AX86U but maybe others also) - port status missing Asuswrt-Merlin 8
P Google TV on lan port drops connection Asuswrt-Merlin 5
GShlomi Two WANs but not dual-WAN, with port-forwarding Asuswrt-Merlin 7
S Finding Port Connections Asuswrt-Merlin 2

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 701 (members: 25, guests: 676)
Top