Port Forwarding rules not working, could use some help


utbigrod

New Around Here
Hi, all. I've read all the port forwarding threads in the past couple years and haven't found any answers to help, so here we go.

I'm running an AC3100 with stock 386_41700 firmware and it's behind an Arris BGW210-700 on AT&T fiber. The Arris is in IP pass through mode and I'm seeing my public IP on the AC3100 so I assume that is working as intended. Also firewall and wireless are off on the Arris.

I'm trying to run openVPN on port 1194 to access my Synology remote. So I've put the port forward rule in for port 1194 going to my static LAN IP for my Synology.

The rules show up, but port checkers show it still closed. Actually the connection times out when I have the Asus firewall on. If I turn the firewall off it then shows closed.

I've tried all kinds of combinations, have confirmed the ISP isn't blocking ports and also tried to forward ports on the Arris as well, to no avail.

Brief overview of settings: DHCP ON, port forwarding ON, DMZ OFF, DDNS OFF, NAT enabled except PPPoE

Any ideas on what might be causing this? Thanks for any help you can provide!
 

eibgrad

Very Senior Member
The most common cause these days is a private IP, often due to CGNAT. You said *public* IP, but sometimes ppl think their CGNAT ip is public.
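A quick way to make the "is my WAN address really public?" check repeatable, added here as an example (not code from the thread or from Asus): it classifies the router's WAN address (CGNAT shared space 100.64.0.0/10, RFC 1918, or public) and compares it with the address an external "what's my IP" service reports. The sample addresses are constructed.

```python
import ipaddress

# RFC 6598 shared address space used by carrier-grade NAT; Python's
# is_private/is_global do not flag it, so test it explicitly.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_ip(ip):
    """Return 'cgnat', 'private' or 'public' for the address the router holds on WAN."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4 and addr in CGNAT:
        return "cgnat"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "private"
    return "public"


def port_forward_viable(router_wan_ip, observed_public_ip):
    """Decide whether inbound port forwards can work at all, and say why not.

    router_wan_ip: the address shown on the router's WAN status page.
    observed_public_ip: the address an external checker sees you coming from.
    """
    kind = classify_wan_ip(router_wan_ip)
    if kind != "public":
        return False, (f"router WAN address {router_wan_ip} is {kind}; inbound "
                       "forwards cannot work until the upstream device passes "
                       "a public address through")
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(observed_public_ip):
        return False, ("router WAN address differs from the address the internet "
                       "sees; another NAT layer sits upstream")
    return True, "router holds the public address; look at the router/LAN side next"


if __name__ == "__main__":
    # Constructed sample values, not the poster's real addresses.
    for wan, seen in [("100.64.1.2", "8.8.8.8"), ("8.8.8.8", "8.8.8.8")]:
        ok, why = port_forward_viable(wan, seen)
        print(f"{wan} vs {seen}: {'OK' if ok else 'BLOCKED'} - {why}")
```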
 

utbigrod

New Around Here
> The most common cause these days is a private IP, often due to CGNAT. You said *public* IP, but sometimes ppl think their CGNAT ip is public.
From what I can tell I do have a public IP. The one I get at whatsmyip.com is the same one shown on my AC3100. Per some searching this seems to say it is public.

Does this make sense? And if so do you have other ideas of what is causing this?

Thank you!
 

utbigrod

New Around Here
> Is either the router or NAS using a VPN client of any kind?
I don't believe so. I had the OpenVPN server option running on the Asus at one point to try and test access that way (which failed). But I'm not running anything from a client side on any of them.
 

drabisan

Very Senior Member
I would blame AT&T.
It's easy to confirm it's the carrier doing something weird by setting up an OpenVPN server on the router.
You don't need port forwarding for that.
And you can choose any port you like, as long as you're sure the client connects to that port. Some ISPs are deliberately blocking well-known ports towards the clients.
You can post the first 2 octets of your public IP. That won't narrow it down to your actual link.
 

utbigrod

New Around Here
> I would blame AT&T.
> It's easy to confirm it's the carrier doing something weird by setting up an OpenVPN server on the router.
> You don't need port forwarding for that.
> And you can choose any port you like, as long as you're sure the client connects to that port. Some ISPs are deliberately blocking well-known ports towards the clients.
> You can post the first 2 octets of your public IP. That won't narrow it down to your actual link.

Sorry for my ignorance, but could you explain this further? "You can post the first 2 octets of your public IP. That won't narrow it down to your actual link."
 

eibgrad

Very Senior Member
I'm not familiar w/ the oem/stock firmware, but if it supports ssh, you could use it to dump the firewall and at least see if packets from port forwarding are reaching the router and being forwarded to the NAS.

Code:
iptables -t nat -vnL PREROUTING   # inbound DNAT entry point: do packet counters for dpt:1194 move at all?
iptables -t nat -vnL VSERVER      # Asus/Merlin port-forward chain, if this firmware uses it
iptables -vnL FORWARD             # after DNAT: is the rewritten traffic allowed through to the NAS?

I'm not even sure the oem/stock firmware uses the VSERVER chain like Merlin, but in case it does, I included it.
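To turn that dump into an answer rather than a wall of counters, here is an added example (not from the thread) that parses `iptables -t nat -vnL VSERVER` output, finds the DNAT rules for a given port, and reports per protocol whether any packets ever matched. The chain output below is constructed; the chain name and column layout follow the standard `-vnL` format.

```python
# Constructed sample of `iptables -t nat -vnL VSERVER` output (not a real dump).
# Counters reset on reboot: run the external port checker first, then dump.
SAMPLE_VSERVER = """\
Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.5          tcp dpt:1194 to:192.168.1.50:1194
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            203.0.113.5          udp dpt:1194 to:192.168.1.50:1194
"""


def parse_dnat_rules(chain_dump):
    """Return {(proto, port): (pkts, 'host:port')} for every DNAT rule in a -vnL dump."""
    rules = {}
    for line in chain_dump.splitlines():
        fields = line.split()
        # Skip the chain header, the column header and non-DNAT rules.
        if len(fields) < 4 or fields[2] != "DNAT" or not fields[0].isdigit():
            continue
        pkts, proto = int(fields[0]), fields[3]
        dpt = next((f[4:] for f in fields if f.startswith("dpt:")), None)
        to = next((f[3:] for f in fields if f.startswith("to:")), None)
        if dpt and to:
            rules[(proto, int(dpt))] = (pkts, to)
    return rules


def diagnose(chain_dump, port):
    """Map each protocol forwarded on `port` to a one-line verdict."""
    verdicts = {}
    for (proto, p), (pkts, to) in parse_dnat_rules(chain_dump).items():
        if p != port:
            continue
        if pkts == 0:
            # The rule exists but nothing ever hit it: traffic is lost before the router
            # (upstream device in pass-through, ISP filtering, or a non-public WAN address).
            verdicts[proto] = (f"rule present, 0 packets matched: {proto}/{p} never "
                               "reaches the router; look upstream (modem, ISP, CGNAT)")
        else:
            # DNAT fired, so the WAN side is fine; remaining suspects are the FORWARD
            # chain, the NAS's own firewall and the service itself.
            verdicts[proto] = (f"{pkts} packets rewritten to {to}: router side works; "
                               "check FORWARD counters, then the NAS firewall/service")
    return verdicts


if __name__ == "__main__":
    for proto, verdict in diagnose(SAMPLE_VSERVER, 1194).items():
        print(f"{proto}: {verdict}")
```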
 

utbigrod

New Around Here
> I'm not familiar w/ the oem/stock firmware, but if it supports ssh, you could use it to dump the firewall and at least see if packets from port forwarding are reaching the router and being forwarded to the NAS.
>
> Code:
> iptables -t nat -vnL PREROUTING
> iptables -t nat -vnL VSERVER
> iptables -vnL FORWARD
>
> I'm not even sure the oem/stock firmware uses the VSERVER chain like Merlin, but in case it does, I included it.

Stock does have SSH, but before I figured out how to do that I had a development. In other searching I read that there are potential issues with UDP in this situation. I changed from UDP to TCP and now it's showing as open!

My question is, do you know of any settings on the Asus that would cause this? Is this something that could be overcome with Merlin or a different approach? I'd prefer the speed of UDP if possible, though TCP is better than nothing!
 

eibgrad

Very Senior Member
I don't know of any reason why port 1194 UDP would be blocked and port 1194 TCP would NOT. Not unless it's something being done upstream by the ISP, or perhaps by the ISP of the device attempting the OpenVPN client connection.

And I don't know if updating to Merlin would make a difference unless I knew the source of the problem. If it's something that lies outside of the router like I described above, it's NOT going to matter. But if you're otherwise stuck, and it happens to be some issue w/ the oem/stock firmware, maybe a change to Merlin will help. At the very least, it will give you access to ssh and other tools for diagnostic purposes. The lack of such tools is a big limitation in the current situation.
 

utbigrod

New Around Here
> I don't know of any reason why port 1194 UDP would be blocked and port 1194 TCP would NOT. Not unless it's something being done upstream by the ISP, or perhaps by the ISP of the device attempting the OpenVPN client connection.
>
> And I don't know if updating to Merlin would make a difference unless I knew the source of the problem. If it's something that lies outside of the router like I described above, it's NOT going to matter. But if you're otherwise stuck, and it happens to be some issue w/ the oem/stock firmware, maybe a change to Merlin will help. At the very least, it will give you access to ssh and other tools for diagnostic purposes. The lack of such tools is a big limitation in the current situation.
Thank you so much for your help!
 
