
RT-AC56U: 445 port NAT bug

ABEgorov

New Around Here
Hello!

Recently I bought the ASUS RT-AC56U router to share my Internet connection. However, I found that using the RT-AC56U I'm unable to access SAMBA shares in the ISP's network. It's possible with any other router!

I found that the router doesn't perform NAT translation if the destination port is TCP 445.

My ISP has some SAMBA shares in its 10.22.0.0/16 network. The router (firmware: 3.0.0.4.374_134-g9d50e8b) receives its WAN configuration via DHCP (it's a private IP address in the 10.22.0.0/16 network). On the computer I use a static IP configuration with the ISP's DNS and WINS servers. When I try to connect to SAMBA shares in the ISP's network via the router, Windows says the network path was not found:

Code:
tracert -d 10.22.10.12

Tracing route to 10.22.10.12 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.1.1
2 <1 ms <1 ms <1 ms 10.22.10.12

Trace complete.
Code:
nmap 10.22.10.12 -n -sS -p 139

Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-09 15:56 Russian Standard Time

Nmap scan report for 10.22.10.12
Host is up (0.00088s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Code:
net use \\10.22.10.12
System error 53 has occurred.

The network path was not found.

It's possible to connect to the share via another router or if I connect the computer directly to the ISP's network.



During investigation of the connection problem I installed a sniffer on my computer.
  1. I set the static WAN IP address of the router to 192.168.2.2/24 and the default gateway to 192.168.2.1.
  2. I set the static IP address of my computer to 192.168.2.1/24 and connected it to the router's WAN interface.
  3. I connected to the router via Wi-Fi (the computer received 192.168.1.253/24 from the router).
  4. I started the sniffer on my computer's 192.168.2.1 interface.
  5. I entered the command: net use \\10.22.10.12

Sniffer log:
Code:
1 16:53:24 09.09.2013 0.0000000 192.168.1.253 10.22.10.12 TCP TCP:Flags=......S., SrcPort=53631,DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3634602023, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
2 16:53:25 09.09.2013 1.0015180 192.168.2.2 10.22.10.12 TCP TCP:Flags=......S., SrcPort=53632, DstPort=NETBIOSSession Service(139), PayloadLen=0, Seq=565836296, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
3 16:53:27 09.09.2013 3.0017490 192.168.1.253 10.22.10.12 TCP TCP:[SynReTransmit #1]Flags=......S., SrcPort=53631,DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3634602023, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
4 16:53:28 09.09.2013 4.0057190 192.168.2.2 10.22.10.12 TCP TCP:[SynReTransmit #2]Flags=......S., SrcPort=53632,DstPort=NETBIOS Session Service(139), PayloadLen=0, Seq=565836296, Ack=0,Win=8192 ( Negotiating scale factor 0x8 ) = 8192
5 16:53:33 09.09.2013 9.0064930 192.168.1.253 10.22.10.12 TCP TCP:[SynReTransmit #1]Flags=......S., SrcPort=53631,DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3634602023, Ack=0, Win=8192 (Negotiating scale factor 0x8 ) = 8192
6 16:53:34 09.09.2013 10.0076960 192.168.2.2 10.22.10.12 TCP TCP:[SynReTransmit #2]Flags=......S., SrcPort=53632,DstPort=NETBIOS Session Service(139), PayloadLen=0, Seq=565836296, Ack=0,Win=8192 ( Negotiating scale factor 0x8 ) = 8192
7 16:53:46 09.09.2013 22.0024080 192.168.2.2 10.22.10.12 NbtNs NbtNs:Query Request for * Workstation Service
8 16:53:47 09.09.2013 23.5052800 192.168.2.2 10.22.10.12 NbtNs NbtNs:Query Request for * Workstation Service
9 16:53:49 09.09.2013 25.0046050 192.168.2.2 10.22.10.12 NbtNs NbtNs:Query Request for * Workstation Service

According to the log, NAT translation isn't performed if the destination port is 445. Packets number 1, 3 and 5 have my computer's IP address 192.168.1.253 instead of 192.168.2.2. I don't know the reason for that, but because of it I cannot connect to SAMBA shares.
 
Samba isn't accessible from the WAN, and it shouldn't be either. I've seen some ISPs that will even filter out traffic sent to ports 139/445.

With the RT-AC56U, Asus specifically disables NAT on port 445 to improve LAN performance, telling iptables not to do connection tracking for connections to SMB/CIFS related ports.
 
It's bad news for me. In Russia some ISPs have large internal networks and they have SAMBA servers in their intranet. So my router completely blocks access to these resources.

However, NAT translation is performed for port 139.
Is there any possibility to disable this behaviour for port 445?
 

You will have to switch to a custom firmware, and delete all related iptables rules that the FW creates specifically for Samba.
 
There aren't any iptables rules for Samba in the ASUS firmware 3.0.0.4.374_134-g9d50e8b:
Code:
admin@RT-AC56U:/tmp/home/root# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain FUPNP (0 references)
target prot opt source destination

Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP"
DROP all -- anywhere anywhere




admin@RT-AC56U:/tmp/home/root# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere whkitten.cln.net

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- !whkitten.cln.net anywhere
MASQUERADE all -- 192.168.1.0/24 192.168.1.0/24

Chain LOCALSRV (0 references)
target prot opt source destination

Chain VSERVER (1 references)
target prot opt source destination
VUPNP all -- anywhere anywhere

Chain VUPNP (1 references)
target prot opt source destination
 

The way Asus adds those rules is a bit buggy. If the firewall gets restarted after Samba, the Samba-related rules are lost until the next time Samba (or the router itself) is restarted. Check the add_samba_rules() function in this code to see the list of rules that they insert:

https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/firewall.c

Here's how it looks on my RT-AC56U:

Code:
admin@Stargate3:/tmp/home/root# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ACCEPT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpts:137:139
    0     0 ACCEPT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
   35  4050 ACCEPT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
    0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
  492  238K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 185K   42M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  815 87912 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5916
20564 2704K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 6752 2310K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
    4   220 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     icmp --  *      *       216.66.38.58         0.0.0.0/0           
    7   833 ACCEPT     41   --  *      *       0.0.0.0/0            0.0.0.0/0           
11322 1066K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

If you don't see them even after restarting Samba or the router, then it would mean that Asus removed that piece of code in the released FW version, but that the GPL sources they released are older than the firmware release.
 
Thank you for the information!
Those rules are present in the output of the iptables command, but only if the samba server is enabled in the router configuration and a USB flash drive is connected to the router. I don't have a USB flash drive connected to the router, so smbd isn't running.
But regardless of the fact that these rules aren't present, the router doesn't perform NAT translation if the destination port is TCP 445. Anyway, I tried to enter commands to delete those rules and they didn't help:
Code:
iptables -t raw -D PREROUTING -i  br0 -p tcp --dport 137:139 -j NOTRACK
iptables -t raw -D PREROUTING -i  br0 -p tcp --dport 445 -j NOTRACK
iptables -t raw -D PREROUTING -i  br0 -p udp --dport 137:139 -j NOTRACK
iptables -t raw -D PREROUTING -i  br0 -p udp --dport 445 -j NOTRACK
iptables -t raw -D OUTPUT -o  br0 -p tcp --sport 137:139 -j NOTRACK
iptables -t raw -D OUTPUT -o  br0 -p tcp --sport 445 -j NOTRACK
iptables -t raw -D OUTPUT -o  br0 -p udp --sport 137:139 -j NOTRACK
iptables -t raw -D OUTPUT -o  br0 -p udp --sport 445 -j NOTRACK
iptables -t filter -D INPUT -i  br0 -p udp --dport 137:139 -j ACCEPT
iptables -t filter -D INPUT -i  br0 -p udp --dport 445 -j ACCEPT
iptables -t filter -D INPUT -i  br0 -p tcp --dport 137:139 -j ACCEPT
iptables -t filter -D INPUT -i  br0 -p tcp --dport 445 -j ACCEPT
I also tried to enter these commands when smbd was started. They deleted the rules from iptables but didn't enable NAT for connections to TCP port 445.
Here's the output of some commands from my router:
Code:
admin@RT-AC56U:/tmp/home/root# ps -w
  PID USER       VSZ STAT COMMAND
    1 admin     2024 S    /sbin/preinit
    2 admin        0 SW   [kthreadd]
    3 admin        0 SW   [ksoftirqd/0]
    4 admin        0 SW   [kworker/0:0]
    5 admin        0 SW   [kworker/u:0]
    6 admin        0 SW   [migration/0]
    7 admin        0 SW   [migration/1]
    8 admin        0 SW   [kworker/1:0]
    9 admin        0 SW   [ksoftirqd/1]
   10 admin        0 SW<  [khelper]
   11 admin        0 SW   [kworker/u:1]
   52 admin        0 SW   [sync_supers]
   54 admin        0 SW   [bdi-default]
   55 admin        0 SW<  [kblockd]
  108 admin        0 SW   [kswapd0]
  154 admin        0 SW   [fsnotify_mark]
  164 admin        0 SW<  [crypto]
  240 admin        0 SW   [mtdblock0]
  245 admin        0 SW   [mtdblock1]
  250 admin        0 SW   [mtdblock2]
  255 admin        0 SW   [mtdblock3]
  273 admin        0 SW   [mtdblock4]
  276 admin        0 SW   [kworker/0:1]
  277 admin        0 SW   [kworker/1:1]
  279 admin      664 S    hotplug2 --persistent --no-coldplug
  313 admin     2012 S    console
  315 admin     1508 S    /bin/sh
  323 admin     1496 S    syslogd -m 0 -S -O /tmp/syslog.log -s 256 -l 6
  326 admin     1496 S    /sbin/klogd
  332 admin        0 SW   [khubd]
  415 admin     2020 S    usbled
  449 admin     2020 S    /sbin/wanduck
  457 admin     1500 S    telnetd
  458 admin     1120 S    /bin/eapd
  461 admin     2020 S    wpsaide
  463 admin     1456 S    nas
  465 nobody    1028 S    dnsmasq --log-async
  466 admin     3340 S    httpd
  467 admin     1100 S    /usr/sbin/infosvr br0
  468 admin     1116 S    networkmap
  470 admin     2020 S    watchdog
  473 admin     2020 S    ots
  474 admin     1320 S    rstats
  483 admin     1136 S    lld2d br0
  493 admin     2084 S    u2ec
  496 admin     1164 S    lpd
  506 admin     2084 S    u2ec
  507 admin     2084 S    u2ec
  560 admin     2020 S    ntp
  561 admin     1516 S    udhcpc -i eth0 -p /var/run/udhcpc0.pid -s /tmp/udhcpc -O33 -O249
  578 admin     1524 S    -sh
  587 admin     1500 R    ps -w
Code:
admin@RT-AC56U:/tmp/home/root# iptables -L -vn -t raw
Chain PREROUTING (policy ACCEPT 2570 packets, 396K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1210 packets, 247K bytes)
 pkts bytes target     prot opt in     out     source               destination
Code:
admin@RT-AC56U:/tmp/home/root# iptables -L -vn -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 1209  108K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
  102  5237 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
  201 66413 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
  499  156K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 78 packets, 4361 bytes)
 pkts bytes target     prot opt in     out     source               destination
  248 29564 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
    2    80 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT

Chain OUTPUT (policy ACCEPT 1223 packets, 249K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FUPNP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PControls (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "ACCEPT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Code:
admin@RT-AC56U:/tmp/home/root# iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 904 packets, 191K bytes)
 pkts bytes target     prot opt in     out     source               destination
   30 18391 VSERVER    all  --  *      *       0.0.0.0/0            10.22.133.23

Chain INPUT (policy ACCEPT 99 packets, 6272 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 12 packets, 1243 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5 packets, 323 bytes)
 pkts bytes target     prot opt in     out     source               destination
   69  3913 MASQUERADE  all  --  *      eth0   !10.22.133.23         0.0.0.0/0
    7   920 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   30 18391 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
Code:
admin@RT-AC56U:/tmp/home/root# iptables -L -vn -t mangle
Chain PREROUTING (policy ACCEPT 2666 packets, 400K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2097 packets, 341K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 328 packets, 34005 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1268 packets, 260K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1596 packets, 294K bytes)
 pkts bytes target     prot opt in     out     source               destination
 
If there is no rule for port 445, then it will be NATted just like any other port. I don't see how or why the router would make a distinction there, so I would make sure the issue doesn't lie elsewhere (modem or ISP, for example).
 
Complete description of the test that I performed.

TEST PREPARATION:
  1. I perform an nvram erase from the "ASUSTeK - CFE miniWeb Server" of the router.
  2. I set WiFi password.
  3. On http://192.168.1.1/Advanced_WAN_Content.asp I set:
    • WAN Connection Type: Static IP
    • IP Address: 172.16.0.1
    • Subnet Mask: 255.255.255.252
    • Default Gateway: 172.16.0.2
    • DNS Server1: 172.16.0.2
  4. On http://192.168.1.1/Advanced_BasicFirewall_Content.asp I change:
    • Enable Firewall: No
  5. On http://192.168.1.1/Advanced_System_Content.asp I change:
    • Enable Telnet: Yes
  6. On my computer I change the IPv4 protocol settings of the Ethernet interface connected to a router LAN port:
    • IP Address: 172.16.0.2
    • Subnet mask: 255.255.255.252
  7. I unplug the Ethernet cable from a LAN interface of the router and plug it into the WAN interface.
  8. I reboot the router.
  9. I connect to the router LAN network via wireless connection.

MY COMPUTER IP CONFIGURATION:
Code:
D:\Users\abegorov>ipconfig

Windows IP Configuration


Wireless LAN adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter WiFi:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter ETH1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : cln.net

Ethernet adapter ETH2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . :

The router doesn't have any iptables rules for 445 port. Complete router configuration in the attached RouterConfig.txt file.

TEST
1. I start the Wireshark packet sniffer on Ethernet interface ETH2 (172.16.0.2) of my computer.
2. I open a command line and start the nmap tool: nmap -v -Pn -sS -sU -p 137-139,445 10.10.10.10
3. I apply a filter in Wireshark: ip.dst == 10.10.10.10

RESULT:
Code:
#	Source	Destination		Protocol	Description
1	192.168.1.254	10.10.10.10	TCP	TCP:Flags=......S., SrcPort=37774, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=615192410, Ack=0, Win=1024 (  ) = 1024
2	172.16.0.1	10.10.10.10	TCP	TCP:Flags=......S., SrcPort=37774, DstPort=NETBIOS Session Service(139), PayloadLen=0, Seq=615192410, Ack=0, Win=1024 (  ) = 1024
3	172.16.0.1	10.10.10.10	TCP	TCP:Flags=......S., SrcPort=37774, DstPort=NETBIOS Datagram Service(138), PayloadLen=0, Seq=615192410, Ack=0, Win=1024 (  ) = 1024
4	172.16.0.1	10.10.10.10	TCP	TCP:Flags=......S., SrcPort=37774, DstPort=NETBIOS Name Service(137), PayloadLen=0, Seq=615192410, Ack=0, Win=1024 (  ) = 1024
5	172.16.0.1	10.10.10.10	TCP	TCP:Flags=......S., SrcPort=37775, DstPort=NETBIOS Name Service(137), PayloadLen=0, Seq=615126875, Ack=0, Win=1024 (  ) = 1024
6	172.16.0.1	10.10.10.10	TCP	TCP:Flags=......S., SrcPort=37775, DstPort=NETBIOS Datagram Service(138), PayloadLen=0, Seq=615126875, Ack=0, Win=1024 (  ) = 1024
7	172.16.0.1	10.10.10.10	TCP	TCP:Flags=......S., SrcPort=37775, DstPort=NETBIOS Session Service(139), PayloadLen=0, Seq=615126875, Ack=0, Win=1024 (  ) = 1024
8	192.168.1.254	10.10.10.10	TCP	TCP:Flags=......S., SrcPort=37775, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=615126875, Ack=0, Win=1024 (  ) = 1024
9	172.16.0.1	10.10.10.10	UDP	UDP:SrcPort = 38030, DstPort = NETBIOS Session Service(139), Length = 8
10	172.16.0.1	10.10.10.10	UDP	UDP:SrcPort = 38030, DstPort = NETBIOS Datagram Service(138), Length = 8
11	172.16.0.1	10.10.10.10	NbtNs	NbtNs:Query Request for *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> <0x00> Workstation Service
12	172.16.0.1	10.10.10.10	UDP	UDP:SrcPort = 38030, DstPort = Microsoft-DS(445), Length = 8
13	172.16.0.1	10.10.10.10	UDP	UDP:SrcPort = 38031, DstPort = Microsoft-DS(445), Length = 8
14	172.16.0.1	10.10.10.10	NbtNs	NbtNs:Query Request for *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> <0x00> Workstation Service
15	172.16.0.1	10.10.10.10	UDP	UDP:SrcPort = 38031, DstPort = NETBIOS Datagram Service(138), Length = 8
16	172.16.0.1	10.10.10.10	UDP	UDP:SrcPort = 38031, DstPort = NETBIOS Session Service(139), Length = 8
Frames 1 and 8 have incorrect source IP address 192.168.1.254 instead of the router IP address 172.16.0.1.
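A small checker for capture exports like the two in this thread (the sniffer log in the first post and the test result above), added here as an example and not code from the thread or from Asus: it parses the frame lines, flags packets that reached the WAN-side capture still carrying a LAN source address, and reports per destination port which traffic bypassed source NAT. The embedded log lines are constructed in the same format as the thread's exports; the LAN subnet and router WAN address (192.168.1.0/24, 172.16.0.1) are taken from the test setup above.

```python
"""Check a WAN-side capture export for packets that left the router without source NAT."""
import ipaddress
import re

# Constructed sample in the tab-separated layout of the thread's capture exports:
# frame number, source, destination, protocol, description.
SAMPLE_LOG = """\
1\t192.168.1.254\t10.10.10.10\tTCP\tTCP:Flags=......S., SrcPort=37774, DstPort=Microsoft-DS(445), PayloadLen=0
2\t172.16.0.1\t10.10.10.10\tTCP\tTCP:Flags=......S., SrcPort=37774, DstPort=NETBIOS Session Service(139), PayloadLen=0
3\t172.16.0.1\t10.10.10.10\tTCP\tTCP:Flags=......S., SrcPort=37774, DstPort=NETBIOS Datagram Service(138), PayloadLen=0
4\t172.16.0.1\t10.10.10.10\tTCP\tTCP:Flags=......S., SrcPort=37774, DstPort=NETBIOS Name Service(137), PayloadLen=0
8\t192.168.1.254\t10.10.10.10\tTCP\tTCP:Flags=......S., SrcPort=37775, DstPort=Microsoft-DS(445), PayloadLen=0
9\t172.16.0.1\t10.10.10.10\tUDP\tUDP:SrcPort = 38030, DstPort = NETBIOS Session Service(139), Length = 8
11\t172.16.0.1\t10.10.10.10\tNbtNs\tNbtNs:Query Request for * Workstation Service
12\t172.16.0.1\t10.10.10.10\tUDP\tUDP:SrcPort = 38030, DstPort = Microsoft-DS(445), Length = 8
"""

LINE_RE = re.compile(r"^(\d+)\t(\S+)\t(\S+)\t(\w+)\t(.*)$")
# Destination port is given as "DstPort=Name(445)" or "DstPort = Name(445)".
DPORT_RE = re.compile(r"DstPort\s*=\s*[^,(]*\((\d+)\)")


def parse_frames(text):
    """Turn export lines into dicts; lines without a DstPort get dport=None."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or malformed line
        num, src, dst, proto, desc = m.groups()
        pm = DPORT_RE.search(desc)
        frames.append({
            "frame": int(num),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "dport": int(pm.group(1)) if pm else None,
        })
    return frames


def nat_leaks(frames, lan_net, wan_ip):
    """Frames captured on the WAN side whose source is still a LAN address.

    A correctly masqueraded packet carries wan_ip as its source; a LAN
    address here means the router forwarded the packet without SNAT.
    """
    lan = ipaddress.ip_network(lan_net)
    wan = ipaddress.ip_address(wan_ip)
    return [f for f in frames if f["src"] in lan and f["src"] != wan]


def summarize_by_port(frames, lan_net, wan_ip):
    """Map (proto, dport) to 'LEAK' if any frame to it bypassed NAT, else 'ok'."""
    leaking = {(f["proto"], f["dport"]) for f in nat_leaks(frames, lan_net, wan_ip)}
    return {(f["proto"], f["dport"]): ("LEAK" if (f["proto"], f["dport"]) in leaking else "ok")
            for f in frames}


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_LOG)
    for key, status in sorted(summarize_by_port(frames, "192.168.1.0/24", "172.16.0.1").items(),
                              key=lambda kv: (kv[0][0], kv[0][1] or 0)):
        print(f"{key[0]:6} dport={key[1]!s:5} {status}")
    for f in nat_leaks(frames, "192.168.1.0/24", "172.16.0.1"):
        print(f"frame {f['frame']}: source {f['src']} not translated to WAN address")
```

Run against a real export, only TCP 445 should come out as LEAK in the scenario described in this thread; any other port marked LEAK points at a different rule or module than the Samba NOTRACK rules.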
 

Packets with destination TCP port 445 are completely ignored by iptables - no rules are processed (not even DROP).

I compiled the firmware without any code in add_samba_rules() and del_samba_rules() functions... It didn't help. So it doesn't cause this issue.

I tried to find any code where port 445 is present and found only the following (but I don't understand anything in it):
https://github.com/RMerl/asuswrt-me...8/linux/linux-2.6.36/net/ipv4/netfilter/lfp.c
https://github.com/RMerl/asuswrt-me...c-rt/linux/linux-2.6/net/ipv4/netfilter/lfp.c
 

This is kernel code for a netfilter module that's probably not even used by the FW - unrelated to your issue.
 
