Showing posts with label NAT. Show all posts

Monday, May 15, 2023

Port Forwarding on a Netcomm 3G Broadband Router 3G15Wn


This guide will walk you through the steps of port forwarding on the Netcomm 3G Broadband router 3G15Wn (Firmware L411-402NVM-C01_R10).

NetComm's web user interface (UI) was easy to navigate, although for no reason we could determine, loading any of the wireless configuration pages took an exceedingly long time, which was frustrating.

Almost every menu option also opens a drop-down when you mouse over it, which is fine, but some of those drop-down menus then expand sideways when you mouse over them, with no indication that further options are hidden there in the first place. With 16 menu items under the "Advanced" menu, many of which have sub-menus, it is quite easy to get lost, or to have no idea of just how many features there are.

1) Open up your favorite browser and go to the router’s default gateway address.

http://192.168.1.1 (Default Address)

2) Log in to the router.

Default Username: admin

Default password: admin

3) Once you have logged into your router go to the “Advanced” tab hover over “NAT” then click “Port Forwarding”.

4) Click on “Add” at the bottom of the page.

5) Be sure to select the radio button “Custom Service” and choose a name for the service (a short description, e.g. web, camera, xbox, etc.). “Server IP Address” is the internal IP address of the device you want the port to be open on. Be sure you have “Protocol” set to “TCP/UDP”. “External Port” is the port you wish to open, and “Internal Port” is the port leading to the machine on your home network. Apply/Save.

Once you save the settings you should now be able to test your port at www.portchecktool.com. Please keep in mind your ISP (Internet Service Provider) can be blocking certain ports such as port 8025 and 21. You can call and ask if they are. If you are still not able to see the ports check your firewall and anti-virus software on your computer.

An example configuration: you have a web cam that has the IP address 192.168.1.100 and it runs on port 80. You want to be able to access this camera from outside your network on port 8080. You would enter the values below into the port forwarding page.

Custom Service = Small Description

Server IP Address = 192.168.1.100

Protocol = TCP/UDP

External Port = 8080

Internal Port = 80

Then to view the camera you would use your No-IP host of “somehost.no-ip.com” like this: http://somehost.no-ip.com:8080 to reach the webcam.

Port Forward Troubleshooting

If you are having problems with a port forward, try the following.

1. If you did not exactly follow the "How can I forward ports with pfSense?" guide, delete anything you have tried, and start from scratch with those instructions.

2. Port forwards do not work internally unless you enable reflection. Always test port forwards from outside your network.

3. If you're still having problems, edit the firewall rule that passes traffic for the NAT entry, and enable logging. Save and Apply Changes. Then try to access it again from the outside. Check your firewall logs to see if the traffic shows as being permitted or denied.

4. Use tcpdump to see what's happening on the wire. This is the best means of finding the problem, but requires the most networking expertise. Start with the WAN interface, and use a filter for the appropriate protocol and port. Attempt to access from outside your network and see if it shows up. If not, your ISP may be blocking the traffic, or for Virtual IPs, you may have an incorrect configuration. If you do see the traffic on the WAN interface, switch to the inside interface and perform a similar capture. If the traffic is not leaving the inside interface, you have a NAT or firewall rule configuration problem. If it is leaving the interface, and no traffic is coming back from the destination machine, its default gateway may be missing or incorrect, or it may not be listening on that port. For certain types of traffic you may see return traffic indicating the host is not listening on that port. For TCP, this would be a TCP RST. For UDP, it may be an ICMP Unreachable message.

Common Problems

1. NAT and firewall rules not correctly added (see "How can I forward ports with pfSense?"). Hint: You probably do NOT want to set a source port.

2. Firewall enabled on client machine.

3. Client machine is not using pfSense as its default gateway.

4. Client machine not actually listening on the port being forwarded.

5. ISP or something upstream of pfSense is blocking the port being forwarded.

6. Trying to test from inside your network; you need to test from an outside machine.

7. Incorrect or missing Virtual IP configuration for additional public IP addresses.

8. The pfSense router is not the border router. If there is something else between pfSense and your ISP, you must also replicate port forwards and associated rules there.

9. Forwarding ports to a server behind a Captive Portal. You must add an IP bypass both to and from the server's IP in order for a port forward to work behind a Captive Portal.

10. If this is on a WAN that is not your default gateway, make sure there is a gateway chosen on this WAN interface, or the firewall rules for the port forward would not reply back via the correct gateway.

11. If this is on a WAN that is not your default gateway, ensure the traffic for the port forward is NOT passed in via Floating Rules or an Interface Group. Only rules present on the WAN's interface tab under Firewall Rules will have the reply-to keyword to ensure the traffic responds properly via the expected gateway.

12. If this is on a WAN that is not your default gateway, make sure the firewall rule(s) allowing the traffic in do not have the box checked to disable reply-to.

13. If this is on a WAN that is not your default gateway, make sure the master reply-to disable switch is not checked under System > Advanced, on the Firewall/NAT tab.

14. WAN rules should NOT have a gateway set, so make sure that the rules for the port forward do NOT have a gateway configured on the actual rule.

Wednesday, June 1, 2022

IPv6 and IPv4


Many engineers have called to ask about IPv6 and IPv4. IP (short for Internet Protocol) specifies the technical format of packets and the addressing scheme for computers to communicate over a network. Put another way, an IP (Internet Protocol) address is an alphanumeric label assigned to computers and other devices that connect to a network using an internet protocol. This address allows these devices to send and receive data over the internet. Every device that is capable of connecting to the internet has a unique IP address.

There are currently two versions of the Internet Protocol (IP): IPv4 and a new version called IPv6. IPv6 is an evolutionary upgrade to the Internet Protocol. IPv6 will coexist with the older IPv4 for some time.

What is IPv4 (Internet Protocol Version 4)?

IPv4 (Internet Protocol Version 4) is the fourth revision of the Internet Protocol (IP), used to identify devices on a network through an addressing system. The Internet Protocol is designed for use in interconnected systems of packet-switched computer communication networks. The IPv4 header is 20 to 60 bytes in length.

IPv4 is the most widely deployed Internet protocol used to connect devices to the Internet. IPv4 uses a 32-bit address scheme allowing for a total of 2^32 addresses (just over 4 billion addresses).  With the growth of the Internet it is expected that the number of unused IPv4 addresses will eventually run out because every device -- including computers, smartphones and game consoles -- that connects to the Internet requires an address.

A new Internet addressing system, Internet Protocol version 6 (IPv6), is being deployed to fulfill the need for more Internet addresses. The IPv6 header is 40 bytes in length.

IPv6 (Internet Protocol Version 6) is also called IPng (Internet Protocol next generation) and it is the newest version of the Internet Protocol (IP) reviewed in the IETF standards committees to replace the current version of IPv4 (Internet Protocol Version 4). 

IPv6 is the successor to Internet Protocol Version 4 (IPv4). It was designed as an evolutionary upgrade to the Internet Protocol and will, in fact, coexist with the older IPv4 for some time. IPv6 is designed to allow the Internet to grow steadily, both in terms of the number of hosts connected and the total amount of data traffic transmitted.

IPv6 is often referred to as the "next generation" Internet standard and has been under development now since the mid-1990s. IPv6 was born out of concern that the demand for IP addresses would exceed the available supply.

The Benefits of IPv6

While increasing the pool of addresses is one of the most often talked-about benefits of IPv6, there are other important technological changes in IPv6 that will improve the IP protocol:

· No more NAT (Network Address Translation)
· Auto-configuration
· No more private address collisions
· Better multicast routing
· Simpler header format
· Simplified, more efficient routing
· True quality of service (QoS), also called "flow labeling"
· Built-in authentication and privacy support
· Flexible options and extensions
· Easier administration (say good-bye to DHCP)

The Difference Between IPv4 and IPv6 Addresses

An IP address is a binary number, but it can be written as text for human readers. For example, a 32-bit numeric address (IPv4) is written in decimal as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.

IPv6 addresses are 128-bit IP addresses written in hexadecimal and separated by colons. An example IPv6 address could be written like this: 3ffe:1900:4545:3:200:f8ff:fe21:67cf.
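To make the two notations concrete, here is an added example (not from the original post) that parses both formats by hand, including the "::" shorthand for a run of zero groups in IPv6, and cross-checks the result against Python's ipaddress module using the addresses quoted above.

```python
"""Hand-written parsers for the two address notations described above; an
added example for this page, not code from the original post.  Each result is
cross-checked against Python's ipaddress module."""
import ipaddress

HEX = set("0123456789abcdefABCDEF")

def parse_ipv4(text):
    """Dotted decimal -> 32-bit integer: four fields, each 0..255."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("IPv4 needs exactly four fields: %r" % text)
    value = 0
    for p in parts:
        if not p.isdigit() or int(p) > 255:
            raise ValueError("field out of range: %r" % p)
        value = (value << 8) | int(p)
    return value

def parse_ipv6(text):
    """Colon-hex -> 128-bit integer: eight 16-bit groups; a single '::' may
    stand for one or more all-zero groups."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head = head.split(":") if head else []
        tail = tail.split(":") if tail else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must replace at least one group: %r" % text)
        groups = head + ["0"] * missing + tail
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("IPv6 needs eight groups: %r" % text)
    value = 0
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError("bad group: %r" % g)
        value = (value << 16) | int(g, 16)
    return value

def agrees_with_stdlib(text):
    """True when the hand parser and ipaddress produce the same integer."""
    if ":" in text:
        return parse_ipv6(text) == int(ipaddress.IPv6Address(text))
    return parse_ipv4(text) == int(ipaddress.IPv4Address(text))
```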

Did You Know...? IPv6 in the News: (April, 2017) MIT announced it would sell half of its 16 million valuable IPv4 addresses and use the proceeds of the sale to finance its own IPv6 network upgrades.

Saturday, December 23, 2017

Port Forwarding on a Netcomm 3G Broadband Router

Port Forwarding on a Netcomm 3G Broadband Router 3G15Wn for Camera Online

This guide will walk you through the steps of port forwarding on the Netcomm 3G Broadband router 3G15Wn (Firmware L411-402NVM-C01_R10).

1) Open up your favorite browser and go to the router’s default gateway address.
http://192.168.1.1 (Default Address)
2) Log in to the router.
Default Username: admin
Default password: admin

3) Once you have logged into your router go to the “Advanced” tab hover over “NAT” then click “Port Forwarding”.
4) Click on “Add” at the bottom of the page.
5) Be sure to select the radio button “Custom Service” and choose a name for the service (a short description, e.g. web, camera, xbox, etc.). “Server IP Address” is the internal IP address of the device you want the port to be open on. Be sure you have “Protocol” set to “TCP/UDP”. “External Port” is the port you wish to open, and “Internal Port” is the port leading to the machine on your home network. Apply/Save.

Once you save the settings you should now be able to test your port at www.portchecktool.com. Please keep in mind your ISP (Internet Service Provider) can be blocking certain ports such as port 8025 and 21. You can call and ask if they are. If you are still not able to see the ports check your firewall and anti-virus software on your computer.

An example configuration: you have a web cam that has the IP address 192.168.1.100 and it runs on port 80. You want to be able to access this camera from outside your network on port 8080. You would enter the values below into the port forwarding page.

Custom Service = Small Description
Server IP Address = 192.168.1.100
Protocol = TCP/UDP
External Port = 8080
Internal Port = 80
Then to view the camera you would use your No-IP host of “somehost.no-ip.com” like this: http://somehost.no-ip.com:8080 to reach the webcam.

Port Forward Troubleshooting

If you are having problems with a port forward, try the following.
1. If you did not exactly follow the "How can I forward ports with pfSense?" guide, delete anything you have tried, and start from scratch with those instructions.
2. Port forwards do not work internally unless you enable reflection. Always test port forwards from outside your network.
3. If you're still having problems, edit the firewall rule that passes traffic for the NAT entry, and enable logging. Save and Apply Changes. Then try to access it again from the outside. Check your firewall logs to see if the traffic shows as being permitted or denied.
4. Use tcpdump to see what's happening on the wire. This is the best means of finding the problem, but requires the most networking expertise. Start with the WAN interface, and use a filter for the appropriate protocol and port. Attempt to access from outside your network and see if it shows up. If not, your ISP may be blocking the traffic, or for Virtual IPs, you may have an incorrect configuration. If you do see the traffic on the WAN interface, switch to the inside interface and perform a similar capture. If the traffic is not leaving the inside interface, you have a NAT or firewall rule configuration problem. If it is leaving the interface, and no traffic is coming back from the destination machine, its default gateway may be missing or incorrect, or it may not be listening on that port. For certain types of traffic you may see return traffic indicating the host is not listening on that port. For TCP, this would be a TCP RST. For UDP, it may be an ICMP Unreachable message.

Common Problems

1. NAT and firewall rules not correctly added (see "How can I forward ports with pfSense?"). Hint: You probably do NOT want to set a source port.
2. Firewall enabled on client machine.
3. Client machine is not using pfSense as its default gateway.
4. Client machine not actually listening on the port being forwarded.
5. ISP or something upstream of pfSense is blocking the port being forwarded.
6. Trying to test from inside your network; you need to test from an outside machine.
7. Incorrect or missing Virtual IP configuration for additional public IP addresses.
8. The pfSense router is not the border router. If there is something else between pfSense and your ISP, you must also replicate port forwards and associated rules there.
9. Forwarding ports to a server behind a Captive Portal. You must add an IP bypass both to and from the server's IP in order for a port forward to work behind a Captive Portal.
10. If this is on a WAN that is not your default gateway, make sure there is a gateway chosen on this WAN interface, or the firewall rules for the port forward would not reply back via the correct gateway.
11. If this is on a WAN that is not your default gateway, ensure the traffic for the port forward is NOT passed in via Floating Rules or an Interface Group. Only rules present on the WAN's interface tab under Firewall Rules will have the reply-to keyword to ensure the traffic responds properly via the expected gateway.
12. If this is on a WAN that is not your default gateway, make sure the firewall rule(s) allowing the traffic in do not have the box checked to disable reply-to.
13. If this is on a WAN that is not your default gateway, make sure the master reply-to disable switch is not checked under System > Advanced, on the Firewall/NAT tab.
14. WAN rules should NOT have a gateway set, so make sure that the rules for the port forward do NOT have a gateway configured on the actual rule.

Saturday, June 4, 2011

How do I set up IP forwarding/filtering with the Connect WAN

Introduction
The Connect WAN supports four features which provide security and IP traffic forwarding when using incoming or Mobile Terminated connections:
1. Network Address Translation (NAT)
2. Generic Routing Encapsulation (GRE) forwarding
3. TCP/UDP port forwarding
4. IP Filtering
This document describes each function, how the functions are used in conjunction with each other, and what issues can occur with each if not used properly.

Network Address Translation (NAT)
NAT allows the Connect WAN to have a single public IP address on the mobile link, while allowing multiple private IP addressed devices connected to the Ethernet interface. 
Outgoing traffic (mobile initiated) from the private network to the public mobile network assumes the IP address of the public mobile interface.  An internal table tracks which internal IP address made the outgoing request so that responses get sent to the proper requestor.
For example, a workstation at IP address 192.168.1.15 sends a request to www.arindamcctvaccesscontrol.blogspot.com.  The source IP address is changed by the Connect WAN address translation to the public 
Incoming (mobile terminated) traffic is either designated to the Connect WAN itself (i.e. HTTP or telnet connections for configuration or monitoring), or is forwarded to hosts via the Ethernet interface based either on GRE or TCP/UDP port forwarding which is covered below.
NAT provides two main benefits:
1. Security: NAT hides the private IP addresses of the devices on the Connect WAN's Ethernet network.
2. IP Address Availability: IP addresses are in short supply and cost money. The Connect WAN needs to be provided with only one IP address from the wireless carrier.
NAT is enabled by default on the Connect WAN. It should not be disabled unless there is a specific reason to do so.

Generic Routing Encapsulation (GRE) forwarding
GRE is a transport layer protocol, designated as IP protocol number 47, that is used by many routers, WAN switches and VPN concentrators to tunnel traffic over a WAN between routers. Note that GRE itself provides no encryption, but protocols such as PPTP can use GRE. IPSec can be encapsulated in GRE (and vice versa). GRE uses IP-in-IP and allows private IP addresses to be tunneled through a public network.

The Connect WAN provides a simple checkbox to turn on GRE forwarding to pass GRE traffic from the mobile interface through to a router on the Ethernet interface.  Note the Connect WAN only passes GRE traffic and does not terminate it.
Here is an example diagram:
Figure 1 - GRE Forwarding
The HQ router's peer GRE address is the mobile IP address of the Connect WAN, which in this case is 166.213.229.218. The Connect WAN has GRE forwarding enabled and will send to the router's Ethernet WAN port, in this case 192.168.1.2. Typically this connection is a directly connected Ethernet cable.
An example similar to the above is where GRE tunneling is used to create a backup WAN connection to a primary Frame Relay connection through the Connect WAN and wireless network. 

TCP/UDP Port Forwarding
Normally, traffic initiated from a host site to a Connect WAN is blocked by NAT, unless the traffic is destined for the Connect WAN itself. Port forwarding provides a means to pass traffic from the mobile interface to devices connected to the Connect WAN's Ethernet port. There are two main applications where port forwarding is required:
1. Pass application data traffic, such as polls or requests, to Ethernet connected devices, and
2. Pass VPN traffic, such as IPSec-in-UDP, through to routers or VPN appliances.
For example, three devices are attached to the Connect WAN's Ethernet port:
Figure 2 - TCP Port Forwarding
The application uses a protocol that polls the devices using the device IP address and TCP port 502 (which is Modbus).  On local LANs and publicly routable IP addresses this is not a problem. 
NAT hides the private Ethernet IP addresses of the devices connected behind the Connect WAN's Ethernet port. The application can then only send polls to one IP address, the mobile IP, in this case 166.213.229.218.
TCP port forwarding is used to forward the IP polls to one or more devices on the Connect WAN Ethernet port.  Different TCP port numbers are used to designate which device gets the proper traffic. The application must be able to support changing the TCP protocol port number from the default of 502.  In this case the application is configured to poll according to this table:
Remote Device    Destination IP Address    Destination TCP Port
One              163.213.229.218           12001
Two              163.213.229.218           12002
Three            163.213.229.218           12003
Notice the destination IP address is the Connect WAN's mobile IP address.
The Connect WAN is configured with a TCP/UDP forwarding table as follows:
Source TCP Port    Destination IP Address    Destination TCP Port
12001              192.168.1.2               502
12002              192.168.1.3               502
12003              192.168.1.4               502
Incoming traffic is then routed to the proper device.  The devices can use their standard TCP port of 502.
The main issue with port forwarding in this case is when the polling application does NOT allow the user to specify the TCP or UDP port used.  The workaround is to use routers that support GRE, VPN, or other forms of tunneling that can be forwarded through the Connect WAN.
Another example of port forwarding is forwarding of IPSec-in-UDP traffic to a VPN appliance or router attached to the Connect WAN's Ethernet port. Figure 1 above shows a GRE tunnel. In much the same way, IPSec traffic can be encapsulated in UDP to prevent NAT from modifying the IPSec headers (which would invalidate the traffic). IPSec-in-UDP implementations always use UDP port 500 for IKE/ISAKMP, but can use various UDP port numbers for the AH/ESP traffic. Here is an example of UDP port forwarding entries on a Connect WAN for IPSec in UDP:
Protocol    Source Port    Destination IP Address    Destination Port
UDP         500            192.168.1.2               500
UDP         4500           192.168.1.2               4500

IP Filtering
IP Filtering is a security feature that allows the user to block all incoming, mobile terminated traffic into the Connect WAN except for traffic from specific IP addresses and/or subnets. There are three IP Filtering settings on the Connect WAN:
1. Only allow access from the following devices and networks. When checked, this blocks ALL incoming traffic except for the traffic from the IP addresses/subnets listed in the "allow access" tables.
2. Automatically allow access from all devices on the local subnet. This allows out-bound traffic from the private Ethernet network out to the mobile network and beyond.
3. Allow access from the following devices and/or subnets. When the "Only allow access from the following devices and networks" box is checked, you must provide entries here to allow in-coming mobile traffic to be passed through the Connect WAN.
CAUTION: Incorrect settings here can stop some or all traffic. For example, checking "Only allow access from the following devices and networks" without adding IP addresses or subnets to the "allow access" tables will block ALL incoming traffic, even responses to outgoing requests.

Thursday, October 28, 2010

Double Router Forwarding process

As a CCTV engineer or technician, it is very hard to configure double router forwarding for your installed DVR. As a technical writer, I dedicate this post to everyone who has called or mailed asking for this process to be written up. My aim is to keep this guide as simple as possible, while still providing you with the information you need to know.

As you can imagine, port forwarding through two routers is a bit more complex than port forwarding through one router. Below is a diagram of a double routed network.

Important Things to Notice:
· Both "Router #1" and "Router #2" have TWO IP addresses: an internal IP address and an external IP address.
· There are TWO LANs (Local Area Networks).
· There are TWO WANs (Wide Area Networks). If there is a LAN then there is an accompanying WAN.
Now that we have identified these things we can go on to learn how they affect us.


Network Address Translation
For the sake of readability, from now on I will refer to "Router #1" and "Router #2" as "R1" and "R2" respectively.
Every router does NAT (Network Address Translation), and has both an internal IP address and an external IP address. The external IP address is the one that connects that router to the WAN (Wide Area Network). Usually the WAN is the Internet. The internal IP address connects the router to the internal network. Our network here is a bit more complex than the basic network.
R1's external IP address connects R1 to the Internet, just like any other network. R1 also has an internal IP address which provides NAT to the internal LAN1 network below it. The only thing connected to LAN1 is the router R2. R2 connects to LAN1 with an external IP address. Notice that R2's external IP address does not connect to the internet, but to another private network. Another way to say that is, R2's WAN IP address is external to R2 but internal to R1. R2 then provides NAT to the LAN2 network below it. R2 provides NAT through its internal IP address. The computers then connect to LAN2 and receive data from R2.
Let's assign IP addresses to everything, and see how it would look.

Notice that the IP addresses that exist on LAN1 differ from the IP addresses on LAN2. The IP addresses that are on LAN1 are 192.168.1.1 and 192.168.1.5. The IP addresses that are on LAN2 are 10.0.0.1 and 10.0.0.15. Here is another diagram to help show the network divisions:

Configure Port Forwards

Okay enough idle chatter. Let's talk about how to forward ports through this network.

Step 1

We want to forward ports from the WAN of R1 to a computer connected to LAN2. To do this we need to forward the ports in R1 to R2's external IP address. In this example we would log into R1 and forward ports to 192.168.1.5.
Note: In order to connect to R1's web interface one will probably have to plug a computer directly into R1 and establish a connection on LAN1.


Step 2

The next step is to forward ports from R2 to the proper network device whether it be a computer, XBOX, or PS3. (The Proper network device is the device on which you run the program for which you are forwarding ports.) In our example we would log into R2, and then forward ports to 10.0.0.15.
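The two-hop forward just described (R1 to 192.168.1.5, then R2 to 10.0.0.15) and the Connect WAN forwarding table from the earlier post can both be traced with this toy model, an added example written for this page rather than code from any vendor. R1's public IP (203.0.113.10), the external client addresses and the DVR port (8080 forwarded to 80) are constructed; it also shows why an enabled-but-empty allow-list drops replies to the network's own outbound requests.

```python
"""Toy model of NAT, port forwarding and IP filtering, written for this page.
It is not code from the Connect WAN, Netcomm or pfSense; it only imitates the
behaviour the posts describe.  Addresses are the ones used in the posts; R1's
public address, the external client addresses and the DVR port are constructed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Router:
    wan_ip: str
    forwards: dict = field(default_factory=dict)   # (proto, ext_port) -> (lan_ip, lan_port)
    allow_from: Optional[set] = None               # None: IP filter off
    conntrack: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    next_port: int = 40000

    def add_forward(self, proto, ext_port, lan_ip, lan_port):
        self.forwards[(proto, ext_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> WAN: the source becomes the WAN address; the flow is remembered."""
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN: IP filter first, then conntrack, then the forwarding table.
        Returns the packet as delivered on the LAN, or None when it is dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        # The filter runs before anything else, so an empty allow-list drops
        # even replies to our own outbound requests (the CAUTION in the post).
        if self.allow_from is not None and pkt.src_ip not in self.allow_from:
            return None
        target = (self.conntrack.get((pkt.proto, pkt.dst_port))
                  or self.forwards.get((pkt.proto, pkt.dst_port)))
        if target is None:
            return None  # unsolicited inbound with no forward entry: blocked by NAT
        lan_ip, lan_port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)

def deliver(routers, pkt):
    """Push a WAN packet through a chain of routers (R1 then R2 in the double-router post)."""
    for router in routers:
        pkt = router.inbound(pkt)
        if pkt is None:
            return None
    return pkt

def connect_wan():
    """The Modbus forwarding table from the Connect WAN post."""
    cw = Router(wan_ip="166.213.229.218")
    for ext_port, lan_ip in ((12001, "192.168.1.2"), (12002, "192.168.1.3"), (12003, "192.168.1.4")):
        cw.add_forward("tcp", ext_port, lan_ip, 502)
    return cw

def poll(cw, ext_port):
    """A poll from a constructed external host to the Connect WAN's mobile IP."""
    return cw.inbound(Packet("tcp", "198.51.100.7", 51000, "166.213.229.218", ext_port))

def double_router():
    """R1 forwards to R2's WAN address 192.168.1.5; R2 forwards to the DVR at 10.0.0.15."""
    r1 = Router(wan_ip="203.0.113.10")                 # constructed placeholder for R1's public IP
    r1.add_forward("tcp", 8080, "192.168.1.5", 8080)
    r2 = Router(wan_ip="192.168.1.5")
    r2.add_forward("tcp", 8080, "10.0.0.15", 80)       # constructed DVR port
    return r1, r2

def reply_after_outbound(filter_on):
    """192.168.1.15 talks out; does the reply make it back through the filter?"""
    cw = connect_wan()
    cw.allow_from = set() if filter_on else None        # "only allow access" ticked, list empty
    out = cw.outbound(Packet("tcp", "192.168.1.15", 3333, "198.51.100.20", 80))
    reply = Packet("tcp", out.dst_ip, out.dst_port, out.src_ip, out.src_port)
    return cw.inbound(reply)
```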
If you are having trouble forwarding ports or just don't want to deal with the hassle of doing it manually, check out PFConfig; a software tool that automatically forwards your ports.

Using the Free Router Detector you can find the IP address of each host. Download and install it to get started.


Static IP Addresses

You have now set up port forwards in your double router network and everything is working without a hitch. That's great, but if you have not configured static IP addresses for the network devices for which you have forwarded ports, then your port forwarding settings are just waiting to break. When your port forward settings stop working, the most likely cause is that the network device for which you have forwarded ports has obtained a different internal IP address than the one it had when you originally configured your port forward settings. The result is that your ports are no longer forwarded to the correct IP address.

How do I stop my port forward settings from breaking?
Static IP addresses allow you to assign an IP address to a network device and ensure that its IP address does not change.
The network devices for which ports are being forwarded need to have a static IP address. If a device does not have a static IP address, then it has a dynamic IP address. Dynamic IP addresses can and will change. As stated earlier, if the IP address of a network device for which you've forwarded ports changes, the ports will not be forwarded to the correct place. So it is important to set up a static IP address on the network devices for which you intend to forward ports.
The same applies to R2 in our example. R2's external IP address should really be static. This is not too big of a problem if R2 is the only network device connected to LAN1; in that case it is unlikely that its IP address will change. If you have other devices on LAN1, you really need to set up a static IP address on R2. You would configure a static IP address in the WAN section of R2.