Monday, May 15, 2023

Port Forwarding on a Netcomm 3G Broadband Router 3G15Wn

This guide will walk you through the steps of port forwarding on the Netcomm 3G Broadband router 3G15Wn (Firmware L411-402NVM-C01_R10).

NetComm's web user interface (UI) was easy to navigate, although for no reason we could determine loading any of the wireless configuration pages took an exceedingly long time, leading to frustration.

Almost every menu option also creates a drop-down when you mouse over it, which is fine enough, but some of those drop-down menus then expand sideways when you mouse over them, with no indication that there are further options hidden there in the first place. With 16 menu items under the "Advanced" menu, many of which have daughter menus, it's really quite easy to get lost, or to have no idea of just how many features there are.

1) Open up your favorite browser and go to the router’s default gateway address.

http://192.168.1.1 (Default Address)

2) Log in to the router.

Default Username: admin

Default password: admin

3) Once you have logged into your router, go to the “Advanced” tab, hover over “NAT”, then click “Port Forwarding”.

4) Click on “Add” at the bottom of the page.

5) Be sure to select the radio button “Custom Service” and choose a name for the service (a short description, e.g. web, camera, xbox, etc.). “Server IP Address” is the internal IP address that you want the port to be open on. Be sure you have “Protocol” set to “TCP/UDP”. “External Port” is the port you wish to open, and “Internal Port” is the port leading to the machine on your home network. Click Apply/Save.

Once you save the settings you should be able to test your port at www.portchecktool.com. Please keep in mind that your ISP (Internet Service Provider) may be blocking certain ports such as port 8025 and 21. You can call and ask if they are. If you are still not able to see the ports, check the firewall and anti-virus software on your computer.

As an example configuration, suppose you have a webcam that has the IP address 192.168.1.100 and runs on port 80. You want to be able to access this camera from outside your network on port 8080. You would enter the values below into the port forwarding page.

Custom Service = Small Description

Server IP Address = 192.168.1.100

Protocol = TCP/UDP

External Port = 8080

Internal Port = 80

Then to view the camera you would use your No-IP host of “somehost.no-ip.com” like this: http://somehost.no-ip.com:8080 to reach the webcam.

Port Forward Troubleshooting

If you are having problems with a port forward, try the following.

1. If you did not exactly follow the “How can I forward ports with pfSense?” guide, delete anything you have tried, and start from scratch with those instructions.

2. Port forwards do not work internally unless you enable reflection. Always test port forwards from outside your network.

3. If you're still having problems, edit the firewall rule that passes traffic for the NAT entry, and enable logging. Save and Apply Changes. Then try to access it again from the outside. Check your firewall logs to see if the traffic shows as being permitted or denied.

4. Use tcpdump to see what's happening on the wire. This is the best means of finding the problem, but requires the most networking expertise. Start with the WAN interface, and use a filter for the appropriate protocol and port. Attempt to access from outside your network and see if it shows up. If not, your ISP may be blocking the traffic, or for Virtual IPs, you may have an incorrect configuration. If you do see the traffic on the WAN interface, switch to the inside interface and perform a similar capture. If the traffic is not leaving the inside interface, you have a NAT or firewall rule configuration problem. If it is leaving the interface, and no traffic is coming back from the destination machine, its default gateway may be missing or incorrect, or it may not be listening on that port. For certain types of traffic you may see return traffic indicating the host is not listening on that port. For TCP, this would be a TCP RST. For UDP, it may be an ICMP Unreachable message.

Common Problems

1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?). Hint: You probably do NOT want to set a source port.

2. Firewall enabled on client machine.

3. Client machine is not using pfSense as its default gateway.

4. Client machine not actually listening on the port being forwarded.

5. ISP or something upstream of pfSense is blocking the port being forwarded.

6. Trying to test from inside your network. You need to test from an outside machine.

7. Incorrect or missing Virtual IP configuration for additional public IP addresses.

8. The pfSense router is not the border router. If there is something else between pfSense and your ISP, you must also replicate port forwards and associated rules there.

9. Forwarding ports to a server behind a Captive Portal. You must add an IP bypass both to and from the server's IP in order for a port forward to work behind a Captive Portal.

10. If this is on a WAN that is not your default gateway, make sure there is a gateway chosen on this WAN interface, or the firewall rules for the port forward would not reply back via the correct gateway.

11. If this is on a WAN that is not your default gateway, ensure the traffic for the port forward is NOT passed in via Floating Rules or an Interface Group. Only rules present on the WAN's interface tab under Firewall Rules will have the reply-to keyword to ensure the traffic responds properly via the expected gateway.

12. If this is on a WAN that is not your default gateway, make sure the firewall rule(s) allowing the traffic in do not have the box checked to disable reply-to.

13. If this is on a WAN that is not your default gateway, make sure the master reply-to disable switch is not checked under System > Advanced, on the Firewall/NAT tab.

14. WAN rules should NOT have a gateway set, so make sure that the rules for the port forward do NOT have a gateway configured on the actual rule.

Monday, May 1, 2023

Netgear Genie R7000 Port Forwarding for Security DVR

Within the Netgear Genie Nighthawk R7000, there is a port forwarding section you will need to access for port forwarding. To enable port forwarding on your system you will need to make “port rules” in your router that allow selected traffic from the internet to reach devices on your network. Without this configuration you will not be able to view your surveillance cameras remotely, either online or from your phone. Therefore you must go through the steps listed below to configure your router to allow this traffic. This particular guide is for the Netgear Genie Nighthawk R7000.

You can use this guide to help configure port forwarding on the Netgear Genie router for any device on your network. There are two rules that must be made on your router for your security surveillance system: one rule for port 80 and one rule for port 37777. Port 80 is commonly used by other applications as well, so in the event that it is already being used by another service, you will have to use another port for the rule, such as port 8080. For this demonstration we will use port 8080 as an example.

You must check your DVR’s network menu and change the HTTP Port from 80 to 8080 if you need to utilize a different port number.

1) Access your router

You must access your router on your home network in order to make any changes. To do this you need to find the Default Gateway (the router’s IP address) of your network. You can follow this guide here to find your default gateway. For this type of router, it is commonly 192.168.1.1. Type this IP address directly into your internet browser bar to bring up the router login screen. Here you will be prompted for your login credentials. If you do not know your login credentials, you can check online for the manufacturer default, or call your internet service provider.

2) Navigate to Port Forwarding Section

Once you have accessed your router, you will see two tabs at the top for “Basic” and “Advanced.”

Choose “Advanced” to bring up choices on the left side of the screen. Click on the “Advanced Setup” drop down menu and from here select the option “Port Forwarding / Port Triggering.” This will bring up the menu we need to create port rules in your router.

3) Create Port Forwarding Rules

First at the bottom of the menu there will be an icon for “add custom service.” Click here to make your first rule. You will see several areas that you need to fill out to create this rule. Let’s go through the steps and make the first rule for port 8080.

3.1) Service name

This is the name you want to give your port rule.  Make it something easy to find and distinguish later, such as “port 8080.”

3.2) Service type

This is the type of service you are creating. Keep this as TCP/UDP.

3.3) External Starting Port and External Ending Port

Both of these options must be the port number you are creating the rule for; in this case, type 8080.

3.4) Internal Starting Port and Internal Ending Port

Again, both of these must be the port number you are creating the rule for; in this case, type 8080.

3.5) Internal IP address

This is the IP address of the device you are accessing with this port rule, that is, the device you want internet traffic routed to. For this, you must type in your DVR’s or NVR’s IP address, found in the DVR’s or NVR’s networking section.

After these steps are completed, hit “apply” to create this rule. You have just created the necessary port rule for port 8080. Follow these steps again to create a rule for port 37777, entering 37777 everywhere you entered 8080 before. If you have created these two rules appropriately, you should be ready to access your DVR or NVR remotely, either online or through your phone.

4) Scanning your Ports

Last, you want to make sure that the rules you configured are applied to your router and active, meaning that these ports are now open for use. You can check if your ports are open by scanning the ports.

Go to GRC.com to scan for open ports on your internet connection. This must be done from the same internet connection to which the DVR or NVR is connected.

Click Proceed to begin, and wait for the next page to load.

When the page reloads, type just the two port numbers in the search bar, separated by a comma, such as "8080, 37777" and not "port 8080, port 37777." Click "User Specified Custom Port Probe" to check for open ports on your router.

Look only at the status next to each port after the scan is complete. If the status next to the ports is "Open", then the port rules should be applied correctly and you are done. If they say "Closed", then the rules were not created properly or there is some other issue happening. If they say "Stealth", however, this points to an issue with your internet service provider (ISP). Your ISP is blocking these or all ports from being used for whatever reason and you will have to contact them to resolve this issue.
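
The three scan results described above, and the TCP RST behaviour mentioned in the troubleshooting steps of the earlier post, can also be checked with a short script run from a machine outside your network. This is an added example, not part of the original guides; the function names `probe_tcp` and `check_forwards` are hypothetical, and the host in the usage comment is a placeholder for your own public address.

```python
import errno
import socket
import sys


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port using the same three states as the scan above.

    open    - the handshake completed, so something is listening
    closed  - the connection was refused (a TCP RST came back)
    stealth - nothing came back before the timeout (dropped on the path)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError as exc:
        # An ICMP unreachable reply surfaces as one of these errno values.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def check_forwards(host, ports, timeout=3.0):
    """Probe each forwarded port and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Usage (run from OUTSIDE your network, against your own public address):
    #   python3 check_forwards.py <your-public-ip-or-hostname> 8080 37777
    if len(sys.argv) < 3:
        sys.exit("usage: check_forwards.py HOST PORT [PORT ...]")
    target = sys.argv[1]
    for port, state in check_forwards(target, [int(p) for p in sys.argv[2:]]).items():
        print(f"{target}:{port} -> {state}")
```

This probes TCP only; a UDP forward cannot be confirmed with a connect-style check.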