Stealth Ports on TL-R600VPN - Bridge mode
I use GRC.com to test ports externally for stealth. When using TL-R600VPN in bridge mode (PPPoE), the test for stealth shows 2 out of 3 for response, the router still responds to "solicited" packets.
Is there a way to get this router full stealth?
On an Internet-facing, non-controlled (standalone) ER605 I was able to accomplish all stealth (verified using Shields Up! and Nmap) except TCP Port 0.
I followed all the 'Recommended Solution' guidelines except: I didn't need to make any 'IP Address' or 'IP Group' entries at all. The 'Virtual Servers' and the 'Service Type'+'Access Control' fields all allow you to specify IP address ranges right in the fields, seemingly obviating the need for the 'IP Address' and 'IP Group' to be filled out at all.
I am uncertain if the 'IP Address' and 'IP Group' fields are necessary for the 'Recommended Solution' author's setup, but they don't appear to be for mine.
The problem remaining now is, the 'Virtual Servers' field treats TCP Port 0 as invalid (allowing only 1-65535) or else I could fully stealth the ER605. Hopefully TP-Link will make a code change to allow for stealthing TCP Port 0 as well by allowing 'Virtual Servers' to accept 0-65535...
@G777
There's a slightly better way to finish this off. I'm on an ER-605 which also follows the strict letter of the Internet spec and has all ports closed by default.
Adding a DMZ server lets you send EVERYTHING except the ports you manually set up to a non-existent IP.
Go to Transmission -> NAT -> NAT-DMZ and put in a dummy IP address. My main network is on 10.0.0.0/24, so I'm sending DMZ traffic to 192.168.33.1.
I'm not entirely sure if you need to do the full setup of an IP Group for this, I did it but then I figured out the DMZ was a much better way to do this.
Much quicker than the accepted solution:
Turn on the NAT-DMZ. I'm on an ER-605 but I believe this is similar to the posted item.
Transmission -> NAT -> NAT-DMZ + Add a DMZ entry going to any IP address that doesn't exist on your network.
This will catch all traffic not sent to a specifically forwarded port, so you can still open ports with Virtual Servers and this rule will only act on all the other ports.
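To confirm the result of the NAT-DMZ setup described above without relying only on the GRC test, here is an added example (not code from the thread or from TP-Link) that reproduces the "solicited packet" distinction ShieldsUP! makes: a refused connection means the router answered with a TCP RST (visible, "closed"), a timeout means the SYN was silently dropped ("stealth"). Run it from outside your LAN against your own WAN address; the loopback self-check only exercises the open/closed branches, since a stealth result needs a target that drops packets.

```python
import socket
from typing import Dict, Iterable

# Constructed example: a connect()-based stealth check for your own WAN address.
# Hairpin NAT from inside the LAN does not show what the Internet sees, so run
# this from an outside vantage point (a phone hotspot, a VPS) against your IP.


def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' (RST came back), 'stealth' (no reply at all)
    or 'unreachable' (an ICMP error came back, which is also not stealth)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:          # SYN silently dropped: this is "stealth"
            return "stealth"
        except ConnectionRefusedError:  # TCP RST: the router is visible
            return "closed"
        except OSError:                 # EHOSTUNREACH / ENETUNREACH etc.
            return "unreachable"


def stealth_report(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Classify each port; a fully stealthed router yields 'stealth' for all of them."""
    return {p: classify_port(host, p, timeout) for p in ports}


def is_fully_stealth(results: Dict[int, str]) -> bool:
    return all(state == "stealth" for state in results.values())


def demo_on_loopback() -> Dict[str, str]:
    """Self-check of the classifier on 127.0.0.1: one listening port and one
    port nothing listens on (the kernel answers that one with RST)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # released again, so a connect() here gets refused
    try:
        return {"listening": classify_port("127.0.0.1", open_port, 1.0),
                "closed": classify_port("127.0.0.1", closed_port, 1.0)}
    finally:
        listener.close()
```

Calling `stealth_report("<your WAN IP>", [0, 22, 80, 443, 1194])` from outside and checking `is_fully_stealth()` on the result reproduces the thread's test, including the TCP port 0 case the Virtual Servers field cannot cover.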