ER7412-M2 — Cannot close WAN-facing ports 21, 554, 1720, 1723
Hardware: ER7412-M2 v1.20
Controller: OC200 v1.39.6 Build 20260227
Mode: Controller mode
WAN: Static public IP
I've been running a penetration test against my public IP from an external device (laptop on hotspot) and found the following TCP ports responding on my WAN interface:
- Port 21 (FTP)
- Port 554 (RTSP)
- Port 1720 (H.323)
- Port 1723 (PPTP)
I do not use FTP, RTSP, H.323, or PPTP VPN. No port forwarding rules are configured. No VPN server is enabled.
What I've already tried:
1. Disabled all ALGs (FTP, PPTP, H.323, IPsec) under Devices → Gateway → Config → Transmission → NAT → ALG — ports remain open. Toggling ALGs off seems to control protocol inspection for pass-through traffic, not the gateway's own listening services. Disabling H.323 ALG actually exposed port 1720 which wasn't visible before.
2. Disabled IGMP Proxy under Devices → Gateway → Config → Advanced → IPTV — this closed port 8554 but 554 remains.
3. Disabled Remote Access under Network Tools → Remote Access — this successfully closed ports 80 and 443.
4. Created a Gateway ACL rule with Direction [WAN]IN, Policy Deny, targeting these ports via an IP-Port Group — rule has no effect. The gateway appears to process packets destined for its own WAN IP before ACL evaluation.
5. Checked Firewall, Attack Defense, VPN, VoIP, NAT/Port Forwarding pages — no relevant toggles found.
6. CLI is not available in controller mode (confirmed via datasheet: "CLI only in Standalone Mode").
7. Internet Service Provider (ISP) cannot apply upstream port filtering.
Ping from WAN is correctly blocked (Attack Defense → Block Ping from WAN is enabled). Ports 80 and 443 were successfully closed via the Remote Access toggle. The remaining four ports appear to be firmware-level services with no UI control.
Questions:
1. Is there a way to disable these services on the WAN interface in controller mode that I've missed?
2. Is there a planned firmware update that would add WAN service controls or allow WAN-inbound ACLs to apply to gateway-destined traffic?
3. Has anyone found a workaround without adding external hardware (e.g. OPNsense or a managed switch in front of the gateway)?
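A way to check after each configuration change which of those ports still accept connections, added here as an example and not part of the original post: run it from the outside device against your own WAN IP. It assumes the port list from the post, identifies FTP by its 220 greeting and RTSP by its reply to an OPTIONS request, and reports H.323 and PPTP by connect state only.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the post found answering on the WAN side (21, 554, 1720, 1723) plus the
# ones the UI toggles closed (80, 443, 8554), so a re-run shows what each change did.
WAN_PORTS = {21: "ftp", 80: "http", 443: "https", 554: "rtsp",
             1720: "h323", 1723: "pptp", 8554: "rtsp-alt"}

def classify_banner(port, banner):
    """Map what the listener said to a service hint; '' if nothing identifiable."""
    if port == 21 and banner.startswith("220"):
        return "ftp"          # FTP servers greet with a 220 line before any request
    if port in (554, 8554) and banner.startswith("RTSP/1."):
        return "rtsp"         # RTSP status line answers our OPTIONS request
    return ""

def probe_port(host, port, timeout=3.0):
    """Return (state, banner): state is 'open', 'closed' (RST) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if port in (554, 8554):
                s.sendall(b"OPTIONS * RTSP/1.0\r\nCSeq: 1\r\n\r\n")
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""      # accepted the connection but said nothing
            return "open", banner
    except ConnectionRefusedError:
        return "closed", ""
    except (socket.timeout, OSError):
        return "filtered", ""

def audit(host, ports=WAN_PORTS, timeout=3.0):
    """Probe all ports in parallel; returns {port: (name, state, hint, banner)}."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return {p: (ports[p], st, classify_banner(p, b), b)
            for p, (st, b) in zip(ports, states)}

def still_exposed(results):
    """Ports that still accept connections; an empty list means the change worked."""
    return sorted(p for p, (_, st, _, _) in results.items() if st == "open")

if __name__ == "__main__":
    import sys
    res = audit(sys.argv[1])   # run from an outside network against your own WAN IP
    for p, (name, st, hint, banner) in sorted(res.items()):
        print(f"{p:>5} {name:<8} {st:<8} {hint:<5} {banner[:40]}")
    print("still exposed:", still_exposed(res))
```

A port reported "open" with an empty banner on 21 or 554 suggests the connection is being accepted by something other than a real FTP/RTSP daemon (an ALG or inspection hook), which is worth noting when comparing results before and after each toggle.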