Security Concerns with Wide Range Port Forwarding on Deco X55

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-05-17 03:22:29
Tags: #Port Forwarding #Security Vulnerability
Model: Deco X55  
Hardware Version:
Firmware Version: 1.2.6

Hello TP-Link Community,

I am currently using the Deco X55 for managing network access to a home server that hosts various services like Remote Desktop, a media server, and a game server. While setting up port forwarding, I noticed that I can only forward a wide range of ports to accommodate these services, e.g. from 3389 to 27016.
While this setup might seem convenient, it poses significant security concerns. Broadly opening such a wide range of ports can expose my network to various risks, including unauthorized access and potential exploitation of vulnerable services.

Typically, it's advisable to open only the specific ports needed for each service to minimize the attack surface. Here are some specific risks involved with opening a broad range of ports:
- Increased Attack Surface: Every open port could potentially be a point of entry for malicious actors.
- Potential for Exploitation: Certain ports, if left open and unmonitored, can be targeted for exploits, especially if associated services have known vulnerabilities.
- Network Performance: While less of a security risk, broadly opened ports could potentially impact network performance and management due to increased overhead.

Given these risks, I am looking for advice or potential updates that might allow more granular control over port forwarding settings.
For instance:
- Is there a way to more precisely control which ports are forwarded without needing to open a wide range?
- Are there upcoming firmware updates that might address this issue and provide better configuration options?

I appreciate any feedback or guidance you can provide on securing our network while using the Deco X55 for complex home networking setups.

I've attached two screenshots: one of the large range I've had to forward, and one of me trying to add multiple ports to one client, which displays "This IP address is already taken."

Thank you!

Re:Security Concerns with Wide Range Port Forwarding on Deco X55
2024-05-20 07:39:19

  @ThriftyKiwi 

Hi, welcome to the community.

Since the port range is customized by users themselves, if you only need to open ports 3389, 8096, and 27016, you could add three separate rules for each port.

Would there be a specific reason why you have to use a wide range of ports?

Waiting for your reply, and best regards.

 

 

 

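To compare the 3389-27016 range rule from the first post with the three single-port rules suggested in the reply above, here is an added example that is not part of the thread and not TP-Link code. It assumes each rule forwards an external port to the same internal port on one host; the rule names and the list of listening ports are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    first: int  # first external port
    last: int   # last external port, inclusive (== first for a single port)

    def covers(self, port):
        return self.first <= port <= self.last

def exposed_port_count(rules):
    """Distinct external ports forwarded; overlapping rules are counted once."""
    total, reach = 0, 0  # reach = highest port already counted
    for r in sorted(rules, key=lambda r: r.first):
        lo = max(r.first, reach + 1)
        if lo <= r.last:
            total += r.last - lo + 1
            reach = r.last
    return total

def overlapping_rules(rules):
    """Name pairs of rules whose external ranges intersect."""
    rs = sorted(rules, key=lambda r: r.first)
    return [(a.name, b.name) for i, a in enumerate(rs)
            for b in rs[i + 1:] if b.first <= a.last]

def unintended_exposure(rules, listening, intended):
    """Listening ports that are forwarded although no service was meant to be public."""
    return sorted(p for p in listening
                  if p not in intended and any(r.covers(p) for r in rules))

# Ports named in the thread.
WIDE = [Rule("range", 3389, 27016)]
NARROW = [Rule("rdp", 3389, 3389), Rule("media", 8096, 8096), Rule("game", 27016, 27016)]
INTENDED = {3389, 8096, 27016}
# Constructed sample: TCP ports the home server listens on (e.g. taken from `ss -tln`).
LISTENING = {22, 445, 3389, 5432, 5900, 8096, 9090, 27016}

if __name__ == "__main__":
    for label, rules in (("range rule", WIDE), ("per-port rules", NARROW)):
        print(label, "forwards", exposed_port_count(rules), "ports;",
              "unintended listeners reachable:",
              unintended_exposure(rules, LISTENING, INTENDED))
    print("overlaps if 8096 is added next to the range:",
          overlapping_rules(WIDE + [NARROW[1]]))
```

Any service that later starts listening inside the forwarded range becomes reachable from outside without a rule change, which is why the listening-port list is worth rechecking after software installs.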
Re:Security Concerns with Wide Range Port Forwarding on Deco X55
2024-05-20 08:00:28 - last edited 2024-05-20 08:46:23

  @David-TP How can you add 3 separate rules? Can you provide steps for the X55?
You can see in my screenshot that when I try to add another rule it says this IP is already taken, so I can't add 3 separate rules.

It seems with the Deco X55 you can only do a range if you want multiple ports forwarded.

 

Re:Security Concerns with Wide Range Port Forwarding on Deco X55
2024-05-20 09:02:17

  @ThriftyKiwi 

Hi, 

The first NAT forwarding rule is from 3389-27016, which overrides port 8096, so the Deco APP pops up an error message.

You might need to delete the first rule, then add a single port each time under one profile, such as:

How to set up Port Forwarding feature on the Deco

 

Re:Security Concerns with Wide Range Port Forwarding on Deco X55
2024-05-20 09:13:15

  @David-TP No luck. Set there to just be one port, 3389, then tried adding another port, but still get the same message and I can't add the port.
Might be an issue with the Deco X55. What router are you using?

Re:Security Concerns with Wide Range Port Forwarding on Deco X55
2024-05-21 01:16:59

  @ThriftyKiwi 

Hi, sorry for the delay.

I'm using Deco X68.

I also ran into several errors before finally being able to add all three rules.

Here is some advice from my experience.

1. Please go to the address reservation and reserve the IP address 192.168.68.111 first.

2. Then set the NAT forwarding rules for each port again.

Thank you very much and best regards.

Re:Security Concerns with Wide Range Port Forwarding on Deco X55
2024-05-22 02:44:37

Hey @David-TP 

I tried that but still no luck. I just can't add more than one rule; the only thing I can do is have a massive range of ports open.

Re:Security Concerns with Wide Range Port Forwarding on Deco X55
2024-05-22 08:33:17

  @David-TP I believe you get another error message when (external) ports overlap.

There is no reason to avoid overlaps on internal ports, and I believe the Deco does not prevent that.

I believe this message "IP already taken" means something else. 

Re:Security Concerns with Wide Range Port Forwarding on Deco X55
2024-05-23 09:58:35

  @yves_b 

Hi, I did go through different errors.

The first one always went smoothly, then I set a different port for the same client, and it told me to reserve a fixed IP address. Actually when I go back to "Address Reservation", it has been reserved already. Then I repeated, and it said, "Something went wrong, please try again".

Then I removed the  "Address Reservation" profile and went back to add the port forwarding rule for the third time. It worked.

I blame it on the poor APP interaction.

So @ThriftyKiwi, sorry for the inconvenience.

Would you mind trying it again? When the error pops out, try to remove the already reserved IP address profile once.

However if it fails again, could you please help me submit the Deco APP log here:

How to submit Deco APP log

 

Thank you very much and wait for your reply.

 
