HELP - TD-W8980 - Opening ports on the firewall

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2015-03-28 06:11:10
Region : UnitedKingdom

Model : TL-WDR3600

Hardware Version :

Firmware Version :

ISP :


Hi all,

I'm trying to expose a port (8096) on my firewall to the internet..

Everything is set to IPv4, and I'm using the IPv4 firewall....

I've configured port forwarding - seemingly correctly - to forward inbound requests on the port to the correct server, as when the firewall is disabled this service works (and also www.portchecktool.com shows that it can connect to 8096)...

When I enable the firewall (rules to be explained in a sec) it doesn't work...

I have the following rules:

* Deny unless specified: ON

* a series of outbound rules which give me the access I want / expect

* rules in question:

rule 1 -

LAN host - server IP address, 8096, Enabled, IN, TCP, Allow, Any time

rule 2 -

LAN host - gateway IP address, 8096, Enabled, IN, TCP, Allow, Any time



I've also tried specifying the LAN host as simply a port (8096)


I assumed the firewall comes into effect after the forwarding, but in case not, I added rule 2..

Neither rule works (not in conjunction, or individually)...

I'm at a loss as to what to do..

Help!
Re:HELP - TD-W8980 - Opening ports on the firewall
2015-03-28 19:08:17
Why do you need to open this port? Do you have a public IP address on the WAN port?
Re:HELP - TD-W8980 - Opening ports on the firewall
2015-03-29 00:34:23
I'm exposing a service over the Internet - which I can access on my mobile. I'm using no-ip.org as a dynamic DNS service and their client which regularly updates my public IP address with their service. The DNS and port forwarding all work perfectly without the IPv4 firewall enabled. The router overview page displays my public IP fine. My WAN host in the firewall rules is set to Any Host. For the LAN Host for these rules, I've tried not specifying an IP but just specifying the port. I've tried specifying the port and my gateway, and I've tried specifying the internal server and the port. None of the above work. All from any host, all with the direction of IN, all on TCP (it's a TCP service), all set to allow, and all enabled. I have no other blocking anything.
Re:HELP - TD-W8980 - Opening ports on the firewall
2015-03-29 00:49:27
I need this port open as I'm trying to expose a service over the internet, this service runs on port 8096 (my port forwarding originally accepted 80 and forwarded over 8096 to the target LAN server/host, however, I'm simplifying things at the moment until I get it all working)

The service is over TCP and in fact is an HTTP service (a web application that I'm running)....

For access via a domain name, I've registered with no-ip.org, and I run their client to update my sub-domain with my public IP address.. All this works, and has worked in the past when using a different router..

The only issue is when I enable the IPv4 firewall (and yes, all my networking internally is run over an IPv4 network, IPv6 is disabled on the router and all hosts).

As I think I mentioned, the whole set-up works with the firewall disabled, absolutely perfectly.. www.portchecktool.com can connect to my port, and actually I'm able to browse to the service when I'm not connected to my network... This actually, all works including me exposing port 80 on the Firewall and forwarding it to 8096 on the target (internal) host. Just, as soon as I enabled the firewall, nothing can connect. www.portchecktool.com no longer works, and I cannot browse to the service when I'm off my network.

The firewall is set to deny anything not explicitly allowed and then - currently - in my list of rules I have these two:




Description    LAN Host     Target     Schedule   Rule    Status
MediaServer1   MediaSe...   Any Host   Any Time   Allow   Enabled
MediaServer2   Ext.Med...   Any Host   Any Time   Allow   Enabled


The two LAN hosts are specified as:

1.
Description: MediaServer
IP Address: the server's internal IPv4 address
Port range: 8096


2.
Description: Ext.MediaServ
IP Address: Gateway address
Port range: 8096



I added the second rule (well, second host for the second rule) just in case the firewalling was happening prior to any port forwarding and NATing - which I doubt, but I am/was getting desperate.


The rules themselves are:

1.
Description: MediaServer1
LAN Host: MediaServer
WAN Host: Any Host
Schedule: Any time
Action: Allow
Status: Enabled
Direction: IN
Protocol: TCP


2.
Description: MediaServer2
LAN Host: Ext.MediaServ
WAN Host: Any Host
Schedule: Any time
Action: Allow
Status: Enabled
Direction: IN
Protocol: TCP




The other rules are all outbound, there is no rule that denies anything, except one to block some specific outbound traffic... There is no other inbound rule...


The port forwarding is as follows:




Service Port   IP Address                       Internal Port   Protocol   Status    WAN
8096           server's internal IPv4 address   8096            TCP        Enabled   pppoa_0_38_0_d




I feel like I'm doing something really bl**dy stupid

Any help will be much appreciated!

Thanks!
Re:HELP - TD-W8980 - Opening ports on the firewall
2015-03-29 00:51:45
OH, and yes... I do have a public IP address on my WAN interface:

pppoa_0_38_0_d PPPoA 0/38 86.158.109.110 /32 217.47.112.186 213.120.234.14 213.120.234.30 Connected
Re:HELP - TD-W8980 - Opening ports on the firewall
2015-03-30 00:05:03
Do you have access to this service in the local network?

pppoa_0_38_0_d PPPoA 0/38 86.158.109.110 /32 217.47.112.186 213.120.234.14 213.120.234.30 Connected

Is this IPv6 protocol on your WAN port?
Re:HELP - TD-W8980 - Opening ports on the firewall
2015-03-30 01:57:49

jimasek wrote:

Do you have access to this service in local network? Is this IPv6 protocol on your WAN port?

IPv6 is disabled on the router and on all hosts and devices - everything is set to IPv4. And yes, with or without the firewall enabled it always works internally on the LAN. It's just access from the WAN.
Re:HELP - TD-W8980 - Opening ports on the firewall
2015-03-30 02:19:58
Give me a screenshot from the Virtual Server and port forwarding settings?
Re:HELP - TD-W8980 - Opening ports on the firewall
2015-03-30 05:55:46
Here's the screen shot that it let me upload .. hmm...


The settings are (in the virtual server section of port forwarding):

Service Port: 8096
IP Address: 192.168.1.103
Internal Port: 8096
Protocol: TCP
Status: Enabled
WAN: pppoa_0_38_0_d


I don't - believe - that I need to use Port Triggering, nor do I need to use the DMZ feature (because the server doesn't connect back out, it's a standard web application, that accepts inbound HTTP requests - 8096 is its default port)
File: PF-VS.jpg
Re:HELP - TD-W8980 - Opening ports on the firewall
2015-03-30 10:09:47
Since port forwarding works when the firewall is disabled, I don't think the configuration on the virtual server is wrong.
Why do you have to enable the firewall? What are you trying to control? After you configure it as you said, can you access the internet properly? Just port forwarding stops working?
Re:HELP - TD-W8980 - Opening ports on the firewall
2015-03-30 16:12:48
I'd quite like to have my firewall on, from a basic security perspective. Security is my profession (though software architecture security as opposed to networking / infrastructure security - though I have a basic understanding). Currently, I want to restrict outbound traffic to just HTTP(S), and block known C&C servers over any port/protocol, plus time restrict some other access. All this works, if we forget the media system that I'm trying to expose over the Internet... Every other rule on the firewall works. Although, there's a key difference between the rules that do and the rules that don't work. The rules that do work are all outbound/egress rules, whereas the rules that don't work are all inbound/ingress rules. So, I'm a little confused.
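A toy model of the question this thread keeps returning to (is the default-deny filter applied before or after port forwarding?), added here as an illustration; it is not taken from any post or from the router's firmware. It assumes a rule's LAN host is compared with the packet's destination, that "gateway address" means the router's LAN address (192.168.1.1, an assumed value), and it uses a constructed documentation address for the WAN side.

```python
from dataclasses import dataclass, replace
from typing import Optional

SERVER_IP = "192.168.1.103"   # LAN server from the thread's virtual-server settings
GATEWAY_IP = "192.168.1.1"    # assumed router LAN address (not given in the thread)
WAN_IP = "203.0.113.10"       # constructed documentation address for the WAN side
PORT = 8096

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

@dataclass(frozen=True)
class AllowIn:
    """Inbound allow rule; lan_ip=None models a 'LAN host' defined by port only."""
    name: str
    lan_ip: Optional[str]
    port: int
    proto: str = "TCP"

    def matches(self, p: Packet) -> bool:
        return (self.lan_ip in (None, p.dst_ip)
                and self.port == p.dst_port and self.proto == p.proto)

def dnat(p: Packet) -> Packet:
    """Virtual server entry: WAN_IP:8096/TCP -> SERVER_IP:8096."""
    if (p.dst_ip, p.dst_port, p.proto) == (WAN_IP, PORT, "TCP"):
        return replace(p, dst_ip=SERVER_IP, dst_port=PORT)
    return p

def allowed(p: Packet, rules, filter_after_dnat: bool) -> Optional[str]:
    """Default deny: return the name of the first matching allow rule, else None."""
    seen = dnat(p) if filter_after_dnat else p
    return next((r.name for r in rules if r.matches(seen)), None)

def coverage(rule: AllowIn) -> dict:
    """Which processing orders let an Internet connection to WAN_IP:8096 through?"""
    pkt = Packet(WAN_IP, PORT)
    return {order: allowed(pkt, [rule], order == "filter_after_dnat") is not None
            for order in ("filter_before_dnat", "filter_after_dnat")}

RULES = {
    "server": AllowIn("MediaServer1", SERVER_IP, PORT),
    "gateway": AllowIn("MediaServer2", GATEWAY_IP, PORT),
    "port_only": AllowIn("PortOnly", None, PORT),
}

if __name__ == "__main__":
    for key, rule in RULES.items():
        print(f"{key:10s} {coverage(rule)}")
```

In this model a port-only LAN host passes in either order, while a rule bound to the router's LAN address matches in neither, because an Internet packet is addressed to the WAN IP before translation and to the server after it.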