Archer A2300 - Firewall opening ports w/o authorization
Hey guys,
TL;DR - This morning, I noticed that my Archer A2300 had opened/forwarded a single port to an internal server without my authorization. The logs give no indication of this ever happening. A reboot of the router had no effect. Disabling port forwarding (destined for another port/machine), then re-enabling it, seems to have fixed the issue.
Longer version - I have been using an Archer A2300 on one of my networks for about two years now. The network in question is connected to a small virtualized lab hosting a handful of virtual machines, along with some Docker containers which host a number of services for internal use.
The only port I have explicitly open/forwarded on the A2300 is 1195/udp, which forwards internally to 10.10.10.5 on port 1195. This is a VPN server and serves as the only means of accessing my internal services while working remotely. There are currently no machines residing in the DMZ and no other ports have been explicitly opened or forwarded. Remote management and all other unneeded/insecure services have been disabled.
The server that was exposed this morning resides at 10.10.10.10 and the open port was 8096/tcp, which is a Jellyfin media server. I was made aware of this after receiving an email from my NIDS stating that a large number of connections and unsuccessful authorization attempts were happening on this machine. The router's WebUI did not indicate that this port was opened or forwarded. The logs had no mention of the same. It was confirmed open and responsive via an nmap scan, and then by requesting the site (http://<WAN-IP>:<PORT>/), both from an off-site machine.
As a security analyst, this troubles me. I see no evidence of tampering or any sort of breach on any of my machines. It appears that there may be a bug in the A2300 firmware that wrongly opens/forwards ports when certain triggers are met. I'm working now to try and replicate the issue in the hopes of figuring out why this is happening and to help others in the community avoid experiencing the same issue.
If anyone else has experienced this, has questions or anything at all, I'm all ears.
ETA: Attached a network topo. Should give an idea of why a glitch like this bothers me.
https://i.imgur.com/NxIYyTw.png
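An added example (not the original poster's code) of automating the off-site check described in the post: parse `nmap -oG` grepable output taken from outside the network and flag any port reported as open that is not in the intended forward list. The WAN address, scan output and nmap flags below are constructed placeholders, not values from the post.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample of `nmap -oG` (grepable) output for an off-site scan of the
# WAN address. Addresses and services are placeholders, not values from the post.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -p 80,443,1195,8096 -oG - 203.0.113.7
Host: 203.0.113.7 ()\tStatus: Up
Host: 203.0.113.7 ()\tPorts: 80/closed/tcp//http///, 443/filtered/tcp//https///, 1195/open|filtered/udp//openvpn///, 8096/open/tcp//http///\tIgnored State: closed (1)
# Nmap done at (placeholder)
"""

# The only forward the router is supposed to have: the VPN listener.
EXPECTED_FORWARDS = {(1195, "udp")}

# Grepable port entries look like  PORT/STATE/PROTO/OWNER/SERVICE/RPC/VERSION/
_PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")


def parse_open_ports(grepable: str) -> Set[Tuple[int, str]]:
    """Return the set of (port, proto) that nmap reports as plainly 'open'.

    'open|filtered' is deliberately excluded: for UDP it usually means no
    response at all, so it is not evidence of an exposed service.
    """
    found: Set[Tuple[int, str]] = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # Keep only the Ports field; drop the trailing "Ignored State" field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in _PORT_RE.findall(ports_field):
            if state == "open":
                found.add((int(port), proto))
    return found


def unexpected_exposures(grepable: str,
                         expected: Iterable[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Open ports seen from the WAN that are not in the intended forward list."""
    return sorted(parse_open_ports(grepable) - set(expected))


if __name__ == "__main__":
    for port, proto in unexpected_exposures(SAMPLE_GREPABLE, EXPECTED_FORWARDS):
        print(f"ALERT: {port}/{proto} reachable from the WAN but not in the forward list")
```

Run it on a schedule from a host outside the network and it will catch exactly the situation in the post: a port the router's WebUI and logs never mention, but that is answering from the WAN.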