Port Forwarding Oddities: Some open, some don't

Discussion in 'Tomato Firmware' started by HXRoark, Dec 5, 2018.

  1. HXRoark

    HXRoark New Member Member

    I am hoping someone here can help me figure out why I can't get port forwarding working correctly. Some ports will open, but most will not. I'm running TomatoUSB on a Netgear WNR3500L v1 on the latest firmware K26USB 1.28.RT MIPSR2 140-miniVPN.

    Using the GUI at Port Forwarding>Basic, I have set several ports to be opened.

    On   Protocol   Src Address   Ext Ports   Int Port   Int Address   Description
    On   Both                     3500        3500                     Surveillance
    On   TCP                      3495        3495                     Camera TCP
    On   UDP                      3496        3496                     Camera UDP
    On   TCP                      3503        3503                     First Pi SSH
    On   Both                     3505        3505                     Second Pi SSH
    Testing with a port checker (both from inside the network and out) (Note: NAT loopback is set to "All"), the first port above (i.e., 3500) shows as open, but the rest do not. No matter what I have tried, I can't get any port other than 3500 to open -- at least through the Port Forwarding page. If I set the SSH Daemon access to Remote Port 22 - it will show that port as open, and I can access it via SSH.

    I believe that this is also killing my PPTP VPN (I know, not awesome), as I can't accept port 1723. Below is what I have under Advanced > Scripts > Firewall:
    iptables -I INPUT 2 -p gre -j ACCEPT
    iptables -I INPUT 2 -p tcp --dport 1723 -j ACCEPT
    iptables -I INPUT 2 -i ppp+ -j ACCEPT
    iptables -t nat -I PREROUTING -p tcp --dport 1723 -j ACCEPT
    iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
    iptables -I INPUT -i ppp+ -j ACCEPT
    iptables -I FORWARD -i ppp+ -j ACCEPT
    I should note that this all worked until recently, when I must have messed up some setting. But I make periodic backups of the Netgear's settings, so I have a number of old config files: none of which, when restored, makes port forwarding work correctly. I did update the firmware from 138 to 140 at some point, but I think everything worked after that.
    Please, any ideas?
    Last edited: Dec 5, 2018
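    One way to narrow down "some forward, some don't" is to compare the Port Forwarding entries against the DNAT rules the router actually rendered into the nat table. This is an added example, not from the thread or from Tomato itself; the WANPREROUTING chain name, the 203.0.113.10 / 192.168.1.50 addresses and the sample `iptables -t nat -S` output are constructed assumptions.

```shell
#!/bin/sh
# Added example: report which configured forwards have no matching DNAT rule.
# Chain name, addresses and the sample rule dump below are assumptions.

# Expected forwards from the Port Forwarding page, one "<proto> <ext_port>" per line
# ("Both" expands to a tcp and a udp line).
EXPECTED='tcp 3500
udp 3500
tcp 3495
udp 3496
tcp 3503
tcp 3505
udp 3505'

# Constructed sample of `iptables -t nat -S` on the router; only 3500 was rendered,
# which mirrors the symptom in the post.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 203.0.113.10/32 -j WANPREROUTING
-A WANPREROUTING -p tcp -m tcp --dport 3500 -j DNAT --to-destination 192.168.1.50:3500
-A WANPREROUTING -p udp -m udp --dport 3500 -j DNAT --to-destination 192.168.1.50:3500'

# has_dnat PROTO PORT RULES -> exit 0 if a DNAT rule for that proto/port is present.
# The trailing space after the port keeps 3500 from matching 35000.
has_dnat() {
    printf '%s\n' "$3" | grep -q -- "-p $1 .*--dport $2 .*-j DNAT"
}

# missing_forwards EXPECTED RULES -> prints "proto port" for each forward lacking a rule.
missing_forwards() {
    printf '%s\n' "$1" | while read -r proto port; do
        [ -n "$proto" ] || continue
        has_dnat "$proto" "$port" "$2" || printf '%s %s\n' "$proto" "$port"
    done
}

# On the router, replace the sample with live output:
#   missing_forwards "$EXPECTED" "$(iptables -t nat -S)"
missing_forwards "$EXPECTED" "$SAMPLE_RULES"
```

Any forward printed here never reached the kernel, so the problem is in the firmware's rule generation rather than in the ISP or the target host; an empty list points the other way.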
  2. ruggerof

    ruggerof Network Guru Member

    First the basics: what is your network topology?
  3. HXRoark

    HXRoark New Member Member

    Thanks for responding @ruggerof. The network is set up in a star formation, with the Netgear at the hub.

    From the wall it goes: Cable modem>Netgear. From the Netgear, I have several routers acting as wireless AP nodes that are connected to the Netgear by CAT5 cable. The Netgear has the firewall and serves DHCP for all connected devices (wired and wireless), including the router-nodes.

    The Netgear also has a guest network, and it is the only AP for that network.
  4. HXRoark

    HXRoark New Member Member

    So, today I did all I could to totally reset the router and start from scratch. But the result was that Port Forwarding still does not work.

    I did the following:
    • Reverted to v.1.38 of Tomato and tried current and past config files;
    • Upgraded back to 1.40 of Tomato with a full NVRAM reset and just a simple, single Port Forward add
    If a full NVRAM reset does not fix it, I can't figure out what will.
  5. Monk E. Boy

    Monk E. Boy Network Guru Member

    I suppose you're using a Shibby build? Toastman? Sorry, I'm getting over some cold flu thing so I'm a little fuzzy.

    If it's Shibby I would suggest going back to 132, which is the last version before multiwan was implemented. Multiwan introduced a lot of issues; I just try to avoid them.

    If you want to go with a version newer than 132 you may be better off going with FreshTomato-MIPS which is built off Shibby's code but they've caged a lot of the gremlins.

    Just to flesh out your configuration a little, is your cable modem in bridge mode? Meaning does your Netgear running Tomato end up with a public IP address on its WAN port?
  6. HXRoark

    HXRoark New Member Member

    Hey MonkE. Thanks for responding. Yes, I'm on Shibby. I never accessed the cable modem's GUI, but the Netgear has a public IP address on its WAN port -- so it must be in bridge mode.

    So, I could go back to 132; I'm willing to do anything at this point.

    I took a look at FreshTomato-MIPS, but don't see install instructions. Can you just flash it using the Tomato GUI with NVRAM wipe?

    If you have any other ideas, let me know. I'll post back with results.
    Last edited: Dec 6, 2018
  7. Monk E. Boy

    Monk E. Boy Network Guru Member

    In theory yes, however I've only ever played with those builds on ASUS routers with CFE-based firmware recovery modes, which make them fairly brick-proof (normally the only way to brick them, short of a hardware failure, is to put a new CFE onto them that doesn't work). If you're at risk of a brick, sticking with something like 132 would be a good first step since that's the last build before MultiWAN which is when a lot of new bugs started. If it works then at least you know it's a bug in the newer MultiWAN builds and not something slightly more wacky like ISP filtering or blocking or who knows what.

    You might be able to inquire in the FreshTomato-MIPS as to which build you should use for your model (or at least use the search function for freshtomato & your model), although the naming convention follows Shibby's for the most part, so you should look for something named very similar to what you're using. If you tell me exactly which Shibby build you're using (the firmware's filename) I could dig around and see if an equivalent build is present in FreshTomato, but as I said, there is a risk of a brick if your router doesn't implement a recovery method. I'm really not familiar with Netgear models to be honest, so I only know a couple of models at best (but not yours). I don't want to say "hey this is the right build" only to find out there's an issue with that build on your particular model that bricks it and there's no firmware recovery method in your model.

    Basically let's say you flashed the wrong firmware to your router and it stopped booting normally. Do you know how to recover from that? If you do then I'm not as worried. If you don't then I can point you in what's probably the right direction but no guarantees, proceed at your own risk, here there be dragons, etc.