Port forwarding unreliable

Discussion in 'Tomato Firmware' started by apinunt, Jul 13, 2009.

  1. apinunt

    apinunt LI Guru Member

    When I first began using Tomato over a year ago on my WRT54GS router, port forwarding worked very well, and I could open or close ports with no difficulty at all. Now after the last couple of upgrades I find that ports cease at random to remain forwarded, and if I struggle long enough changing the port number back and forth between a new port and the original port, saving each change I can eventually get the original port to forward once again, but even then it eventually and at random appears to stop being forwarded. I tried opening a range of ports and found none would test opened, using www.grc.com/x/portprobe=nnnnn to test. Currently I have 6 ports forwarded in Tomato, all of which were displaying open less than 12 hours ago, and now only 1 tests displaying "open", 3 display "stealth", and 2 display "closed".
    Anyone know of a solution to this problem?

    Testing the current opened port, 44432, in Tomato GRC.com shows it "closed". Unchecking and saving the "ON" box in Tomato GRC.com then displays the port status "Stealth", reapplying the check mark and retesting the port brings me back to "Closed". It appears that the longer this problem persists, the more difficult it becomes to get around. Previously it took only a few attempts to get the port to forward, and now it has become a several hour process of trial and error.
    Another port, 43222, remains testing as "Stealth" no matter if the check mark is applied or removed.
  2. apinunt

    apinunt LI Guru Member

    As it appears Port forwarding is somewhat beyond my comprehension as to how it is intended to work, I appear to have stumbled upon what I am uncertain should be described as "the solution" or simply "a work around". With UPnP enabled in both the router and the computers, I appear able to forward any port I desire simply by assigning it to the application I am running. Although this appears reasonable based upon my limited, and perhaps even inaccurate, knowledge of what UPnP does, or should do, it appears to be at least a temporary solution. I am still somewhat confused as to why I cannot forward ports with UPnP turned off, as I once was able to do.
    If someone can enlighten me with a clear explanation of why Port forwarding should not work without using UPnP I would greatly appreciate it. It did work at one time.
  3. jan.n

    jan.n LI Guru Member

    UPnP safe?

    AFAIK UPnP should not be enabled on routers due to security reasons, some of which are pointed out in http://en.wikipedia.org/wiki/Universal_Plug_and_Play

    Although WP always has to be taken with a grain of salt I personally don't use UPnP for this reason. On the other hand, I don't need it since all my port forwards work as expected even without it...
  4. apinunt

    apinunt LI Guru Member

    This is why I suspected that all I was doing was working "around" the problem, rather than solving it. The problem did not exist when I first began to use Tomato, but began to appear 2 or more upgrades ago, and appears not only to have increased in frequency, but also to have become more difficult to resolve than it was previously.
    Perhaps there is a reason for the problem as well as a proper solution that someone can offer?
  5. mstombs

    mstombs Network Guru Member

    The full upnp spec has a number of interesting possibilities, from assigning dns servers to outgoing diverts to helpfully 'configure' all our settings for you - clearly this could be abused. It's also possible even with the basic windows i/f to 'manage' diverts for another user on your lan. Tomato has only a limited range of upnp functions, and with minupnp now also has a 'secure mode' which prevents one user managing another's port forwards, you can also elect just to use NATPMP which is more restrictive by design.

    Personally I feel that if you have rogue users and/or programs running on machines within your LAN upnp is the least of your worries - a trojan needs no port forwarding to phone home - the Tomato 'nat packet filter' allows any replies to connections initiated from the LAN - a real 'firewall' would be much more restrictive as to what could connect to what.

    If you have a variety of users using internet, chat, voip and games on your LAN - upnp is very useful!

    I don't have a problem with Tomato port forwarding, and I wouldn't use scaremongering websites to test them either - you need services running on the forwarded ports to be able to test!
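    To make the point above concrete (a forwarding test only means something when a service is actually listening on the forwarded port), here is an added Python example that is not from this thread or from Tomato. It classifies a TCP port the way GRC-style probes report it (open / closed / stealth) and runs a throwaway listener so the same port can be seen as "open" with a service behind it and "closed" once the service goes away; the loopback host and the OS-chosen port are constructed values for the demonstration.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Run a throwaway TCP service; returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener was closed, stop serving
                return
            conn.close()         # accept and hang up: enough to test "open"

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=2.0):
    """Classify a TCP port the way GRC-style scanners report it.

    open    - connect completed: a service is listening and reachable
    closed  - the host answered with RST: reachable, but nothing listening
              (the forward itself is fine; the application is not running)
    stealth - no answer before the timeout: a firewall drops the packet,
              or the forward never delivered it to any host
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"


if __name__ == "__main__":
    srv, port = start_listener()
    print(port, probe("127.0.0.1", port))   # open: a service answers
    srv.close()
    print(port, probe("127.0.0.1", port))   # closed: nothing listening now
```

Run against a forwarded port from outside the LAN, "closed" points at the host (no listener, or a host firewall) rather than at the router's forward, while "stealth" means the packet never reached anything that answers.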
  6. apinunt

    apinunt LI Guru Member

    "I don't have a problem with Tomato port forwarding, and I wouldn't use scaremongering websites to test them either - you need services running on the forwarded ports to be able to test!"

    I am having a problem with Tomato port forwarding, as described earlier. Are you claiming that www.grc.com is a scaremongering website? I am simply using it to check that the ports I'm forwarding are open as the application I'm assigning them to is complaining that the ports appear to not be open, when they are running.
  7. Toastman

    Toastman Super Moderator Staff Member

    There are indeed some scaremongering websites, and after a quick glance at the one you mention I would personally include this in that category.

    I use this one: http://www.canyouseeme.org/ which has never given me any hassle (yet).

    I do agree in principle with those who say that UPnP is not secure. However, each day it seamlessly provides web access to 550+ users who would otherwise be unable to use their web access here, with no operational problems at all. Not using it is a noble aim, but somewhat like shooting oneself in the foot. If you are a standalone user, then port-forwarding is feasible, but for many, it is not.

    UPnP aside, I don't know what is wrong with your port-forwarding. All versions of tomato I have ever tried have worked fine as advertised. Curious.

    One thing that does trip people up is that all applications you forward to must have a route set back to the router. For example, an AP must have the default gateway set to the router IP, and if access restrictions are used to control access, the AP's wireless MAC/IP must be in the "allow" list.
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You've mentioned you haven't cleared NVRAM (ever?). That can cause all sorts of weird problems. You should try doing that ("Administration"->"Configuration"->"Restore Default Configuration"->"Erase all data in NVRAM memory (thorough)"). This clears out all settings in the firmware. You will have to re-enter all of your settings manually (be sure to write anything down that you've done and won't be able to remember), but this sure sounds like the type of problem it would fix. In fact, I'd say at least 90% of the problems that people report here are because they didn't clear NVRAM.