Port Forwading not working

Matrix007 · June 23, 2024, 9:40pm

Hi All,

I bought the Gli router from a recommendation off a friend and so far it has been fine. Apart from the fact that I had issues with certain versions of the firmwares. However, that has been resolved.

Currently on the 4.5.8 firmware and it seems as though the port forwading just does not seem to work.

I attempted to open ports and when I test them with a port forward website, it reports as ''Closed''

I have attempted to do via Luci and via the router interface within the firewall menu.

Had a friend is tech savvy in networks and he also was baffled as to why it keeps reporting as closed.

I am not sure what I could be doing wrong but perhaps someone on this forum could help with this matter that would be greatly appreciated.

Just to add, this is the primary router and there is no VPN running.

Thanks you all in advance.

Matrix007

admon · June 23, 2024, 9:41pm

What port do you want to open and for which reason?
What ISP is your internet connection from?

Matrix007 · June 24, 2024, 1:21am

Hi,

Thank you for your prompt reply.

I have HFS (http file server setup) and in order for me to access the documents from home remotely I need the ports be open.

ISP is community fibre limited

Thanks

ywp · June 24, 2024, 2:15am

hello
If it's convenient, can we take a look at your port forwarding configuration?
SCREENSHOTS

j2zero · June 24, 2024, 4:42am

I'm pretty sure they use CGNAT which would be the reason why you're having issues.

slesar · June 24, 2024, 7:06am

No, you wrong. This is looks like British provider and normal fibre. Does include ONT box, if I am right.

Have you check any online port check? Could be problem dynamic IP someone using. Try use duckdns😉

Matrix007 · June 24, 2024, 10:51am

Sure I will forward the ports and send across the screenshots sometime today

Thanks

Matrix007 · June 24, 2024, 10:55am

You'e correct in regards to being a british ISP and a oint box is supplied and installed.

The issue is that using DuckDNS is all well and good but if the ports do not open at all, then as I understand DuckDNS would be of no use.

I have been using Noip for a while now and even have that configured from previously as well.

The only other option I have is setting up a double NAT, if no solution is found. However, that would be the last resort of course.

Thanks.

Matrix007 · June 24, 2024, 10:56am

If that was the case then I would think that even with the ISP supplied router the port forwarding would not work.

Thanks

j2zero · June 24, 2024, 11:24am

I am from the UK. UK providers use CGNAT on their fibre products and community fibre is one of them.

LupusE · June 24, 2024, 12:06pm

I do not know why this thread drifts to DDNS services, when the question was about ports. So I would start from the beginning.

You've got a router with a LAN side and a WAN side. Port forwarding is from the WAN side to the LAN side.
Note: You can't test port forwarding from the LAN! The request needs to come from the outside (WAN).

You'll get an IP from your ISP. This one is important for you. You should not need any DDNS service at this moment.

Please lets stick with the GL-iNet admin panel, because this one works fine. LuCI is a little overshoot here.

What you don't answered before: Did the port forwarding with the ISP router work? If not, the issue is at the providers side.

You have an IP, and a port. Ports below 1024 are historical known as 'privileged' ports, that needs root to run the service behind. Today there are other techniques to avoid this, but it still makes sense to avoid these ports. We can assume your provider tries to protect you and block especially these.
Than they are well known ports. 22 ssh, 53 DNS, 80 http, 1433 MSSQL, 8080 proxy, ... Try to avoid this ports, too.

With all this assumptions and knowledge you could try the following:

revert the manual changes in LuCI.
Open the GL-iNet Admin Panel
Go to Network - Firewall - Tab: Port forwarding
Add a rule for source port 12346 (12345 is well known for a malware) and direct it to local server IP (from drop down) and local port 80 (http)
Add a second rule with source port 12347 and direct it to the same IP port 443 (https)

It is important to select the tab 'port forwarding' not 'open port on router'. On this tab you would open the port local on the router, but there is no service listening -> it is shown as closed.

Now you can ask your friend to make a nmap scan to your WAN IP and the port 12346 and 12347 ...
You could also ask online nmap tools ... But only if they are verified by a working service. For example test against forum.gl-inet.com port 80/443 ...

Matrix007 · June 24, 2024, 1:16pm

Hi,

Thank you for the prompt reply.

The port forwarding aspect works with the supplied ISP router.

I will give a try as you suggested above and see how that pans out.

I have previously used the GLi admin panel and forwarded the ports from there and I did not have any joy at all.

Will give a 2nd try and post back with screenshots.

Thank you

Matrix007 · June 24, 2024, 1:18pm

Thanks. Wasn't aware of this tbf.

slesar · June 24, 2024, 6:26pm

Never heard, but does use mobile network? If yes that why cgnat

Pro4TLZZ · June 24, 2024, 6:39pm

What package are you on with community fibre? They changed their t&c at one point and only offer non cgnat IPv4 addresses on 3Gbps and existing plans.

But weird you said it works on their router, maybe they are doing some special config.

But you should be able to get it working with the flint 2.

j2zero · June 24, 2024, 9:36pm

No they are not mobile networks. Here In the UK some of the budget FTTP providers use CGNAT to combat the IP shortage. Most people sign up unknowingly that the provider is routing via CGNAT until they come to port forward or experience issues with gaming. There are a few companies that use CGNAT and some of the providers will provide a static IP for an extra monthly cost which then negates the price different compared to sticking with the main providers that use public dynamic/static IPs

Matrix007 · June 25, 2024, 5:37pm

I am on the 1GB package. I have tested port forwarding using there router and works fine.

Matrix007 · June 25, 2024, 5:39pm

Not had the chance to do the above suggested as I have been busy with work. However, i will test it and report back with my findings.

Thanks

j2zero · June 25, 2024, 6:34pm

What is the WAN IP showing on the flint? If you go to ipecho.net can you also tell us that IP, please post flint 2 WAN IP from gui and ipecho - you can blank out the last few digits of the results for both. If indeed you are not behind CGNAT then chances are your ISP router needs to be put in bridge / modem only mode.

Matrix007 · June 25, 2024, 7:59pm

IP on the router: 100.65.64.xxxx - protocol here is listed has DHCP. Hence the IP shown is not matching the IP below

IP on the site you provided: 80.76.5 xxxx

I do not think the Router which is supplied by the ISP allows to be put modem mode but I will have to double check that.