WAN open ports? Are they normal?!

Hi.
Is it normal that these ports are open on the WAN?

nmap 192.168.20.251
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-30 13:06 UTC
Nmap scan report for 192.168.20.251
Host is up (0.0013s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
MAC Address: 94:83:C4:32:B5:E1 (GL Technologies (Hong Kong) Limited)

Nmap done: 1 IP address (1 host up) scanned in 6.37 seconds

No, not normal.

Did you enable remote access?
Did you scan the WAN port from outside the LAN?

That’s gonna be my assumption too.

I have reset everything.
I have a 2.5 Gbit/s fiber connection with a Fritzbox, a Proxmox server with OPNsense, and my LAN behind the GL.iNet router. The test was done from a VPS inside the Proxmox server in the main router's LAN, therefore scanning the GL.iNet WAN IP 192.168.20.251.

You need to disable all these ports on the WAN side UNLESS you need them.

These ports should be accessible only from the LAN side.

One thing to try before you do the security hardening: from an online box, try to access your public IP (Fritzbox) on these ports and confirm whether you can get an established connection.

Did you scan the WAN IP or the WAN interface?
To clarify: Is the connection made by the WAN port?

Thank you all…
The scan is of the GL.iNet WAN IP.
I have 3 routers: the 1st is the Fritzbox fiber router with no clients inside; the 2nd is the GL.iNet router for the private LAN, with its WAN inside the 1st; and the 3rd and last, also inside the 1st, runs the OPNsense firewall on Proxmox. All traffic from the 1st router is redirected as exposed host to the OPNsense Proxmox host.

I have scanned the public WAN IP and I see the ports I have opened, the same for the OPNsense firewall, but it was unexpected to discover this problem on the GL.iNet (LAN) WAN IP.

The scan of the public IP was from another server of mine in Germany. The scan of the two WAN IPs inside the main LAN was from a test computer placed inside the first LAN, to scan the two WANs running with private IPs. The two slave LANs are physically separated so as not to have worries about the security of the server with a lot of VPSs and private devices.

Private LAN devices are connected to the server VLAN VPSs using an on-demand VPN.

So all GL devices are connected by the WAN port, right?

So the WAN IP is the one on the WAN port, yeah?

Exactly…
After the reset no ports are open… but how can this happen?

Guess you enabled remote access or played around with functions that affect the firewall.


Really strange that a router can be opened up like this without a warning.

Since it’s not an ISP all-in-one router, it’s for people who know what they are doing :wink:


Absolutely. For some reason I prefer OPNsense instead of OpenWrt :wink:

I have 1.00 USD on NAT loopback. OP, scan the GL device's WAN from another WAN. The default firewall rejects unsolicited traffic. You can confirm via LuCI → Network → Firewall → General Settings → Zones.

To see all listening ports and on which interfaces, SSH into the router and execute:
~# netstat -tuplna | grep 'LISTEN\|::'

Check the result:
any daemon listening on 0.0.0.0 or ::: means that the service can be accessible from the WAN side, given the firewall allows it, of course.

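As an added example (not from the original thread, and not GL.iNet's own tooling), here is a small POSIX shell/awk filter that automates the netstat check described above: it reads `netstat -tuplna` output and prints only the listening sockets bound to the wildcard address (0.0.0.0 or ::), i.e. the ones that would be reachable on the WAN interface if the firewall let the traffic through, while ignoring sockets bound to a single LAN or loopback address. The netstat text in `SAMPLE` is constructed for illustration, not captured from a real router, and the program names, PIDs and addresses in it are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -tuplna` output (illustration only; not from a real device).
# Busybox netstat prints IPv6 sockets as "tcp"/"udp"; GNU net-tools prints "tcp6"/"udp6".
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/dropbear
tcp        0      0 192.168.8.1:80          0.0.0.0:*               LISTEN      2345/uhttpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2345/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3456/dnsmasq
tcp        0      0 192.168.8.1:22          192.168.8.50:51234      ESTABLISHED 1234/dropbear
tcp        0      0 :::22                   :::*                    LISTEN      1234/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           3456/dnsmasq
udp        0      0 192.168.8.1:67          0.0.0.0:*                           3456/dnsmasq
'

# wildcard_listeners: read netstat output on stdin, print "proto port program" for every
# listening socket bound to 0.0.0.0 or ::. Such a socket accepts on every interface,
# WAN included, so only the firewall zone rules stand between it and the outside.
wildcard_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      # TCP rows are listeners only in LISTEN state; UDP rows carry no State column,
      # so the PID/Program field shifts from $7 to $6.
      is_tcp = ($1 ~ /^tcp/)
      if (is_tcp && $6 != "LISTEN") next
      addr = $4
      n = split(addr, parts, ":")           # the port is whatever follows the last colon
      port = parts[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      prog = is_tcp ? $7 : $6
      sub(/^[0-9]+\//, "", prog)            # drop the "PID/" prefix
      if (host == "0.0.0.0" || host == "::")
        print $1, port, prog
    }'
}

# count_wildcard: number of wildcard-bound listeners found on stdin
count_wildcard() {
  wildcard_listeners | wc -l | tr -d ' '
}

# Run against the constructed sample. On a router you would pipe the live output instead:
#   netstat -tuplna | wildcard_listeners
printf '%s' "$SAMPLE" | wildcard_listeners
```

On the sample this lists dropbear on tcp/22 (once for IPv4, once for IPv6), uhttpd on tcp/443 and dnsmasq on udp/53, and skips the uhttpd socket bound only to 192.168.8.1 and the dnsmasq socket bound only to 127.0.0.1. Anything it prints is a service whose exposure depends entirely on the WAN zone's input policy, so those are the rows to check against LuCI → Network → Firewall → Zones.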