drwilki22
Aug 13, 2021, Aspirant
ORBI - Port 443 Closed even with Port Forwarding?
I have an RBR50 connected to an AT&T modem/router with IP passthrough. Synology web server is connected to the Orbi. Port Forwarding is enabled for 80 and 443 between Orbi and Synology. Howev...
antinode
Aug 13, 2021, Guru
> Synology web server is connected to the Orbi.
I know nothing about your "Synology web server". Does it support
HTTPS?
> Port Forwarding is enabled for 80 and 443 between Orbi and Synology.
> [...]
If you say so, but, with my weak psychic powers, I can't see your
actual port-forwarding rule(s). Or any IP address reservations. Or
what you're doing.
> [...] port 443 says closed [...]
But not port 80?
> [...] Synology also indicates its showing closed.
"it's"? "Synology" the corporation, or some (unspecified) "Synology"
device, or what, exactly, "indicates" what, exactly, how, exactly?
It might be helpful if you described actual events in the real world,
rather than providing your interpretation of what you believe a bunch of
invisible stuff really means.
For the usual problems with port forwarding, see:
https://community.netgear.com/t5/x/x/m-p/1859106
"3" sounds potentially applicable.
Why are you doing this? Whatever this thing really is, do you want
to expose it, on standard ports, to the whole Internet?
drwilki22
Aug 13, 2021, Aspirant
Q: I know nothing about your "Synology web server". Does it support
HTTPS?
Yes and the personal website domain I am hosting with it has SSL encryption enabled. I can access the domain externally (via standard port 80, unencrypted) or while connected to my local network via port 80 (unencrypted) and 443 (encrypted). However, external inbound through port 443 does not work when I run a port scan at https://www.grc.com/. My ISP has confirmed they are not blocking any inbound to any ports so the problem seems to be on the Netgear ORBI side.
Q: If you say so, but, with my weak psychic powers, I can't see your
actual port-forwarding rule(s). Or any IP address reservations. Or
what you're doing.
All forwarding rules are established.
- CrimpOn, Aug 13, 2021, Guru - Experienced User
Port forwarding can be a challenge. (Not having a Synology NAS) I did an experiment just now with my Epson printer, which has a built-in web server (doesn't almost everything nowadays?). It can be reached by both port 80 (http) and port 443 (https). When I connect to port 443 from the local LAN, my browsers throw a fit over the "self signed certificate" and hide the option to "go there anyway" in small print.
I then created a Port Forwarding rule: TCP port 443 to 192.168.1.4 (my printer). Click Apply.
Disconnecting my smartphone from the Orbi, I opened https://<my public IP>:443. Chrome (Android phone) immediately threw up the same roadblock: "Self signed SSL cert". After selecting to go ahead, the Epson web page appeared, exactly the same as on the local LAN.
So, my assertion is that the Orbi does support forwarding port 443 to a device on the local LAN. As long as the device is accepting connections from the internet, "it works".
I see three possibilities for port forwarding to (any) port not working:
- There is a router in front of the Orbi which is not forwarding the port. Since Gibson Research reports port 80 open, this would not seem to be the case. And, you have verified that the Orbi has a public IP address on the WAN port (not a private IP address it would have gotten from an ISP device.)
- There is a typo in the port forwarding rule. (UDP instead of TCP. Wrong IP address for the Synology NAS. Forgetting to click "Apply")
- The NAS is not accepting connections from the internet.
Do you have some other device on the local network that accepts connections over port 443? (a printer such as mine? some other web server?) See if port 443 will forward to that device.
- antinode, Aug 14, 2021, Guru
> [...] I can access the domain externally (via standard port 80,
> unencrypted) or while connected to my local network via port 80
> (unencrypted) and 443 (encrypted). [...]
I don't know what "access" or "the domain" or "externally" means to
you, or which actual URL you're using, or where you're using it, or what
any resulting error message might have been. Are you using some web
browser or other, running on some computer or other, which is situated
someplace or other, and you're specifying some URL or other, and getting
some actual result or other?
> https://community.netgear.com/t5/x/x/m-p/1859106
Did you read any of that guide, or am I talking to myself? Which
part of "actual" was unclear to you? Care to answer any of the
questions, or report the results of any of the suggested tests?
> [...] My ISP has confirmed [...]
Actual results from actual tests might be more valuable than an ISP's
assurance.
> All forwarding rules are established.
That's swell. I'm glad that you're happy. Sadly, my weak psychic
powers have not gained strength, so I _still_ know no more about any of
that than I did when I complained before.
> I see three possibilities for port forwarding to (any) port not
> working:
- drwilki22, Aug 15, 2021, Aspirant
Solution discovered:
I have AT&T as a service provider for Fiber; formerly I also had their U-Verse service with wireless receivers/DVR's.
Come to find out AT&T does block Port 443 for any inbound traffic. They specifically use this port for their wireless receivers/DVR's. Despite cancelling U-Verse last year, the IP/MacID of these services were still listed/cached in the AT&T modem/router which resulted in a permanent closure on Port 443.
SOLUTION FOR USERS WITH A SIMILAR ISSUE (assuming you do not have wireless receivers and just ATT fiber):
1. Log in to ATT's modem router admin portal at 192.168.1.254
2. Click on Device>Device List>Clear and Rescan for Devices.
3. Perform a factory reset of the AT&T BGW210 modem/router, add port forwarding rules for allowed ports, then re-configure it for IP Passthrough to the Orbi again.
4. Apply or disable any additional settings needed for a secure network hosted by ATT or the Orbi.
This is probably a good solution for anyone with the following or similar equipment:
- AT&T Arris BGW210-700
- Orbi
- Home NAS
- antinode, Aug 15, 2021, Guru
> Come to find out AT&T does block Port 443 for any inbound traffic.
> [...]
"AT&T" (your ISP) and "the AT&T BGW210 modem/router" are two
different entities.
> "3" sounds potentially applicable.
> [...] Care to answer any of the questions, or report the results of
> any of the suggested tests?
I'd expect the tests suggested in "3" to have revealed such a problem
pretty easily. If "from a system on your LAN, try using the router's
WAN/Internet IP address" works, but actual outside-world access fails,
then something on the ISP side of the RBR50 would seem to be implicated.
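
The three-vantage-point test discussed in this thread (server from the LAN, the router's WAN address from the LAN, the WAN address from outside), written out as an added example; it is not code from any poster or from NETGEAR. The names `probe` and `locate_block` are hypothetical, and the second probe assumes the router supports NAT loopback.

```python
import errno
import socket


def probe(host, port, timeout=3.0):
    """TCP connect test: 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


def locate_block(server_from_lan, wan_ip_from_lan, wan_ip_from_outside):
    """Map three probe() results for the same port to the layer to inspect.

    server_from_lan:     LAN client -> server's LAN address
    wan_ip_from_lan:     LAN client -> router's WAN address (needs NAT loopback)
    wan_ip_from_outside: off-network client (e.g. phone on cellular) -> WAN address
    """
    if server_from_lan != "open":
        return "server"        # service is not listening, even locally
    if wan_ip_from_lan != "open":
        return "forward-rule"  # protocol, target IP, or rule never applied
    if wan_ip_from_outside != "open":
        # Something ahead of the router, or a server firewall that only
        # rejects non-LAN sources; the probes alone cannot tell these apart.
        return "upstream"
    return "ok"


if __name__ == "__main__":
    # Constructed results, not measurements from the thread.
    print(locate_block("open", "open", "closed"))
```

Run `probe()` for the same port from each vantage point and pass the three results to `locate_block()`; an "upstream" verdict points at equipment ahead of the router, such as a gateway in passthrough mode.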