DevinAK
Jan 12, 2020, Aspirant
RBK50 Port Forwarding Help
Trying to port forward port 51820 to the world. I have a service running on 192.168.1.19 that exposes this port with no local firewall. The service running is running currently and exists. Runnin...
CrimpOn
Jan 13, 2020, Guru - Experienced User
Sorry, I got ahead of myself. (There are so many issues flying around at the same time.) If putting the WireGuard or SSH server in the DMZ is not successful, then the question seems to be, "Do these connection attempts actually arrive at all?" The WireGuard (and probably SSH) work on the LAN, so the ports must be "open". Either the connections arrive at the Orbi and do not get through, or they never arrive at all.
So, how to verify that connections are arriving? One way is to put something in the DMZ that will record every packet, such as Wireshark. Another way is to have the Orbi itself record packets.
Orbi has a "debug" page, http://<ip of Orbi>/debug.htm. For me, it is http://192.168.1.1/debug.htm. Log in with the normal admin credentials.
Check the box titled "Enable LAN/WAN Packet Capture". Then, when you are ready to perform a test, click the box "Start Capture". Attempt to connect to WireGuard or SSH on the Pi. (Of course, the SSH port 22 has to be port forwarded on the Orbi.) Then go back to the debug page and click on "Save Debug Log". This will copy a zip file to your PC wherever the web browser saves files. Mine goes into my "Downloads" folder. The zip file includes LOTS of stuff, including a record of every packet seen on the LAN and WAN interfaces. These are PCAP packet capture files that can be opened by many software packages. I use Wireshark.
You know which IP address is attempting to connect, so look in the WAN capture for packets from that IP. If those packets are there, then look for them on the LAN side. If they are NOT there, then "why?"
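The WAN-then-LAN comparison described in the post above can be scripted. This is an added example, not part of the original post or NETGEAR tooling; it assumes the captures are classic libpcap files with an Ethernet link type, and the function names, client address and WAN address are constructed for illustration.

```python
import ipaddress
import struct

def flows(pcap):
    """Yield (src, dst, dst_port) for IPv4 TCP/UDP frames in a classic Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 (ARP, IPv6, VLAN-tagged frames are skipped)
        l4 = 14 + (frame[14] & 0x0F) * 4  # IPv4 header length varies with options
        if frame[23] not in (6, 17) or len(frame) < l4 + 4:
            continue                      # only TCP and UDP carry ports
        src, dst = (str(ipaddress.IPv4Address(frame[i:i + 4])) for i in (26, 30))
        yield src, dst, struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]

def triage(wan_pcap, lan_pcap, client_ip, server_ip, port):
    """Say where inbound packets from client_ip to the forwarded port stop."""
    on_wan = any(s == client_ip and p == port for s, _, p in flows(wan_pcap))
    on_lan = any((s, d, p) == (client_ip, server_ip, port) for s, d, p in flows(lan_pcap))
    if not on_wan:
        return "not seen on WAN: packets never reach the router"
    if not on_lan:
        return "seen on WAN only: router is not forwarding"
    return "seen on WAN and LAN: forwarding works, check the server"

def build_pcap(packets):
    """Constructed sample data: a pcap of empty UDP datagrams, one per (src, dst, port)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, port in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, port, 8, 0)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed addresses: client and WAN use documentation ranges; server and port are from the thread.
CLIENT, WAN_IP, SERVER, PORT = "203.0.113.50", "198.51.100.7", "192.168.1.19", 51820

if __name__ == "__main__":
    wan = build_pcap([(CLIENT, WAN_IP, PORT)])
    print(triage(wan, build_pcap([]), CLIENT, SERVER, PORT))
```

A "not seen on WAN" result points upstream of the router (ISP filtering or another NAT layer) rather than at the port-forwarding rule.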
DevinAK
Jan 13, 2020, Aspirant
Nice! I did not know that Orbi had a debug page like that. I did not find my iPhone's IP anywhere inside either the WAN or LAN pcap files when trying to connect into WireGuard. Interesting...
Another thing I found, and I feel stupid for not checking this, is that the IP that Orbi displays (in ADVANCED -> Administration -> Router Status) is not the same as the IP I find when I google "what is my IP". Does this mean I'm behind a double router or something? I don't believe the box that my ISP gave me is a router, it just takes the fiber and converts it to ethernet, which then feeds my Orbi router. I'm not sure how I would access any page (like 192.168.1.1) that would show me some panel to configure DMZ to my orbi router... Where should I go from here?
- CrimpOn, Jan 13, 2020, Guru - Experienced User
Yes, it is sounding more like you have two "routers". One easy way to tell is to "look under the tail" (hah, humor). That is, look on the back of the fiber conversion box. If it has more than one ethernet jack, it is almost certainly a router. Another test is to do a "trace route" to some well known IP address, such as Google 8.8.8.8. If the trace shows 192.168.1.1 (the Orbi) and then another "private" IP address before it begins showing public IP addresses before getting to 8.8.8.8, then there is a router in there somewhere.
Is there a label on the fiber box with a brand and part number?
- DevinAK, Jan 13, 2020, Aspirant
Okay so I did a bit of debugging.
First of all, I checked the fiber conversion box. The only inputs were fiber and power, and the only output was a single ethernet that went up to my Orbi router.
Second (replacing IPs with identifiers):
- I did a traceroute to 8.8.8.8 on my current setup 192.168.1.1 -> A -> B -> C -> D -> * -> E -> * -> 8.8.8.8
- What Orbi thinks my IP is: A
- What Google says my IP is: some address I haven't seen yet, let's call it ADDRESS
I then plugged the ethernet coming out of the fiber conversion box into a raspberry pi and looked at the internet information:
- Traceroute to 8.8.8.8: A (exactly the same IP as A above) -> B -> C -> ........
- What ipconfig says my IP is: very similar to A, except the last section is different. If A was 111.111.111.111, this IP was 111.111.111.150
- What Google says my IP is: some address I haven't seen yet, but very similar to ADDRESS
- I tried browsing to 192.168.1.1, 192.168.0.1, 192.168.2.1 - nothing presented itself as an admin panel
Not sure if that information helps at all... In both cases, Google's response to what my IP was was very similar: say 1.2.30.190 and 1.2.45.195. The first IP's after 192.168.1.1 (or lack thereof) in traceroute were the same. Not really sure what's going on here...
I looked at the fiber conversion box and there's a sticker on the back that has a bunch of warnings about lasers and such, with the following information as well: ONT P/N, MAC, ID, S/N. Not sure which one or if I should post any at all, but let me know.
- CrimpOn, Jan 13, 2020, Guru - Experienced User
This information is useful.
It is now pretty clear that the fiber box is NOT a router. What I do not understand is the trace route results and what the Orbi reports as its IP address. I just traced the router from my Windows machine to Google:
Line 1 is the Orbi.
Line 2 is NOT the public IP address of my Orbi. It is the first hop "after my Orbi"
and so on until it reaches Google.
The "public side" of the Orbi is not a "hop". It should never be reported as such. It is only the other side of the router.
How about THIS for a test. Try to connect, but instead of using what Orbi reports as its IP address, use the IP that the "What's my IP" services report?
- DevinAK, Jan 13, 2020, Aspirant
I unfortunately cannot see the image you posted (it's just a small box with a yellow triangle in it) so I'm a little lost on the first part of your response.
However, I have tried both the IP that Orbi reports as my public IP and the IP that google reports as my IP and both do not work for port scanner services or for the WireGuard service I'm hosting. Orbi's IP, with my iPhone connected to WiFi on my network, does route correctly to the WireGuard service. But as soon as I go back to LTE, the IP does not resolve correctly. Google's IP does not resolve either way.
- CrimpOn, Jan 13, 2020, Guru - Experienced User
Wow, "technical difficulties" on my end. Maybe if I "attach" the picture.
I think a call to the ISP is in order. My son lives in North Carolina and has fiber from a local company. The IP his Orbi thinks is "public" actually is. I connect to it routinely.
"Hi, internet company. What is my public IP address?" "How come neither my router nor the internet think that's what it is?"
- CrimpOn, Jan 13, 2020, Guru - Experienced User
Geez. Maybe you have PPPoE rather than DHCP? Nah, surely that's not it.
http://www.cables-solutions.com/pppoe-vs-dhcp-difference.html
- DevinAK, Jan 13, 2020, Aspirant
I will definitely contact my ISP soon.
Let me say a mistake I made: the IP reported by Orbi is slightly different than the IP reported under traceroute (line 2). I have attached a picture of the traceroute for you to view.
The ISP I have is Greenlight, which services upstate NY and Connecticut. They provided the fiber termination box that's in my basement, which feeds internet to my Orbi.
However, I'm still stumped on why the IP reported by Orbi is different than the IP reported by Google...
- CrimpOn, Jan 13, 2020, Guru - Experienced User
DevinAK wrote: Let me say a mistake I made: the IP reported by Orbi is slightly different than the IP reported under traceroute (line 2). I have attached a picture of the traceroute for you to view.
In computers, any difference is "different". This is Good.
How many of the "What is my IP address" web sites have you tried? My public IP comes up the same no matter which I use.
- DevinAK, Jan 13, 2020, Aspirant
I'm sorry for my error...
I just checked on 4 different sites, along with DuckDuckGo's and Google's automatic showing of my IP and they all report the same IP address.
- CrimpOn, Jan 13, 2020, Guru - Experienced User
Well, fudge. Your public IP is well-known, yet when you try to connect to it, the packets never arrive.
Another thing to try: On the Advanced Tab, Advanced Settings, Remote Management. Turn on Remote Management, then try to connect to https://<public IP>:8443.
The web browser will complain about the SSL certificate being expired (or "not secure"), but you should be able to log into the Orbi web interface.
I do not leave the Remote Management function on because my Orbi log gets cluttered with bad login attempts. As soon as the scum on the internet detect that port 8443 is open, they immediately try to log in. With a 25 character password, they have "no chance", but it generates too many log entries, so I'd rather leave it off. I use OpenVPN for remote management.
- DevinAK, Jan 13, 2020, Aspirant
Tried with the IP that google says my IP is: no luck.
Tried with the IP Orbi says my IP is (on my own network): worked, with the SSL error
Tried with the IP Orbi says my IP is (on my phone, on LTE): did not work, no luck.
Tried with the IP Orbi says my IP is (on my phone, on WiFi): resolved to the system, but Safari did not let me continue past the SSL error
- CrimpOn, Jan 13, 2020, Guru - Experienced User
Please report what the ISP says. Looks like no way the IP is connecting to the Orbi.
- DevinAK, Jan 14, 2020, Aspirant
Got a response:
"Thank you for contacting [us]. You may want to consider purchasing a static IP if you are working with trying to have the same IP for access. The way our network works the public IP would differ due to the way our network is configured. It would cost 10 dollars a month in order to have a static IP. Please contact us via phone at [phone number] if you do wish to purchase a static IP."
Not much to go on, but it sounds like they configured their network a certain way to do this?
- CrimpOn, Jan 14, 2020, Guru - Experienced User
This is not an answer. They did not read the question. Virtually everyone has a "dynamic IP". (I certainly do.) This is the reason "Dynamic DNS" services exist. If you check "What is my IP Address?" several hours apart, or even several days apart, I bet it will be exactly the same. Mine has been the same for months.
Orbi has built in support for No-IP.com and Dyn.com (I use No-IP.com. Have no specific reason I picked it.) Orbi periodically checks its public IP address and updates the DDNS service, "I am here now." So, instead of my OpenVPN Client connecting to <my-ip>, it connects to <my-Orbi-name>.mynetgear.com
Yes, every ISP sells static IP addresses for $$/month, and businesses purchase them. In the business world, having a dynamic IP address causes problems when clients cache the IP rather than the name. (Lose business!) For residential customers, a DDNS service takes care of IP address changes.
You got a "canned response" from someone who did not read the question. Hope you can get someone on the phone.
(Sorry about the rant. My cat wanted up early this morning.)
- DevinAK, Jan 14, 2020, Aspirant
Yeah, I figured as much. I know the purpose of DDNS as well, as once this port forwarding issue is fixed I plan to use Duck DNS for that exact purpose.
I also just received a response back: "Our network is configured and runs on a dual NAT setup. This is why the IPs differ. You have an IP in our network, then a separate IP for the internet off of our IP as a result."
Also, sorry for your cat, mine hits my head when I don't wake up to feed him.
- CrimpOn, Jan 14, 2020, Guru - Experienced User
Then you are screwed.
- DevinAK, Jan 14, 2020, Aspirant
Ah, I figured! I'm going to email and ask if the static IP would give me a static-public facing IP or a static-inner facing IP. If it's forward-facing, might be coughing up $10 a month for it. Thanks for all of your debugging help! Sorry the solution wasn't that exciting...
- CrimpOn, Jan 14, 2020, Guru - Experienced User
I would be very surprised if it is not "public facing". That is the entire point of a static IP.
On a side note, I can understand their situation. Back when the internet was created, there were at most a few thousand computer systems to connect. Blocks of IP addresses were handed out almost on a whim. My university got a "Class B" address space, 137.151 if I remember correctly, which is enough to provide over 65,000 IP addresses. At that point, we had only a couple of thousand devices on the whole campus. Coming in "late to the game", a new ISP may be lucky to get a Class C address space of 254 addresses to support all of their customers.
IPv6 was created to deal with this original failure to anticipate how ubiquitous computer devices would become, but Network Address Translation (NAT) has enabled the world to go merrily along ignoring IPv6.
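The three checks this thread worked through (router WAN address versus the address seen from outside, private or shared-space WAN address, internal hops in traceroute) can be combined into one test for ISP-side NAT before spending time on port-forwarding rules. This is an added example, not from any poster or from NETGEAR; the function names and all sample addresses are constructed.

```python
import ipaddress

# RFC 1918 private ranges plus RFC 6598 shared (carrier-grade NAT) space.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def internal_hops_after_router(hops):
    """hops[0] is the home router; '*' marks a hop that did not answer."""
    found = []
    for hop in hops[1:]:
        if hop == "*":
            continue
        if not is_internal(hop):
            break                 # first public hop: everything after is the internet
        found.append(hop)
    return found

def diagnose(router_wan_ip, observed_public_ip, hops):
    """Return whether inbound port forwarding is blocked by NAT beyond the home router."""
    reasons = []
    if is_internal(router_wan_ip):
        reasons.append("router WAN address is in private/shared space")
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(observed_public_ip):
        reasons.append("router WAN address differs from the address seen from outside")
    if internal_hops_after_router(hops):
        reasons.append("traceroute shows internal hops beyond the home router")
    return {"upstream_nat": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    # Constructed values shaped like this thread: the WAN address looks routable,
    # but "what is my IP" services report a different one.
    print(diagnose("198.51.100.7", "203.0.113.50",
                   ["192.168.1.1", "198.51.100.1", "*", "8.8.8.8"]))
```

When `upstream_nat` is true, a forward configured on the home router cannot receive unsolicited inbound traffic unless the ISP also maps the port or assigns a public address.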