NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

ChocB's avatar
ChocB
Aspirant
Jun 02, 2026
Solved

Port forwarding allow other external ports on Orbi RBR850

I'm only forwarding one external port to internal port 22, however, the logs show various external ports forwarding to internal port 22.  Those external ports have no entries in the "Port Forwarding ...
rbk850
  • StephenB's avatar
    StephenB
    Jun 04, 2026
    ChocB wrote:

    Someone is attempting to connect, for example, from 183.91.14.197 on 13722 which forwards to 10.0.0.134 on port 22 but the log may show a different external port so looks like someone connecting from 183.91.14.197 on 37529?

    Someone was trying to connect from 183.91.14.197:13722 to <router ip>:22, and would therefore receive any replies on 183.91.14.197:13722  

     

    That same someone then tried again to connect from a different source port like 183.91.14.197:37529  And again, and again....

     

    Nothing going wrong in the Orbi - it is doing exactly what you told it to do.  That is to forward any inbound traffic with a destination port of 22 to 10.0.0.134.

     

    A flood of requests suggests that these attempts were not successful - perhaps because they were attempting to guess the admin password, and didn't get it right.   But still, using a VPN to connect instead of forwarding the port is a more secure approach.

ChocB's avatar
ChocB
Aspirant
Jun 04, 2026

Oh, it doesn't look like two screenshots uploaded with my last response (doing this on a Mac)

I was able to do all steps but cannot identify an wan.pcap file.  There are two files with pcap in the name: BR.pcap mape_log_tmp and eth4.pcap speedtest_result.log.  I don't find any that correspond to wan. 

 

The Orbi is on firmware V7.2.8.2_5.1.18

 

So, if I undertand you... Someone is attempting to connect, for example, from 183.91.14.197 on 13722 which forwards to 10.0.0.134 on port 22 but the log may show a different external port so looks like someone connecting from 183.91.14.197 on 37529?

 

 

Below are files and directory contents of the downloaded Debug_log file from http://orbilogin.net/debug.htm

acos_watchdog_log_tmp info.txt

attach_util_log_tmp kmsg_old.log

auto_fw_upgrade_daily.log kmsg.log

auto_fw_upgrade_force.log knowndevices

basic_debug_log.txt log

BR.pcap mape_log_tmp

cloud_backend_log mtd18

critical_attach_log_tmp mtd20

d2d.zip mtd22

dbg_log_tmp mtd25

device_detect.log ntgrlog

devices oc_350_stuck.log

dhcpd_device_release OTP.log_tmp

dmesg.log soapc_log_tmp

eth4.pcap speedtest_result.log

flog tmp

heartbeat_log_tmp wireless-log1.txt

httpd_log_tmp

 

./flog:

ethernet_debug_log_old.txt ethernet_debug_log.txt

 

./log:

dnsmasq.log dnsmasq.log.1

 

./ntgrlog:

bd_logs core_files ntgr_debug_cmd_log

circle_logs dnsmasq.log partition_mount

cloud.log dnsmasq.log.1

configs log_seal

 

./ntgrlog/bd_logs:

bitdefender_logs.tar.gz storage.data

 

./ntgrlog/circle_logs:

vendortest.log

 

./ntgrlog/configs:

client2.conf network

cnss_diag nss

ddns nvram_wifi

device-info openvpn

dhcp6c_widev6_iapdonly.conf openvswitch

dhcp6c_widev6.conf qcacfg80211

dhcrelay repacd

dropbear resolv.conf

ecm ripd

firewall.conf ripd.conf

hostapd_cred_tmp.conf rpcd

hostapd-ath0.conf rstp

hostapd-ath01.conf server_tap.conf

hostapd-ath02.conf server_tun.conf

hostapd-ath03.conf skb_recycler

hostapd-ath1.conf ssid-steering

hostapd-ath11.conf sysstat

hostapd-ath12.conf system

hostapd-ath13.conf ubootenv

hostapd-ath14.conf udhcpd_resrv.conf

hostapd-ath2.conf udhcpd.conf

hyd udhcpd2.conf

hyd-guest.conf upnpd

hyd-lan.conf wifi-wps-enhc-extn.conf

igmpproxy wireless

lbd wsplcd

M.conf wsplcd-guest.conf

macsec wsplcd-lan.conf

minidump zebra.conf

 

./ntgrlog/core_files:

core.dal_service.10425.sig.11.RBR850.04_Sep_2025_09_16_41_DST.tar

core.dal_service.6358.sig.11.RBR850.04_Sep_2025_09_16_24_DST.tar

 

./ntgrlog/log_seal:

circle_status.txt lxc_start_armor-bd.log

csh.log lxc_start_spc-circle.log

d2d.zip lxc_stop_armor-bd.log

dal_ash.log lxc_stop_spc-circle.log

dalh.log Ra.log

dumpsm.log syslog.txt

fing_dil.log UpAgent.log

iptables_rule.log xagent.log

lighttpd

 

./ntgrlog/log_seal/lighttpd:

breakage_root.log breakage.log

 

./tmp:

aws_json_dir

 

./tmp/aws_json_dir:

aws_RBR850_0_pretty.json aws_RBR850_2_pretty.json

aws_RBR850_0.json aws_RBR850_2.json

aws_RBR850_1_pretty.json aws_RBR850.json

aws_RBR850_1.json   

StephenB's avatar
StephenB
Guru - Experienced User
Jun 04, 2026
ChocB wrote:

Someone is attempting to connect, for example, from 183.91.14.197 on 13722 which forwards to 10.0.0.134 on port 22 but the log may show a different external port so looks like someone connecting from 183.91.14.197 on 37529?

Someone was trying to connect from 183.91.14.197:13722 to <router ip>:22, and would therefore receive any replies on 183.91.14.197:13722  

 

That same someone then tried again to connect from a different source port like 183.91.14.197:37529  And again, and again....

 

Nothing going wrong in the Orbi - it is doing exactly what you told it to do.  That is to forward any inbound traffic with a destination port of 22 to 10.0.0.134.

 

A flood of requests suggests that these attempts were not successful - perhaps because they were attempting to guess the admin password, and didn't get it right.   But still, using a VPN to connect instead of forwarding the port is a more secure approach.