
RWADDELL_1701
Apr 26, 2021

ISP Reports Problem with Open Portmapper - how to debug?

ORBI Netgear RB50 + Satellite

Router Firmware Version: V2.7.2.104

 

My ISP (Rogers Canada) emailed me today to say "There's a problem with an internet-connected device in your home that's interfering with the Rogers network in your area. This may be a computer, phone, tablet, sensors or any other device connected to your Wi-Fi. Unfortunately, we're unable to help you identify the problem device." I use their modem in bridge mode so I guess this is why they can't identify the specific device but they also don't want to help me determine which device is the problem. The only details I got are:

 

The IP reported below is the IP responding to scans. It is possible a different IP may be listening and responding from the IP below.
IP 99.XXX.XXX.XXX .
data TIMESTAMP: 2021-04-25 06:32:47
IP: 99.238.182.129
PROTOCOL: udp
PORT: 111
HOSTNAME: cpe80d04ae2ac25-cm80d04ae2ac23.cpe.net.cable.rogers.com
TAG: portmapper
ASN: 812
GEO: CA
REGION: ONTARIO
CITY: YYYYYYY
NAICS: 517311
PROGRAMS: 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
SECTOR: Communications, Service Provider, and Hosting Service
 
  1. Is there something in my NETGEAR Router Orbi setup I can check for port mapping?
  2. When I use Google to get my public IP address, it's different than the one above - how can I tell if the router received a new public IP since 2021-04-25 06:32:47?
  3. I ran this in my Terminal app (macOS v11.2.3) on my computers and the output is below:
  4. rpcinfo -T -p <local IP address>
    Can't contact rpcbind on 192.168.1.131
    rpcinfo: RPC: Unknown protocol
  5. I have a Synology DS218 NAS connected via cable to the router for storing files; could that be doing something?
  6. We use Apple iPads & iPhones - is anyone aware of something I should be checking on those?

7 Replies

  • > Model: RBR50|Orbi AC3000 Tri-band WiFi Router

     

       Firmware version?  Connected to what?

     

    > PORT: 111
    > TAG: portmapper

     

       That's typically NFS-related.  I know nothing about Rogers policies
    with respect to servers, but I suspect that (even if they allow it) you
    don't want anything on your LAN exposed that way to the Internet.

     

    > 1. Is there something in my NETGEAR Router Orbi setup I can check for
    > port mapping?

     

       If someone in the outside world gets a response from your router at
    port 111, which seems to be the case (as from here):

    $ rpcinfo -p 99.238.182.129
       program vers proto   port
        100000    4   tcp    111  rpcbind
        100000    3   tcp    111  rpcbind
        100000    2   tcp    111  rpcbind
        100000    4   udp    111  rpcbind
        100000    3   udp    111  rpcbind
        100000    2   udp    111  rpcbind

    then either the router itself is at fault, or it's passing such traffic
    to/from some device on your LAN.  If we assume that the router itself is
    too stupid to have such NFS functionality, then that would suggest one
    of the following:
          UPnP
          DMZ
          Explicit port forwarding rules

     

       As a test, I'd disable all of those.  (See the User Manual for
    details.)

     

    > 2. When I use Google to get my public IP address, it's different than
    > the one above - how can I tell if the router received a new public IP
    > since 2021-04-25 06:32:47?

     

       Its current WAN/Internet IP address should be found at:
          ADVANCED > ADVANCED Home : Internet Port : Internet IP Address


       With my weak psychic powers, I can't see it, but you could plug that
    address into the form at: https://whois.arin.net/ , and see if it is a
    public or private address.


       As shown above, _something_ at "99.238.182.129" is responding at port
    111.  ("telnet 99.238.182.129 111" also gets a connection.)  Whether
    that's your RBR50, or something else of yours, or some other Rogers
    customer is unknown to me.

     

    > 4. rpcinfo -T -p <local IP address>

     

       Bad command syntax.  "man rpcinfo".  _Whose_ "<local IP address>" is
    that?  The complaint from your ISP is about stuff on the WAN/Internet
    side of your stuff, not anything on your LAN.

     

    > 5. I have a Synology DS218 NAS connected via cable to the router for
    > storing files; could that be doing something?

     

       It and a Mac would be plausible NFS users, but, if that activity
    stays on your LAN, then your ISP should neither know nor care.

     

    > 6. We use Apple iPads & iPhones - is anyone aware of something I
    > should be checking on those?


       I doubt it.  A command like "rpcinfo -p localhost" on your Mac might
    spew a bunch of stuff.  You could probe other, less likely devices by
    specifying their LAN IP addresses.  But, again, this stuff is generally
    harmless when confined to your LAN.  If it gets through your router to
    the outside world, then you might expect complaints from your ISP.

    "interfering with the Rogers network" is, I'd say, an exaggeration,
    but running/exposing any server at all might violate their terms of
    service for a residential account.

     

       Note that "port mapping" and "portmapper" are different from "port
    forwarding".

     

          https://en.wikipedia.org/wiki/Portmap
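
The checks discussed in the question and the reply above can be reconciled in one pass: does the report's IP match the router's current WAN address, is that WAN address itself behind another NAT, and does an outside `rpcinfo -p` probe confirm the reported programs. This is an added example, not code from either poster; the function names, result keys and sample data are hypothetical and constructed.

```python
import ipaddress
import re

# Constructed sample in the report's "KEY: value" layout; 198.51.100.0/24 is a documentation range.
REPORT = """\
IP: 198.51.100.23
PROGRAMS: 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
"""
# Constructed `rpcinfo -p` transcript in the layout shown in the reply.
LISTING = """\
   program vers proto   port
    100000    4   udp    111  rpcbind
    100000    2   tcp    111  rpcbind
"""
# RFC 1918 and carrier-grade NAT ranges: a WAN address here means another NAT sits upstream.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def parse_report(text):
    """Return the report fields; PROGRAMS becomes a set of (program, version, proto, port)."""
    fields = dict(re.findall(r"^([A-Z]+):[ \t]*(.*?)[ \t]*$", text, re.M))
    progs = re.findall(r"(\d+)\s+(\d+)\s+(\d+)/(tcp|udp)", fields.get("PROGRAMS", ""))
    fields["PROGRAMS"] = {(int(p), int(v), proto, int(port)) for p, v, port, proto in progs}
    return fields

def classify_rpcinfo(output):
    """Classify text printed by `rpcinfo -p <host>` run from outside the LAN."""
    if "Timed out" in output:
        return "filtered", set()        # no rpcbind answer came back on port 111
    if "Unknown protocol" in output:
        return "check-command", set()   # the reply calls the -T invocation bad syntax
    rows = re.findall(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)", output, re.M)
    seen = {(int(p), int(v), proto, int(port)) for p, v, proto, port in rows}
    return ("exposed" if seen else "no-data"), seen

def assess(report_text, current_wan_ip, rpcinfo_output):
    """Reconcile the ISP report with the router's WAN address and an outside probe."""
    report = parse_report(report_text)
    current = ipaddress.ip_address(current_wan_ip)
    state, seen = classify_rpcinfo(rpcinfo_output)
    return {
        "report_is_for_this_wan_ip": ipaddress.ip_address(report["IP"]) == current,
        "wan_ip_behind_nat": any(current in net for net in NAT_RANGES),
        "probe": state,
        "confirmed": sorted(report["PROGRAMS"] & seen),
        "not_in_report": sorted(seen - report["PROGRAMS"]),
    }

print(assess(REPORT, "198.51.100.23", LISTING))
```

A `report_is_for_this_wan_ip` of `False` together with a `filtered` probe is the case where the report most likely concerns a different address than the one the router currently holds.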

    • RWADDELL_1701
      Aspirant

      Thank you for your quick reply. Looks like I did not redact all instances of the IP they sent me, but my public IP address is different than the one in the email. I'm not very knowledgeable about this stuff but I was told if I typed "what is my ip address" into Google it would tell me my public-facing IP (and I get the same value from every device I try that on), and it's NOT what Rogers sent to me.

       

      As to your queries:

       

      • Router Firmware Version V2.7.2.104 (I thought I put that at the top of my post, but I can't see that now when I reply to you)
      • NETGEAR ROUTER ORBI RBR50 is connected via ethernet cable to the Rogers Ignite modem. My iMac is connected by cable to the ORBI, as is the Synology NAS, but everything else is WiFi.
      • Can I check on my end to see if you were able to access me?
      • I do not have port forwarding set up under Advanced Setup > Port Forwarding/Port Triggering
      • UPnP is ON using UDP protocol with two entries in the table:
      Int. Port     Ext. Port   IP Address
      3074          3074         ZZZ.ZZZ.ZZZ
      9308          9308         ZZZ.ZZZ.ZZZ
      • DMZ is not configured as I don't have port forwarding set up
      • ADVANCED > ADVANCED Home : Internet Port : Internet IP Address has the same value as when I use Google, and it is NOT what was in the report from Rogers.
      • When I plug in the IP from above into whois-RWS it says "Customer=Rogers Cable Inc. BASP (C02170553)"
      • As for rpcinfo, I plugged in the local IP for each of my three computers in the <local IP address> bit to see if there was an RPC service running - each said no. Am I supposed to use the public IP? I tried that and it still says "

        Can't contact rpcbind on ZZZ.ZZZ.ZZZ.ZZZ

        rpcinfo: RPC: Unknown protocol

      The only thing I saw on my Synology NAS was a 'QuickConnect' item in the Control Panel which would allow me to connect to the DiskStation from anywhere. It was enabled but I disabled it, but that would not seem to be the issue as I did that before posting my topic.

       

      One thing I forgot to mention - I have Disney Circle 1st Generation device installed to limit access for my son, as well as a Ring doorbell & chime.

      • antinode
        Guru

        > [...] it's NOT what Rogers sent to me.

         

           My psychic powers have not improved since:

         

        > With my weak psychic powers, I can't see it, but you could plug that
        > address into the form at: https://whois.arin.net/ , and see if it is a
        > public or private address.

         

           With no clues other than "different", there's little I can offer.

         

        > o ADVANCED > ADVANCED Home : Internet Port : Internet IP Address has the
        > same value as when I use Google, and it is NOT what was in the report
        > from Rogers.

         

           If Rogers is complaining to you about some other customer's IP
        address, then you should be arguing with Rogers.  At which point,
        further investigation of your stuff might be a waste of time and effort.


        > o NETGEAR ROUTER ORBI RBR50 is connected via ethernet cable to the
        > Rogers Ignite modem. [...]

         

           About which, I know nothing.  A quick Web search suggests that it's a
        modem+router, although it might have a "Bridge Mode" (which you might be
        using):

         

              https://www.rogers.com/customer/support/article/learn-more-about-the-rogers-ignite-modem

         

              https://www.rogers.com/customer/support/article/how-to-bridge-your-rogers-ignite-modem

         

        > As for rpcinfo, [...]

         

           I can't see your actual command, but if you did it right, then I'd
        expect "rpcinfo: RPC: Timed out", rather than "rpcinfo: RPC: Unknown
        protocol".  I infer that you still have that spurious "-T" option in
        there.  Copy+paste is your friend.  On/from my Mac, I get plenty
        (from "localhost" or its own LAN IP address):

        $ rpcinfo -p localhost 
           program vers proto   port
            100000    2   udp    111  rpcbind
            100000    3   udp    111  rpcbind
            100000    4   udp    111  rpcbind
            100000    2   tcp    111  rpcbind
            100000    3   tcp    111  rpcbind
            100000    4   tcp    111  rpcbind
            100024    1   udp    612  status
            100024    1   tcp   1021  status
            100021    0   udp    712  nlockmgr
            100021    1   udp    712  nlockmgr
            100021    3   udp    712  nlockmgr
            100021    4   udp    712  nlockmgr
            100021    0   tcp   1017  nlockmgr
            100021    1   tcp   1017  nlockmgr
            100021    3   tcp   1017  nlockmgr
            100021    4   tcp   1017  nlockmgr
            100003    2   udp   2049  nfs
            100003    3   udp   2049  nfs
            100003    2   tcp   2049  nfs
            100003    3   tcp   2049  nfs
            100005    1   udp    864  mountd
            100005    3   udp    864  mountd
            100005    1   tcp   1023  mountd
            100005    3   tcp   1023  mountd
            100011    1   udp   1018  rquotad
            100011    2   udp   1018  rquotad
            100011    1   tcp    999  rquotad
            100011    2   tcp    999  rquotad

           But, (from the router) at my external/public address:

        $ rpcinfo -p <public_IP_address>
        Can't contact rpcbind on <public_IP_address>
        rpcinfo: RPC: Timed out

        as expected.

         


        > RWADDELL

         

           "R" for "Rube"?