Nighthawk X4S R7800 blocking/filtering port 443?

DanielB1990
Aspirant

Hello everyone,

 

I recently contacted my ISP Ziggo (the Netherlands) via its community (Dutch) forum due to not being able to reach port 443 for HTTPS.

After struggling for some time, I hard reset (with the paperclip) my R7800 after reading this post today in the early afternoon, say around 13:00 / 1 PM.

 

Shortly after resetting and configuring the basics, port 443 was reachable from outside, nmap showed 'open' and I was able to reach my landing page "Apache2 Debian Default Page" over HTTPS.

Now, a few hours later (17:00 / 5 PM), port 443 is unreachable from the outside again; using nmap it shows 'filtered'.

Though, locally I'm able to visit
So my best guess is that the router is causing this issue, since my server has opened these ports:

ufw status verbose
Status: active
Logging: on (full)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere

After enabling telnet on http://192.168.1.1/debug.htm and logging on to my router, netstat shows the following:

root@R7800:/# netstat -tulen | grep ":80\|:443"
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::443                  :::*                    LISTEN

Does anyone have any idea why port 443 is getting blocked/filtered or what I should do?

 

Model: R7800|Nighthawk X4S AC2600 Wifi Router
Message 1 of 8
microchip8
Master

Re: Nighthawk X4S R7800 blocking/filtering port 443?

You should set your server in DMZ on the router to bypass any local router firewall rules. I believe port 443 is used by the router for a secure connection when using https://routerlogin.net and routerlogin.com in a browser to reach its WebGUI securely.

 

Assign your server a reserved IP address on the router itself. Then go to Advanced -> Setup -> WAN Setup and enable DMZ and put the IP address you gave for the server

Routing: NETGEAR RAX43 - Firmware: V1.0.11.112 (1 Gbps down, 50 Mbps up)
Switching: 2x NETGEAR 8-ports (GS108v4) / 1x NETGEAR 16-ports (JGS516v2)
Desktop: AMD Ryzen 7 3700X - Server: Intel Core i7-7700K - NAS: Intel Pentium G4400, 16 TB
Message 2 of 8
antinode
Guru

Re: Nighthawk X4S R7800 blocking/filtering port 443?

> Model: R7800|Nighthawk X4S AC2600 Wifi Router

 

   Firmware version?  To what is the R7800 connected?

 

> [...] configuring the basics, [...]

 

   Do "the basics" include port forwarding?  Actual rules?

 

> [...] locally I'm able to visit

 

   Using what, exactly, as a URL?  What happens if you specify the R7800
WAN/Internet IP address instead of the server LAN IP address?  Does the
R7800 WAN/Internet IP address match your public IP address?


   Does port 80 ("http://") work as expected?

 

> Does anyone have any idea why port 443 is getting blocked/filtered
> [...]


   Until recently, a Netgear consumer router used only port 80
("http://") for access to its management web site, and there was no
problem using port forwarding with a local web server.  If they've now
added 443 ("https://") for that, then they may have done it badly, so
that port forwarding of port 443 does not work properly.  (It would not
be the first firmware bug to have been added in recent years.)

 


> You should set your server in DMZ [...]

 

   You should not _need_ to do that, but it would be an interesting
experiment.

Message 3 of 8
DanielB1990
Aspirant

Re: Nighthawk X4S R7800 blocking/filtering port 443?

Let me start by excusing myself for the late reply to you guys!

 

@microchip8

> You should set your server in DMZ on the router to bypass any local router firewall rules. I believe port 443 is used by the router for a secure connection when using https://routerlogin.net and routerlogin.com in a browser to reach its WebGUI securely
> Assign your server a reserved IP address on the router itself. Then go to Advanced -> Setup -> WAN Setup and enable DMZ and put the IP address you gave for the server

Thanks for your answer, I've deleted the port forwards and enabled DMZ on the reserved IP address.
Unfortunately that doesn't seem to change the filtered state of port 443, as you can see:

 

 

nmap thuis.danielbareman.online -p80,443

Starting Nmap 7.01 ( https://nmap.org ) at 2020-01-11 12:24 CET
sendto in send_ip_packet_sd: sendto(4, packet, 40, 0, 94.213.151.221, 16) => Operation not permitted
Offending packet: TCP 46.4.62.86:40401 > 94.213.151.221:80 A ttl=46 id=45392 iplen=40 seq=0 win=1024
Nmap scan report for thuis.danielbareman.online (94.213.151.221)
Host is up (0.036s latency).
rDNS record for 94.213.151.221: 94-213-151-221.cable.dynamic.v4.ziggo.nl
PORT STATE SERVICE
80/tcp open http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds

@antinode 

 

 

> Firmware version?  To what is the R7800 connected?

It runs on the default firmware provided by Netgear, version 1.0.2.68
It's connected to a 'Connectbox' from my provider Ziggo which is set to bridge mode.

 

 

> Do "the basics" include port forwarding?  Actual rules?

The basics included setting up the SSID and WiFi password, reserved IPs and doing port forwarding.

 

 

> Using what, exactly, as a URL?  What happens if you specify the R7800
> WAN/Internet IP address instead of the server LAN IP address?  Does the
> R7800 WAN/Internet IP address match your public IP address?

Locally http://thuis.danielbareman.online as well as https://thuis.danielbareman.online works (valid certificate by Let's Encrypt).
Same goes for http://94.213.151.221 and also https://94.213.151.221 when accepting the certificate.

 

But from outside the network, only http ( 80 ) is reachable.

 

> Until recently, a Netgear consumer router used only port 80
> ("http://") for access to its management web site, and there was no
> problem using port forwarding with a local web server.  If they've now
> added 443 ("https://") for that, then they may have done it badly, so
> that port forwarding of port 443 does not work properly.  (It would not
> be the first firmware bug to have been added in recent years.)

Both http://routerlogin.net and https://routerlogin.net point to the login of my Netgear, so it could be that what you describe is causing this issue.

 

> You should not _need_ to do that, but it would be an interesting experiment.

Unfortunately DMZ doesn't change the filtered state of 443 even with and without the specific port forward.

 

 

---

 

What's my next step, file a bug? And if so where? I've previously used DD-WRT on a WNDR4500v2.
I could consider using another firmware like DD-WRT, OpenWRT or any other good suggestion for my R7800 to work around / solve the problem.

 

Message 4 of 8
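
An added example, not part of any post in this thread: a small TCP connect probe that reports ports in the same terms as the nmap output above, so a forwarded port can be re-checked after each router setting change. "Filtered" means the connection attempt was dropped on the path without any reply, while "closed" means the host answered with a reset. The default host and the expected-state table are assumptions; run it from a machine outside the LAN.

```python
import errno
import socket


def state_from_error(exc):
    """Translate a failed connect() into nmap's 'closed' or 'filtered'."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"      # a RST came back: host reachable, nothing listening
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"    # SYN dropped silently by a firewall on the path
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH,
                                                  errno.ENETUNREACH):
        return "filtered"    # ICMP unreachable is also reported as filtered
    raise exc                # DNS failure etc. is not a port state


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return state_from_error(exc)


def compare(host, expected, timeout=3.0):
    """Return {port: (expected_state, actual_state)} for ports that differ."""
    mismatches = {}
    for port, want in expected.items():
        got = probe(host, port, timeout)
        if got != want:
            mismatches[port] = (want, got)
    return mismatches


if __name__ == "__main__":
    import sys
    # Assumed defaults: loopback as a placeholder host, both web ports forwarded.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (want, got) in compare(host, {80: "open", 443: "open"}).items():
        print(f"{host}:{port} expected {want}, got {got}")
```
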
DanielB1990
Aspirant

Re: Nighthawk X4S R7800 blocking/filtering port 443?

I seem to have found the fix with the suggestions offered in this post from 2014: https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Open-Port-https-443/m-p/495555

I've disabled both USB and remote management which opens up 443, will disable one / both to see which one it is exactly.
Message 5 of 8
microchip8
Master

Re: Nighthawk X4S R7800 blocking/filtering port 443?

Remote management normally listens on port 8443 for IPv4 and 443 for IPv6. However, the secure version (https) of routerlogin.net listens on port 443 so I suspect this may be a problem (or not)

Message 6 of 8
DanielB1990
Aspirant

Re: Nighthawk X4S R7800 blocking/filtering port 443?

@microchip8 The Remote Management is causing this issue, even when it's configured on 8443; changing it to 6443 didn't make a difference.
I'll keep it disabled. If I'd like to manage any settings, I'll use the VPN to connect and then connect to the Web UI of my Netgear.

Message 7 of 8
microchip8
Master

Re: Nighthawk X4S R7800 blocking/filtering port 443?

Remote management is almost always recommended to be off, regardless of brand. It's been a possible security issue for years across multiple brands and has been exploited multiple times.

Message 8 of 8