Nighthawk X4S R7800 blocking/filtering port 443?
Hello everyone,
I recently contacted my ISP Ziggo (The Netherlands) via its community (Dutch) forum due to not being able to reach port 443 for HTTPS.
After struggling for some time, I hard reset (with the paperclip) my R7800 after reading this post today in the early afternoon, say around 13:00 / 1 PM.
Shortly after resetting and configuring the basics, port 443 was reachable from outside, nmap showed 'open' and I was able to reach my landing page "Apache2 Debian Default Page" over HTTPS.
Now, a few hours later (17:00 / 5 PM), port 443 is unreachable from the outside again; using nmap it shows 'filtered'.
Though, locally I'm able to visit
So my best guess is that the router is causing this issue, since my server has opened these ports:
```
ufw status verbose
Status: active
Logging: on (full)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
```
After enabling telnet on http://192.168.1.1/debug.htm and logging onto my router, a netstat shows the following:
```
root@R7800:/# netstat -tulen | grep ":80\|:443"
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
```
Does anyone have any idea why port 443 is getting blocked/filtered or what I should do?
Re: Nighthawk X4S R7800 blocking/filtering port 443?
You should set your server in DMZ on the router to bypass any local router firewall rules. I believe port 443 is used by the router for a secure connection when using https://routerlogin.net and routerlogin.com in a browser to reach its WebGUI securely.
Assign your server a reserved IP address on the router itself. Then go to Advanced -> Setup -> WAN Setup and enable DMZ and put the IP address you gave for the server.
Switching: 2x NETGEAR 8-ports (GS108v4) / 1x NETGEAR 16-ports (JGS516v2)
Desktop: AMD Ryzen 7 3700X - Server: Intel Core i7-7700K - NAS: Intel Pentium G4400, 16 TB
Re: Nighthawk X4S R7800 blocking/filtering port 443?
> Model: R7800|Nighthawk X4S AC2600 Wifi Router
Firmware version? To what is the R7800 connected?
> [...] configuring the basics, [...]
Do "the basics" include port forwarding? Actual rules?
> [...] locally I'm able to visit
Using what, exactly, as a URL? What happens if you specify the R7800
WAN/Internet IP address instead of the server LAN IP address? Does the
R7800 WAN/Internet IP address match your public IP address?
Does port 80 ("http://") work as expected?
> Does anyone have any idea why port 443 is getting blocked/filtered
> [...]
Until recently, a Netgear consumer router used only port 80
("http://") for access to its management web site, and there was no
problem using port forwarding with a local web server. If they've now
added 443 ("https://") for that, then they may have done it badly, so
that port forwarding of port 443 does not work properly. (It would not
be the first firmware bug to have been added in recent years.)
> You should set your server in DMZ [...]
You should not _need_ to do that, but it would be an interesting
experiment.
Re: Nighthawk X4S R7800 blocking/filtering port 443?
Let me start by excusing myself for the late reply to you guys!
> You should set your server in DMZ on the router to bypass any local router firewall rules. I believe port 443 is used by the router for a secure connection when using https://routerlogin.net and routerlogin.com in a browser to reach its WebGUI securely
> Assign your server a reserved IP address on the router itself. Then go to Advanced -> Setup -> WAN Setup and enable DMZ and put the IP address you gave for the server
Thanks for your answer, I've deleted the port forwards and enabled DMZ on the reserved IP address.
Unfortunately that doesn't seem to change the filtered state of port 443 as you can see:
```
nmap thuis.danielbareman.online -p80,443

Starting Nmap 7.01 ( https://nmap.org ) at 2020-01-11 12:24 CET
sendto in send_ip_packet_sd: sendto(4, packet, 40, 0, 94.213.151.221, 16) => Operation not permitted
Offending packet: TCP 46.4.62.86:40401 > 94.213.151.221:80 A ttl=46 id=45392 iplen=40 seq=0 win=1024
Nmap scan report for thuis.danielbareman.online (94.213.151.221)
Host is up (0.036s latency).
rDNS record for 94.213.151.221: 94-213-151-221.cable.dynamic.v4.ziggo.nl
PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds
```
> Firmware version? To what is the R7800 connected?
It runs on the default firmware provided by Netgear, version 1.0.2.68
It's connected to a 'Connectbox' from my provider Ziggo which is set to bridge mode.
> Do "the basics" include port forwarding? Actual rules?
The basics included setting up the SSID and WiFi password, reserved IPs and doing port forwarding.
> Using what, exactly, as a URL? What happens if you specify the R7800 WAN/Internet IP address instead of the server LAN IP address? Does the R7800 WAN/Internet IP address match your public IP address?
Locally http://thuis.danielbareman.online as well as https://thuis.danielbareman.online work (valid certificate by Let's Encrypt).
Same goes for http://94.213.151.221 and also https://94.213.151.221 when accepting the certificate.
But from outside the network, only http (80) is reachable.
> Until recently, a Netgear consumer router used only port 80 ("http://") for access to its management web site, and there was no problem using port forwarding with a local web server. If they've now added 443 ("https://") for that, then they may have done it badly, so that port forwarding of port 443 does not work properly. (It would not be the first firmware bug to have been added in recent years.)
Both http://routerlogin.net and https://routerlogin.net point to the login of my Netgear, so it could be that what you describe is causing this issue.
> You should not _need_ to do that, but it would be an interesting experiment.
Unfortunately DMZ doesn't change the filtered state of 443 even with and without the specific port forward.
---
What's my next step, file a bug? And if so where? I've previously used DD-WRT on a WNDR4500v2.
I could consider using another firmware like DD-WRT, OpenWRT or any other good suggestion for my R7800 to work around / solve the problem.
Re: Nighthawk X4S R7800 blocking/filtering port 443?
I've disabled both USB and remote management, which opens up 443; will disable one / both to see which one it is exactly.
Re: Nighthawk X4S R7800 blocking/filtering port 443?
Remote management normally listens on port 8443 for IPv4 and 443 for IPv6. However, the secure version (https) of routerlogin.net listens on port 443, so I suspect this may be a problem (or not).
Switching: 2x NETGEAR 8-ports (GS108v4) / 1x NETGEAR 16-ports (JGS516v2)
Desktop: AMD Ryzen 7 3700X - Server: Intel Core i7-7700K - NAS: Intel Pentium G4400, 16 TB
Re: Nighthawk X4S R7800 blocking/filtering port 443?
@microchip8 the Remote Management is causing this issue, even when it's configured on 8443; changing it to 6443 didn't make a difference.
I'll keep it disabled; if I'd like to manage any settings, I'll use the VPN to connect with and then connect to the Web UI of my Netgear.
Re: Nighthawk X4S R7800 blocking/filtering port 443?
Remote management is almost always recommended to be off, regardless of brand. It's been a possible security issue for years across multiple brands and has been exploited multiple times.
Switching: 2x NETGEAR 8-ports (GS108v4) / 1x NETGEAR 16-ports (JGS516v2)
Desktop: AMD Ryzen 7 3700X - Server: Intel Core i7-7700K - NAS: Intel Pentium G4400, 16 TB
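The netstat output in the first post shows the router's own services listening on 0.0.0.0:443 and :::443, the same port the poster wanted forwarded to the server. The script below is an added example, not part of the thread: it reads a listener table and reports router-side listeners that sit on a port you intend to forward or expose. The function name `forward_conflicts` and the loopback sample line are assumptions made for the illustration; a match is a hint about where to look (management services, remote management), not proof of what the firewall does.

```shell
#!/bin/sh
# Added example: flag ports where the router itself listens on a
# non-loopback address that is also the target of a WAN port forward.

# Listener lines as posted in the thread (router shell, netstat -tulen),
# plus one constructed loopback line to show that it is ignored.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN'

# forward_conflicts PORT...   (netstat text on stdin)
# Prints "PORT LOCAL_ADDRESS" for every TCP listener that clashes with
# one of the given forwarded ports, in input order.
forward_conflicts() {
    awk -v ports="$*" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        # Column 4 is the local address, column 6 the TCP state.
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            local_addr = $4
            port = local_addr; sub(/.*:/, "", port)       # after last colon
            host = local_addr; sub(/:[0-9]+$/, "", host)  # before the port
            # Loopback-only listeners cannot receive WAN traffic.
            if (host ~ /^127\./ || host == "::1") next
            if (port in want) print port, local_addr
        }'
}

# Stand-alone run: check the two ports the thread is about.
printf '%s\n' "$SAMPLE_NETSTAT" | forward_conflicts 80 443
```

On the router, pipe the live table in instead of the sample: `netstat -tulen | forward_conflicts 443`.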