RBK50 Port Forwarding Help

How are you testing the port forwarding?

Can you make a screen shot of the Orbi Port Forwarding page?

I attached the picture. I just tested the service as well on a local device, and the service is available at 192.168.1.19:51820. However the port is not open. Testing using a VPN app -> DuckDNS -> public IP, did not work. Used https://portchecker.co/check and still nothing. Used a couple of other testers and still nothing.

First, I cannot see that anything is incorrect.  This is exactly what I do to open ports for testing.  Are you forwarding TCP or UDP?

(I ask that because this custom port forwarding rule has been given a title "VPN".)

Orbi supports OpenVPN Server (so external devices can connect into the Orbi LAN), which I have running.  I noticed that OpenVPN uses UDP rather than PCP and ran a test on my Orbi using https://check-host.net/check-udp?host=172.249.115.199:12973 and 12974.  Both scans were ambiguous.  If your app is a UDP app, then perhaps port scanning is not going to be successful.

Found one comment about how difficult it is to do UDP port scans: https://serverfault.com/questions/416205/testing-udp-port-connectivity 

The mention of DuckDNS adds another complexity.  If you are using DDNS as a means to allow the service to remain available even when the ISP changes your public IP, it might be worth testing against the actual IP first before introducing DDNS into the situation.  (That's what I did when I implemented OpenVPN on the Orbi.)  I hope you are aware that Orbi's DDNS works only with a couple of DDNS providers.

So far, I have not come up with much in the way of assistance.  Sorry.

Thanks for the reply.

Yes, it's a WireGuard VPN service on a Raspberry Pi on my network.

On Wifi, on my iPhone, I can set the endpoint for the VPN to 192.168.1.19:51820 and have it tunnel correctly.

I then took my iPhone off wifi, replaced 192.168.1.19 with my public IP, and the tunneling stopped working.

That leads me to believe the ports are not forwarded correctly. And yes, I selected UDP from the dropdown.

I even tried enabling dynamic DNS and VPN in Orbi, transferring the ovpn file to my iPhone, using OpenVPN connect to try and connect. Nothing happens. Changed OpenVPN Connect to use UDP only. Looked at logs to verify it was trying to connect on the port that Orbi specified. That didn't work either. The dynamic DNS address orbi gave me did resolve to my public IP, so that's not wrong either. Really grasping at straws here....

Oh, fun. I have been thinking about WireGuard and have a Pi to put it on.  (With OpenVPN working, I am not entirely sure why, but then it's not necessary to have a good reason to try things.)

And, yes, that is exactly how I tested Orbi's OpenVPN.  Took my phone off WiFi, opened a Hot Spot, connected laptop's to the Hot Spot and ran OpenVPN Client.  Got OpenVPN working on Android, Windows 10, and Linux Mint.

There is another (ghastly) thing to try.  Put that Pi into Orbi's DMZ. That's on the Advanced Tab, WAN Setup page.  Of course, this means the Pi will see every packet that comes in.  Would be a way to determine that "the internet" is not somehow filtering out these packets. If it doesn't work with the Pi in the DMZ, then Orbi port forwarding is not the issue.

Good Luck!

I put the Pi's internal IP as the default DMZ and it is still not working.

Maybe it's time to call up my ISP?

Have you been able to forward any other port through the Orbi?  (like HTTP or FTP?)

I haven't really tried before. I'm only recently trying to port forward stuff. I'm actually trying to port forward the VPN in order to use another service on my network that I installed. I tried port forwarding the service directly but that did not work either.

I remain mystified that it isn't working. Brainstorming "reasons" why it isn't working:

• The port number is "too high" and is getting cut off somewhere
• The reported public IP address isn't actually the public IP address
• Somewhere in the ISP network is blocking
• Port forwarding isn't working at all on this Orbi

Putting the server into the DMZ would eliminate the ISP from the equation.

Forwarding some other port to a computer inside the LAN would answer another.
(The Pi probably has FTP or SSH open?)

Regarding the port number, I actually did try lower port numbers just to be sure it wasn't some random fluke with the port number I chose, but same problem.

Regarding my ISP, I emailed their support last night (Sunday night) so hopefully they'll get back to me at some point today or tomorrow. I'm lucky enough to live in a place where a local company is providing fiber to the area and surrounding towns - no Comcast or Verizon or any company like that. Hopefully they'll be able to sort out any issues if it is on their end.

I could also dig out an old router and set it up and see if port-forwarding works on that.

I also did try setting 192.168.1.19 as the default DMZ server, but that did not change anything. I could open SSH for a couple of minutes and see if I can tunnel in from the internet. That would be interesting to try.

---

@DevinAK wrote:

I also did try setting 192.168.1.19 as the default DMZ server, but that did not change anything. I could open SSH for a couple of minutes and see if I can tunnel in from the internet. That would be interesting to try.

---

Unless I am mistaken, the DMZ server is supposed to receive everything.  You could set up the Orbi to collect the entire WAN feed for a short time (or Wireshark on a machine in the DMZ) and see if those packets actually arrive.  Pi's don't have much memory, so it would have to be a short session if you used the Pi.

So I should set the DMZ server to 192.168.1.1? Where would I view these logs? Would it be under the Advanced Tab -> Administration -> Logs? EDIT: I actually just tried that, and go the message: "The DMZ IP address should not be the same as the LAN IP address."

Also, my ISP got back to me today: they say they do not block anything or any ports, and that the issue is with my router. If I cannot figure out the problem, I might have to get out the old router like I mentioned and set that back up to test.

Sorry, I got ahead of myself.  (There are so many issues flying around at the same time.)  If putting the WireGuard or SSH server in the DMZ is not successful, then the question seems to be, "Do these connection attempts actually arrive at all?"  The WireGuard (and probably SSH) work on the LAN, so the ports must be "open".  Either the connections arrive at the Orbi and do not get through, or they never arrive at all.

So, how to verify that connections are arriving?  One way is to put something in the DMZ that will record every packet, such as Wireshark. Another way is to have the Orbi itself record packets.

Orbi has a "debug" page, http://<ip of Orbi>/debug.htm. For me, it is http://192.168.1.1/debug.htm  Log in with the normal admin credentials.

Check the box titled "Enable LAN/WAN Packet Capture".  Then, when you are ready to perform a test, click the box "Start Caapture".  Attempt to connect to WireGuard or SSH on the Pi.  (of course, the SSH port 22 has to be port forwarded on the Orbi).  Then go back to the debug page and Click on "Save Debug Log".  This will copy a zip file to your PC wherever the web browser saves files.  Mine goes into my "Downloads" folder.  The zip file includes LOTS of stuff, including a record of every packet seen on the LAN and WAN interfaces.  These are PCAP packet capture files that can be opened by many software packages.  I use Wireshark.

You know which IP address is attempting to connect, so look in the WAN capture for packets from that IP. If those packets are there, then look for them on the LAN side.  If they are NOT there, then "why?"

Nice! I did not know that Orbi had a debug page like that. I did not find my iPhone's IP anywhere inside either the WAN or LAN pcap files when trying to connect into WireGuard. Interesting...

Another thing I found, and I feel stupid for not checking this, is that the IP that Orbi displays (in ADVANCED -> Administration -> Router Status) is not the same as the IP I find when I google "what is my IP". Does this mean I'm behind a double router or something? I don't believe the box that my ISP gave me is a router, it just takes the fiber and converts it to ethernet, which then feeds my Orbi router. I'm not sure how I would access any page (like 192.168.1.1) that would show me some panel to configure DMZ to my orbi router... Where should I go from here?

Yes, it is sounding more like you have two "routers".  One easy way to tell is to "look under the tail" (hah, humor).  That is, look on the back of the fiber conversion box.  If it has more than one ethernet jack, it is almost certainly a router.  Another test is to do a "trace route" to some well known IP address, such as Google 8.8.8.8.  If the trace shows 192.168.1.1 (the Orbi) and then another "private" IP address before it begins showing public IP addresses before getting to 8.8.8.8, then there is a router in there somewhere.

Is there a label on the fiber box with a brand and part number?

Okay so I did a bit of debugging.

 First of all, I checked the fiber conversion box. The only inputs where fiber and power, and the only output was a single ethernet that went up to my Orbi router.

Second (replacing IPs with identifiers):

• I did a traceroute to 8.8.8.8 on my current setup 192.168.1.1 -> A -> B -> C -> D -> * -> E -> * -> 8.8.8.8
• What Orbi thinks my IP is: A
• What Google says my IP is: some address I haven't seen yet, lets call it ADDRESS

I then plugged the ethernet coming out of the fiber conversion box into a raspberry pi and looked at the internet information:

• Traceroute to 8.8.8.8: A (exactly the same IP as A above) -> B -> C -> ........
• What ipconfig says my IP is: very similar to A, except the last section is different. If A was 111.111.111.111, this IP was 111.111.111.150
• What Google says my IP is: some address I haven't seen yet, but very similar to ADDRESS
• I tried browsing to 192.168.1.1, 192.168.0.1, 192.168.2.1 - nothing presented itself as an admin panel

Not sure if that information helps at all... In both cases, Google's response to what my IP was was very similar: say 1.2.30.190 and 1.2.45.195. The first IP's after 192.168.1.1 (or lack thereof) in traceroute were the same. Not really sure what's going on here...

I looked at the fiber conversion box and there's a sticker on the back that has a bunch of warning about lasers and such, with the following information as well: ONT P/N, MAC, ID, S/N. Not sure which one or if I should post any at all, but let me know.

This information is useful.

It is now pretty clear that the fiber box is NOT a router.  What I do not understand is the trace route results and what the Orbi reports as its IP address.  I just traced the router from my Windows machine to Google:

Line 1 is the Orbi.

Line 2 is NOT the public IP address of my Orbi.  It is the first hop "after my Orbi"

and so on until it reaches Google.

The "public side" of the Orbi is not a "hop".  It should never be reported as such.  It is only the other side of the router.

How about THIS for a test.  Try to connect, but instead of using what Orbi reports as its IP address, use the IP that the "What's my IP" services report?

I unfortunetly cannot see the image you posted (it's just a small box with a yellow triangle in it) so I'm a little lost on the first part of your response.

However, I have tried both the IP that Orbi reports as my public IP and the IP that google reports as my IP and both do not work for port scanner services or for the WireGuard service I'm hosting. Orbi's IP, with my iPhone connected to WiFi on my network, does route correctly to the WireGuard service. But as soon as I go back to LTE, the IP does not resolve correctly. Google's IP does not resolve either way

Wow, "technical difficulties" on my end.  Maybe if I "attach" the picture.

I think a call to the ISP is in order.  My son lives in North Carolina and has fiber from a local company.  The IP his Orbi thinks is "public" actually is.  I connect to it routinely.

"Hi, internet company.  What is my public IP address?"  "How come neither my router nor the internet think that's what it is?"

Geez.  Maybe you have PPoE rather than DHCP?  Nah, surely that's not it.

http://www.cables-solutions.com/pppoe-vs-dhcp-difference.html 

I will definitely contact my ISP soon.

Let me say a mistake I made: the IP reported by Orbi is slightly different than the IP reported under traceroute (line 2). I have attached a picture of the traceroute for you to view.

The ISP I have is Greenlight, which services upstate NY and Connecticut. They provided the fiber termination box that's in my basement, which feeds internet to my Orbi.

However, I'm still stumped on why the IP reported by Orbi is different than the IP reported by Google...

---

@DevinAK wrote:

Let me say a mistake I made: the IP reported by Orbi is slightly different than the IP reported under traceroute (line 2). I have attached a picture of the traceroute for you to view.

---

In computers, any difference is "different".  This is Good.

How many of the "What is my IP address" web sites have you tried?  My public IP comes up the same no matter which I use.

I'm sorry for my error...

I just checked on 4 different sites, along with DuckDuckGo's and Google's automatic showing of my IP and they all report the same IP address.