Cannot set up port forwarding on a speedport W723V

Posted

Hi All,

I bought into the new 50MB/s DSL router package from t-com, and so far I've not been able to set up port forwarding... :(

Since it's all in German I'm having a hard time figuring things out. I've used Google Translate, but in spite of doing what I think is right, I'm not able to forward port 443, which I need to allow through from outside to reach my ssh server that's configured to listen on it. With my previous speedport router I managed to set up the port forwarding, and along with dynamic DNS I could ssh -p 443 my.server.org or telnet my.server.org 443 and it would open and connect.

Now with this new speedport router, though I do get the speed it claims, the port forwarding is just not working!

If anyone has managed to set up port forwarding on this specific router (speedport W 723V), please can you show/tell me how it's done wrt all the options on whichever page of the router's website?

Just in case, some short briefs on what I've done so far:-

on my pc I've set up ssh to listen on port 443.

on the router, I've entered info for my pc's ip address and mac address.

on the router, I've activated port weiterleitung for port 443 for my entered pc's option...

saved, and tried out, but get connection refused..

What could be wrong? I've posted an attachment of the port forwarding rule after it was saved.

Thanks...

Posted

From the screenshot it looks like you've done the correct thing.

Did you click "Speichern" once you had entered in the port details?

I have the W701V and port forwarding works ok without a reboot, but perhaps you could try rebooting the modem after you've entered the details.

Tried a static IP on your PC?

Also, port 443 is a common HTTPS port. Have you tried opening another uncommon port much higher up the range and seeing if that works?

You can use this site to check.

Posted

Hi Willsbob, Thank you for replying.

Yes, I've clicked on save...

I've also rebooted et al,

I do have a static ip set up for my pc to where I am trying to forward to..

And as per your suggestion I've set up ssh to listen on another higher port.

I used to have a speedport older model, all worked well. I know how to do port forwarding et al

It's just that in this router it's not working...

I have put off my firewall on my local pc.

There are a few things I don't understand..

The "firewall" option is "ein", but the word firewall is greyed out and I can't configure it or see what's inside..

The English translation for the router's hint sections says something like "for security reason the firewall cannot be put off". But I don't want to put it off, on the contrary I want to check up on it and ensure port forwarding is ok.

Do you know if I use another router whether I would get the same speed? This one's giving me 50mbps on speed tests.

But the port forwarding doesn't work.

canyouseeme.org does see the port though, which is surprising... because I cannot ssh to the server nor telnet to the port to test connectivity from outside.

Posted

and what if you nmap your computer, inside (on another computer) and outside your network?

Posted

I've tried that, the results were a bit strange. I've forgotten what they were, but will post the results soon as I run nmap again.

I'm also thinking of checking if the port forwarding works if forwarded to a windows computer. You never know what might be in the firmware of these latest gizmos. Though I hope that it doesn't or else I'll be really pissed. Reason I think this is because when I asked for technical support the guy on the phone said they didn't support linux which is what I use.

I'll post the nmap results soon.

Posted

Talking of firmware - have you tried updating the W723V's firmware? I believe there's a pointy-clicky option to do it easily from the menu.

Posted

No, I haven't done that yet. The entire interface is in German and unfortunately I don't understand it. I did click on it and it took me to some web site, but my login there failed. I believe (from browsing the internet) that there's a file to download from the web site which is then uploaded into the router.

I'll try it again soon as I get back home.

Thx.

Posted

OK,

an nmap from localhost to localhost shows:-

    Starting Nmap 4.62 ( http://nmap.org ) at 2011-06-15 19:41 CEST
    Interesting ports on localhost (127.0.0.1):
    Not shown: 1713 closed ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    443/tcp open  https
    Nmap done: 1 IP address (1 host up) scanned in 0.132 seconds

and an nmap from localhost to my external ip shows:-

    Starting Nmap 4.62 ( http://nmap.org ) at 2011-06-15 19:40 CEST
    Interesting ports on p4FF0DAA1.dip.t-dialin.net (79.240.218.161):
    Not shown: 1711 closed ports
    PORT    STATE    SERVICE
    21/tcp  filtered ftp
    53/tcp  open     domain
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    Nmap done: 1 IP address (1 host up) scanned in 1.519 seconds

The 79.240...address I got from whatismyipaddress.com and it also is the same ip as my dynamic dns ip.

and an nmap from localhost ( 192.168.2.2 ) to my router 192.168.2.1 shows:-

    Starting Nmap 4.62 ( http://nmap.org ) at 2011-06-15 19:55 CEST
    Interesting ports on speedport (192.168.2.1):
    Not shown: 1709 closed ports
    PORT    STATE    SERVICE
    21/tcp  filtered ftp
    53/tcp  open     domain
    80/tcp  open     http
    139/tcp filtered netbios-ssn
    443/tcp open     https
    445/tcp filtered microsoft-ds
    MAC Address: 5C:4C:A9:DA:2F:EF (Unknown)
    Nmap done: 1 IP address (1 host up) scanned in 1.582 seconds

and finally, an nmap to my localhost's ip 192.168.2.2 shows port 443 open

    Starting Nmap 4.62 ( http://nmap.org ) at 2011-06-15 19:56 CEST
    Interesting ports on 192.168.2.2:
    Not shown: 1713 closed ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    443/tcp open  https
    Nmap done: 1 IP address (1 host up) scanned in 0.127 seconds

This will obviously be the same as nmap to localhost.

sshing from localhost or even another pc on my internal LAN to my local pc works

but,

an ssh to my external ip address shows:-

    ssh -p 443 79.240.218.161
    ssh: connect to host 79.240.218.161 port 443: Connection refused

My firewall is off on the localhost.

what gives? folks..

Posted

sshing to your external ip from within your local network is a weird thing to do. it works for me on my network, but I don't think that means anything.

Posted

Well, it is 1 way of testing sshing to my local pc from outside, isn't it? It's like a u-turn, so you go out, and then try to come back in through the router's and / or local pc's firewall. Or so I think. Used to work for me to test connectivity with my older router. This new router just sucks! I keep getting connection refused.

What's interesting is the nmap to external IP doesn't show port 443 as open but nmap to router shows it open. I would think that an nmap to external IP would run the port scan on the router from outside, isn't it?

Posted

ok, I have an update,

I did an nmap from outside (work pc) to my external ip and I could see ports 21,80 and 443 open.

A telnet established the connection but then hung after showing "Escape character is ^]", so it didn't give me the ssh version banner thereafter, i.e. an ssh -p 443 external_ip gives time out because of some host exchange identification problem:

    ssh_exchange_identification: Connection closed by remote host

Any ideas?

Posted

Does anyone here possess a speedport W723V please?

I would ordinarily use Google Translate to help me with the hints on the router's website, but the hints keep changing as I move the mouse away from the object whose hint I want to translate, and it is not easy for me to figure out how to do this.

If anyone possesses a speedport W 723V and has set up port forwarding (Weiterleitung I believe it is), please can you let me know, and if you could guide me through what I need to do on my router to at least have it correctly configured? I'd really appreciate it. Can't get much help from the T-Com guys...

Many Thanks

Posted

Does anyone also have the latest firmware perhaps? The one I use is 1.000.074

Posted

That is some weird voodoo then.

Posted

From outside to inside:-

    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-06-17 10:01 CEST
    Interesting ports on p4FF0DAA1.dip.t-dialin.net (79.240.218.161):
    Not shown: 1677 filtered ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    80/tcp  open  http
    443/tcp open  https
    Nmap finished: 1 IP address (1 host up) scanned in 20.885 seconds

Above is the result of nmap from outside world to my pc.

I have port 21 and 443 accepting ftp and ssh on my local pc.

I do not have port 80 enabled. My web server is off.

So is port 80 the router's web server?

Also, ssh -vvv -p 443 79.240.218.161 shows:-

    ssh -vvv -p 443 79.240.218.161
    OpenSSH_4.4p1, OpenSSL 0.9.8d 28 Sep 2006
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to 79.240.218.161 [79.240.218.161] port 443.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/identity type -1
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    ssh_exchange_identification: Connection closed by remote host

I cannot understand the FilterFunktion section and the Nat Portregln-whatever section of my router.

The filter function I believe is for wireless clients, and the Port forwarding section allows NAT to these clients.

But how do I forward a port to a wired client? When I do a Hinzufügen I cannot enter the MAC address of my eth0 card in there as it doesn't accept the full hex address. It's all so strange and weird.

It's possible that my ssh server is not properly configured and I can attempt to fix that, but what's the answer to the question above?

Any one?

To: eean,

Hi eean, do you have this particular router? If so is the interface in English? I doubt it. It's made for the German market only.

But if the interface is in English then do you have port forwarding configured? There isn't an English manual for this router anywhere. And the firmware I've got, I think is the latest.

To: everyone else,

Can someone please help before I go nuts!

Thank you.

p.s Isn't there someone from T-Com who has this router here? :)

Posted

No, I don't have it. Sounds like level 7 filtering to me... the ISP identifies it as an SSH connection and shuts it down. Try running another service, like an HTTP server.

Seems like a conflict of interest to get your router from your ISP...

Posted

It is standard to get routers from the ISP here. You can't even say no (although you can replace it).

Call Customer service with your provider (if you have enough German), after putting a supported OS on your computer (doesn't everyone with Linux run in a partition with some Microsoft OS?) and get them to fix it. I bet it's on their side (they need to change your settings), but they won't do so while you run an unsupported OS, even though they could.

Posted

Isn't the bigger issue that they (probably) don't support running servers? It's easy to pretend you are running Windows if that's a problem.

Anyways, if you aren't forced to run this crap router, have you tried connecting to the modem directly and seeing if SSH etc works then? We're not even sure that it is the router causing the problem at this point.

Posted

To gail123, and eean,

Sorry for the delay in replying. I was in the t-com office yesterday - nothing much happened, and long story short I'll get a call from an English speaking technical support guy tomorrow eve.

I tried to make this work on windows as well. Installed an ssh server on windows and tried it out. Same thing. Connection refused.

I can ssh to and from the windows pc and the linux pc via the router and I'm using port 22 (though this will have to change to 443 in the future but just for now I'm sticking to standard protocol numbers). The connection refused, once again, happens when I try to ssh to my external IP from any of these local pcs. The same happens when I try to connect from outside via internet to my local linux pc (for e.g. from work).

Eean, I think they should support running servers, cause so far no one I spoke with in t-com has mentioned anything about that.

Yesterday I tried to connect the cable coming straight from the wall into the ethernet port of my local linux pc (so no router connected) and attempted to use pppoe in linux to establish a dsl connection. I think I can do this. pppoeconf and pppsettings and a host of other ppp/pppoe programs (at least in debian linux) allow this as far as I can remember (Am I right? or do I have to connect my ethernet cable of my linux pc to the router?), but since I didn't know what the dsl telephone number was to dial out, I couldn't continue. The t-com dsl username and password I have, but I'd need a telephone number to dial out for the pppoe client to work, isn't it? If I can make that work then I can use my linux pc as a router/firewall and screw this t-com router for now. If you or anyone knows about this and agree with me then I'll pursue this method (I'll have to find out the number to dial, that's all).

But what do you mean connecting to the modem directly? Do you mean I unplug the dsl cable from the router and only keep my two pcs' ethernet cables plugged in and see if the ssh between these work? I'm gonna try that out now, though I think that will work because I've already tried that (see 2nd para above )

Posted

I tried the pppoe connecting the ethernet straight to the wall but I guess I'm wrong, it'll probably not work as there's no modem.

I tried disconnecting the dsl modem and keeping only the 2 PCs (1 windows and 1 linux) connected to the router, and the ssh between these two works (whether or not port forwarding is configured, but funnily even if port forwarding is configured so as to not allow 1 pc to ssh to another...) anyway, I'll see what happens monday.

Posted

Well, the 2 PCs are on the same network, so there is no firewall between them.

I know that ISPs will block things like SMTP and HTTP, so you have to buy business class service from them in order to run servers from your house, but I don't know why they would shut down SSH.

But, it is Telekom, so stranger things have happened.

Posted

update:-

Good news and Bad news

Good news:-

I got a free shell a/c and could ssh into my local pc from there so the NAT forwarding is working only if I come from outside to inside.

Bad news:-

It doesn't seem to work for any port when I try to go from inside outside and back inside. That's definitely a router thing.

I came across multiple similar cases of other people having exactly the same problem and it was all dependent on the router they had.

That sucks!

But, at least I can ssh to my internal lan from outside now. I'm gonna ask the tech support guys to show me how to modify the router to allow me to do what I've been trying all this while.

WTF T-kom!?!

Thank you very much for your support all...

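The symptoms reported across this thread ("Connection refused" when connecting to the external IP from inside the LAN, a connection that opens but stays silent, and a connection that closes before the SSH version banner) can be told apart with a small probe. This is an added example, not code from any poster in the thread; the function name `probe_ssh` and its state names are made up for illustration.

```python
import socket


def probe_ssh(host, port, timeout=5.0):
    """Return (state, detail) describing what answers on host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Same condition ssh reports as "Connection refused"
        return ("refused", "TCP reset: nothing accepted the connection")
    except socket.timeout:
        # What nmap lists as "filtered"
        return ("filtered", "no reply to the connection attempt")
    except OSError as exc:
        return ("error", str(exc))
    buf = b""
    with sock:
        sock.settimeout(timeout)
        try:
            while len(buf) < 4096:
                chunk = sock.recv(256)
                if not chunk:
                    break  # peer closed the connection
                buf += chunk
                # RFC 4253 lets a server send other lines before its version line
                for line in buf.split(b"\n")[:-1]:
                    if line.startswith(b"SSH-"):
                        return ("ssh", line.strip().decode("ascii", "replace"))
        except socket.timeout:
            if not buf:
                # Matches the telnet session that connected and then hung
                return ("silent", "connected, but nothing sent within timeout")
        except ConnectionResetError:
            pass
    if buf:
        # Something answered, but it is not an SSH server
        return ("other", buf[:60].decode("ascii", "replace"))
    # Matches "ssh_exchange_identification: Connection closed by remote host"
    return ("closed", "connected, then closed before any SSH banner")


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>
    print(probe_ssh(sys.argv[1], int(sys.argv[2])))
```

Run from a host outside the LAN, the result reflects the port forward itself; run from inside against the external IP, it also depends on the router looping the connection back, which is the case that failed in this thread.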

Posted

I was confused, I guess your router is your DSL modem? You only have one box? Certainly you can't plug your computer into the wall and expect that to work.

When doing PPPoE there is no "phone number" to dial, though you do need your username and password.

Posted

So to lay out what an ideal solution would be: you are to set your router/modem to some sort of "pass through" mode: either on the IP address level, this would be called a DMZ. However looking at the screen shot this doesn't seem possible since you can't even turn the firewall off.

Or you could see if hidden somewhere is a way to do it on the Ethernet level, so then you could do PPPoE on your computer and your computer would have the public IP address. Then you'd route to your other devices in some alternate fashion. This is what I've done with my DSL modem, which also has aspirations of being a router.

For this you'd typically need to turn off NAT, routing, all of the above. Once you make the change you won't even be able to connect to your modem's web page anymore since it would stop having an IP address (until you reset the modem again).

Posted

Yeah, the box is a router-cum-modem so I have only 1 box which serves as both. I've enabled pppoe pass thru. On this box I can't set the firewall off (It's not allowed, the entry is greyed out).

Previously, before I joined t-com, I had the kind of modem that you described above. Turned off NAT, routing etc and my computer had the external ip address assigned to ppp0 and I ran the firewall on the same linux pc using iptables.
