Solved

Port Forwarding & Dynamic DNS both failing

Posted on 2014-04-05
Last Modified: 2016-11-23
SPECS:
Server PC: Win7 Pro SP1, i5, 3.4ghz, 6gb ram, dell OptiPlex 7010, service tag d32pcx1
Uses wifi connection to netgear wgr614v7 router, ATT DSL modem
router manual:
http://www.downloads.netgear.com/files/GDC/WGR614V7/wgr614v7_ref_manual_20apr06.pdf
________

I'm trying to set up port forwarding and free NOIP.com dynamic dns hosting on an office router that gets a dynamic IP from ATT DSL. Here's what I did so far:
>      Set static IP on computer that is to be a software server (ipv4=static, ipv6=auto)
>      In static IP, set DNS server to be same IP as LOCAL ROUTER GATEWAY from ipconfig/all
>      Open future software's port number (TCP) on Windows Firewall
>      Forward port 10021 (TCP) on router to the static IP of the Win7 PC
>      Removed 2 existing forwards (for obsolete software, different ports)
>      Set up dynamic DNS hostname for router's external IP at NOIP.com
>      Download "No-IP’s Dynamic Update Client (DUC)", Set Up, Log In. Set to start with windows
>      Check to see if ATT DSL blocks this port 10021, they don't appear to.


Problems:
>      The NOIP dns hosting / routing only works until the router external IP changes. So DUC isn't working.
>      Port testing is failing (using only online port testers so far). They say that the "Current Public IP Address" is the same as the one on the router status page.
>      As a test, opened port 20 in Win7 firewall, and forwarded to the Win7 static IP. The online port testers say THIS PORT IS BLOCKED TOO.

Based on what I read at pcwintech.com, here's what I'm going to check when I go back:
>      Try diff port test tools (local software on PC)
>      See if "general security level" of router set too high (if I can FIND it! see below)
>      Check for 2nd router (tho above suggests no)
>      Reset router, reapply settings
>      Turn off / repair windows firewall
>      See if DMZ is enabled on router
>      Restore old port forwards on router? (for older version of software?)


MY QUESTIONS FOR YOU:

(1) I didn't see anywhere in the wgr614 v7 router config or manual to set a "level of security" or to configure individual ports, other than to do port forwarding. Where is it on the wgr614v7?

(2) I noticed on the router there was a page titled "Dynamic DNS", where I could choose DynDNS.ORG from a dropdown. Do I need to enter info THERE AS WELL? (NOIP setup never mentioned this.)

(3) I'm using the local gateway IP as the DNS Server IP in Win7's static IP setup. Because that's the DNS server I got from ipconfig/all. Plus that setup is allowing internet access from Win7. Could that be causing problems? Should I be using DNS IPs from the router status page?

(4) (gripe question) After I downloaded noip's DUC, installed it, and entered my id & password, only one of the 3 status lines was "green", the other 2 were red. Until I went into "manage hosts", put a "check" next to my host, and hit OK. Then all 3 are green. How is that not default? Especially with one host! It's like setting up a bank account, and then after it's all done, still having to go online and check a box that says, "allow me to use my own money". Very frustrating. Or am I wrong?

(5) DUC must be failing still, because, whereas typing in our host URL (from NOIP) into a browser at the office loaded the netgear router admin page (normal, right?), now from home (12 hours later) it no longer works.  I'll review NOIP's literature. But any suggestions are welcome.

Thanks peepz
Question by:dgrrr
13 Comments
 
LVL 10

Expert Comment

by:Korbus
ID: 39980315
1) Don't know. will take a look at that manual next.
2) No, you would use one or the other.
3) I suspect they want you to use the same DNS on your computer, that you see when you go into the router's status page.  This status page will show you all of your internet settings, as provided by your ISP.  If you are using your router itself as the DNS server, it should pass on the DNS request/replies to the ISP for you.  If you are browsing ok, I don't think this is your problem.
4) Never used that software.
5) This test is not conclusive, we need to make sure it works from home at the same time it's working in the office (otherwise it could be some other office vs home dns issue).  Still, I suspect the software is not updating the address properly.  You can confirm this by doing a ping of the dynamic domain name and note the IP address it returns- then see if this changes when your external IP address changes.  I have not used NOIP.com in particular, but usually there is a "heartbeat" setting that specifies how often to check for a changed IP address.   Alternative:  use the dynDNS on the router instead of the software you are currently using- I've had great luck with that product.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39980340
1) Took a look at that manual.  Looks like port forwarding is the only way to configure network security.  By default all incoming connections are blocked.  You need to specify the port number of every service you would like to listen for, along with which computer on your network is doing the listening.  It does NOT seem to have any outbound security other than content filtering.
0
 

Author Comment

by:dgrrr
ID: 39980789
So if I try using the router webpage for Dynamic DNS with NOIP, should I disable the NOIP DUC software?

Alternatively, you are suggesting getting an account with another such service, namely DynDNS.com?


PS - I put the Win7 Server IP just outside the DHCP range, which is 0.2 to 0.50. I set Win7 to 0.60.

PS - I set up all the same things on my home computer, and i'm getting exactly the same failures. Except:
> at home when I put the current external IP or my NOIP dynamic domain name into a browser address bar, I get nothing, whereas at work I get the router login page
> when I  use PcWinCheck's "simple port tester" it says the port is open - BUT it's listening to my local computer's IP, NOT referring to the external IP, as the online ones do.
> when I ping my new NOIP dynamic domain name, it returns my current external router IP. The one at work gets no response.
0
 

Author Comment

by:dgrrr
ID: 39980796
Plus I can't test trying dynamic dns settings on my HOME router coz "This Page Currently Not Supported". (bad arris!)

I need to do an idiot check, I feel like I'm missing something basic  --
Normally, if Xfinity Cable or ATT DSL installs a router in somebody's house (for normal default residential use), and I go somewhere else and type their router's external IP into a browser... What's supposed to happen?   Nothing ("no data received"), right?   So why, on the above office router, did I get the router login page instead of "no data received"? That had nothing to do with a port.  It seems like there must be something PRIOR to port forwarding in order to allow any kind of incoming access. Not just to a port, but to the router itself? Am I wrong?
0
 
LVL 10

Assisted Solution

by:Korbus
Korbus earned 333 total points
ID: 39980877
check out page 16-6: remote management, in the router manual.  you probably have this enabled which is why you see a web page when you browse the office's external ip address.
You should probably turn this off, for security. You are SUPPOSED to see nothing when browsing to your external IP address (unless intentionally hosting a public web page or something). I generally use ping to test connectivity, rather than browsing. (note: Some routers don't respond to pings either, also for security reasons (see page 6-8 of your router manual))
To use dynDNS instead of the software, yes, you would probably need to create an account with them.
It is probably not necessary to disable the software if you switch to dynDNS, as long as different dynamic domain names are used.  (but you don't NEED both)
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39981378
> at home when I put the current external IP or my NOIP dynamic domain name into a browser address bar, I get nothing, whereas at work I get the router login page

this is normal. i don't think your router does nat reflection so your external ip is not available from your lan. additionally there should be antispoof measures that prevent accessing even a local service using the wan ip from the lan

> It seems like there must be something PRIOR to port forwarding in order to allow any kind of incoming access. Not just to a port, but to the router itself?

the router has a port dedicated to administration. you should not forward that same port to a LAN host. if the port you forward is a different one, it does not matter (but is insecure as stated above)

--

regarding the issue with the open port appearing to be closed, do you actually have a server running ? if not the port will be closed regardless the fact it is open or not in windows firewall. first make sure your server is accessible internally, then take care of port forwarding.

--

regarding the issue with noip, i've been using their services for years without problem with various update clients including a simple shell script. you need to recheck your external ip frequently, and enable log or at least manually perform an update and check it does work. can't help about the first and second line stuff without better information or possibly a screenshot. i'm not running the DUC currently and don't even have a windows around to check
0
 

Author Comment

by:dgrrr
ID: 39981613
to skullnobrains:  we don't have the server software yet (it's very expensive) - we want to get everything else working first.  So I guess I'd have to set up some other server software (like an ftp program)?

So for the sake of testing - Are there many kinds of free server software that let you choose your own port?
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39981748
most server software will let you choose the port

there is a netcat port for windows i have never used which is able to listen on any random port and basically do nothing. the same utility is available through cygwin.

other than that, you can install a web server like apache (stick a "listen PORTNUMBER" directive  in httpd.conf), a trivial mail redirector, a vnc server (for an easy graphic config. if you don't setup a password, it will accept connection and provide no access whatever the password you type).... dozens of stuff

you can use an ftp server such as cerberus (easy graphic config as well) but you won't be able to actually do ftp on a single port
0
 

Author Comment

by:dgrrr
ID: 39981923
So if the lack of a listening server on that port is causing the online port forwarding checkers to say "port not open", then installing "netcat port for windows" could fix this?

(I need to be able to say it's working before we buy the server software)

THX!!!
0
 
LVL 26

Accepted Solution

by:skullnobrains
skullnobrains earned 167 total points
ID: 39982410
if you start netcat and instruct it to listen on that port, yes. note that not all versions can accept several connections in a row so you probably will need to launch it in a loop.

if you are unfamiliar with the command line and netcat operation, it will probably be easier to use one of the above mentioned servers

---

there is no way it can NOT work. forwarding a port is trivial matter and not a single home router is buggy enough to not handle it once configured properly.

what protocol will your server be using ? there may be glitches with some of them. if you're in doubt, you had better post information.

---

you probably should gain some understanding of basic networking, though :

a closed port is a port that rejects the connection sending an icmp port-unreachable message when you try to connect to it. most kernels will do this normally whenever they receive a connection attempt on a port that nothing listens on as part of their normal IP operation. this is the way they are supposed to behave. this happens even without a firewall. kernels may implement different behaviour but they will certainly not accept a connection if no server software is bound to the port.

when a port is firewalled, in many cases, the firewall unfortunately does not answer at all and the connection attempt times out after a while. other behaviors exist but they mostly will produce either of these results from the remote user's perspective.
0
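
The listener-then-test sequence from the posts above, as an added example that is not part of the original thread: a throwaway TCP listener that keeps accepting connections in a loop, plus a probe that reports whether a port accepts the connection, refuses it, or gives no answer within the timeout. The function names and the timeout values are assumptions; port 10021 is the one from the question.

```python
import socket
import threading


def start_listener(port, host="0.0.0.0"):
    """Listen on `port` and accept connections in a loop, doing nothing with them.

    Returns (bound_port, stop_event, thread). Pass port=0 to let the OS pick one.
    """
    srv = socket.create_server((host, port))
    srv.settimeout(0.2)              # wake up regularly to check the stop flag
    stop = threading.Event()

    def serve():
        with srv:                    # closes the listening socket on exit
            while not stop.is_set():
                try:
                    conn, _peer = srv.accept()
                except socket.timeout:
                    continue
                conn.close()         # accept, send nothing, hang up

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], stop, thread


def probe(host, port, timeout=3.0):
    """Classify a TCP port as a remote port tester would see it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"                # something is listening and reachable
    except ConnectionRefusedError:
        return "closed"              # host answered, nothing bound to the port
    except socket.timeout:
        return "filtered"            # no answer at all, typical of a firewall drop
    except OSError:
        return "unreachable"         # routing or name-resolution failure
    finally:
        sock.close()


if __name__ == "__main__":
    # Port 10021 is the forwarded port from the question; run this on the
    # server PC, then test from outside the LAN (not via the WAN IP from inside).
    port, stop, thread = start_listener(10021)
    print("local check:", probe("127.0.0.1", port))
    input("Listening; run the external port test now, then press Enter to stop.")
    stop.set()
    thread.join()
    print("after stop:", probe("127.0.0.1", port))
```

A "closed" result from outside means the forward and firewall rules are passing traffic but nothing is bound to the port, while "filtered" points at the router or firewall dropping the attempt.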
 

Author Comment

by:dgrrr
ID: 39983791
I found a tool called Port Listener; whenever I told it to listen on a forwarded port, that port tested as open / forwarded on all the port testers.

So now I'm just trying to understand a few more basics:

I set up several kinds of servers on my home desktop PC (easy file servers, tiny web servers, etc). I could access them with my laptop, but only by typing in the desktop's internal IP (10.0.0.xxx). When I type in the no-ip host, it never works, even with all the specified ports forwarded & open in the router & Win firewall.  This is probably because I'm behind an Arris TG862G/GT router that doesn't allow NAT Loopback -- is that right? Or is it because this router NEVER allows such access regardless of setup? (See router manual, page 2-2, "Computers Hidden by NAT")

As you said, each server program requires me to choose a particular port. (And each port I used was forwarded to my home server static internal IP.)  But some server programs require that (on the laptop, client end) I include that port in the browser address box; others don't. (e.g., 10.0.0.123 vs 10.0.0.123:10021)  Why is this?

TinyServer (a web server) allows access regardless of which port I put it on, even if that port is NOT forwarded, as long as I browse to it using a port, e.g. "10.0.0.xxx:portnum".  Why is this?
0
 
LVL 10

Assisted Solution

by:Korbus
Korbus earned 333 total points
ID: 39983853
It's not really a good idea to test the accessibility of your home network from the internet, while INSIDE your home network, as you have discovered.  You will need to test from another location on the internet (like your smart phone [unless on home wifi], a friend's house, or the office) to test this properly.  It's not just your arris router, most routers will have problems with this.

If you do NOT put a port into your web browser's address bar, it assumes port 80, which is the standard web HTTP port.  I suspect this is what port "tinyserver" is listening on.
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39985318
> I found a tool called Port Listener; whenever I told it to listen on a forwarded port, that port tested as open / forwarded on all the port testers.

good, so forwarding the port (and opening it in the firewall) worked as expected

> This is probably because I'm behind an Arris TG862G/GT router that doesn't allow NAT Loopback

yes. this is what i called nat reflection above. there is no official term. most home routers don't handle it, and those which do usually have it disabled by default

> Computers Hidden by NAT

i have no time for the man page, but forwarding the port is what makes you not concerned by being hidden by NAT*

> 10.0.0.123 vs 10.0.0.123:10021)  Why is this?

as mentioned by @korbus, when you use a web browser, a.b.c.d is the same as a.b.c.d:80 because a web browser assumes you want to query a web server and uses the default www port when not instructed otherwise

> TinyServer (a web server) allows access regardless of which port I put it on, even if that port is NOT forwarded, as long as I browse to it using a port, e.g. "10.0.0.xxx:portnum".  Why is this?

if it works with all ports, i have no idea. if it is a specific port (or set of ports), tinyserver may have a bug that makes it ignore the port you set, may be configured to listen on a specific port AND another one (builtin), maybe its admin port... if you browse on your local machine, maybe it configured itself as a proxy for all ports and redirects everything it sees to its page..

this is completely unrelated to your question, but you can easily check which port it listens on using netstat, or if you want a graphic program, try process explorer which features a tcp tab where you can see listening and active connections of a specific process
0
