Port Forwarding not working Sky Q Router

mickevh

Distinguished Member
Your outbound 80/20/21 rules are unnecessary as the default outbound rule lets everything out. (Most SOHO routers behave this way by default.)

The inbound rules look fine - we may have to pick apart what's not working rule by rule and see where the problem is. What's not working, what are the symptoms, and can you describe how you are testing?

Incidentally, you have HTTP and HTTPS targeted at different hosts - is that deliberate or a mistake..?
 

b1nuzz

Standard Member
Thanks.
I have tidied the rules up a bit. See attached.
I have access to my NAS which is at 0.31
I don't have access to my CCTV which is at 0.160.

When I use yougetsignal, it reports that all the CCTV ports are closed and the NAS ports are open.
As a side note, when I visit myip:80 it reroutes to :8080 which is the HTTP port of my NAS.
The HTTP port of my CCTV is 90, but when I visit myip:90, I get nothing.

I can't figure it out.
 

Attachments

ChuckMountain

Distinguished Member
How are you visiting your IP? If it reroutes to 8080 and still allows you in, then it suggests there is a rule misconfiguration as you don't appear to have that rule set.

Can you access port 90 from a machine on your LAN?
 

b1nuzz

Standard Member
> How are you visiting your IP? If it reroutes to 8080 and still allows you in, then it suggests there is a rule misconfiguration as you don't appear to have that rule set.
If I visit my NAS IP address from the LAN without putting any port after the address, it auto redirects me to :8080 in the same way it does if I visit it externally.

However when I access the CCTV internally without putting the port, it just fails.

I don’t know why one does one thing, and the other another.
 

ChuckMountain

Distinguished Member
Port 80 is the default port for websites and so will access it directly; any redirect will then work properly. 90 is not the default port, so that's the reason it doesn't connect.

Can you get a screenshot of the services setup, which should list what ports they are assigned, as that might be the issue?
 

b1nuzz

Standard Member
Here’s a thought that may or may not be related.
My CCTV NVR which I am trying to connect to is connected to a WiFi bridge. As are all the cameras and a few other hardwired devices.
None of them show up in the ‘attached devices’ list on the router.
Does it have to ‘see’ the device to open the port?
 

mickevh

Distinguished Member
> Here’s a thought that may or may not be related.
> My CCTV NVR which I am trying to connect to is connected to a WiFi bridge. As are all the cameras and a few other hardwired devices.
> None of them show up in the ‘attached devices’ list on the router.
> Does it have to ‘see’ the device to open the port?
No, it doesn't. Devices are not "attached" to routers in any meaningful way - it is an entirely "stateless" (a term that has specific meaning in data networking) paradigm. Routers don't need to "know" about devices up/downstream of them, it's all about the addresses on the packets...

A router processes network traffic packet by packet; it will simply examine any incoming (or outgoing) packet, determine which port it needs to egress through to get to its destination, then examine things like any Access Control Lists (ACL) and things like firewall rules to determine whether the packet is allowed to proceed.

It's a bit like posties working in a sorting office: they don't need to have any knowledge of the geography of the world, they just need to read the addresses on the mail and chuck it in the correct bin to move it towards its destination.

There are (of course) a few caveats and exceptions: for example, UPnP includes a mechanism that allows clients on the LAN side of your firewall to dynamically request ports to be open, but this wouldn't work "the other way around" - clients on the "outside" of the firewall cannot get ports opened.

Also, it's possible a device connects inbound on one port, then the target device establishes a "new" connection "in the other direction" using different ports - which succeeds because SOHO routers have a particularly lax default state of "allow everything outbound."

If I were testing such things, I'd want to attach an Ethernet switch upstream of your router's WAN port, connect a laptop and use that to perform testing. Often you can telnet to the target on the requisite port and see what the response is, though whether that works depends somewhat on the port and protocol.

I would then disable all the rules and introduce them one by one, testing each one as we go until we get the functionality required.

Better kit might also allow the ability to "log" rule usage so that you can examine the system logs to determine whether a rule is being triggered or not.
 

maf1970

Well-known Member
Default outgoing on the firewall only allows up to port 1024.
Try adding a rule for CCTV8000 to the outgoing rules.
 

maf1970

Well-known Member
OK, let's go back and start with basics.
Can you provide a diagram of your local network and IP addresses?
What is your make and model of CCTV system?
 

b1nuzz

Standard Member
Thanks. I have attached a network drawing. I appreciate it isn't 'proper' but should make sense.
Everything after the wireless bridge doesn't report an IP address on the router, so I only know what the IP addresses are of the CCTV kit as those are all static.

The CCTV NVR is a HIKVISION DS-7604NI-K1/4P.

Thanks again,
 

Attachments

ChuckMountain

Distinguished Member
Ok so a little bit more complication than previously described.

Does the scan report port closed, open or no reply? Normally, for it to be open something had to respond; you might well be getting a timeout because your router isn't routing for some reason across the wireless bridge.

Is there any chance of temporarily connecting a cable from router to NVR?
 

maf1970

Well-known Member
What are the makes and models of the wireless bridge and PoE switch?
Could you indicate where all the kit is in your house?
Do you know how the devices are getting their addresses? From DHCP? Static?

Following ChuckMountain's suggestion, can you get a network cable from the router to the PoE switch?
 

b1nuzz

Standard Member
Thanks both.

Yes, I can temporarily get a wired connection to the NVR and cameras.

Devices are being given addresses by DHCP from the router, for everything apart from the NVR, NAS and cameras where I have assigned the IP address.

Router and NAS is in hallway, and the bridge, NVR etc is in the office upstairs.

Ports are reporting back as ‘closed’.

I’ll get the wired connection tomorrow and see if anything changes.

Thanks
 

mickevh

Distinguished Member
I suggest you turn on "log" mode on the firewall rules, then start examining the router's system logs to see which rules are being triggered and from where to where. Without any evidence, all you can do is guess.

Sorry, sometimes in networking there's nothing for it but to slog through and do some meticulous forensic analysis. This is one of the many ways network managers earn their money. :D

Personally, I'd start with the inbound rules as your outbound ones are effectively doing nothing (the default rule is allowing everything out, so it's not worth starting there.)
 

b1nuzz

Standard Member
I've been doing a bit more digging on this.
Turned off ALL firewall exceptions and I could still access my NAS.

I have now discovered that UPnP is enabled on the router and the NAS has communicated via this which ports it requires. Turning off UPnP stops access.

So, having enabled UPnP again, I added the NAS back in and added the Hikvision to the router via UPnP.
Whilst the router recognises it in the UPnP list exactly like the NAS, the ports are still not opening.

Any further thoughts from anyone?
 

maf1970

Well-known Member
Can you post screenshots of each of the settings tabs for the Hikvision?
 

maf1970

Well-known Member
Obvious one but easy to miss -

On your router it is defined as port 443 but on the Hikvision it is 444.
 
