Port Forwarding not working Sky Q Router

b1nuzz

Hi all,

Can anyone shed some light as to why the settings in the screenshot are not allowing the ports to be open?

80 and 20/21 are reporting back as open.
All the others are reporting back as closed! HELP!


TIA
 

Your outbound 80/20/21 rules are unnecessary as the default outbound rule lets everything out. (Most SOHO routers behave this way by default.)

The inbound rules look fine - we may have to pick apart what's not working rule by rule and see where the problem is. What's not working, what are the symptoms and can you describe how you are testing?

Incidentally, you have HTTP and HTTPS targeted at different hosts - is that deliberate or a mistake?
 
Thanks.
I have tidied the rules up a bit. See attached.
I have access to my NAS which is at 0.31
I don't have access to my CCTV which is at 0.160.

When I use yougetsignal, it reports that all the CCTV ports are closed and the NAS ports are open.
As a side note, when I visit myip:80 it reroutes to :8080 which is the HTTP port of my NAS.
The HTTP port of my CCTV is 90, but when I visit myip:90, I get nothing.

I can't figure it out.
 

How are you visiting your IP? If it reroutes to 8080 and still allows you in, then it suggests there is a rule misconfiguration as you don't appear to have that rule set.

Can you access the port 90 from a machine on your LAN ?
 
How are you visiting your IP? If it reroutes to 8080 and still allows you in, then it suggests there is a rule misconfiguration as you don't appear to have that rule set.

If I visit my NAS IP address from the LAN without putting any port after the address, it auto redirects me to :8080 in the same way it does if I visit it externally.

However when I access the CCTV internally without putting the port, it just fails.

I don’t know why one does one thing, and the other another.
 
Port 80 is the default port for websites and so will access it directly; any redirect will then work properly. 90 is not the default port so that's the reason it doesn't connect.

Can you get a screenshot of the services setup which should list what ports they are assigned as that might be the issue.
 
Can you get a screenshot of the services setup which should list what ports they are assigned as that might be the issue.

The attached?
Thanks
 

when I visit myip:80 it reroutes to :8080

This bothers me as according to your own rules you don't allow 8080 so how are you accessing your network? Are you using a 4G connection on your mobile?
 
Are you using a 4G connection on your mobile?

Yes, using 4G and my external IP, and I have a DDNS set up as well.

Yeah, it’s very odd. As far as I can tell, none of my rules work, but somehow 8080 is open.
 
Here’s a thought that may or may not be related.
My CCTV NVR which I am trying to connect to is connected to a WiFi bridge. As are all the cameras and a few other hardwired devices.
None of them show up in the ‘attached devices’ list on the router.
Does it have to ‘see’ the device to open the port?
 
Here’s a thought that may or may not be related.
My CCTV NVR which I am trying to connect to is connected to a WiFi bridge. As are all the cameras and a few other hardwired devices.
None of them show up in the ‘attached devices’ list on the router.
Does it have to ‘see’ the device to open the port?

No, it doesn't. Devices are not "attached" to routers in any meaningful way - it is an entirely "stateless" (a term that has specific meaning in data networking) paradigm. Routers don't need to "know" about devices up/downstream of them, it's all about the addresses on the packets...

A router processes network traffic packet by packet. It will simply examine any incoming (or outgoing) packet, determine which port it needs to egress through to get to its destination, then examine things like any Access Control Lists (ACL) and things like firewall rules to determine whether the packet is allowed to proceed.

It's a bit like posties working in a sorting office: they don't need to have any knowledge of the geography of the world, they just need to read the addresses on the mail and chuck it in the correct bin to move it towards its destination.

There are (of course) a few caveats and exceptions: For example uPNP includes a mechanism that allows clients on the LAN side of your firewall to dynamically request ports to be open, but this wouldn't work "the other way around" - clients on the "outside" of the firewall cannot get ports opened.

Also, it's possible a device connects inbound on one port, then the target device establishes a "new" connection "in the other direction" using different ports - which succeeds because SOHO routers have a particularly lax default state of "allow everything outbound."

If I were testing such things, I'd want to attach an Ethernet switch upstream of your router's WAN port, connect a laptop and use that to perform testing. Often you can telnet to the target on the requisite port and see what the response is, though whether that works depends somewhat on the port and protocol.

I would then disable all the rules and introduce them one by one testing each one as we go until we get the functionality required.

Better kit might also allow the ability to "log" rule usage so that you can examine the system logs to determine whether a rule is being triggered or not.
 
Default outgoing on the firewall only allows up to port 1024.
Try adding a rule for CCTV8000 to the outgoing rules.
 
Default outgoing on the firewall only allows up to port 1024.
Try adding a rule for CCTV8000 to the outgoing rules.

Tried this. It made no difference sadly.
Still no further forward.
 
OK, let's go back and start with basics.
Can you provide a diagram of your local network and IP addresses?
What is your make and model of CCTV system?
 
Thanks. I have attached a network drawing. I appreciate it isn't 'proper' but should make sense.
Everything after the wireless bridge doesn't report an IP address on the router, so I only know what the IP addresses are of the CCTV kit as those are all static.

The CCTV NVR is a HIKVISION DS-7604NI-K1/4P.

Thanks again,
 

Ok so a little bit more complication than previously described.

Does the scan report port closed, open or no reply? Normally for it to be open something had to respond, you might well be getting a timeout because your router isn't routing for some reason across the wireless bridge.

Is there any chance of temporarily connecting a cable from router to NVR?
 
What are the makes and models of the wireless bridge and PoE switch?
Could you indicate where all the kit is in your house?
Do you know how the devices are getting their addresses? From DHCP? Static?

Following ChuckMountain's suggestion, can you get a network cable from the router to the PoE switch?
 
Thanks both.

Yes, I can temporarily get a wired connection to the NVR and cameras.

Devices are being given addresses by DHCP from the router, for everything apart from the NVR, NAS and cameras where I have assigned the IP address.

Router and NAS is in hallway, and the bridge, NVR etc is in the office upstairs.

Ports are reporting back as ‘closed’.

I’ll get the wired connection tomorrow and see if anything changes.

Thanks
 
Yes, I can temporarily get a wired connection to the NVR and cameras.

Done this today and it hasn't made any difference.
Still no external access.
I'm very confused and short of ideas.
 
I suggest you turn on "log" mode on the firewall rules, then start examining the router's system logs to see which rules are being triggered and from where to where. Without any evidence, all you can do is guess.

Sorry, sometimes in networking there's nothing for it but to slog through and do some meticulous forensic analysis. This is one of the many ways network managers earn their money. :D

Personally, I'd start with the inbound rules as your outbound ones are effectively doing nothing (the default rule is allowing everything out, so it's not worth starting there.)
 
I've been doing a bit more digging on this.
Turned off ALL firewall exceptions and I could still access my NAS.

I have now discovered that uPnP is enabled on the router and the NAS has communicated via this which ports it requires. Turning off uPnP stops access.

So, having enabled uPnP again, I added the NAS back in and added the HikVision to the router via uPnP.
Whilst the router recognises it in the uPnP list exactly like the NAS, the ports are still not opening.

Any further thoughts from anyone?
 
Can you post screenshots of each of the settings tabs for the HikVision.
 
Attached Network Settings from the HikVision NVR.

TIA.
 

Obvious one but easy to miss -

on your router it is defined as port 443 but on the HiKVision it is 444.
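
Added example, not part of any post in this thread: the two checks the replies converge on, namely telling "open", "closed" and "no reply" apart for a single port, and confirming from a LAN machine that each forwarding rule points at a port the device really listens on (the 443 versus 444 mismatch above). The function names, rule names and the 192.168.0.x addresses are assumptions; the thread only gives the host parts .31 and .160.

```python
import socket


def probe(host, port, timeout=2.0):
    """Attempt one TCP connect and classify the outcome.

    open     - handshake completed, a service is listening on that port
    closed   - target answered with a reset: host reachable, nothing listening
    no-reply - nothing came back in time: packet dropped or not routed
    error    - local failure such as "no route to host"
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "no-reply"
    except OSError:
        return "error"


def audit_forwards(rules, timeout=2.0):
    """Return the forwarding rules whose LAN target is not listening.

    rules: iterable of (name, wan_port, lan_host, lan_port), copied from the
    router's port-forward table. A forward can only work if lan_host answers
    "open" on lan_port when probed from inside the LAN.
    """
    findings = []
    for name, wan_port, lan_host, lan_port in rules:
        state = probe(lan_host, lan_port, timeout)
        if state != "open":
            findings.append((name, wan_port, lan_host, lan_port, state))
    return findings


if __name__ == "__main__":
    # Constructed rule table for illustration; run it from a machine on the LAN.
    RULES = [
        ("NVR-HTTP", 90, "192.168.0.160", 90),
        ("NVR-HTTPS", 443, "192.168.0.160", 443),  # NVR itself was set to 444
    ]
    for name, wan, host, port, state in audit_forwards(RULES):
        print(f"{name}: WAN {wan} -> {host}:{port} is {state}")
```

A "closed" result for a rule means the device is reachable but the port in the rule is wrong or the service is off; "no-reply" points at routing, the bridge or a firewall rather than the port number.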
 
