Hello
Brand new router 7.11.2
reset configuration with no default configuration
enabled the dns server (to have an open udp port)
just assigned an IP on the eth port where I am connected.
I do a port scan on UDP ports 53 and 1701 so I have a comparison.
53 is open (dns server running)
1701 is closed.
I enable the L2TP server
I repeat scan, 1701 UDP is open, OK!
I disable the L2TP server but the port remains open.
I reboot the router, the port remains open.
I think that is a bug.
How can I close the port, and avoid the service running on that port?
Thank you.
First of all, what does the sniffer show you on the WAN port of the Brand New Router when you run the scanner? The definition of “open port” is not that easy with UDP.
With TCP, if you send the initial SYN packet from a client, the server must respond with a SYN+ACK one so that the session can be established, regardless of the application protocol it carries. So if the SYN+ACK one doesn’t come, the scanner knows nothing is listening on that port even if it gets no ICMP “destination port unreachable” message.
With UDP, if the responder receives a packet it doesn’t understand on the application level, it may silently ignore the packet. So most scanners consider a UDP port open if they don’t get an ICMP “destination port unreachable” back. So it depends on your firewall settings (silent drop vs. reject) what the scanner can see.
What does the sniffer show when you scan UDP port 1701, and what does it show when you scan e.g. port 17010?
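The distinction the reply above draws (a UDP verdict rests on whether an ICMP “port unreachable” comes back, not on a handshake) can be reproduced without a router. The script below is an added example, not code from this thread or from MikroTik: it builds three constructed loopback cases (a listener that never answers, a service that echoes, and a port with nothing bound) and classifies each with the same three verdicts nmap uses for UDP. The names `probe_udp`, `start_silent_listener`, `start_echo_responder`, `pick_closed_port` and `demo` are this example's own.

```python
import socket
import threading

# Possible verdicts, named the way nmap -sU reports them
OPEN = "open"                       # a datagram came back from the application
CLOSED = "closed"                   # ICMP port unreachable (surfaces as ECONNREFUSED)
OPEN_OR_FILTERED = "open|filtered"  # silence: listener ignored us, or a firewall dropped it


def probe_udp(host, port, payload=b"\x00", timeout=1.0):
    """Send one datagram and classify the port from what (if anything) comes back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # On a connected UDP socket the kernel reports the ICMP error as ECONNREFUSED
        sock.connect((host, port))
        try:
            sock.send(payload)
            sock.recv(1500)
            return OPEN
        except ConnectionRefusedError:
            return CLOSED
        except socket.timeout:
            return OPEN_OR_FILTERED
    finally:
        sock.close()


def start_silent_listener():
    """Bind a UDP socket that never answers (constructed stand-in for an idle daemon)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    return sock, sock.getsockname()[1]


def start_echo_responder():
    """Run a tiny UDP service that answers every datagram (constructed stand-in for a responding service)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(1500)
                sock.sendto(data, peer)
            except socket.timeout:
                continue
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1], stop


def pick_closed_port():
    """Find a loopback UDP port with nothing bound, so the kernel answers with ICMP unreachable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def demo():
    """Probe the three constructed cases and return their verdicts."""
    silent_sock, silent_port = start_silent_listener()
    echo_port, stop_echo = start_echo_responder()
    closed_port = pick_closed_port()
    results = {
        "silent listener": probe_udp("127.0.0.1", silent_port),
        "responding service": probe_udp("127.0.0.1", echo_port),
        "nothing bound": probe_udp("127.0.0.1", closed_port),
    }
    stop_echo.set()
    silent_sock.close()
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} -> {verdict}")
```

The “silent listener” and a firewall drop both produce the same silence, which is why a scanner alone cannot settle whether a daemon is bound; a log entry on the device showing the probe reached the service, or a sniffer capture on the interface, is the evidence that separates the two.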
Hello.
The router is new, reset to default with no configuration, as I wrote before.
Blank configuration, no firewall rules.
If I make a port scan in the first state, nmap shows the port closed and that is fine, while it shows 53 open.
After I start and then stop the L2TP server, the port becomes open and stays open. When I port scan the port, I get log entries in the MT log about a new packet from xx.xx.xx on the l2tp facility. I don't have any firewall, as I wrote, it is a blank configuration.
If you make a port scan on 1701 on a blank router, no log entries are logged, nothing answers on that port.
If you enable then disable the L2TP server, you get log entries and the open port, and your packets actually reach the daemon listening there on 1701/udp.
Reboot doesn't help.
I put a firewall rule in the inbound chain but the issue is not resolved, I mean… the service is listening there!