Neither of these worked for any of the ports I tried to pass through.
Interestingly - I have 2 rules that work - one is on 443 and one is on 5000.
The reference to 443 is in the filter rules (TCP port 443 - Action - accept) - if I hit canyouseeme.org it says it's open - if I disable the filter - it's closed. So OK, that seems like something works to me…
The reference to port 5000 is on the NAT tab (TCP port 5000, To Address is 192.168.88.139). NOTE: this address is from a computer that no longer exists. If I change the To Address to 192.168.88.12X the port is no longer reachable from canyouseeme.org.
I was basically just looking to make sure I wasn't blocking some gaming ports in an effort to tune my connection for online gaming. So I was most interested in ports -
TCP: 3074,27015-27030,27036-27037
UDP: 3074,4380,27000-27031,27036
So I set up the first rule for 3074 – IP / Firewall / NAT + (TCP - Port 3074 - Action DST-NAT). The walkthroughs didn't suggest a dest IP so I left that blank - but I experimented and adding a destination IP didn't help either.
Is it possible that my assumption that canyouseeme.org can't see the port means it's not open is wrong?
You can test ports via numerous methods (yougetsignal, portforward as websites, and nmap/zenmap as applications).
Regarding your OS, what's your network described as? Public, work or private? Sometimes you need to set ports in Windows Firewall also, even if it says it's disabled. I had a couple of issues where only disabling the firewall via group policy really disabled the firewall.
but this “add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.125 to-ports=80”
does not work - 192.168.88.125 is a real address - but I can't check for an open port on 80 with this rule …
This “add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.139 to-ports=5000-5001” works, but only if I point the port to a phantom IP that is NOT in use… if I point that rule to an actual PC (192.168.88.125) it fails too.
I also reset the router and tried from a factory reset which does some initial setup (DHCP / Bridged Wlan and LAN etc) and I was still unable to open any ports. I have since restored back to the settings exposed here for simplicity.
There are no other firewalls on the network… Win10 FW is off -
Let's just focus on this one rule - I changed it to add in the suggested to address -
Now if I go to canyouseeme.org - it reports the port is closed - However, if I look at the NAT rule just after checking I can see 60 bytes and 1 packet on the rule line - so that means that traffic is coming in but getting dropped regardless of the rule?
but this “add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.125 to-ports=80”
does not work - 192.168.88.125 is a real address - but I can't check for an open port on 80 with this rule …
How do you check this? Does 192.168.88.125 actually have a webserver (or something else) running on port 80? Maybe it's the firewall on the machine? The gateway of 125 is the router?
I guess it is a Synology so it should just work fine if the gateway is correct, and only port 5000 is needed.
This “add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.139 to-ports=5000-5001” works, but only if I point the port to a phantom IP that is NOT in use… if I point that rule to an actual PC (192.168.88.125) it fails too.
That does not make sense. There shouldn’t be two to-ports=5000-5001 when only one dst-port is configured. That might do the trick.
Also, when testing myself with a DST-NAT to a phantom IP I get this result: http://canyouseeme.org/ → Error: I could not see your service on xx.xx.xx.xx on port (8080) Reason: No route to host
This should then also be the message on your DST-NAT on port 3074? When a port is closed (not configured at all, so blocked) I get the reason: time out.
For the 3074 rule, since you do get a hit on this NAT, the rule is good.
Your firewall rules look default so they should accept all in the DST-NAT but for testing you might want to add:
add action=accept chain=forward dst-port=3074 in-interface=ether1-gateway protocol=tcp
and place it on top.
If it still fails then the endpoint is not configured for this port, or has a firewall on it, or doesn’t know a route back (gateway incorrect?)
Yes, when I turn on the web server - 80 passes through and canyouseeme validates it -
Port 5000 is working because… it should - I had the wrong IP in mind when I said that was a phantom IP - 139 is indeed a Synology NAS - it is online, which is why the rule works.
3074 and the other ranges referenced in the first post might not validate through canyouseeme as I would expect so maybe my assumption is wrong and the rules are working.
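The thread's outcome, that an external checker only reports a dst-nat'ed port as open when something is actually listening on the target, can be reproduced with a temporary listener on the internal host. This is an added example, not code from any poster; the function names `probe` and `start_listener` are assumptions, and the result labels mirror the checker reasons quoted above (time out, No route to host).

```python
import errno
import socket
import threading

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt: open, refused, timeout, no-route, error."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"          # a service answered behind the rule
    except socket.timeout:
        return "timeout"       # packet dropped, or no rule at all
    except ConnectionRefusedError:
        return "refused"       # host reachable, nothing listening on the port
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "no-route"  # e.g. dst-nat pointing at an address not in use
        return "error"
    finally:
        s.close()

def start_listener(port=0, bind="0.0.0.0", count=1):
    """Accept `count` TCP connections, record each peer IP, then stop listening.

    Returns (actual port, list of peer IPs, worker thread). port=0 picks a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    peers = []

    def loop():
        for _ in range(count):
            conn, addr = srv.accept()
            peers.append(addr[0])  # source address seen after NAT
            conn.close()
        srv.close()

    worker = threading.Thread(target=loop, daemon=True)
    worker.start()
    return srv.getsockname()[1], peers, worker

if __name__ == "__main__":
    # Run on the dst-nat target (e.g. the to-addresses host), then re-run the
    # external port check against 3074 and watch for the checker's address.
    port, peers, worker = start_listener(3074)
    print(f"listening on TCP {port}, waiting for one connection")
    worker.join()
    print("connection received from", peers[0])
```

If the external check turns to open while this listener runs and goes back to closed once it exits, the NAT rule is working and the earlier result only reflected the absence of a service on that port.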