ASUS AC routers won’t port forward

[Jere Larson]

Hello Sir

This is an inspired idea !! When I woke for a bit (it was 4:35 in Florida), I couldn’t wait to try it !!! I was really hopeful !!! Oh the Shuckens. Foiled by this gremlin again.

Great idea !!

Kind Thanks for you interest and help !!

Jere

PS - Also tried 0.0.0.0:0000, 0.0.0.0:00, 0.0.0.0:0 and 0.0.0.0/0000 but the ASUS GUI didn’t like the format ...

 

[Jere Larson]

PS - Also tried 0.0.0.0:0000, 0.0.0.0:00, 0.0.0.0:0 and 0.0.0.0/0000 but the ASUS GUI didn’t like the format ...

PPS - Hi eibgrad - I just now tried using my

 

[Jere Larson]

PPS - Hi eibgrad - I just now tried using my

PPS - Hi eibgrad - I just now tried using my laptop current IP in the source IP field when trying to access one of my resources in Anchortown.

Nope ...

BTW, does any one know how I can cancel (bail on) my reply once I’m in edit. This forum engine seems very powerful, but I’m a newbe. I’ll rtfm on the system when I wake up !!

 

[dave14305]

Anyway, your question might be beyond my paygrade. This is how I’ve always done it on LinkSys and Netgear, specifying the external and internal ports numbers and the local LAN IP of the resource ...

So to connect to LR Window from within the LAN you use http://192.168.1.241:8241/ ? Just seems odd (to me) to have custom ports on the LAN side (internal port).

 

[Jere Larson]

So to connect to LR Window from within the LAN you use http://192.168.1.241:8241/ ? Just seems odd (to me) to have custom ports on the LAN side (internal port).

Good Morning Dave !!

Hope your neck is better .

That’s correct - my home resources - temperature sensors, cameras, moisture / leak detectors etc. all require a port to be specified to allow external Wan access.

To access this resource externally, I would use - “MyDomain.dyndns.org:8241”

This all has worked perfectly, using earlier LinkSys and Netgear routers as my network has grown become more comprehensive.

My incentive for ASUS is AiMESH, which I have tested extensively earlier and I couldn’t be happier. It’s rock solid in my experience and provides remarkable, seamless WiFi performance.

To sanitize this port forwarding test environment, I’m not using AiMESH ...

I just checked to verify - tried accessing several resources using “192.168.1.241” and this fails locally. I remember one or two resources that I could access without the port, but I don’t remember which. I just always access the recourses locally with the 8xxx port included. This works in all cases.

Again, Kind Thanks for your interest and help. This one has me really stumped.

Sincerely, Jere

 

[ColinTaylor]

So I assume the answer was to clone the old MAC to the new router.

Yes, or in some cases you can just ask your ISP the turn off the CGNAT.

 

[Jere Larson]

Yes, or in some cases you can just ask your ISP the turn off the CGNAT.

Hi Colin !!

Other than the cable modem, my ISP has no interest in any MAC address.

No CGNAT is involved. I searched my ISP
and they don’t offer it.

My ISP has been real straightforward. They don’t block ports and restrict things.

I appreciate your interest in this perplexing problem. I’d be pleased to brainstorm if you have an idea.

Sincerely, Jere

 

[ColinTaylor]

I don't have any ideas beyond those already discussed. The most likely idea was that of Dave in post #24.

How do you normally access these devices using these port numbers? Do you have special client software or some sort of web interface?

EDIT: I found a user manual for a "ISY994I Home Automation Controller". Is this your device at 192.168.1.241 ? The manual suggests that the user interface is accessed with a web browser using the standard ports, 80 and 443. So you are saying that you have gone into its network settings and changed one of these ports to 8241. Are you sure about that? Which did you change, http or https?

 

[Jere Larson]

I don't have any ideas beyond those already discussed. The most likely idea was that of Dave in post #24.

How do you normally access these devices using these port numbers? Do you have special client software or some sort of web interface?

EDIT: I found a user manual for a "ISY994I Home Automation Controller". Is this your device at 192.168.1.241 ? The manual suggests that the user interface is accessed with a web browser using the standard ports, 80 and 443. So you are saying that you have gone into its network settings and changed one of these ports to 8241. Are you sure about that? Which did you change, http or https?

Hi Colin !!

Thanks for the good questions ! Wow, good research !! Yes, the ISY-994i is at ...241. We should not really include this device. It is an exceptional product. I put it in the PF table as an obscure test. It opens it own port it appears, much like a Ring doorbell. I can also access the remote port for the ASUS backdoor GUI. No other device can be accessed remotely.

Each class of device has had its own interface. Many, like cameras, have numerous different options for iOS APPS. Some device types have their own built in web type services. You hit their LAN address locally, or remotely through a port, and they establish an HTTPS session with you, through their internal GUI.

If my ports are open, as reported by any port scanner, everything works fine i.e. using my old LyncSys or Netgear routers.

On ASUS routers, the only ports that are open are the ISY-994i and the ASUS remote administration port, which doesn’t require an entry in the Wan PF table.

One possibly useful observation is from the “Network Analyzer” iOS app. I has a great port scanner in the toolkit. You can give it list of ports, ranges etc. It keeps these lists. If a port is open, there is a green dot next to the port number. Closed ports are red dot, and firewall blocked ports are grey dot. It’s strange - my only green ports are the ISY, and the remote ASUS GUI. All other ports are grey dot (blocked by a firewall). My list of scanned ports is some 17. In my test routers, I only have 5 or 6 entries in my PF table. All the other ports in my scan list have grey dots, including the ones I don’t mention to ASUS.

Many Thanks for your help !!!

Sincerely, Jere Larson

 

[ColinTaylor]

OK. Looking at the X-300 and X-300M specifically. How exactly have you determined that the internal ports for those devices are 8201 and 8202 respectively?

 

[Jere Larson]

OK. Looking at the X-300 and X-300M specifically. How exactly have you determined that the internal ports for those devices are 8201 and 8202 respectively?

Hello Colin and SNB !!

The X-300 is an IP based temperature engine. It allows 10 individual solid state temp sensors to be displayed. It is VERY programmable. When received, you browse to 192.168.?.? (I don’t remember the factory address). Then you configure a bunch of things - Names for each sensor, C or F, calibration data (ice water and boiling if you want super accuracy). And then you specify the LAN IP and WAN port. Neat module - din-rail - size of a cigarette pack - Phoenix connectors - inexpensive. When you browse to it, either locally or thru a remote forwarded port, it answers HTTPS.

The X-300M is my weather station - wind direction and speed, inside and outside temperatures, humidity and rainfall. Operates exactly like the X-300.

As I said, the access method is different for each resource type.

Thanks for the good questions. The fix is out there !!

Sincere Thanks, Jere

 

[ColinTaylor]

OK I think I've found the manual for the X-300. There's no mention of accessing it through HTTPS only HTTP. The also no mention of a dedicated WAN port only the normal HTTP port setting which defaults to 80. I'm assuming that it's this setting that you have changed to 8201 or did you leave it at 80?

 

[Jere Larson]

OK I think I've found the manual for the X-300. There's no mention of accessing it through HTTPS only HTTP. The also no mention of a dedicated WAN port only the normal HTTP port setting which defaults to 80. I'm assuming that it's this setting that you have changed to 8201 or did you leave it at 80?

Colin -

The X-300 is obsolete and no longer marketed. HTTPS was available late in life as a firmware upgrade. I bought one of the first with this feature. Please don’t spend any more time studying my attached devices. They are quite varied in architecture. They all work perfectly if the router opens the ports.

The local network devices are irrelevant to the problem I’m trying to solve.

 

[ColinTaylor]

OK, fair enough. But in the absence of any other ideas I was trying to focus on understanding one specific device on the assumption that a solution for that would lead to a solution for the others.

My understanding from what you said in post #29 is that this port forwarding issue is not effecting all LAN devices only some, because it is working for the ISY-994i and Ring doorbell. Or did I misinterpret that?

 

[Jere Larson]

OK, fair enough. But in the absence of any other ideas I was trying to focus on understanding one specific device on the assumption that a solution for that would lead to a solution for the others.

My understanding from what you said in post #29 is that this port forwarding issue is not effecting all LAN devices only some, because it is working for the ISY-994i and Ring doorbell. Or did I misinterpret that?

That’s essentially true Colin. Ring is completely outside any port involvement.

It grabs a local IP via DHCP and that’s it !!

I do nothing for it or for my Ring Chime annunciator.

ISY has become a red hearing in this discussion. I had added it to my PF table as an unlikely and obscure test. But the ISY, like Ring, has its own abilities to be accessed by the outside.

Trust me, the ISY isn’t revalent to our ASUS closed ports problem.

As I’ve indicated, the remote administration port ( 8??? ) is opened by the ASUS routers if enabled. There is no entry required in the PF table.

I’ve uncovered some interesting data from my own testing. I’m late for a meeting just now, but I’ll explain when I have a few minutes,

Thanks for your help Colin !!

Sincerely, Jere

 

[Jere Larson]

Hello SNB Forum -

I’ve discovered something that narrows things down. Searching Google, I’ve found a number of posts to various forums which clearly indicate that Port Forwarding is not available if the internal ASUS firewall is enabled.

One responder said - Sorry, you will have to choose one or the other. If you really need Port Fowarding, you will need to provide a firewall function elsewhere, possibly in your Windows or Linux game server.

The PF inop cases were “solved” by disabling the ASUS firewall.

I was under the impression that I should just enable the ASUS firewall and forget it.

So now, I try very specific port scans with the firewall on and off. Bit of a breakthrough !!

I use “Network Analyzer” an iOS app. I has a great port scanner in the toolkit. You can give it list of ports, ranges etc. It keeps these lists.

After a scan completes, there is a dot next to each port number:

The dot is GREEN - the port is open and there is somebody answering IP on that port.

The dot is RED - the port is closed ( nobody home to answer IP ).

The dot is GREY - the port is blocked by a firewall.

I am scanning only some 15 individual ports from 8200 and up to the ASUS remote administration webui port. So with the firewall enabled, every port is GREY - (firewall blocked) except GREEN for the ISY and the ASUS remote administration webui port.

Again, ISY is a red hearing. It punches its own whole through firewalls. Beyond my pay-grade how, but it’s irrelevant.

Now, with the firewall disabled, we have a Brave New World !!

Scanned ports not in the Port Forward table are now RED !!! (nobody’s home).

Every port in the PF table are now GREY (blocked by firewall).

No change to ISY and ASUS remote admin, still GREEN.

I can change any RED port to GREY by adding it to the PF table.

It’s as though the firewall function is still blocking any ports in the PF table. There is no other firewall function in the path here. There are a couple Win10 Pro PCs as WiFi clients and they’re running the MS firewall, but they aren’t in the path to my various IOT local devices.

At one time, I thought my ISP could possibly be blocking the ports. Now that I can block them at will by adding them to the PF table, the problem is clearly inside the AX11000 or the RT-AC68U, which exhibit identical behavior.

Is it possible that there’s a subtle firmware issue I’ve stumbled upon and awakened ??

What is going on at ASUS these days ??

Would their Tech Support guys respond to a concisely worded problem description ??

What about DD-WRT which IS available for the RT-AC68U ?? Any chance they support AiMESH WiFi ??

AiMESH is amazing technology and I’ve tested the hell out of it ...

It exceeded every expectation.

AiMESH is the only reason I’m transitioning from Netgear.

This has been a difficult one. I’m approaching 40 hours on this dammed problem.

Thanks for ANY ideas. Not yet desperate, but I’m getting there ...

Sincerely, Jere Larson

 

[ColinTaylor]

Do you have a link to that discussion about having to disable the firewall? If that's true it would be a huge bug in a fundamental part of the router's operation.

But from what you said turning off the firewall should immediately give you access to your remote devices.

The change in coloured dots in your Network Analyzer is normal behaviour when the firewall is enabled/disabled. You should get exactly the same results from scanning any other random ports ranges that are not open or forwarded.

 

[Gene S]

Hello SNB Forum -

I’ve discovered something that narrows things down. Searching Google, I’ve found a number of posts to various forums which clearly indicate that Port Forwarding is not available if the internal ASUS firewall is enabled.

One responder said - Sorry, you will have to choose one or the other. If you really need Port Fowarding, you will need to provide a firewall function elsewhere, possibly in your Windows or Linux game server.

The PF inop cases were “solved” by disabling the ASUS firewall.

I was under the impression that I should just enable the ASUS firewall and forget it.

So now, I try very specific port scans with the firewall on and off. Bit of a breakthrough !!

I use “Network Analyzer” an iOS app. I has a great port scanner in the toolkit. You can give it list of ports, ranges etc. It keeps these lists.

After a scan completes, there is a dot next to each port number:

The dot is GREEN - the port is open and there is somebody answering IP on that port.

The dot is RED - the port is closed ( nobody home to answer IP ).

The dot is GREY - the port is blocked by a firewall.

I am scanning only some 15 individual ports from 8200 and up to the ASUS remote administration webui port. So with the firewall enabled, every port is GREY - (firewall blocked) except GREEN for the ISY and the ASUS remote administration webui port.

Again, ISY is a red hearing. It punches its own whole through firewalls. Beyond my pay-grade how, but it’s irrelevant.

Now, with the firewall disabled, we have a Brave New World !!

Scanned ports not in the Port Forward table are now RED !!! (nobody’s home).

Every port in the PF table are now GREY (blocked by firewall).

No change to ISY and ASUS remote admin, still GREEN.

I can change any RED port to GREY by adding it to the PF table.

It’s as though the firewall function is still blocking any ports in the PF table. There is no other firewall function in the path here. There are a couple Win10 Pro PCs as WiFi clients and they’re running the MS firewall, but they aren’t in the path to my various IOT local devices.

At one time, I thought my ISP could possibly be blocking the ports. Now that I can block them at will by adding them to the PF table, the problem is clearly inside the AX11000 or the RT-AC68U, which exhibit identical behavior.

Is it possible that there’s a subtle firmware issue I’ve stumbled upon and awakened ??

What is going on at ASUS these days ??

Would their Tech Support guys respond to a concisely worded problem description ??

What about DD-WRT which IS available for the RT-AC68U ?? Any chance they support AiMESH WiFi ??

AiMESH is amazing technology and I’ve tested the hell out of it ...

It exceeded every expectation.

AiMESH is the only reason I’m transitioning from Netgear.

This has been a difficult one. I’m approaching 40 hours on this dammed problem.

Thanks for ANY ideas. Not yet desperate, but I’m getting there ...

Sincerely, Jere Larson

Hi Jere, This thread is from a while back I know. But where you able to fix your ASUS router port-forwarding issue? I seem to be having a similar problem with my RT AX82U. I've tried everything I can imagine to fix it, but the router just doesn't want to forward. I don't know why, could it be a hardware malfunction issue? My last resort would be to RMA it with ASUS.

 

[Indi]

Hello SNB Forum -

I’ve discovered something that narrows things down. Searching Google, I’ve found a number of posts to various forums which clearly indicate that Port Forwarding is not available if the internal ASUS firewall is enabled.
Sincerely, Jere Larson

was that just an Asus thing?
I've always used internal FW and port forwarding but not had an Asus before.

Currently using both on RT-AC5300,works fine.

 

[cxmachi]

Another super late bump to this post, but did this ever gets resolved? I am once again having the same issue on an Asus router (AX68U) and I am unable to port forward at all. The ports are forwarded fine on the old router. Getting the same IP from the ISP, not CGNAT, port forwards are listed fine in the System Log section. Tried everything.