Disabled ISP Firewall Still Restricting Traffic?

PinkFloydEffect

Regular Contributor
Frontier is my ISP (they bought Verizon's Fios network), so I have a fiber line running to an ONT on my property. From the ONT there is copper Ethernet running to the firewall/router/switch/AP that the ISP provided.

I had Sprint send me their Airave 3 LTE extender, which rides on the LAN and pipes out to one of Sprint's terminals somewhere. I have been trying for 2 months to get this thing to work, and even had a new unit sent to me with no luck. The directions say to open four ports in the firewall, which I did, but it could not connect to their network, so this has made it so far up the chain that I am now in direct contact with one of Sprint's engineers. It was suggested I try provisioning it within a DMZ to troubleshoot this; the ISP firewall has no DMZ setting, so for testing purposes I physically disconnected all my devices and disabled the firewall. This did not work.

I put a switch between the ONT and the firewall, tapping off that for the LTE extender, and bam, it worked! This really does not make any sense to me. I called Frontier and they said none of the four ports I need are blocked, so why would their firewall restrict traffic when it is disabled? Sprint has basically left this problem between me and the ISP, saying they cannot connect to their device, which ultimately is correct; it does not seem like Sprint's problem.

My plan is to ditch the ISP firewall and buy a Ubiquiti security gateway, which should surely give me the access I need. However, I would still love to know why mine has a restriction in disabled mode. The model is an Arris NVG468MQ.
 
Directions say to open four ports in the firewall which I did but it could not connect to their network...
Which 4 ports and how are you "opening" them?

From the Sprint FAQ:

Do specific ports need to be enabled on the customer's router for the AIRAVE to work?

Installation of the AIRAVE should be simple plug and play. AIRAVE uses standard ports to connect to the Sprint network via the Internet. If your AIRAVE cannot connect to the Sprint network because of a unique network configuration, you may need to open the following UDP ports on your switch, router or firewall that the AIRAVE access point is connected to: 53, 67, 68, 500 and 4500. Contact your broadband Internet provider, router manufacturer or network administrator for detailed instructions on how to open ports on your equipment.
Note that they are talking about "opening" outgoing ports, not port forwarding incoming ports. Most routers have all outgoing ports open by default.

Let's look at the specific ports:

Ports 53, 67 & 68 are DNS and DHCP. DNS should work without any changes unless you have some unusual DNS interception happening on your router, like Ad-Blockers. If so, turn off the Ad-Blocker. DHCP doesn't travel beyond the local network so obviously nothing needs to be done on the firewall for that.

Ports 500 & 4500 are the important ones because they are used by IPsec and are essential for the operation of the Sprint femtocell. NAT is a problem, so port 4500 is used for NAT traversal. Short answer: to make IPsec work over NAT you usually need to enable the "helper" in the router's firewall. Look for an option called something like "IPsec Passthrough".

Note that this assumes that your router/firewall is connected directly to the internet (has a public WAN IP address) and is not behind a Carrier-grade NAT (CGN) or another NAT device (double NAT).

I don't know about Sprint in the US, but in the UK femtocells also need UDP port 123 open for NTP. UK femtocells will not work without access to NTP.
 
Excellent response sir!

The ports I am working with are 53, 67, 500, & 4500.

I think you may be onto something here. I indeed used the "port forwarding" section for what I thought was opening a port or range to both incoming and outgoing if I selected TCP/UDP and not just one or the other.

To my knowledge I have no DNS interception present.

I found "IPsec Passthrough" under "ALG Passthrough" and the IPsec is enabled. The only things disabled are PPTP & SIP.

I had to open port 3478 UDP for the STUN functionality of my Ubiquiti AP to work. I did this through the "port forwarding" section of my firewall and the STUN error went away, so the port forwarding effectively opened a port, so I am not sure why it does not work with the Sprint device.

PS - If the Sprint extender is operating outside my firewall, does that mean my phone is operating unprotected? Anyone with my public IP could penetrate the Sprint device since there is nothing keeping them out?
 
I think you may be onto something here, I indeed used the "port forwarding" section to what I thought was opening a port or range to both incoming and outgoing if I selected TCP/UDP and not just one or the other.
You should remove any port forwarding rules you have for those 4 ports as they might actually prevent it from working. In theory it should "just work".
PS - If the Sprint extender is operating outside my firewall, does that mean my phone is operating unprotected? Anyone with my public IP could penetrate the Sprint device since there is nothing keeping them out?
No, because the device creates an encrypted tunnel between itself and Sprint. An attacker would have to break the encryption (not going to happen). EDIT: Well it depends on what you mean by "outside my firewall". The device will still need to be inside your LAN, unless you have more than one public internet connection.
 
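The points made in the replies above, that outbound UDP normally needs no rule at all while port forwarding only affects unsolicited inbound traffic, that IPsec detects a NAT and moves to UDP 4500, and that nobody on the Internet can simply reach the femtocell behind the router, as an added worked example. This is not code from the thread, from Sprint or from Arris: it is a toy stateful-NAT router plus the IKEv2 NAT_DETECTION hash from RFC 7296 section 2.23 and the UDP 4500 packet format from RFC 3948. The addresses, SPIs and the router class are constructed for the example and do not model any particular product.

```python
"""
Added example (not from the forum thread, Sprint or Arris): why outbound
UDP 500/4500 "just work" through a stateful home router with no port-forward
rules, how the IKEv2 peers notice the NAT (RFC 7296 s2.23) and move to UDP
4500, and how packets on UDP 4500 are told apart (RFC 3948).
All addresses, SPIs and the router model are constructed for the example.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # IKE_SA_INIT starts here
NAT_T_PORT = 4500   # IKE + UDP-encapsulated ESP once a NAT is detected


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP data per RFC 7296 s2.23:
    SHA-1(SPIi | SPIr | IP address | port), port as 2-byte big-endian."""
    return hashlib.sha1(
        spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()


class StatefulNatRouter:
    """Toy home router: source NAT plus connection tracking (constructed).

    Outbound UDP from the LAN is always allowed and creates a mapping; a reply
    matching that mapping is let back in; any other inbound packet is dropped
    unless a port-forward rule exists for its destination port. Port forwards
    only ever influence unsolicited inbound traffic."""

    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        self._next_port = 40000
        self._out = {}      # (lan_ip, lan_port, dst_ip, dst_port) -> wan_port
        self._in = {}       # (wan_port, peer_ip, peer_port) -> (lan_ip, lan_port)
        self.forwards = {}  # wan_port -> (lan_ip, lan_port)  (port-forward rules)

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """Translate an outbound packet; returns the (ip, port) the peer sees."""
        key = (lan_ip, lan_port, dst_ip, dst_port)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[(self._next_port, dst_ip, dst_port)] = (lan_ip, lan_port)
            self._next_port += 1
        return self.wan_ip, self._out[key]

    def inbound(self, peer_ip, peer_port, wan_port):
        """Return the LAN (ip, port) that receives the packet, or None if dropped."""
        tracked = self._in.get((wan_port, peer_ip, peer_port))
        if tracked is not None:
            return tracked                      # reply to a tracked flow
        return self.forwards.get(wan_port)      # unsolicited: forward rule or drop


def classify_udp4500_payload(data: bytes) -> str:
    """RFC 3948: on UDP 4500 a 4-byte zero 'non-ESP marker' precedes IKE,
    an ESP packet starts with its non-zero SPI, and a lone 0xFF byte is a
    NAT keepalive."""
    if data == b"\xff":
        return "NAT-keepalive"
    if data[:4] == b"\x00\x00\x00\x00":
        return "IKE"
    return "ESP"


def simulate_ike_sa_init(router: StatefulNatRouter, femto_ip: str, sprint_ip: str):
    """First IKEv2 round trip through the router: what the responder concludes
    about NAT, which port the SA will use, and whether the reply got home."""
    spi_i = bytes.fromhex("0123456789abcdef")  # constructed initiator SPI
    spi_r = bytes(8)                           # zero in the IKE_SA_INIT request

    # Initiator hashes the address/port it believes it is sending from.
    claimed = nat_detection_hash(spi_i, spi_r, femto_ip, IKE_PORT)
    # The packet crosses the router, which rewrites the source.
    seen_ip, seen_port = router.outbound(femto_ip, IKE_PORT, sprint_ip, IKE_PORT)
    # Responder recomputes the hash over what it actually observed.
    observed = nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)
    nat_detected = claimed != observed
    # The responder's reply matches the tracked flow and reaches the femtocell
    # with no port-forward rule at all.
    reply_dst = router.inbound(sprint_ip, IKE_PORT, seen_port)
    return {
        "nat_detected": nat_detected,
        "sa_port": NAT_T_PORT if nat_detected else IKE_PORT,
        "reply_reached_femto": reply_dst == (femto_ip, IKE_PORT),
    }


if __name__ == "__main__":
    r = StatefulNatRouter(wan_ip="198.51.100.7")
    print(simulate_ike_sa_init(r, "192.168.1.50", "203.0.113.10"))
    # An unsolicited packet from elsewhere on the Internet to UDP 500 is dropped.
    print(r.inbound("203.0.113.99", 500, 500))
    print(classify_udp4500_payload(b"\x00\x00\x00\x00" + b"\x01" * 28))
```

Running the script shows the NAT being detected (the two hashes differ because the router rewrote the source address and port), the SA moving to UDP 4500, and the responder's reply being delivered purely from connection-tracking state. Adding an entry to `r.forwards` changes only what happens to unsolicited inbound packets; it never changes the outbound path, which is why a port-forward rule is not what "opens" these ports for the femtocell's own tunnel.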
Wow, I must be blind! I found the DMZ function in my firewall. There seem to be a few ways to set it up and I could use some advice. It does not seem to dedicate a particular port to a DMZ; rather, you can select the device from any port. There are two "types": one is "default server" and the other is "share IP address with WAN". When I choose default server it allows me to choose a device IP from the drop-down box below. If I choose share IP with WAN, rather than selecting an internal address it enables pass-through mode, which gives me three options to choose from: Manual, DHCPS-dynamic, and DHCPS-fixed. What's nice is the fixed option allows me to fix the DMZ to a MAC. So from my thinking, it seems like you have two ways of "locking" the DMZ to a particular device, its IP or its MAC. The MAC method seems more secure to me even if your IP is static, but possibly not as easy to change out the device/client if it failed, though that only applies to dynamic; a static IP lock would be in the same non-functioning state if the unit was replaced.

Help? :)

[attached screenshot of the firewall's DMZ settings page]
 
Sorry, I'm not familiar with those features.

That said, looking at this, DHCPS-fixed would be the first thing I would try. I see the warning on your screen shot about DHCP reservations, so if you're using DHCPS-fixed make sure that you haven't setup a reservation for the MAC address.
 
I have not set up any reserved dynamic IPs, so I figured it would not apply to me. The only thing reserved is the firewall IP itself, and possibly the ONT. Now that I think of it, possibly also MoCA devices such as my set-top boxes as well.
 