Fresh Merlin install and blocked inbound ports

jernau

Regular Contributor
I've recently swapped out my RT-AC3200 for an RT-AC88U with a from-scratch config on 384.15.

One weird issue I'm facing is that I run a web server in my internal LAN on a port forward using the standard port 80. No issues on my old router running 384_13_4 using a port forward for this, but on a fresh 384.15 I get connection refused.

When I looked in the iptables nat rules I see this:

-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:40870

Anyone have any idea what part of the config is causing this entry to be generated? I'm sure I'm being dumb and it's down to not having done a config from scratch for a while.

Anyway, thanks to @RMerlin for the great work on this firmware!
 
I certainly don't have IFTTT, Alexa or remote WAN access turned on, and I even ensured the Asus NAT tunnel was disabled. The weird thing is there is nothing listening on port 40870 on the router, so I have no idea why this port forward is being automatically generated.

If I remove the rule via SSH, my port forward to my web server on the LAN works fine. I have temporarily put an iptables rule in /jffs/scripts/firewall-start as a work-around, but this is not always triggered depending on the changes made in the GUI, and this auto-generated port forward seems quite persistent.

Edit - I did wonder if this was something to do with letsencrypt certificate validation, but I have turned off letsencrypt and still it persists.
 
Might be worth checking your remote access settings at the bottom of Administration > System.

firewall.c
Code:
    if (strcmp(config, "vts_rulelist") == 0) {
        // need multiple instance for tis?
        if (nvram_get_int("misc_http_x")) {
#ifdef RTCONFIG_HTTPS
            int enable = nvram_get_int("http_enable");
            if (enable != 0) {
                wan_port = nvram_get_int("misc_httpsport_x") ? : 8443;
                fprintf(fp, "-A VSERVER -p tcp -m tcp --dport %d -j DNAT --to-destination %s:%d\n",
                    wan_port, lan_ip, nvram_get_int("https_lanport") ? : 443);
            }
            /* do not support http (enable != 1) */
#else
            {
                wan_port = nvram_get_int("misc_httpport_x") ? : 8080;
                fprintf(fp, "-A VSERVER -p tcp -m tcp --dport %d -j DNAT --to-destination %s:%d\n",
                    wan_port, lan_ip, nvram_get_int("http_lanport") ? : 80);
            }
#endif
        }
    }
 
Similar thinking to @Dabombber's suggestion, try running these commands on the router and see if you get anything.
Code:
nvram show | grep 40870

netstat -nlp | grep 40870
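As an added example (not code from the thread or from the firmware), the decision the firewall.c branch above makes is replayed from an nvram dump, next to a check that flags VSERVER DNAT rules pointing back at the router's own LAN IP that the firmware logic does not account for, which is what the two diagnostic commands above are hunting for. It assumes an RTCONFIG_HTTPS build, the nvram names from the snippet plus lan_ipaddr, and the sample nvram and rule listings are constructed; on a live router feed it the real `nvram show` and `iptables -t nat -S VSERVER` output as the commented lines show.

```shell
#!/bin/sh
# Constructed `nvram show`-style dump (not the poster's router): remote WAN web access on,
# HTTPS WAN port left at the default (8443), LAN side on 443.
SAMPLE_NVRAM='lan_ipaddr=192.168.1.1
misc_http_x=1
http_enable=1
misc_httpsport_x=
https_lanport=443'

# Constructed `iptables -t nat -S VSERVER` listing that includes the rule from the thread.
SAMPLE_RULES='-N VSERVER
-A VSERVER -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.1:443
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:40870
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.50:443'

# nv KEY DUMP: like `nvram get KEY`, but read from a text dump so this runs anywhere.
nv() { printf '%s\n' "$2" | sed -n "s/^$1=//p"; }

# The rule the firewall.c branch emits on an RTCONFIG_HTTPS build (assumed here), or
# nothing when misc_http_x is 0/unset or http_enable is 0/unset. $1 = nvram dump.
expected_remote_access_rule() {
    x=$(nv misc_http_x "$1");  [ "${x:-0}" -ne 0 ] || return 0
    e=$(nv http_enable "$1");  [ "${e:-0}" -ne 0 ] || return 0
    wan_port=$(nv misc_httpsport_x "$1"); wan_port=${wan_port:-8443}   # the `?:` defaults
    lan_port=$(nv https_lanport "$1");    lan_port=${lan_port:-443}
    printf '%s\n' "-A VSERVER -p tcp -m tcp --dport $wan_port -j DNAT --to-destination $(nv lan_ipaddr "$1"):$lan_port"
}

# Print "wanport targetport" for each DNAT rule on stdin whose target is the router's
# own LAN IP and which is not the rule the firmware logic explains. $1 = nvram dump.
unexplained_self_dnat() {
    expected=$(expected_remote_access_rule "$1")
    grep -- '-j DNAT' | grep -v -F -x -- "${expected:-no-such-rule}" \
      | awk -v ip="$(nv lan_ipaddr "$1")" '{
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dp = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            split(dst, d, ":")
            if (d[1] == ip) print dp, d[2]
        }'
}

# Live use on the router (commented out so the sample runs offline):
#   iptables -t nat -S VSERVER | unexplained_self_dnat "$(nvram show 2>/dev/null)" \
#     | while read -r wp tp; do netstat -nlp | grep -q ":$tp " || echo "WAN $wp -> $tp: no listener"; done
printf '%s\n' "$SAMPLE_RULES" | unexplained_self_dnat "$SAMPLE_NVRAM"   # prints: 80 40870
```

A hit with no listener behind it, as in the thread, means the redirect is not coming from this code path and the next place to look is whatever else writes to the nat table (scripts in /jffs, LAN clients using UPnP).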
 

Before doing your 'from scratch config' (which I'm assuming was manually and minimally copying the settings from your previous router to the new one, without using a saved backup config file), did you first do a full reset to factory defaults after flashing the RMerlin firmware to the RT-AC88U? (Including checking the 'Initialize all settings...' checkbox too)?

It may even help to perform a full reset/Initialize, flash the (same) firmware again, and perform another full reset/Initialize too to get the router to a good/known state. It's not there now. :)

Please see the link in my signature below for the M&M Config and also the Nuclear Reset guides for further details to get your router and entire network to a good/known state.

HTH.
 

Thanks for the suggestion and very useful links. Yes, I did do a full reset, flashed RMerlin and then reset again. I will look to reset again at some point; unfortunately, owing to working from home given the current climate, I'm not in a position to do a full reset right now.
 
Don't forget to run Colin's commands in post #6. It will help us narrow things down with you.
 

Thanks for the suggestion. Both commands reveal a big fat nothing on matches. Given I haven't copied across an old config and reset when I flashed RMerlin, I'm very perplexed as to where this rule is being generated from. There is no way I would create such a rule even if I had copied across an old config, so it looks very suspect; why would one redirect any inbound traffic on port 80 to this random port on the router itself?

myuser@Router:/# netstat -npl |grep 40870
myuser@Router:/# nvram show |grep 40870
size: 67371 bytes (63701 left)
myuser@Router:/#
 
Very strange. When you reboot your router does the rule appear straight away (as far as you can tell)? I'm wondering whether it's the router creating the rule or some client on the LAN.

Is it always the same port number?
 
Well, I've rebooted the router a few times and have now been unable to re-create the issue, as the rule is no longer being created. I'm a little stumped as to how this happened in the first place, so will keep an eye on it just in case it is a LAN client doing this. Thanks all for your help and support.
 