Port 10 Open & Responding to ICMP request?

[SevenFactors]

I recently got AT&T as my ISP. The combo-box router they left me with is a Pace 5268ac. What a nightmare of interface.

I've set my RTN66U on what they call DMZ+ so that it may access WAN directly, do all the firewall business & handle my LAN/WLAN. When I do this everything seems to work find. Going to ShieldsUP, for some reason, reveals that Port 10 is open & responding to ICMP requests.

On contrast, when I place the RTN66U back in the Pace_5268ac's private IP pool, ShieldsUP reports full stealth across the board but then I'm dealing with Double NAT issue. What gives, huh.

I've no idea what port 10 is used for but I was wondering that perhaps Port 10 deals with the firmware update checkup ??

I would place RTN66U back on WAN & test it out myself but the Pace interface is buggy & I'm about to just kick it.

Any ideas? Has anybody else ran into this with their ATT combo-box network setup?

Thanks

 

[RMerlin]

Ports do not respond to ICMP, only to TCP or UDP. You probably misinterpreted the test results.

 

[SevenFactors]

Ports do not respond to ICMP, only to TCP or UDP. You probably misinterpreted the test results.

Hello RMerlin,

This is a text reports from shieldsup.
---RTN66U is already set to not respond to ICMP echo request from WAN.

GRC Port Authority Report created on UTC: 2017-05-08 at 16:03:31

Results from scan of ports: 0-1055

1 Ports Open
0 Ports Closed
1055 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be CLOSED.

The port found to be OPEN was: 10

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

 

[Zirescu]

Do you have UPNP enabled? Could be that one of the computers behind the router opened the port for gaming?

 

[RMerlin]

Do you have UPNP enabled? Could be that one of the computers behind the router opened the port for gaming?

By default, Asuswrt will refuse to forward privileged ports (ports between 1 and 1023), for security reasons.

- A PING REPLY (ICMP Echo) WAS RECEIVED.

Chances are it's the modem in front of your router that isn't bridged, and is replying to PING requests.

Same thing could be the case with port 10, unless it's your ISP that's filtering that port (some ISPs will filter ports within their network, causing false positives with remote scanners). Port 10 isn't officially allocated to any application, however a quick web search shows that Dark Age of Camelot uses that port (which sounds like a bad idea to me, since it's not an ephemeral port if it's true).

You can check on your router which ports are open/forwarded/in use, through System Logs -> Port Forwarding and Connections.

 

[CaptainSTX]

If you are not comfortable with the modem/router combination from your ISP there isn't any real disadvantage of running a double NAT and for some setups/ people it provides advantages. Nothing wrong with trying it and seeing for yourself.

Assign your N66 a static WAN IP using the PACE box. Then assign your N66 to get its WAN IP using DHCP.

Run a cable from a LAN port on your pace to the WAN port on your N66.

Set a LAN IP for you N66 in a different subnet than the PACE subnet. The DHCP pool for the devices connecting to the N66 will now be in this subnet also.

You should be good to go.

Some of the advantages of the double NAT is that you can run a guest network on the PACE, some or all of your IoT devices particularly those devices where you aren't convinced that have adequate security and if they should be hacked the hackers will not easily be able to connect to devices attached to the N66 if you have disabled access from the WAN on all interfaces.

 

[SevenFactors]

Do you have UPNP enabled? Could be that one of the computers behind the router opened the port for gaming?

No issues with the UPnP service. With it on or off shieldsup yields the same result.

 

[SevenFactors]

By default, Asuswrt will refuse to forward privileged ports (ports between 1 and 1023), for security reasons.



Chances are it's the modem in front of your router that isn't bridged, and is replying to PING requests.

Same thing could be the case with port 10, unless it's your ISP that's filtering that port (some ISPs will filter ports within their network, causing false positives with remote scanners). Port 10 isn't officially allocated to any application, however a quick web search shows that Dark Age of Camelot uses that port (which sounds like a bad idea to me, since it's not an ephemeral port if it's true).

You can check on your router which ports are open/forwarded/in use, through System Logs -> Port Forwarding and Connections.

Checking the logs revealed the expected ports 80, 443, 53 etc. Everything looks normal.

I had no issues prior switching "modems" Before I'd Arris Surboard SB6121 & everything was good.

After much running around, I was able to run a port scan per device & of course the culprit is the Pace combo-box. Ports 10 (unknown) & 53. The behavior I don't get is why this happens only when placing a device on DMZ+ [DMZ+Hole ] When doing double NAT I get full stealth on shieldsup. What gives

Yup, one buggy combo-box

 

[SevenFactors]

If you are not comfortable with the modem/router combination from your ISP there isn't any real disadvantage of running a double NAT and for some setups/ people it provides advantages. Nothing wrong with trying it and seeing for yourself.

Assign your N66 a static WAN IP using the PACE box. Then assign your N66 to get its WAN IP using DHCP.

Run a cable from a LAN port on your pace to the WAN port on your N66.

Set a LAN IP for you N66 in a different subnet than the PACE subnet. The DHCP pool for the devices connecting to the N66 will now be in this subnet also.

You should be good to go.

Some of the advantages of the double NAT is that you can run a guest network on the PACE, some or all of your IoT devices particularly those devices where you aren't convinced that have adequate security and if they should be hacked the hackers will not easily be able to connect to devices attached to the N66 if you have disabled access from the WAN on all interfaces.

Pretty much my current setup but turned the Pace's wifi interface off. I find it to be too buggy. Guess networt on rtn66 works fine

Given that these are my "toys" I wanted to setup the Pace combo-box properly... I never expected the options to be so limited :\

I went ahead set a static IP & let the double NAT take effect. To my surprise ASUSWRT-Merlin automatically detected it & took care of the rest. On my part, all I had to do was update my static IPs & renew. To my surprise all connected devices are able to access the internet without issue. Broadband speeds is still the same. No issues after rebooting Pace, rtn66.

I even noticed that it automatically updated the settings for some of the NAT Passthrough options from "Enable" to "Enable+NAT Helper" Very cool. I've yet to test if my openvnp server.


I honestly I was expecting it to be more chaotic.

 

[sfx2000]

Chances are it's the modem in front of your router that isn't bridged, and is replying to PING requests.

It's probably the GW itself - no worries for the Router/AP in the DMZ...

 

[Deleted member 22229]

This is a known issue and a major bug with the ATT RG 5268ac. So far ATT is doing nothing to fix it and don't recommend using your own router with there devices. Unacceptable.

Just like you and others have noticed while the RG is in DMZplus mode it will respond to ICMP echo requests and not passing them on t o the router to be killed by firewall.

In other words the gateway is passing all traffic to the router for handling except ICMP pings they are wide open to the world with no firewall. Not a good thing.

 

[SevenFactors]

It's probably the GW itself - no worries for the Router/AP in the DMZ...

I know the n66u is standing its ground but just knowing that "modem" is acting all dumb

 

[SevenFactors]

This is a known issue and a major bug with the ATT RG 5268ac. So far ATT is doing nothing to fix it and don't recommend using your own router with there devices. Unacceptable.

Just like you and others have noticed while the RG is in DMZplus mode it will respond to ICMP echo requests and not passing them on t o the router to be killed by firewall.

In other words the gateway is passing all traffic to the router for handling except ICMP pings they are wide open to the world with no firewall. Not a good thing.

I contacted them about this matter. [ -- I kept my cool at all times ^_^ -- ] As expected all I got were answers that had nothing to do with the issue regarding the 5268ac's firewall. I explained how I was able to find this out, how I was able to do it internally, etc. All I got was the always present "it wasn't me" attitude.

Still a massive let down that ATT wont let us bring our own "supported" modem. Why must we be force to use these combo-boxes

 

[Deleted member 22229]

I contacted them about this matter. [ -- I kept my cool at all times ^_^ -- ] As expected all I got were answers that had nothing to do with the issue regarding the 5268ac's firewall. I explained how I was able to find this out, how I was able to do it internally, etc. All I got was the always present "it wasn't me" attitude.

Still a massive let down that ATT wont let us bring our own "supported" modem. Why must we be force to use these combo-boxes

Get rid of your 5268 thats what i did. I had them send me a NVG599 gateway, im using it now in IP-Pass mode with my AC3100 router and its all good now. All ports are closed also no longer responding to ICMP pings and Ipv6 works good to through the Asus router using a 6rd.

 

[SevenFactors]

Get rid of your 5268 thats what i did. I had them send me a NVG599 gateway, im using it now in IP-Pass mode with my AC3100 router and its all good now. All ports are closed also no longer responding to ICMP pings and Ipv6 works good to through the Asus router using a 6rd.

Thanks for the recomendation Kal-El

Today I got the NVG599 replacement for the Pace5268.

- I'm very happy to confirm that the NVG599 does not have the firewall bugs/issues that the Pace5268 has.

- I'm able to happily expose my n66 and maintain stealth.

- Shields Up test as well as UPnP test all clear/stealth.

LAN tests, all good

 

[Deleted member 22229]

Yep the 599 is a far better gateway at least with the 5268 current firmware. Not sure what your 599 has for firmware i just updated mine to there latest and it works great.