Telenet Docsis 3.0 port forwarding

[benoitmabille]

Hello,

After hours spent on it, I believe that the port forwarding works erratically (configured from mytelenet.be)!

Access to
localIP:port# works 100% of the time (Telenet router bypassed)
publicIP:port# works..sometimes
(I have 6 port redirections each one to the same port#)

Also the DHCP cannot be modded or disabled anymore

Would anyone have an advice i.e. put an external firewall/router in the DMZ after the telenet router ? I have not doen it before so an advice would be welcome

Thanks !!!

[ubremoved_539]

publicIP:port# works..sometimes
(I have 6 port redirections each one to the same port#)

And did your PC always had the same local IP-address ?

Also the DHCP cannot be modded or disabled anymore

This has never been the case.

[petzl]

i have never problems with port forwards with telenet routers, so i gues you are doing something wrong

- give your devices a fixed ip, i use the range of 192.168.1.90-192.168.1.99 since .90-99 does not give conflicts on other routers like b-box, and then i only need to change 1 number if a customer changes from opperator.
- DCHP has noting to do with de correct working of your port fowards, if you use fixed and non conflicting ip's.

- i only use TCP forwarding and not BOTH (UDP and TCP)
- If i can i give my internal devices 2 ports that can be used like 80 and 8000 and then i do a 1-1 port forward with the second http port "8000"
if you do not 1-1 port forward this can give problems when you have a page refresh when you do reboot a the device..


1-1 = like port 8000 to port 8000
not 1-1 = if you do forward port 8000 to port 80

[leokes]

Hello Benoit,

I have the same issue: locally everything works fine
Remotely nothing works: not even the DMZ.

When I perform a portscan remotely I always get that the ports are either "filtered" or "closed" but never open.

Discussing this with the helpdesk is useless - spend 30 mins yesterday and the guy on the other side did not even understand what I was trying to tell him.

So if anyone finds a solution for this problem please share it (will do it if I find a solution)

Anyhow: going to log a problem with Telenet.

Rgds

[ubremoved_539]

Please realize that configuration changes are not always immediate but might taken some time to arrive on your router. Performing continuos changes via "Mijn Telenet" therefore sometimes results in a router being "confused"... in such case you can contact Telenet and request to reset these rules so you've a clean start.

Apart from that port-forwarding works fine... if it doesn't it is usally PEBKAC (in other works, user error).

PS. Testing locally has no value at all since you don't go via your router... so there's also nothing to forward.

[Kenniey]

Leokes, how are you testing if the ports are open remotely?
Are you testing from a seperate connection or are you testing the public ipadres from your same local telenet connection?

[raf1]

So if anyone finds a solution for this problem please share it (will do it if I find a solution)

Fastest solution: Don't use routers that lack solid user documentation and a local web interface if you want to configure more advanced settings than an average user would normally do.

I would highly recommend to ask Telenet for a replacement with a modem only device, like the CV7160E modem and use your own router behind this modem.

[leokes]

@Kenniey: I am testing remotely (from work on ADSL - so no company network involved) with Linux and NMAP portscan
Also test via mobile phone hotspot thru GSM network
Result is exactly the same: nothing works with his modem 24*8 DOC 3 WIRELESS(DOCSIS) - EURODOCSIS 3.0 - in other words I can not get in from a remote site

@Raf1
Think that will be the solution, but if I read people's experiences with having the modem replaced you need to have luck to go to a Telenet shop and get what you want.......

Was also thinking: may be Telenet does not provide all the services for a "basic internet" connection?

[serialchiller]

Everybody in this thread is aware of the fact that Telenet blocks certan ports??? (mostly well known standard ports)
As it isn't mentioned in this discussion, I thought my comment could be helpful.
It's documented here. Sorry, but Telenet only offers this page in Dutch or French.

[ubremoved_539]

Result is exactly the same: nothing works with his modem

Maybe you should explain how it is configured, what service is exposed and what you're trying to do.

If it works for me and other people I don't see why it shouldn't work for you ?

[leokes]

@serialchiller: Your post is useful but I was aware of that since mijntelenet.be tells you that on the modem config screen.

@r2504: I'll explain my setup: I have a raspberry PI running sshd on port 2222 and apache2 on 8080
Have changed the sshd port from 22 to 2222 and the apache from 80 to 8080, since everything below 1024 is blocked.
My RPI has IP 192.168.0.3 (which is fixed): internally I can use putty on Windows and SSH on linux and use FF to see the default apache webpage
The RPI is attached to the EURODOCSIS 3.0 with an RJ45 - so no wireless

3 things I tried:
1. I have put the RPI in the DMZ and tried to connect from outside going to my WAN IP with putty on port 2222: result timeout
Have tried to connect to apache with FF to myip:8080 - time out

2. Have put nothing in DMZ
created two ipv4 port forwarding entries
- (192.168.0.3) 2222 - 2222 - TCP/UDP/Both: no combination works for putty or ssh
- (192.168.0.3) 8080 - 8080 - TCP/UDP/Both: no combination works for http access

3. Attached an old wireless ICIDU router to the cable modem and gave it a local LAN 172.16.1.x range
The router got an 192.168.0.xxx local address as WAN address
Attached the RPI to the ICIDU with an RJ45 and gave it fixed IP 172.16.1.3
Configured port forward on the ICIDU router to 172.16.1.3 does not work either
HOWEVER: The router has a remote management feature, which I configured to work on port 9000 and guess what I happens: I can connect with FF to myip:9000 to perform router management, but can not reach the RPI internally.
So there must be a different behaviour of the eurodocsis when a router is attached.....

Any advice is welcome of course.

[philippe_d]

Have changed the sshd port from 22 to 2222 and the apache from 80 to 8080, since everything below 1024 is blocked.

This is absolutely not true. Telenet does not block everything below 1024 (this was many years ago)!
You did not read the last post of serialchiller with the link to Telenet's site (with the short list of blocked ports)?.

Attached an old wireless ICIDU router to the cable modem and gave it a local LAN 172.16.1.x range
The router got an 192.168.0.xxx local address as WAN address
Attached the RPI to the ICIDU with an RJ45 and gave it fixed IP 172.16.1.3
Configured port forward on the ICIDU router to 172.16.1.3 does not work either.

Looks like you found the root cause, which is not related to the Telenet router (as port forward on the ICIDU router does not work either) .

HOWEVER: The router has a remote management feature, which I configured to work on port 9000 and guess what I happens: I can connect with FF to myip:9000 to perform router management, but can not reach the RPI internally...

which confirms that port forwarding on the Telenet router works fine

[ubremoved_539]

My RPI has IP 192.168.0.3 (which is fixed)

Did you configure a default gateway on it ? Can you do a ping 8.8.4.4 from it ?

This is absolutely not true. Telenet does not block everything below 1024 (this was many years ago)!

These stories will live forever I guess.

[leokes]

@r2504 (deel van 't meubilair):
Thanks for your suggestion: will check that when back at home and let you know the outcome.
Will buy you a couple of beers when that resolves my issue!

here is the results of a webbased NMAP of 10 mins ago (I obfuscated the IP address and logical name)

Starting Nmap 6.00 ( http://nmap.org ) at 2017-01-06 14:59 EET
Initiating Ping Scan at 14:59
Scanning 84.194.xxx.yy [4 ports]
Completed Ping Scan at 14:59, 0.28s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 14:59
Scanning d54C27***.access.telenet.be (84.194.xxx.yy) [1024 ports]
Increasing send delay for 84.194.xxx.yy from 0 to 5 due to 11 out of 12 dropped probes since last increase.
SYN Stealth Scan Timing: About 10.25% done; ETC: 15:04 (0:04:31 remaining)
Increasing send delay for 84.194.xxx.yy from 5 to 10 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 19.58% done; ETC: 15:04 (0:04:11 remaining)
SYN Stealth Scan Timing: About 28.56% done; ETC: 15:04 (0:03:48 remaining)
SYN Stealth Scan Timing: About 37.99% done; ETC: 15:04 (0:03:18 remaining)
SYN Stealth Scan Timing: About 47.95% done; ETC: 15:04 (0:02:44 remaining)
YN Stealth Scan Timing: About 57.42% done; ETC: 15:04 (0:02:14 remaining)
SYN Stealth Scan Timing: About 66.85% done; ETC: 15:04 (0:01:45 remaining)
SYN Stealth Scan Timing: About 76.42% done; ETC: 15:04 (0:01:14 remaining)
SYN Stealth Scan Timing: About 85.99% done; ETC: 15:04 (0:00:44 remaining)
Completed SYN Stealth Scan at 15:04, 310.91s elapsed (1024 total ports)

[+] Nmap scan report for d54C27***.access.telenet.be (84.194.xxx.yy)
Host is up (0.024s latency).
Not shown: 1023 filtered ports

PORT STATE SERVICE
443/tcp closed https


Nmap done: 1 IP address (1 host up) scanned in 312.21 seconds
Raw packets sent: 1392 (61.224KB) | Rcvd: 7116 (407.310KB)

@r2504 06 Jan 2017 18:20
there was indeed no default gateway in the dhcpcd.conf file.
Shame on me!
It now works for port 2222 & 8080.
Even no DMZ and port forwarding works.
Many thanks for your help!

[ubremoved_539]

there was indeed no default gateway in the dhcpcd.conf file.
Shame on me!

No problem... mistakes happen... glad it is solved.

Only a shame that people like raf1 immediately jump on topics like this to recommend a different modem (which is not needed in 99% of the cases).

[benoitmabille]

Hello,

PORT FORWARDING
I am using non-blocked ports (100xx range). My devices are on static IP of course.
6 ports are forwarded, the test is simple :
1) Disable all forwards.
2) enable the first forward, test OK
3) enable the second forward, test OK
..
6) enable the fifth forward, test OK
7) enable the sixth forward, test NOK
Have tried numerous time, with different ports, with more than 5 forwards, some are ignored
The telenet router can do 10 forwards (limited by its interface presumably)

DHCP
I am using Telenet for 15 years and, yes, the DHCP used to be configurable. When that option disappeared a few years ago, I asked Telenet to switch it off for me, I use my own DHCP.

UPDATE
Two days ago, for the first time I had a knowledgeable person named IAN (he is studying for CISCO certification) at Telenet support, he understood quickly everything, we performed some tests and trials together, he liaised with his technical team and a technical report has been made. I am promised an answer within 3 days.
An alternative is to get a Telenet modem-only (yes it is possible) and I will provide my own firewall/router
The WiFi on my DOCSIS is erratic, devices dont connect etc.. My 3 other AP work well with the same devices
I believe that my DOCSIS has an issue (firmware ?)

Thanks all

[ubremoved_539]

DHCP
I am using Telenet for 15 years and, yes, the DHCP used to be configurable. When that option disappeared a few years ago, I asked Telenet to switch it off for me, I use my own DHCP.

I has never been and to my knowledge you can't ask it neither.

[benoitmabille]

DHCP
I am on the Fiber200 scheme, but wih a professional account, maybe that makes a difference.

Lucky I guess

[Kenniey]

Can you provide a screenshot of your portforwardingscreen in "mijn telenet"?
I think something is wrong there.

[xayana]

Unexpected reboot as in: factory reset....

[benoitmabille]

Yes, rebooted a few times. The Telenet guy was not too keen on a full factory reset.

Right now, only one forward works unpredictable
After the router there is a Netgear GS116E switch, DHCP is performed by the NAS.

Thanks !

[philippe_d]

Right now, only one forward works unpredictable

You have overlapping ports:
device 192.168.1.3 from 10001 to 32400 ??

DHCP
I am using Telenet for 15 years and, yes, the DHCP used to be configurable. When that option disappeared a few years ago, I asked Telenet to switch it off for me, I use my own DHCP.

I has never been and to my knowledge you can't ask it neither.

Last time I had a Telenet technician who refused to install the "modem-only" (because I'm using an own router). He suggested me to disable DHCP (which I refused because not solving my problem).
Apparently, it's possible for Telenet to switch DHCP off (although not available trough the "My Telenet" web interface ...

[Kenniey]

The ports in Mijn telenet are start en end. Not internal and external port.