Modem / router port remains closed

---

---

Hi,

The Zyxel modem has dsl, internet and 2 unused voip ports. The internet port is connected to the router. The router has 4 (ethernet?) ports. PC and Dreambox are connected to the router. Wireless is off. DHCP is off. I set the "local IP addresses" in the router. Router is xx.x.x.1, PC is #2 and Dreambox #3.

If I understand you correctly I have to forward port 12000 in two steps.
Step 1. From modem to router.
Step 2. From router to Dreambox.
I'm confused which IP addresses to enter at both steps. Maybe you can clarify a bit.

I checked the status of the port through [Only Registered Users Can See LinksClick Here To Register], among others.

As requested I mention the results from ifconfig and ipconfig below.

Ifconfig –a (from Dreambox)

eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:xxx.xxx.xx.xxx Bcast:xxx.xxx.xxx.xxx Mask:xxx.xxx.x.x
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30136 errors:0 dropped:0 overruns:0 frame:0
TX packets:29098 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14219324 (13.5 MiB) TX bytes:2198989 (2.0 MiB)
Interrupt:16

lo Link encap:Local Loopback
inet addr:xxx.x.x.x Mask:xxx.x.x.x
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:352 (352.0 B) TX bytes:352 (352.0 B)


Ipconfig /all (from pc)

Microsoft Windows XP [versie 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Windows IP-configuratie

Host-naam . . . . . . . . . . . .: xxxxxxx
Primair DNS-achtervoegsel. . . . .:
Knooppunttype: . . . . . . . . . .: onbekend
IP-routering ingeschakeld. . . . .: nee
WINS-proxy ingeschakeld . . . . . : nee

Ethernet-adapter LAN-verbinding:

Verbindingsspec. DNS-achtervoegsel:
Beschrijving . . . . . . . . . . .:
SiS 900-Based PCI Fast Ethernet Adapter
Fysiek adres. . . . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP ingeschakeld:. . . . . . . . : nee
IP-adres. . . . . . . . . . . . . : xx.x.x.x
Subnetmasker. . . . . . . . . . . : xxx.xxx.xxx.x
Standaardgateway. . . . . . . . . : xx.x.x.x
DNS-servers . . . . . . . . . . . : xx.x.x.x

Thanks.

Thanks for including the ipconfig and ifconfig.

Actually what I was trying to establish was whether all of these devices were on the same network. What are called "private" addresses really don't need to be x'ed out and kept private. "Public" addresses are the ones it is best not to post.

But it seems as if all of these devices are visible to each other, so I guess that is enough.

Your Zyxel modem is capable of forwarding. If wireless is off, I'm not sure why the Netgear is there at all. I'm also not sure what the IP address is for the Zyxel - if it is the same as for the Netgear, there will be a conflict.

Given your setup, without trying to remove or change anything around physically, keep everything the same except to forward the Zyxel to xx.x.x.1 (the Netgear) rather than xx.x.x.3. From what you said earlier, the Netgear is set up properly to forward incoming 12000 to the Dreambox on port 12000.

The CCcam server on 12000 in the Dreambox has to be running to accept connections and to be "seen". You have said you can connect to your friends with your Dreambox, so nothing is blocking outgoing connections.

If this does not work, you should look first to the Zyxel to make sure its firewall settings do not stop forwarding, then to the Netgear for the same check.

Again, from what you have said, the Netgear really does not have to be there and my inclination would be to remove it if changing the forwarding address and checking any firewalls does not solve your problem.

-------------------------

Please check this link:

[Only Registered Users Can See LinksClick Here To Register]

or Google search for Double NAT. This is what you normally wish to avoid. If you must have this sort of physical set up, follow the suggestion for placing the first of the routers in bridge mode, making certain it connects to nothing on your LAN except the second router. This is really just a way of removing the first router without physically unhooking it from your network.

Hi,

As to the Netgear router, the PC and Dreambox are plugged into it because the Zyxel modem simply has no (ethernet?) ports to plug them in directly.

I changed the forwarding address in the modem to the IP address of the router. Port 12000 still remains closed.

As you proposed I had a closer look at the firewall in the modem. I briefly inactivated the firewall in the modem to see what happens. It results in port 12000 being open. I activated the firewall again and added a line to the rules of the firewall:

Packet direction: WAN to LAN
Source IP: any
Destination: <IP address router>
Service: Any(UDP)
Action: Permit

This results in port 12000 being open and (at least) 1 client connected.

Two new questions occur to me:
1. Could you please comment if the additional line I added in the firewall of the modem is safe? Is there a "security hazard" in doing so?
2. At "Service" one can choose Any(UDP) or Any(TCP). Does it matter? (I chose Any(UDP)).

Thanks.

Use any TCP. There is always a hazard opening a port.

Service set to Any(TCP).

OK. I understand now. You just don't have enough physical plugs in the Zyxel modem, so you're trying to use the Netgear more as a [Only Registered Users Can See LinksClick Here To Register] than anything.


So, the firewall was a problem. As people have said, it is TCP rather than UDP you need for cardsh!aring. I would be a bit concerned that you have even one client connected. CCcam uses TCP. As far as I know, UDP alone will not work for CCcam. Someone will correct me if this is wrong.

It doesn't sound absolutely safe. There is always a danger opening ports, as someone has said, but your single rule is causing unexpected (for me) results. You should check if that is really the only rule in force.

TCP alone will do it. Again, I don't think UDP alone should work.

No problem.

As you've seen, this type of setup is quite complicated and difficult to make work properly.

What someone would ordinarily do, would be either to:

1.) Use the router as the modem, but this is not an option for you, because that model has no A/DSL.

2.) Bridge the Zyxel to your Netgear router.
This will make things much simpler. You will have only the Netgear firewall and port-forwarding to worry about, and will not have to worry about possibly inconsistent rules.

Please post back and let us know what you decided and how things are working!

------------------

You could also try disabling NAT in the Netgear router, if this setting is easily changed. That should make the Netgear behave like the hub you are trying to use it for now. You might not want to do this, though. At some point, you might decide having wireless is something you do want.

setup your router and modem in bridge mode, as suggested above. let your netgear act as a dumb hub. disable all firewalls at this point. forward the port to the IP of your dreambox. save and test again.

Hi,

As suggested I tested the modem at bridge mode. There was no problem with port 12000. However, I noticed a few (minor) things:
- I received a new IP address.
- The "line speed" dropped 20% at the first test. At the second test it was back to normal. [Only Registered Users Can See LinksClick Here To Register]
- The "internet light" at the modem is off.
- I could no longer access the web configurator of the modem. I had to reset the modem to the factory settings to switch back to "Router mode".

Again, I forwarded port 12000 to the router and added the above mentioned rule to the firewall:

Packet direction: WAN to LAN
Source IP: any
Destination: <IP address router>
Service: Any(TCP)
Action: Permit

I think adding this rule is more or less the same as bridging all traffic to the router. Correct me if I'm wrong. FYI, there's one more line in the firewall rules:

Packet direction: WAN to LAN
Source IP: any
Destination: <xxx.x.x.x - xxx.x.x.x>
Service: Multicast (IGMP:0)
Action: Permit

This is the #1 line. The line I added is #2. I don't know what #1 is for, but it came with the factory settings after the reset and it was there before.

As some of you mentioned already there's a risk in opening ports. I think all (TCP-) traffic through port 12000 ends up at my Dreambox. I guess that goes for all Dreamboxes, not just mine. Maybe it's unnecessary but it raises concerns with me. Was the risk of opening ports ever discussed? (OK, I could use the search-button).

Since the current configuration is working fine I will keep it as it is, at least for now.

Thanks to all of you.