Port forwarding still closed?

Cubytus
Posts: 5
Joined: Thu Sep 24, 2020 5:40 am

Port forwarding still closed?

Post by Cubytus »

Hi there,

I've got an issue with the port forwarding function on a Gargoyle-equipped router. I manually forwarded a few ports in the firewall for different servers that need it.

Now, the setup is a bit more complex than I intended it to be. I simplified it to the relevant parts here.
Modem makes WAN IP available through DHCP -> Gargoyle 1.12 runs on old WesternDigital MyNet N600. Gargoyle firewall specifically allows ports 9091, 9093, and 5006 (non-privileged ports). It acts as the DHCP server for all LAN devices. No extra plugins are enabled. -> a Linux-based NAS runs an OpenVPN client. The server software then uses the tunnel to reach the Internet. -> a second NAS listens on port 5006.

Why not use the router as a client?
Well, first, I have a slow bandwidth of 30/10, but a comparatively large number of devices. Even without saturating the bandwidth or the connections, the single-core CPU inside the N600 routinely gets past 1.00 load during video conference calls / about 300 connections. The CPU doesn't seem powerful enough.
And second, the OpenVPN client configuration page in Gargoyle is really confusing. It doesn't directly take the parameters the way VPN providers are giving them (config file ending in .ovpn [not ZIP] + username + password), instead asks for obscure ones such as CA certificate, client certificate, TLS-auth-key, etc. Nowhere to enter username / password. On the other hand, the NAS command line allows to use a .ovpn file, then asks for a username, then a password, then proceeds to establish the connection. I have yet to find a way to daemonize it, but closing the terminal window does it. A bit crude, but at least it doesn't ask for nonsense.

So, when testing the first 2 ports with a web-based ports-checking tool against the WAN IP given by the VPN provider, I find these ports closed. Same goes for port 5006: it always appears as closed.

Why are the ports still closed? Where's my configuration faulty?

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Port forwarding still closed?

Post by Lantis »

Here's a great summary on what Gargoyle VPN is and is not designed to do:
viewtopic.php?p=46382#p46382

You may even be able to use some of those instructions to help with your individual provider.
However, your device won't route more than 10mbps over OpenVPN if I had to guess.
By the way, those "obscure" settings are the backbone of all OpenVPN connections. Yes, Gargoyle could do with an update to understand .ovpn too, but that would require time. In the last year it gained support for outputting .ovpn so there's progress.


For your port forwarding, your modem is either not opening the ports as well, or your end devices aren't listening (for whatever reason). An open port to nothing will show closed.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

Cubytus
Posts: 5
Joined: Thu Sep 24, 2020 5:40 am

Re: Port forwarding still closed?

Post by Cubytus »

Thanks for the tip on OpenVPN, at least I know it's not worth it from a practical point of view. I may try it for the fun of it, though.

About the modem, that would apply to a VDSL non-bridged modem. But a cable modem doesn't have any firewall inside, so no ports to open and actually nothing to configure, even though there's a Web interface. The configuration file is always sent by the CMTS. On the LAN side, the server softwares are actually listening on these ports, as they are both accessible and responding when accessing them from inside the LAN.

This WesternDigital replaced a VDSL modem initially repurposed as a router. Briefly, it was a very good modem, but made for a lousy router, would refuse to hand out LAN addresses every now and then for unclear reasons, but at least forwarded the ports correctly during the short periods it was actually working. I reproduced the same configuration by hand in Gargoyle (static DHCP as well, as it's quite common to forget it), and of course expected it to work as all the other parts, modem and LAN devices, stayed the same.

Is there another way in Gargoyle to check the ports are actually open?

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: Port forwarding still closed?

Post by RomanHK »

Cubytus wrote: Is there another way in Gargoyle to check the ports are actually open?
Try this external service: https://www.portcheckers.com/
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Port forwarding still closed?

Post by Lantis »

I would remove the modem from the equation and put my own device on the WAN side and test.
You'll need to set a static WAN IP and the test device will need to be static as well.

Then you will know where the fault lies.
For what it's worth, I've seen plenty of cable modems that still require port forwarding/DMZ, and I've seen others where "bridge mode" is more like a half bridge at best.

Also sanity checks, you've definitely got the devices locked to the right IP addresses and you're forwarding to the right addresses?
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
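
Added example (not part of any post in this thread): a small TCP probe to run from the test device placed on the router's WAN side, as suggested above. It separates "nothing answered" from "something refused", which a web checker's single "closed" verdict hides. The port list comes from the first post; the address is passed on the command line and every function name is an assumption of this sketch.

```python
import errno
import socket
import sys

# Ports the original poster forwarded in Gargoyle (from the first post).
FORWARDED_PORTS = (9091, 9093, 5006)


def probe(host, port, timeout=3.0):
    """Try one TCP connect and classify what came back.

    open        handshake completed: the forward works and a service answered
    closed      the connection was actively refused: the packet got somewhere,
                but nothing accepted it (no listener, or a reject rule)
    filtered    no reply before the timeout: dropped on the way (no forward
                rule, wrong target address, or an upstream device in the path)
    unreachable the network reported that the address cannot be reached
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def check_forwards(host, ports=FORWARDED_PORTS, timeout=3.0):
    """Probe every forwarded port on the router's WAN address."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_forwards.py <router WAN address>")
    for port, state in check_forwards(sys.argv[1]).items():
        print(f"{port}/tcp  {state}")
```

Running the same script against the LAN addresses of the two NAS boxes gives the baseline: a port that is "open" on the LAN but "filtered" or "closed" from the WAN side points at the forwarding rule or its target address rather than at the service.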