# Port Forwarding not working no matter what I do



## Alien

Right, so I've been tearing my hair out over this the past few days. I've consulted multiple sources but I cannot find fault with what I am doing.

UPnP is enabled, the router's firewall is set to low, both my computer and antivirus' firewall are disabled and I'm fairly confident that I have set up the port forwarding correctly. I have also made it so WAN to LAN packets are permitted and assigned my computer a static IP address. No matter what I do, a port checking tool tells me that the port is closed and this is confirmed by the fact that I cannot establish a connection to the application which requires the port 52757.

These are my port forwarding settings. I've tried multiple combinations for the settings, such as separating the TCP and UDP protocols into different rules, putting them both together and trying them individually, all to no avail.





Can anyone offer some insight as to why I am having this trouble? Thanks in advance guys.


----------



## johnb35

Port forwarding only involves the specific IP of the computer you want to have access. Do not enter the IP of the router; use the IP of the computer.


----------



## Alien

johnb35 said:


> Port forwarding only involves the specific IP of the computer you want to have access. Do not enter the IP of the router; use the IP of the computer.



Apologies, this was a copy and paste from another forum. Forgot to make amendments to the original post. I have since only included my computer's IP and removed my router's IP.


----------



## beers

Probably a ridiculous one but can you verify that the application is actually listening on 52757?  

Usually there isn't too much to it, just verify that you have the forwarding rule on your WAN/NAT edge, have the appropriate firewall rule on your endpoint firewall and have the service as listening on that port.

52757 seems like a weird service port unless you manually set the application to listen on that port.  High level ports are typically used as dynamic client-side ports.

Do you have multiple routers in your topology or just one?


----------



## Alien

beers said:


> Probably a ridiculous one but can you verify that the application is actually listening on 52757?
> 
> Usually there isn't too much to it, just verify that you have the forwarding rule on your WAN/NAT edge, have the appropriate firewall rule on your endpoint firewall and have the service as listening on that port.
> 
> 52757 seems like a weird service port unless you manually set the application to listen on that port.  High level ports are typically used as dynamic client-side ports.
> 
> Do you have multiple routers in your topology or just one?



I believe it was at the time, but just in case I was incorrect I also had a port triggering application ensuring that something is definitely listening on the port.

I've tried both adding the ports as rules to my firewall and completely disabling the firewall, no matter what happens I just can't seem to get it to work.

As for the port, I got it from an application that picks any port between 10000 and 65535. It picked 52757 so I went with that one. I had also tried a different port, but to no avail.

I only have one router on my network.


----------



## beers

Can you connect to your server using the client application from your local PC or within your LAN?

What program is it, anyway?


----------



## Alien

beers said:


> Can you connect to your server using the client application from your local PC or within your LAN?
> 
> What program is it, anyway?



I'm not sure what you mean by this first sentence? Apologies.

Vuze. It's a BitTorrent client (Only for legal things, I assure you! My ISP is extremely strict).


----------



## beers

You should be able to use something like PuTTY and telnet within your LAN to that IP and port.  If it times out then you can't connect locally and it's a local issue, but if you get an open connection then it's a problem on the WAN/port forward side instead.

Since there are a few steps that could go awry just trying to narrow it down more specifically.


----------



## Alien

beers said:


> You should be able to use something like PuTTY and telnet within your LAN to that IP and port.  If it times out then you can't connect locally and it's a local issue, but if you get an open connection then it's a problem on the WAN/port forward side instead.
> 
> Since there are a few steps that could go awry just trying to narrow it down more specifically.



I hope I've done this correctly. I've enabled Telnet within Windows and I used the command "open 192.168.1.3 52757", which is my computer's IP and the port which I wanted to open. I've also tried my router's IP and the default port Telnet attempts to connect to. All of these result in the error message "Could not open connection to the host, on port 52757: Connect failed".


----------



## Cromewell

As beers mentioned, it really sounds like you are forwarding the port that it's communicating on but not the one that listens for incoming connections. Particularly this part:


> As for the port, I got it from an application that picks any port between 10000 and 65535.


Vuze says the following ports by default:


> Which ports does Vuze use by default?
> 
> When you first install Vuze, it selects the "main port" for torrent downloading/uploading usage by random. As described previously, you can change that to something else if you like.
> 
> Vuze also uses some ports for internal use and/or as defaults for some functionality:
> 1900 UDP: Used for UPnP?
> 6880 TCP: Vuze uses this port for internal communication. When you launch Vuze, it always checks that port for an older instance of Vuze being already active. If there is an active Vuze, then the new Vuze instance passes the possible torrent name as parameter to the old instance already running and then dies. (This happens e.g. when you click a "download torrent" link on a web page. A new second Vuze instance gets launched by the browser, but it dies after passing the argument to the old Vuze.) If there was no active old Vuze, then the new Vuze reserves that TCP port and starts "listening" there.
> 6969 TCP: If you enable internal HTTP tracker, this is the default port used. You need to port-forward this port in router for full connectivity.
> 7000 TCP: Default port for HTTPS tracker. (usually not in use)
> 16680 UDP: Used for the 'LAN peer finder' functionality.
> 45100 TCP: Used for magnet URI handling.
> 49001 UDP: Used for Mainline DHT (if that plugin is installed). You need to port-forward this port in router for full connectivity.


----------



## Alien

Cromewell said:


> As beers mentioned, it really sounds like you are forwarding the port that it's communicating on but not the one that listens for incoming connections. Particularly this part:
> 
> Vuze says the following ports by default:



To be honest, I really have no idea what I'm doing, but I'm almost certain I have everything set up correctly.
This is what Vuze says:





Can either of you suggest an application and a port to forward just so I can try and see if port forwarding works at all?


----------



## Alien

I was conferring with someone else about my problem and we discovered that my internet is refusing certain requests. He attempted to ping my IP and the connection was rejected. Does anyone know a reason that this could happen?


----------



## beers

Some routers by default don't respond to ICMP inquiries that originate from the Internet.

Since you can't connect locally on your LAN to that service port, I'd sort that side out first before blaming your ISP.


----------



## Alien

beers said:


> Some routers by default don't respond to ICMP inquiries that originate from the Internet.
> 
> Since you can't connect locally on your LAN to that service port, I'd sort that side out first before blaming your ISP.


When you said that it reminded me of something that I had seen before in my router which said ICMP... 

I changed this from LAN to WAN & LAN, would this make any difference? There are also several other tabs as seen in this picture, most are set to LAN only with FTP and SNMP being set to disabled. Should I change any of these?


----------



## silv55

beers said:


> Some routers by default don't respond to ICMP inquiries that originate from the Internet.
> 
> Since you can't connect locally on your LAN to that service port, I'd sort that side out first before blaming your ISP.



Also, with the Comcast router TG862 you won't be able to port forward without the authorization of Comcast.


----------



## Cromewell

Enabling ICMP won't fix your problem. That will do things like let your router answer ping externally.

It's been said already, but until you can connect to the server locally with a client there's no point trying to figure out your port forwards. They may be working. They may not. You can't tell.

If you are insistent on testing forwards first, a simple way to verify port forwarding works is to grab a simple webserver (or ftp server -- port 21) and configure it to listen on 8080 then forward that port to your IP and see if you can connect via your external ip address.


----------



## Agent Smith

Grc has shields up that can test the port and then there is PFPortChecker.

http://portforward.com/help/portcheck.htm

https://www.grc.com/x/ne.dll?bh0bkyd2

Check portforward.com and see if your router is listed. It will have a guide on how to properly port forward in your device.


----------



## Alien

Cromewell said:


> Enabling ICMP won't fix your problem. That will do things like let your router answer ping externally.
> 
> It's been said already, but until you can connect to the server locally with a client there's no point trying to figure out your port forwards. They may be working. They may not. You can't tell.
> 
> If you are insistent on testing forwards first, a simple way to verify port forwarding works is to grab a simple webserver (or ftp server -- port 21) and configure it to listen on 8080 then forward that port to your IP and see if you can connect via your external ip address.



I was asking someone else about this problem, and I was told to enable the World Wide Web services program and try and connect to it with another device on my network. The website loaded on my phone, which I believe indicates that there is no longer a problem locally?



Agent Smith said:


> Grc has shields up that can test the port and then there is PFPortChecker.
> 
> http://portforward.com/help/portcheck.htm
> 
> https://www.grc.com/x/ne.dll?bh0bkyd2
> 
> Check portforward.com and see if your router is listed. It will have a guide on how to properly port forward in your device.



I've checked portforward before, and while they have a method for my router, the screenshots are not actually from my router's webpage and so are not useful for me. Their tool also says all of the ports that I enter are closed.

I used the grc tool and it showed all of my ports as stealth... Which I understand means that they drop connections that they receive? Does this mean port forwarding will not work unless I make it so they are not stealth?


----------



## beers

Alien said:


> I was asking someone else about this problem, and I was told to enable the World Wide Web services program and try and connect to it with another device on my network. The website loaded on my phone, which I believe indicates that there is no longer a problem locally?



That's a different service that has nothing to do with the application you're trying to allow. It sounds like they had you launch a web server (IIS). You can connect since the application is listening on it.

If you really just wanted to test port forwarding anyway you could forward something like external 50000 to internal 80 for that host and then try to have an external/Internet source browse to http://external-ip-here:50000



> I used the grc tool and it showed all of my ports as stealth... Which I understand means that they drop connections that they receive? Does this mean port forwarding will not work unless I make it so they are not stealth?



For a forwarded port it should usually show open if the service is forwarded and listening.  If you are filtering by source IP it may show closed or stealth (which you most probably aren't).  Usually you will see closed if the service is not listening on that port but the port is forwarded.


What are you even trying to accomplish anyway?  Most torrent clients utilize UPnP to begin with.  Are your uploads just sucky?


----------
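The local-first narrowing beers suggests earlier in the thread, together with the open / closed / stealth outcomes described in the reply above, as an added example that is not part of any poster's reply. The function names `probe`, `first_failure` and `demo` are hypothetical; 192.168.1.3 and 52757 are the address and port quoted in the thread.

```python
import socket


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt.

    open     -> handshake completed: something is listening and reachable
    closed   -> connection refused (RST): host reachable, nothing listening
    filtered -> no reply before the timeout: packets dropped ("stealth")
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:  # e.g. no route to host
        return "error: " + (exc.strerror or str(exc))
    finally:
        sock.close()


def first_failure(stages, port, timeout=3.0):
    """Probe (label, host) stages in order, innermost first.

    Returns (label, result) for the first stage that is not open, or None
    when every stage accepts the connection.
    """
    for label, host in stages:
        result = probe(host, port, timeout)
        if result != "open":
            return label, result
    return None


def demo():
    """Constructed self-check: a throwaway loopback listener, then none."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = probe("127.0.0.1", port)  # expected: open
    srv.close()
    stopped = probe("127.0.0.1", port)    # expected: closed
    return listening, stopped


if __name__ == "__main__":
    # Address and port are the ones quoted in the thread.
    stages = [("loopback", "127.0.0.1"), ("LAN address", "192.168.1.3")]
    print(first_failure(stages, 52757)
          or "listening locally; test the forward from outside the LAN")
```

A result other than `None` from the loopback or LAN stage points at the application or the host firewall, so the router's forwarding rule is not yet the thing to debug. The external leg has to be probed from a machine outside the LAN, as the reply above says.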



## C4C

Alien said:


> Right, so I've been tearing my hair out over this the past few days. I've consulted multiple sources but I cannot find fault with what I am doing.
> 
> UPnP is enabled, the router's firewall is set to low, both my computer and antivirus' firewall are disabled and I'm fairly confident that I have set up the port forwarding correctly. I have also made it so WAN to LAN packets are permitted and assigned my computer a static IP address. No matter what I do, a port checking tool tells me that the port is closed and this is confirmed by the fact that I cannot establish a connection to the application which requires the port 52757.
> 
> These are my port forwarding settings. I've tried multiple combinations for the settings, such as separating the TCP and UDP protocols into different rules, putting them both together and trying them individually, all to no avail.
> 
> 
> 
> 
> 
> Can anyone offer some insight as to why I am having this trouble? Thanks in advance guys.



There's a sticky thread in this section for my guide: http://www.computerforum.com/232855-how-port-forward.html
It may or may not be helpful if you haven't taken a look already.

FROM THIS IMAGE YOU HAVE, try to set the port number above and below what you're trying to open. Some routers have issues and won't open the port if the start and end ports are the same. 

ISPs can also block forwarding if you're using a router model they own.


----------



## Alien

beers said:


> That's a different service that has nothing to do with the application you're trying to allow. It sounds like they had you launch a web server (IIS). You can connect since the application is listening on it.
> 
> If you really just wanted to test port forwarding anyway you could forward something like external 50000 to internal 80 for that host and then try to have an external/Internet source browse to http://external-ip-here:50000
> 
> 
> 
> For a forwarded port it should usually show open if the service is forwarded and listening.  If you are filtering by source IP it may show closed or stealth (which you most probably aren't).  Usually you will see closed if the service is not listening on that port but the port is forwarded.
> 
> 
> What are you even trying to accomplish anyway?  Most torrent clients utilize UPnP to begin with.  Are your uploads just sucky?



My uploads are pretty god awful, as you mentioned, mostly at 500b/s, but 52757 is just an example that I chose to use for the sake of simplicity. In reality, no port that I forward ever shows as open. For example, I decided to test to see if I could connect to a Teamspeak server hosted on my computer (Which utilises port 9987), and I was unable to connect, as was a third party I requested try and connect. I also occasionally have trouble connecting to users on online games, as I usually have either a closed or moderate NAT. I've also ensured that there's ABSOLUTELY a program listening on the port I am testing.



C4C said:


> There's a sticky thread in this section for my guide: http://www.computerforum.com/232855-how-port-forward.html
> It may or may not be helpful if you haven't taken a look already.
> 
> FROM THIS IMAGE YOU HAVE, try to set the port number above and below what you're trying to open. Some routers have issues and won't open the port if the start and end ports are the same.
> 
> ISPs can also block forwarding if you're using a router model they own.



Unfortunately, the first thing I did when coming to this forum was check your guide, but I was unable to find a solution within. I've also tried to forward the ports 9986-9988 (Port 9987 is for Teamspeak), but it doesn't appear to have worked, however.





I have a router which is not manufactured by my ISP and is simply a rebranded Zyxel router, but when I checked my ISP's forums their support simply say that they do not "support" port forwarding, and make no mention of actively blocking it.


----------



## Agent Smith

Can you post a screen shot of your router's web page that you set your port forwarding in?

Also, you may want to change the default Teamspeak port. I was using the default port and was running Peerblock with a whole host of country blocks. Well, Iran was constantly trying to get into the default TS port and no one knows that I run TS except my Bro.

Here's my blog post on that. https://blog.************.net/?p=91 

Scroll to the bottom. You don't need to use Putty. I did in the beginning. 
https://blog.************.net/?p=91


----------



## beers

Agent Smith said:


> Well, Iran was constantly trying to get into the default TS port and no one knows that I run TS except my Bro.



Surprised with how paranoid you are you don't ACL traffic sourcing from those countries.  Also, it's pretty easy to do a service fingerprint off of open ports if you're just auto scanning IP ranges.


----------



## Agent Smith

OMFG dude. I don't have enterprise hardware for ACL. Also it's called security through obscurity. Sure, you could scan all 65 thousand + ports, but most probe scans don't do that. I see this monitoring input traffic on SNMP. So far no connection attempts to that port anymore.


My ACL is Peerblock as stated. They couldn't get in, but it was the fact they were trying that I changed the port.


----------



## beers

Agent Smith said:


> OMFG dude. I don't have enterprise hardware for ACL. Also it's called security through obscurity. Sure, you could scan all 65 thousand + ports, but most probe scans don't do that. I see this monitoring input traffic on SNMP. So far no connection attempts to that port anymore.
> 
> My ACL is Peerblock as stated. They couldn't get in, but it was the fact they were trying that I changed the port.



Facedesk.  You can even use iptables on an Ubiquiti ERL or something that is less than $100 (or flash your router to DD-WRT and drop traffic there).  You could also even drop those subnets on a software firewall layer costing you nothing, which you have indicated with PeerBlock. 

If the traffic is showing up in PeerBlock logs why are you even paranoid about it as it's already being dropped?



> Also it's called security through obscurity.



In a professional realm this means nothing at all.  Usually you get fired taking this approach since obscure implementations by default don't offer anything other than obfuscation.


----------



## Alien

Agent Smith said:


> Can you post a screen shot of your router's web page that you set your port forwarding in?
> 
> Also, you may want to change the default Teamspeak port. I was using the default port and was running Peerblock with a whole host of country blocks. Well, Iran was constantly trying to get into the default TS port and no one knows that I run TS except my Bro.
> 
> Here's my blog post on that. https://blog.************.net/?p=91
> 
> Scroll to the bottom. You don't need to use Putty. I did in the beginning.
> https://blog.************.net/?p=91



I'm going to include all pages of the NAT section, just in case I did not use a correct setting.
I also still am unable to connect to putty or Telnet. I have no idea what could be causing it, as my firewall is not running. I'm simply at a loss.


----------



## beers

What ISP are you using?  PVC0 would imply DSL as the WAN interface.


----------



## Alien

beers said:


> What ISP are you using?  PVC0 would imply DSL as the WAN interface.



Eircom, they're a god-awful Irish ISP.


----------



## Agent Smith

beers said:


> Facedesk.  You can even use iptables on an Ubiquiti ERL or something that is less than $100 (or flash your router to DD-WRT and drop traffic there).  You could also even drop those subnets on a software firewall layer costing you nothing, which you have indicated with PeerBlock.
> 
> If the traffic is showing up in PeerBlock logs why are you even paranoid about it as it's already being dropped?
> 
> 
> 
> In a professional realm this means nothing at all.  Usually you get fired taking this approach since obscure implementations by default don't offer anything other than obfuscation.



My router has been flashed with DD-WRT since circa 2006 and I can use iptables, but the memory can't hold as many as it would require to block the countries I want.


----------

