Open firewall ports when upgrading build

ohnoo
DD-WRT Novice


Joined: 31 May 2020
Posts: 24

Posted: Wed Sep 02, 2020 21:17    Post subject: Open firewall ports when upgrading build
Hi, I've flashed a WRT54G2v1 and a WRT54 V6 with v24-sp2-14929 (08/12/10) micro. After upgrading to 40189 or v3.0-r43516 micro generic (following users who reported success using it as an AP), I'm finding the firewall is not working well as a gateway. If I revert to 14929, all ports show as stealth.
I've tested with https://www.grc.com/shieldsup, which shows open ports (80 and 53). Settings are pretty stock, no port forwarding or UPnP. I'm attaching a picture of the results.
Prior to and after flashing, a factory reset is always applied.
If one of them were put to work as AP only, is it better to stay on 14929 or to upgrade (the question here is whether the upgrade is actually failing or not)?

Thanks for your help!



[Attachment: SHUP.png (Shields Up results)]

Last edited by ohnoo on Fri Sep 11, 2020 19:10; edited 1 time in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Sep 03, 2020 4:53    Post subject:
Not clear from your post if this router is configured as a router (w/ active WAN), or configured as a WAP (w/ WAN disabled). If it's the latter, then its firewall is irrelevant. A WAP is bridged to the existing network, and any reports from Shields Up are only reporting the results of the upstream WAN of the primary router.
_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
ohnoo
DD-WRT Novice


Joined: 31 May 2020
Posts: 24

Posted: Thu Sep 03, 2020 5:32    Post subject:
eibgrad wrote:
Not clear from your post if this router is configured as a router (w/ active WAN), or configured as a WAP (w/ WAN disabled). If it's the latter, then its firewall is irrelevant. A WAP is bridged to the existing network, and any reports from Shields Up are only reporting the results of the upstream WAN of the primary router.


Hi, both routers were tested as gateway routers. I want to know:
1- If it's possible to run a build newer than 14929 as a gateway with a solid firewall (provided I'm right in concluding there's a flaw, having used the testing method mentioned above)
2- One of them will be used as WAP only (WRT54G V6), then I guess to avoid Krack vulnerability I should upgrade to the newest build possible?

I ran the test on both units just to rule out a hardware failure.

THANKS!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Sep 03, 2020 6:00    Post subject:
Always a good idea to use the latest firmware, esp. if the router will be configured as a router. When configured as a WAP, it's usually less critical, but still a good idea, esp. if there are known wifi vulnerabilities w/ the old firmware.

ftp://ftp.dd-wrt.com/betas/

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Sep 03, 2020 7:38    Post subject:
Things have changed a lot; have you done a full reset and put the settings in manually?

I have multiple routers running with recent builds, but none as old as your router (the oldest is a Linksys E2000), so of course it could be something specific to your router (Linux K 2.4); in that case you should file a bug report.

Code:
GRC Port Authority Report created on UTC: 2020-09-03 at 07:33:18

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
turbowells
DD-WRT User


Joined: 14 Sep 2019
Posts: 301
Location: Maine, USA

Posted: Thu Sep 03, 2020 10:08    Post subject:
I typically have my WRT54G2v1 (r44251) setup as a guest router, but was able to get a small window to connect directly to my modem.

I can confirm ohnoo's results.

My TP-Link ARCHER-C7 v4 running Linux 3.18.140-d4 works fine, so it seems it's a K2.4 issue.
ohnoo
DD-WRT Novice


Joined: 31 May 2020
Posts: 24

Posted: Sat Sep 05, 2020 3:06    Post subject:
egc wrote:
Things have changed a lot have you done a full reset and put settings in manually?



Yes, factory resets before and after flashing, power cycle, manual settings, Waterfox explorer.

I know they are old. I was working with an E900, but it's bricked in a way that makes serial recovery useless (all lights solid and dimmed on), so I went on with these two oldies. If they are still supported I'll search how to file a bug report. If not, I'll leave them just for AP.

Thank you all.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sat Sep 05, 2020 6:18    Post subject:
As always, the important information is in the forum guide lines, link in my signature at the bottom of this post :)

https://svn.dd-wrt.com/

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Thu Sep 17, 2020 16:37    Post subject:
It's been a long time since I used GRC's port scan! :)

I tried its Full Port Scan with my RT-N18U and DD-WRT BS build 44251, here is the Text Summary:
Code:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2020-09-17 at 16:37:37

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

----------------------------------------------------------------------



_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
hackler756
DD-WRT User


Joined: 17 Sep 2014
Posts: 68
Location: Austria

Posted: Thu Sep 17, 2020 20:22    Post subject:
Security Scan on R7000 with r44340

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2020-09-17 at 20:13:37

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

----------------------------------------------------------------------

Here is how you do it:

Update to the latest version.

WebUI Configuration:

TAB [Security][Firewall]
Firewall Protection:
SPI Firewall Enable

Additional Filters:
ARP Spoofing Protection Enable

Block WAN Requests:
[Check] Block Anonymous WAN Requests (ping)
[Check] Filter Multicast
[Check] Filter IDENT (Port 113)
[Check] Block WAN SNMP access

TAB [NAT /QoS][UPnP]
UPNP Configuration:
UPnP Service - Disable

TAB [Administration][Management]
Remote Access:
Web GUI Management - Disable
SSH Management - Disable
Telnet Management - Disable


Save, Apply Settings and Reboot

Run the GRC test again ... you should be good.

_________________
ZTE MC801A - 5G bridge mode
R7000 - router, AP 2.4Ghz / 5Ghz
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

Posted: Fri Sep 18, 2020 8:05    Post subject: Re: Open firewall ports when upgrading build
ohnoo wrote:
Hi, I've flashed a WRT54G2v1 and a WRT54 V6 with v24-sp2-14929 (08/12/10) micro . After upgrading to 40189 or v3.0-r43516 micro generic (following users that reported success use as AP) I'm finding firewall is not working well as gateways. If I revert to 14929, all ports shows as stealth.
I've tested with https://www.grc.com/shieldsup that shows open ports (80 and 53). Settings are pretty stock, no port forwarding or UPNP. I'm attaching a picture of results.
Prior and after flashing, factory reset is always applied.
If one of them were put to work as AP only, is it better to stay on 14929 or to upgrade (question here is if with the upgrade it's actually failing or not).

Thanks for your help!


Not much info about your firewall configuration.

_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

Posted: Fri Sep 18, 2020 9:27    Post subject:
bug found and fixed. will be included in next release. usually already today
ohnoo
DD-WRT Novice


Joined: 31 May 2020
Posts: 24

Posted: Fri Sep 18, 2020 14:50    Post subject:
BrainSlayer wrote:
bug found and fixed. will be included in next release. usually already today


I tried to get the iptables status, but neither the web interface nor the telnet CLI works. The firewall configuration hasn't been changed from factory.

Update: I've read your reply in the svn ticket https://svn.dd-wrt.com/ticket/7234#no2
So iptables doesn't produce output on micro builds because of its own limitations. Is there another way to get that?

Thanks for your help. I'll wait for that and report further tests.
js290
DD-WRT Novice


Joined: 21 Sep 2014
Posts: 22

Posted: Sat Sep 19, 2020 1:01    Post subject:
BrainSlayer wrote:
bug found and fixed. will be included in next release. usually already today


Sorry for the n00b question. The changeset for this fix is 44407, but the build for Sept 18, 2020 is r44406; changeset 44406 is dated Sept 17. Is r44406 just a reference point?


Last edited by js290 on Sat Sep 19, 2020 1:10; edited 2 times in total
js290
DD-WRT Novice


Joined: 21 Sep 2014
Posts: 22

Posted: Sat Sep 19, 2020 1:08    Post subject: Re: Open firewall ports when upgrading build
ohnoo wrote:
Hi, I've flashed a WRT54G2v1...


I've also been testing dd-wrt on the WRT54G2v1. The one I have is horrible for latency sensitive apps like RDP, which I noted in this thread. Web surfing and streaming seems fine. What's your experience with your G2?

BTW, I'm running v3.0-r44251 micro (08/27/20) on my G2. I ran nmap against the WAN interface, and I'm not seeing the port open issue you are.

Code:
# nmap -p 1-1055 10.23.21.46
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 21:42 EDT
Nmap scan report for 10.23.21.46
Host is up (0.0023s latency).
Not shown: 1051 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
53/tcp  closed domain
80/tcp  closed http
514/tcp closed shell
MAC Address: 00:21:29:D5:26:FB (Cisco-Linksys)

Nmap done: 1 IP address (1 host up) scanned in 19.09 seconds


Upgraded to v3.0-r44406 micro (09/18/20) with same nmap results (and same latency issue).
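Added example (not code from this thread or from DD-WRT): a small Python check that parses nmap output of the kind js290 posted and a GRC ShieldsUp text summary of the kind quoted by egc, mwchang and hackler756, and reports which WAN-side ports replied (open or closed) instead of staying stealth. That is the comparison the thread does by hand before and after a firmware change. The embedded sample inputs are the reports from this thread, included as constructed test data; the allow list of ports you deliberately expose on the WAN is an assumption you supply yourself.

```python
import re

# Constructed sample input: the nmap report js290 posted above, embedded so the
# script runs offline. Replace it with your own scan run from the WAN side.
NMAP_SAMPLE = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 21:42 EDT
Nmap scan report for 10.23.21.46
Host is up (0.0023s latency).
Not shown: 1051 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
53/tcp  closed domain
80/tcp  closed http
514/tcp closed shell
MAC Address: 00:21:29:D5:26:FB (Cisco-Linksys)

Nmap done: 1 IP address (1 host up) scanned in 19.09 seconds
"""

# Constructed sample input: the counts section of a GRC ShieldsUp text summary,
# in the form quoted earlier in this thread.
GRC_SAMPLE = """\
Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested
"""

# One nmap port line: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return (port, proto, state, service) for every port nmap listed explicitly.

    Ports summarised by "Not shown: N filtered ports" never appear as lines,
    which is what we want: they gave no reply, i.e. what GRC calls stealth.
    """
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def non_stealth_ports(text, allowed=frozenset()):
    """Split the WAN-side scan into (unexpected, expected) replies.

    A "filtered" port gave no reply (stealth). "open" and "closed" both mean the
    router answered, so both are flagged unless the port is in `allowed`, the
    set of ports you deliberately expose on the WAN (an assumption you supply).
    """
    unexpected, expected = [], []
    for entry in parse_nmap(text):
        port, _proto, state, _service = entry
        if state == "filtered":
            continue
        (expected if port in allowed else unexpected).append(entry)
    return unexpected, expected


def grc_counts(text):
    """Extract the Open/Closed/Stealth/Tested totals from a GRC text summary."""
    counts = {}
    for m in re.finditer(r"^\s*(\d+) Ports (Open|Closed|Stealth|Tested)\s*$", text, re.M):
        counts[m.group(2).lower()] = int(m.group(1))
    return counts


def grc_is_stealth(text):
    """True only if nothing replied and every tested port was reported stealth."""
    c = grc_counts(text)
    return (c.get("open") == 0 and c.get("closed") == 0
            and "tested" in c and c.get("stealth") == c["tested"])


if __name__ == "__main__":
    bad, ok = non_stealth_ports(NMAP_SAMPLE, allowed={22})
    for port, proto, state, service in bad:
        print(f"WAN replied on {port}/{proto} ({service}): {state}, expected stealth")
    for port, proto, state, service in ok:
        print(f"{port}/{proto} ({service}) is {state} and on the allow list")
    print("GRC summary:", "stealth" if grc_is_stealth(GRC_SAMPLE) else "NOT stealth")
```

Run it against a scan taken from a host on the WAN side of the router, as js290 did; after a firmware change, anything in the unexpected list is what to compare against the Security / Firewall page settings. Note that a "closed" reply is still a reply: the router revealed itself even though nothing is listening.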