Posted: Sat Aug 09, 2025 19:40 Post subject: DDWRT sending unsolicited packed to GRC Shields Up!
Have a Linksys WRT 1900ACS router. Running DD-WRT v3.0-r62036 std (08/08/25)
I usually do a GRC Shields Up! test (port scanning the first 1056 ports) every time I update. As usual, all ports were stealthed. Solicited TCP Packets PASSED and Ping Echo PASSED.
However, my Unsolicited Packets test resulted in a RECEIVED FAILED status.
While I was trying to troubleshoot why this was happening, playing (checking/unchecking) with the new options under Security > Firewall...
Code:
Detect and Block Port Scanners (checked),
Slowdown connection attempts (tarpit) (checked)
Filter TCP/SYN flood (unchecked, due to interfering with VPN)
Filter UDP Floods (unchecked, interfering with VPN)
Filter Ping Echo Request Floods (checked)
...I ended up not being able to run the GRC test anymore. I think the server decided I was pinging it too many times and refused connection/tarballed me (already cleared all my cache and cookies, and it works fine from a different IP). So, I can't even continue my troubleshooting.
So what is happening here with my FAILED status, and how do I fix it?
It should be noted that ALL options under Security > Firewall are checked, EXCEPT for filter proxy, filter cookies, filter TOS/DSCP, Filter TCP/SYN floods, Filter UDP floods.
Joined: 13 Aug 2013 Posts: 7155 Location: Romerike, Norway
Posted: Sun Aug 10, 2025 10:10 Post subject:
This is how the Shields Up Test are working. Before you start, it show from what IP Address the test will originate from.
You should also Disable the Port Scan Protection, otherwise it will blocked after a few ports.
I hadn't tried grc.com's ShieldsUP in a year or two and I'm also failing now with:
Code:
Unsolicited Packets: RECEIVED (FAILED) — Your system's personal security countermeasures unwisely attempted to probe us in response to our probes. While some users believe that "tracking down" the source of Internet probes is useful, experience indicates that there is little to gain and potentially much to lose. The wisest course of action is to simulate nonexistence — which your system has failed to do. Your counter-probes immediately reveal your system's presence and location on the Internet.
I'm on dd-wrt r64210 so not very old.
I have these checked in Security->Firewall
ARP spoofing protection
Filter invalid packets
Anonymous WAN requests (ping)
Multicast communication
IDENT (Port 113)
WAN SNMP Access
Anybody else failing the ShieldsUP test? Any ideas?
Thanks for the tip. I tried unselecting these two and then the test passed.
ARP spoofing protection
Filter invalid packets
Turned them back on one at a time to find the culprit and the test continues to pass. I'm back to my original settings and True Stealth Analysis is now stamped PASSED.
I'll revisit this later and report back if anything useful comes up.
Note: I was clicking on "All Service Ports" in Shields UP!
Joined: 16 Nov 2015 Posts: 7208 Location: UK, London, just across the river..
Posted: Mon May 11, 2026 20:16 Post subject:
kernel-panic69 wrote:
Pretty sure all the new firewall features need to be disabled for it to act right.
yep those must be disabled unless you know what you are doing very very well...and if something get into the tarpit then you'd need to hard boot/cable off the router..as it gets blocked for X amount of time...to me all those are good only in very specific scenario and yes those tend to cause troubles..so, its a horses for courses...and nmap does better for checking... _________________ Atheros
TP-Link WR1043NDv2 -DD-WRT 64453 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 -OpenWRT Kong 25.12
Netgear XR500 -DD-WRT 64954 GTW/SmDNS/DoT,AD-Blk,Forced DNS,AP&Net Isolation,x2VLAN,Vanilla
Netgear R7800 --DD-WRT r64954 Gateway/DNSCryptv2,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla,VPN cli
Netgear R9000 --DD-WRT 64764 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Dynalink DL-WRX36-DDWRT 64453
Broadcom
Netgear R7000 --DD-WRT 64954 GTW/DNScrypt-proxy2/AD-Block,IPset Firewall,Forced DNS,x4VLAN,VPN cli
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 16 Nov 2015 Posts: 7208 Location: UK, London, just across the river..
Posted: Tue May 12, 2026 7:48 Post subject:
It wont harm if i share mine...im not using some of those with blocking rates for reason, nor the tarpit ...
my ISP provides relatively "clean" connection...but from time to time i do have port-scanners if i expose my SSh on WAN side, but i dont care as ssh key does the job...hope so _________________ Atheros
TP-Link WR1043NDv2 -DD-WRT 64453 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 -OpenWRT Kong 25.12
Netgear XR500 -DD-WRT 64954 GTW/SmDNS/DoT,AD-Blk,Forced DNS,AP&Net Isolation,x2VLAN,Vanilla
Netgear R7800 --DD-WRT r64954 Gateway/DNSCryptv2,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla,VPN cli
Netgear R9000 --DD-WRT 64764 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Dynalink DL-WRX36-DDWRT 64453
Broadcom
Netgear R7000 --DD-WRT 64954 GTW/DNScrypt-proxy2/AD-Block,IPset Firewall,Forced DNS,x4VLAN,VPN cli
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
