
I am forwarding a port through to a PLC/Management unit type device for a heatpump. The device accepts local connections from the LAN on port 80. It runs a normal web site on port 80 for management.

When forwarding a port through, it simply does not accept any connections. My port forwarding is working, as I am forwarding many other ports through to other devices/servers.

What tickles me, is that the device does not require a username and password to log onto the web interface and start changing some settings. I am wondering if it's a possible security feature to drop packets that did not originate from the LAN?

I have tried:

TCP: 1111 -> 80

UDP: 1111 -> 80

(Because I was out of troubleshooting options, wondered if it may have some secondary protocol running used by the website)

TCP: 10556 -> 80

Also tried all of the above to -> 8080

I did fire off an email to the product manufacturer, but not too hopeful for a reply.

Louis van Tonder
  • When you try to connect to the external (forwarded) address, where are you trying to connect from? A client on the LAN, or a machine on the internet? – MadHatter Dec 12 '14 at 07:53
  • I tried both. My firewall supports hairpin NAT out of the box, so it should work from the LAN connecting to the dyn address. But just to be safe, I tried connecting from outside the LAN as well. – Louis van Tonder Dec 12 '14 at 07:58
  • Have you verified the network configuration on that device? Bad subnet mask maybe? –  Dec 12 '14 at 08:08
  • If the device only responds to other systems within the LAN, it may be missing a gateway. That would make responding to internet requests using port forwarding without SNAT impossible. – HBruijn Dec 12 '14 at 08:11
  • Hi, the device uses the same gateway and DNS settings as the rest of the nodes on my lan. But let me double check that again. – Louis van Tonder Dec 12 '14 at 08:17
  • The device definitely uses the same DNS and gateway as other nodes. I have confirmed now, since I dropped the port to 1111, I can indeed access it using the dyn address and port, from within the LAN. But not from outside. As stated, all my other port forwards are operational, so the Firewalling and Dyn DNS are working. – Louis van Tonder Dec 12 '14 at 08:32
  • Can you run tcpdump on the device doing the DNAT? `tcpdump -lnn -i ethX host 192.0.2.1` - replace ethX and the IP address of the PLC as appropriate. – fukawi2 Dec 12 '14 at 08:32
  • Ok, ran tcpdump on my Green interface (LAN). It definitely gets some action when I hit it from outside. Not sure what I am looking for though (a bit out of my depth here). Running tcpdump on my RED (PPPoE) interface does not produce any results. – Louis van Tonder Dec 12 '14 at 08:54
  • I can see my connection coming in to the device. My firewall then requests an ARP lookup to the device, it replies with its MAC. Then the device does various UDP lookups on port: 1900. (pnp). That's about it... There seems to be a whole bunch of dynamic ports used in the 60K range for all of this... – Louis van Tonder Dec 12 '14 at 09:33
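The comment thread above (missing gateway, bad subnet mask, DNAT with or without SNAT) boils down to one question: after the firewall rewrites the destination, can the device route its reply back to whatever source address it sees? The following is an added example, not code from the post or from any commenter, that models exactly that check with Python's `ipaddress` module. The `Device` class, the helper names and every address in it (a 192.168.1.0/24 LAN, a 203.0.113.7 remote client) are constructed for illustration; a hairpin-NAT client is modelled only as an on-link source, ignoring the extra SNAT most hairpin implementations apply.

```python
"""Added example (not from the original Server Fault post): a small model of
why a port-forwarded (DNAT-only) connection can fail when the internal device
lacks a usable default gateway or has a wrong subnet mask, and why SNAT on the
firewall sidesteps the problem.

All addresses are constructed sample values, not the poster's real network."""

from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Device:
    """Minimal IP configuration of the LAN host behind the port forward."""
    ip: str
    netmask: str
    gateway: Optional[str]   # None models a device with no default route set

    @property
    def network(self) -> ipaddress.IPv4Network:
        # ip_interface accepts a dotted netmask after the slash
        return ipaddress.ip_interface(f"{self.ip}/{self.netmask}").network

    def can_reply_to(self, src: str) -> bool:
        """Can this device route a packet back to `src`?

        On-link destinations only need ARP; anything else needs a default
        gateway that is itself on-link. A missing or unreachable gateway means
        the SYN-ACK is dropped on the device, which looks like "no connection"
        from outside while LAN clients keep working."""
        src_ip = ipaddress.ip_address(src)
        if src_ip in self.network:
            return True
        if self.gateway is None:
            return False
        return ipaddress.ip_address(self.gateway) in self.network


def source_seen_by_device(client_ip: str, firewall_lan_ip: str, snat: bool) -> str:
    """Source address the device sees after the firewall's DNAT.

    DNAT only rewrites the destination, so the device still sees the real
    client address. If the forward rule also SNATs (masquerades), the firewall
    substitutes its own LAN address and the reply is always on-link."""
    return firewall_lan_ip if snat else client_ip


def forward_works(device: Device, client_ip: str, firewall_lan_ip: str, snat: bool) -> bool:
    """True if the forwarded TCP handshake can complete end to end."""
    return device.can_reply_to(source_seen_by_device(client_ip, firewall_lan_ip, snat))


# Constructed sample values: a /24 LAN with the firewall at .1.
FIREWALL_LAN = "192.168.1.1"
LAN_CLIENT = "192.168.1.50"        # a hairpin-NAT test from inside the LAN
INTERNET_CLIENT = "203.0.113.7"    # documentation range, stands in for a remote client

good_device = Device("192.168.1.20", "255.255.255.0", "192.168.1.1")
no_gateway = Device("192.168.1.20", "255.255.255.0", None)
wrong_mask = Device("192.168.1.20", "255.255.255.240", "192.168.1.1")  # /28: gateway is off-link


def diagnose(device: Device) -> dict:
    """Summarise the cases the comment thread walks through."""
    return {
        "lan_client_dnat_only": forward_works(device, LAN_CLIENT, FIREWALL_LAN, snat=False),
        "internet_client_dnat_only": forward_works(device, INTERNET_CLIENT, FIREWALL_LAN, snat=False),
        "internet_client_dnat_snat": forward_works(device, INTERNET_CLIENT, FIREWALL_LAN, snat=True),
    }


if __name__ == "__main__":
    for name, dev in [("good", good_device), ("no gateway", no_gateway), ("bad mask", wrong_mask)]:
        print(f"{name:>11}: {diagnose(dev)}")
```

The "no gateway" row reproduces the poster's symptom (works from the LAN, dead from the Internet) and shows that adding SNAT to the forward rule would mask it; the "bad mask" row shows why a wrong netmask breaks even the SNAT case, since the firewall itself is no longer on-link. The tcpdump observation in the thread (inbound SYN visible on the LAN interface, ARP exchange, then nothing) is consistent with the reply being dropped on the device rather than on the firewall.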

1 Answer


This turned out to be an issue with the device. It did not respond properly to outside connections when configured with a static IP.

Louis van Tonder