Firewall/Port Forwarding

I'm fairly new to OpenWrt and have been exploring and configuring my network. I've managed everything so far but one thing and wondered if anyone could give me some advice. I've "stealthed" all my ports apart from the specific ones I need for certain services, which I have set to open with port forwarding rules. I successfully managed to open port 5000, which is great. However, I recently purchased a smart home device which requires ports 5671 and 5672 in order to be communicated with. I set up port forwarding rules but the device is still not accessible remotely. When using the GRC ShieldsUP test the port shows up as closed rather than stealth, but for some reason is not open. Is this because the service isn't running on the smart device, or is it a configuration error on my end? Thanks to anyone who can help.

Make sure the device you're forwarding to is using your OpenWrt router as default gateway.

Yes, it's definitely the default gateway. The modem behind the router (router is a WRT3200ACM) is in bridge mode.

It's quite unusual for home smart devices to require specific ports to be open and forwarded to them; most users are unable to configure their routers accordingly. I would first make sure that this is not a misunderstanding or bad translation.

Then you can use almost any monitoring tool to check that those devices effectively have the required ports open themselves, from inside the LAN.

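A LAN-side check of the kind suggested in the reply above, as an added example (not code from the thread or from OpenWrt): from a host inside the LAN it attempts a TCP handshake to each port the device is supposed to need and classifies the answer the same way ShieldsUP does (open, closed, or filtered/"stealth"). The device address 192.168.1.50 and the port list are assumptions; substitute the device's real LAN IP.

```python
"""Probe a LAN device's TCP ports from inside the LAN.

A port-forwarding rule on the router can only hand traffic to a port the
device is actually listening on, so this check tells the two cases apart:
'closed' means the device answered with a RST (nothing listening), while
'filtered' means no answer at all (dropped by a firewall on the device, or
a wrong address).
"""
import socket
from typing import Dict, Iterable

# Constructed sample values for the thread's situation (assumptions):
# 192.168.1.50 is the smart home device's LAN address, 5000 is the port that
# already works, 5671/5672 are the ports the vendor says must be open.
DEVICE_IP = "192.168.1.50"
DEVICE_PORTS = (5000, 5671, 5672)


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"          # three-way handshake completed
        except ConnectionRefusedError:
            return "closed"        # host replied with RST: nothing listening
        except (socket.timeout, TimeoutError):
            return "filtered"      # SYN silently dropped before the timeout
        except OSError:
            return "unreachable"   # e.g. no route to host, wrong subnet


def probe_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe several ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def forwardable_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> list:
    """Only ports the device itself has open are worth a port-forwarding rule."""
    return [port for port, state in probe_ports(host, ports, timeout).items()
            if state == "open"]


if __name__ == "__main__":
    # Run from a laptop on the same LAN as the device.
    for port, state in probe_ports(DEVICE_IP, DEVICE_PORTS).items():
        print(f"{DEVICE_IP}:{port} {state}")
    print("worth forwarding:", forwardable_ports(DEVICE_IP, DEVICE_PORTS))
```

If 5671 and 5672 come back `closed` from inside the LAN, the device is not listening on them and no router rule can change that, which points to the vendor meaning outbound connections rather than inbound ones. `filtered` from inside the LAN usually means a firewall on the device or a wrong address, not a router problem.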

I think you're probably right. I had to contact their support, as upon initially setting up the device I realised that I am unable to control the device from outside of the LAN. One of their suggestions was to ensure that ports 5671 and 5672 are open. But even after setting up port forwarding on those ports, they don't seem to open. I imagine this is most likely because it doesn't actually require these ports, but I just wanted to make sure I wasn't doing something obviously wrong.

While slightly off topic, I'd take the information of what ports the IoT device needs access to, as well as what IP blocks it needs access to, configure rules for those specific ports and IP blocks, then block all other traffic to and from it.

  • IoT devices are a security nightmare, as 99% of companies do not properly implement basic network security, making many, if not most, IoT devices easily exploitable, either for DDoS attacks or for accessing the device directly for data mining (such as this rare encounter with a nice hacker, who hacked into an owner's NEST camera and told him to change his password)

Thanks for the advice. I'm guessing the only way to establish this is to ask them?

You could try that, or use a packet sniffer/port connection monitor to monitor the traffic to/from the IoT device over a 24hr period of it being actively used.

  • For example, it's likely going to use ports 80 & 443; however, you wouldn't want to configure port forwarding rules for those two ports. Instead, you'd want to configure /etc/config/firewall [fw3] or /etc/firewall.user [iptables] rules for blocks of IP addresses or for individual IP addresses
    • I'd personally prefer iptables rules directly via /etc/firewall.user, as it will allow you to configure connection limits and specify to allow new traffic only when initiated by the IoT device, rejecting all new inbound requests
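The /etc/config/firewall (fw3) form of what the reply above describes, as an added example that is not from the poster or from the OpenWrt project: the IoT device may only start connections to the destinations and ports the 24-hour capture showed, and every other forwarded connection from it is rejected. All addresses are placeholders: 192.168.1.50 stands for the device's LAN address, and 203.0.113.0/24 (an RFC 5737 documentation range) stands for the vendor's cloud range learned from the capture; the rule names are my own. The port numbers are the thread's; 5671 and 5672 are the IANA-registered AMQPS/AMQP ports, which fits a device that connects out to a message broker.

```uci
# Added example for /etc/config/firewall (fw3). Rules are evaluated in order
# and the first match wins, so the allow rules must precede the final reject.
# 192.168.1.50  = IoT device on the LAN (assumption)
# 203.0.113.0/24 = vendor cloud range observed in the capture (placeholder)

config rule
	option name 'iot-allow-broker'
	option src 'lan'
	option src_ip '192.168.1.50'
	option dest 'wan'
	option dest_ip '203.0.113.0/24'
	option proto 'tcp'
	option dest_port '5671-5672'
	option target 'ACCEPT'

config rule
	option name 'iot-allow-web'
	option src 'lan'
	option src_ip '192.168.1.50'
	option dest 'wan'
	option dest_ip '203.0.113.0/24'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'

# Everything else the device tries to start towards the internet is refused.
config rule
	option name 'iot-reject-other-egress'
	option src 'lan'
	option src_ip '192.168.1.50'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Two points worth knowing before applying it: the firewall is stateful, so replies to connections the device opened through the allow rules come back without any extra rule, while unsolicited inbound connections from the wan side are already rejected by the default wan zone policy unless a port forward exists for them. The reject rule only covers traffic forwarded to the wan zone; DNS and DHCP requests the device sends to the router itself (lan zone input) are unaffected, so add a matching allow rule for any external resolver or NTP server the capture shows the device using. Reload with `/etc/init.d/firewall restart` after editing.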

I would bet they mean that those ports must be open for the device to establish outgoing connections, not the other way around.

As @JW0914 commented, I think it's time to use a packet monitor.
