Firewall questions

Hi There,

I'm using the following config: NetworkCable

When I go to http://192.168.1.1/cgi-bin/luci/admin/status/realtime/connections I see a lot of connections, and some disturb me...

  1. |IPV4|UDP|QNAP-TS869L.lan:53626|li83-132.members.linode.com:20001|604.62 KB (5368 Pkts.)|

  2. |IPV4|UDP|QNAP-TS869L.lan:53626|li1552-65.members.linode.com:20001|603.70 KB (5365 Pkts.)|

  3. |IPV4|UDP|QNAP-TS869L.lan:53626|101.200.208.178:20001|365.09 KB (4591 Pkts.)|

  4. |IPV4|UDP|QNAP-TS869L.lan:53626|211.149.146.109:20001|365.04 KB (4590 Pkts.)|

  5. |IPV4|TCP|Clevo-901c.lan:49166|a173-223-106-9.deploy.static.akamaitechnologies.com:80|24.90 KB (215 Pkts.)|

I have some questions..

I thought that http = 80 and https = 443, so why does the source sometimes use very high numbers, like in line 5?

I also noticed that sometimes the source is using the same port but is going to a different address on the destination (see lines 1, 2, 3). Is this normal behavior?

I also noticed that sometimes the source is using different ports but is going to the same destination. Is this normal behavior?

Some destinations have easy-to-read web page addresses in them; others are hosted in China or the Netherlands, where I don’t have a server running. How can I determine how my NAS (QNAP) is going to member.linode.com and eventually close this connection?

Last question: is the standard firewall from OPENWRT considered as everything is closed and needs to be opened on command, the reverse, or otherwise?

Is there a good way to scan for open ports? I ask this because when I use a scanner on my phone while on wifi, I get different results for port 192.168.0.170 and 192.168.1.1.

Sorry for this long epistle; I hope somebody, or several people, can shed some light into the tunnel.
Thanks for reading
Guy

80 and 443 are the destination ports. The client is free to use any port of its choosing to connect to those ports. Source and listener ports under 1024 are typically reserved for privileged applications, though not all OSes enforce this.

Yes, especially for browsers that open multiple connections to the same server. The combination of source IP, source port, destination IP, and destination port are what make a connection "unique". If you're connecting to www.example.com:443 from a given host, then every connection needs a different source port to be unique.

iptables in its "raw" form is not a discard/reject-all firewall by default. However, OpenWrt configurations typically add a discard or reject rule for anything not explicitly allowed for incoming connections on "WAN" (or rely on IPv4 NAT to not pass the packet).

nmap is one tool that is often used.

You will get different results from different subnets if there is any routing or firewall in play.

I'm not sure what you're asking here. There seem to be two questions, one related to the path packets take, another related to how long a connection stays open. Would you clarify the question(s) a bit?
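The "unique by source IP, source port, destination IP and destination port" point above, worked on rows in the same format as the table quoted in the question. This is an added example, not something from the thread or from LuCI itself; the five rows are constructed copies of the ones posted, and the script only needs a POSIX shell and awk.

```shell
#!/bin/sh
# Added example (not from the thread): group LuCI "Realtime Connections" rows
# by the 4-tuple that makes each connection unique, so source-port reuse and
# non-well-known destination ports stand out at a glance.

# Constructed sample rows in the page's table format; the leading "|" is
# optional, as in the thread's line 5.
sample_rows() {
    cat <<'EOF'
|IPV4|UDP|QNAP-TS869L.lan:53626|li83-132.members.linode.com:20001|604.62 KB (5368 Pkts.)|
|IPV4|UDP|QNAP-TS869L.lan:53626|li1552-65.members.linode.com:20001|603.70 KB (5365 Pkts.)|
|IPV4|UDP|QNAP-TS869L.lan:53626|101.200.208.178:20001|365.09 KB (4591 Pkts.)|
|IPV4|UDP|QNAP-TS869L.lan:53626|211.149.146.109:20001|365.04 KB (4590 Pkts.)|
IPV4|TCP|Clevo-901c.lan:49166|a173-223-106-9.deploy.static.akamaitechnologies.com:80|24.90 KB (215 Pkts.)
EOF
}

# Reads rows on stdin. Prints one line per source socket (host:port/proto)
# with the number of distinct destinations it talks to, then one line per
# destination port with a well-known (<1024) vs. high-port hint.
summarize_connections() {
    awk -F'|' '
    NF < 5 { next }                        # blank or truncated row
    {
        off = ($1 == "") ? 1 : 0           # fields shift when row starts with "|"
        proto = tolower($(2 + off))
        src = $(3 + off); dst = $(4 + off)
        n = split(src, s, ":"); sport = s[n]          # port is after the last ":"
        shost = substr(src, 1, length(src) - length(sport) - 1)
        n = split(dst, d, ":"); dport = d[n]
        dhost = substr(dst, 1, length(dst) - length(dport) - 1)
        key = shost ":" sport "/" proto
        if (!((key, dhost) in seen)) { seen[key, dhost] = 1; ndst[key]++ }
        conns[dport "/" proto]++
    }
    END {
        for (k in ndst) printf "%s -> %d distinct destination(s)\n", k, ndst[k]
        for (p in conns) {
            split(p, q, "/")
            hint = (q[1] + 0 < 1024) ? "well-known" : "high port, look it up"
            printf "dest port %s: %d connection(s) [%s]\n", p, conns[p], hint
        }
    }' | sort
}

sample_rows | summarize_connections
```

The NAS's one UDP socket (53626) showing four destinations is the "same source port, different destination" case from the question; each row is still a distinct 4-tuple.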

Thanks for answering so fast...

You've made a lot of things easier to understand and I learned a lot.

If I understood you correctly, when somebody makes a connection to a site over https from a home, every connection gets a different port. But hypothetically, what happens if I have a very large home with over 65535 PCs all connecting to the same address?

I split the question...

Some lines in this: http://192.168.1.1/cgi-bin/luci/admin/status/realtime/connections are easily readable and don't make me suspicious; take:

|IPV6|TCP|ptr-17r8rng903x0ojm8cod.18120a2.ip6.access.telenet.be:49869|tweakers.net:443|54.35 KB (58 Pkts.)|

The previous line makes sense because I'm visiting this site.

However:

  1. |IPV4|UDP|QNAP-TS869L.lan:53626|li83-132.members.linode.com:20001|604.62 KB (5368 Pkts.)|

  2. |IPV4|UDP|QNAP-TS869L.lan:53626|li1552-65.members.linode.com:20001|603.70 KB (5365 Pkts.)|

  3. |IPV4|UDP|QNAP-TS869L.lan:53626|101.200.208.178:20001|365.09 KB (4591 Pkts.)|

Are more suspicious because I don't know why my NAS is making a connection to these addresses.

I don't know how to block it, or even how to investigate where it's coming from.

I did a whois on the internet and it seems:

1 is originating from the States

2 is originating from Japan

3 is coming from China

I would like to investigate and know which program is responsible for contacting these addresses.

I would like to learn how I can stop this, if this is something my NAS shouldn't do.

If you or somebody else would help me with this, it would be highly appreciated.

Kind regards.

Guy F

Thankfully, most homes behind NAT don't have tens of thousands of computers trying to connect to the same site and port at the same time! Yes, address and port exhaustion can be a problem, but it is typically not an issue except at the enterprise level.

The names for addresses that you see in lines like

|IPV6|TCP|ptr-17r8rng903x0ojm8cod.18120a2.ip6.access.telenet.be:49869|tweakers.net:443|54.35 KB (58 Pkts.)|

come from "reverse" DNS. The name is looked up given the IP address. There is no "law" that every IP address has to have a reverse DNS entry ("PTR"). It is also very common for one IP address to be returned for multiple "forward" DNS names, and it is not the case that just one IP address is returned for a given name. That there is a symbolic name in the entry doesn't mean that it is "good" or "bad", just that it exists.

I'm not familiar with your NAS software, nor what you or someone else has running on hosts at members.linode.com. For someone learning how to "watch" TCP/IP traffic, the wireshark program running on a "desktop" is perhaps the easiest tool to start to use. I know it runs on Linux- and FreeBSD-based OSes, as well as macOS. I believe it can run under Windows as well. It's a little too much for most OpenWrt routers to run natively, but there are some tricks on how to capture the packets on OpenWrt and then look at them on another machine connected through ssh. You can also "snoop" the traffic at some point in your network with a decent-quality switch and a "spare" Ethernet dongle or port.

"Well known ports" can be looked up in `/etc/services`. For other ports, an Internet search can be revealing. I checked 20001 as it isn't one I recognize, and the first result returned by Google was https://www.speedguide.net/port.php?port=20001 (not necessarily the best, just the first) which states, among other things:

QNAP CloudLink uses port 20001 UDP to allow access without explicit port forwarding (technology similar to STUN for VoIP). CloudLink is not required if ports are manually forwarded and the NAS accessible.
QNAP uses the following ports:
Web server: 80,8081 TCP and 443,8080 TCP (web admin)
FTP/SFTP/SSH: 20,21,22 TCP and 13131 TCP (telnet)
Remote Replication: 873,8899 TCP
VPN server: 1723 TCP (PPTP), 1194 UDP (OpenVPN)
CloudLink: port 20001 UDP (optional, only required for access without manual port forwarding)

Based on that, I would guess that your QNAP box is either "phoning home" or connecting to another cloud-based service. Looking into how your QNAP box works, including any cloud-based services you use, may provide further insight. It may also be connections to/from QNAP-specific clients that are outside of your internal network.

NAT is a hack to extend the life of ipv4; in your example the hack breaks... Welcome to the world where we need ipv6 in a serious way.

@Forssux

It sounds like QNAP makes your NAS accessible to the outside world (hopefully through some kind of authentication/encryption) by some kind of situation where QNAP uses a proxy to carry the traffic thereby getting around the fact that most people don't have working ipv6 with inbound open ports for specific purposes. Or, since they mention STUN in that description perhaps this port 20001 traffic is just to command/control outbound traffic towards the external access.

linode.com is a well known provider of "cloud VPS" machines, so QNAP probably rents instances from them to handle this proxying / cloud connectivity service.

If you want to turn off this traffic, it's pretty easy in LuCI to define a firewall rule to drop any outbound UDP packets to port 20001.
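The outbound drop rule described in the reply above, written as uci commands rather than clicked together in LuCI. This is an added example and not from the thread or from OpenWrt's own documentation; it assumes the default "lan" and "wan" zone names, and the NAS address 192.168.1.50 is a placeholder to replace with the real one.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt's own docs: the outbound
# rule the reply describes, as uci commands for /etc/config/firewall.
# Assumptions: zones are the OpenWrt defaults "lan" and "wan"; the NAS address
# is a placeholder to replace; the rule is applied by piping the output to sh
# on the router (e.g. ./block_cloudlink.sh | ssh root@192.168.1.1 sh).

NAS_IP="${NAS_IP:-192.168.1.50}"    # placeholder, replace with the NAS's LAN address

# Emits the commands instead of running them, so the rule can be reviewed
# first and the script also runs on a machine without uci.
block_cloudlink_rule() {
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Drop-NAS-CloudLink-UDP-20001'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].src_ip='$NAS_IP'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='20001'
uci set firewall.@rule[-1].target='DROP'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# The same rule as it appears in /etc/config/firewall after "uci commit":
#   config rule
#       option name 'Drop-NAS-CloudLink-UDP-20001'
#       option src 'lan'
#       option src_ip '192.168.1.50'
#       option dest 'wan'
#       option proto 'udp'
#       option dest_port '20001'
#       option target 'DROP'
#
# Check that the rule is loaded: "iptables-save | grep 'dport 20001'" on
# fw3/iptables builds, or "nft list ruleset | grep 20001" on fw4/nftables.

block_cloudlink_rule
```

Dropping src_ip widens the rule to every LAN host, which is what the reply suggests; scoping it to the NAS keeps other devices' UDP/20001 traffic, if any, visible on the Realtime Connections page.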

Hi thanks all for the help,

Indeed the QNAP was offering services, which I disabled, and indeed the addresses disappeared from the list.
I especially would also like to thank Jeff for clarifying so many questions in one answer.

Thanks again

Kind Regards


Consider marking the topic solved by clicking the checkmark near the bottom of the post with the solution.
