I have an Archer C7 running 18.06.1 and my setup is 'basic': ISP Modem (FTTH ONT as bridge) -> openwrt.
I was checking if a portforward was open through canyouseeme.org and almost every port I tried was open. I checked then GRC ShieldsUP and got the following result, while the test through speedguide.net gave me 45 open ports.
The weird thing is that the 'dummy' ports are open, while the service ones like 53, 445 and 25 are filtered (this in speedguide).
Am I doing something wrong with my settings? This is my firewall config.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option network 'wan wan6 modem'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'DROP'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Block-Outbound-TFTP'
option src 'lan'
option dest 'wan'
option dest_port '69'
option proto 'udp'
option family 'any'
option target 'REJECT'
config rule
option name 'Block-Outbound-Syslog'
option src 'lan'
option dest 'wan'
option dest_port '514'
option proto 'udp'
option family 'any'
option target 'REJECT'
config rule
option name 'Block-Outbound-SNMP'
option src 'lan'
option dest 'wan'
option dest_port '161 162'
option proto 'udp'
option family 'any'
option target 'REJECT'
config rule
option name 'Block-Outbound-SMB'
option src 'lan'
option dest 'wan'
option dest_port '135 137 138 139 445'
option proto 'tcpudp'
option family 'any'
option target 'REJECT'
config rule
option proto 'tcp'
option dest_port '22'
option family 'ipv4'
option dest 'wan'
option target 'REJECT'
option name 'Block SSH from lan'
config include
option path '/etc/firewall.user'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '21'
option dest_ip '192.168.1.1'
option dest_port '21'
option name 'ftp'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option dest_ip '192.168.1.1'
option dest_port '51413'
option name 'transmission'
Thanks in advance!!