New installation with default settings - ports are closed, not stealth?

I am a new user. Last weekend, I flashed openwrt to Cudy WR3000 v1. But, I did not connect the device to a live environment at that point.

Today, I changed my Xfinity gateway (meaning modem and router) to bridge mode so that it acts as a modem only. Xfinity calls the gateway "XB7" and here are some further details that I found: Model: CGM4331COM; Vendor: Technicolor. Then, I connected the Cudy router.

I ran a scan of my ports by going to https://www.grc.com/shieldsup
First, click on "Proceed" on the first page. Then, there is a tab there that lets me scan "all service ports."

The remote server then scanned ports 0 - 1055.

Result:
approx 8 stealth ports
approx 1047 closed ports

I would like to have as many ports as possible in stealth mode because the site that I used to run the check recommends this.

My Cudy settings:
I only changed the DNS server. Everything else is default.

It has pretty much zero practical impact whether ports are ‘stealth’ or closed. Proper network functionality expects closed ports to respond as such.

But, if you do want to change it then you need to alter the firewall rule for input traffic from WAN. The default is reject but you can change it to drop.

4 Likes

Xfinity connection is CGNAT. So you are scanning their CGNAT gateway used by multiple users.

I don't have much familiarity with CGNAT. When I run the scan, do you think it's scanning the gateways for all of the users that share my IP address?

When I turn off bridge mode on the gateway and then run the scan, I get the following results:
ports 1 - 1055: stealth mode.

Your ISP is doing that even in "bridge mode."

1 Like

Do what @krazeh said. I use Xfinity and have never had CGNAT.

Ok, I think I understand. So, the 8 ports in the range 0 - 1055 that Xfinity says they are blocking show as stealth.

I am personally not seeing a lot of downside with CGNAT for my use case.
I read that CGNAT could create problems with video calls, and video calls are a service that I have used from time to time.
Also, I have noticed that some websites authenticate you by IP address. So, there is some vulnerability whereby someone with the same IP address as you can impersonate you more easily.
As a positive, I see similarities between CGNAT and VPN client service.
I don't fully understand the pros and cons yet.

But why do you even think you have CGNAT? Is the public IP on your WAN interface different than the IP you saw at grc.com Shields Up?

ifstatus wan | jsonfilter -e '@["ipv4-address"][0].address'
wget -q -O - http://myipv4.addr.tools/

Does the output of these 2 commands match (run on the router)?

1 Like

In the openwrt GUI, under "IPv4 Upstream," I see my IPv4 address. The only thing that is strange with the IP address is that it has /22 at the end.
The IPv4 address that www.grc.com detects matches this IP address except without the /22 at the end.
I also see an IPv6 address in the openwrt GUI and that one ends with /128.

At the moment, I don't understand how to run commands on the openwrt router. It looks like I have to connect via SSH in order to do that and I will have to read up on how to do that. The good news is that my computer is Linux, so it's probably a little easier.

No worries. You don't have CGNAT. Change the wan Zone INPUT policy to DROP and you should see everything turn stealth on ShieldsUp!.

That /22 represents the subnet mask, a shorthand for 255.255.252.0.

Thank you. I found the setting that you were referring to:
Network -> Firewall -> General Settings
under "Zones"
change wan input to DROP

1 Like
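As an added example, not code from the thread or from OpenWrt itself: a small shell audit that reads a UCI firewall config, reports a zone's input policy and rewrites it, so the REJECT to DROP change described above can be checked offline against the constructed sample config embedded in the script. The uci commands in the comment are the on-router equivalent and assume the stock zone order (lan first, wan second).

```shell
#!/bin/sh
# Added example, not from the thread or OpenWrt: audit a UCI firewall config for a
# zone's input policy and rewrite it. The config text is a constructed sample.
STOCK_FIREWALL_CONFIG="config defaults
	option input REJECT
	option output ACCEPT
	option forward REJECT
config zone
	option name lan
	option input ACCEPT
config zone
	option name 'wan'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	list network wan
"

# zone_input_policy CONFIG_TEXT ZONE_NAME -> prints the zone's input policy,
# falling back to "config defaults" when the zone sets none, UNKNOWN if no zone.
zone_input_policy() {
	printf '%s\n' "$1" | awk -v want="$2" '
		$1 == "config" { n++; type[n] = $2; next }
		$1 == "option" { gsub(/[\042\047]/, "", $3) }   # strip UCI quotes
		$1 == "option" && $2 == "name"  { name[n] = $3 }
		$1 == "option" && $2 == "input" { input[n] = $3 }
		END {
			for (i = 1; i <= n; i++) {
				if (type[i] == "defaults") def = input[i]
				if (type[i] == "zone" && name[i] == want) { found = 1; zin = input[i] }
			}
			res = found ? (zin != "" ? zin : def) : ""
			print (res != "" ? res : "UNKNOWN")
		}'
}

# set_zone_input CONFIG_TEXT ZONE_NAME POLICY -> prints the config with that
# zone's input policy replaced (assumes "option name" precedes "option input",
# as in the stock file). On-router equivalent, wan being @zone[1] by default:
#   uci set firewall.@zone[1].input='DROP'; uci commit firewall; /etc/init.d/firewall reload
set_zone_input() {
	printf '%s\n' "$1" | awk -v want="$2" -v pol="$3" '
		$1 == "config" { zone = "" }
		$1 == "option" && $2 == "name"  { zone = $3; gsub(/[\042\047]/, "", zone) }
		$1 == "option" && $2 == "input" && zone == want { sub(/[^ \t]+[ \t]*$/, pol) }
		{ print }'
}
```

On a router the same check is `zone_input_policy "$(cat /etc/config/firewall)" wan`, which should print DROP once the change from the thread has been committed.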
