Rules to harden Netgear r6100

Started up an old Netgear R6100 today to use as a firewall and upgraded OpenWrt 15.x to 18.06.1. Wireless is turned off on this device as it acts only as a firewall/NAT router from cable modem to local LAN.

I then ran a port scan check via grc.com's Shields Up!. It returns:

Solicited TCP Packets: RECEIVED (FAILED)
Unsolicited Packets: PASSED
Ping Echo: PASSED

These ports are stealthed according to grc.com.

25 SMTP
80 HTTP
135 RPC
139 Net BIOS
445 MSFT DS

Do I need to add rules to /etc/firewall.user or LuCI so these ports are blocked? Is there an example rules page for post-install tweaks?

Check your configuration, as none of those ports are open on the WAN side by default in OpenWrt and none, with the exception of 80, have a listener in the default distribution. Port 80 is blocked for WAN access in the default OpenWrt configuration.

Edit 1:

After trying the [edit: UPnP, not "full"] test on myself (knowing what I should have open and not, and I certainly have ports open with listeners on them), I got
[screenshot of the Shields Up! UPnP test result]

which suggests that you may have UPnP enabled.

These days, unless you've got a really compelling reason to do so, most of the world works just fine without the security risk of UPnP.

Edit 2

Having found it, I ran the "full" test and it isn't accurate for what it identifies as "stealth" ports.

Similar to @iplaywithtoys' comment below, I know Comcast blocks port 25 and wouldn't be surprised if they followed common practices of blocking the Microsoft chatter on 135-139 and a few others as well. They show up as "stealth" in the test results for me, and I know that they are not open past even my first firewall.

Edit 3:

An nmap scan by one of the first "remote port scanner" tools listed by a Google search; those that it does indicate as "filtered" are likely ones that Comcast filters:

[screenshot of the nmap scan results]

(note that the referenced tool only checks a limited number of ports in its "free" version)

(Yes, 80 and 443 are intentionally configured to be open and are served by nginx that is not running on OpenWrt, but on a locked-down service host elsewhere in my network.)

See also: https://nmap.org/book/man-port-scanning-basics.html
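As an added example, not code from the thread or from OpenWrt itself: the "check your configuration" step above can be done statically against /etc/config/firewall. The script below parses the UCI file, reports the wan zone's input policy and every DNAT redirect or ACCEPT rule sourced from wan, and predicts what an outside scanner should see per port before any ISP filtering. A stock wan zone with `option input 'REJECT'` answers unsolicited probes with a reset, which is exactly what Shields Up! reports as "solicited TCP packets received"; only DROP produces its "stealth". The sample config, the nginx forward to 192.168.1.10 and the DROP fallback for a zone without an explicit policy are assumptions made for illustration.

```python
import shlex

# Constructed sample (assumption): a stock-style OpenWrt wan zone plus one
# port forward and one ACCEPT rule, added to show how each is reported.
SAMPLE_FIREWALL = """
config defaults
    option input 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option target 'ACCEPT'

config redirect
    option name 'nginx'
    option src 'wan'
    option src_dport '443'
    option dest_ip '192.168.1.10'
    option dest_port '443'
    option proto 'tcp'
    option target 'DNAT'
"""

def parse_uci(text):
    """UCI text -> list of section dicts ('.type', '.name', options as str, lists as list)."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if words[0] == "config":
            current = {".type": words[1], ".name": words[2] if len(words) > 2 else None}
            sections.append(current)
        elif current is None:
            raise ValueError("option/list outside a config section: %r" % line)
        elif words[0] == "option":
            current[words[1]] = words[2] if len(words) > 2 else ""
        elif words[0] == "list":
            current.setdefault(words[1], []).append(words[2] if len(words) > 2 else "")
    return sections

def _entry(kind, s, port, to):
    return {"kind": kind, "name": s.get("name") or s[".name"] or "?",
            "proto": s.get("proto", "tcp udp"), "port": port, "to": to}

def wan_exposure(sections, zone="wan"):
    """Return (input_policy, admitted): what unsolicited traffic to the router
    gets (REJECT answers -> 'closed'; DROP is silent -> 'filtered'/'stealth')
    and every DNAT redirect / ACCEPT rule whose source is the zone."""
    defaults = next((s for s in sections if s[".type"] == "defaults"), {})
    policy, admitted = None, []
    for s in sections:
        kind = s[".type"]
        if kind == "zone" and s.get("name") == zone:
            # Fallback order is an assumption; real configs set input explicitly.
            policy = s.get("input") or defaults.get("input") or "DROP"
        elif kind == "redirect" and s.get("src") == zone and s.get("target", "DNAT") == "DNAT":
            to = "%s:%s" % (s.get("dest_ip", "?"), s.get("dest_port", s.get("src_dport", "any")))
            admitted.append(_entry("forward", s, s.get("src_dport", "any"), to))
        elif kind == "rule" and s.get("src") == zone and s.get("target") == "ACCEPT":
            admitted.append(_entry("accept", s, s.get("dest_port", "any"), s.get("dest", "router")))
    if policy is None:
        raise ValueError("zone %r not found" % zone)
    return policy, admitted

def _port_matches(spec, port):
    """True if `port` falls in a UCI port spec such as '443', '6000-6010' or 'any'."""
    if spec == "any":
        return True
    for piece in spec.split():
        lo, _, hi = piece.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def predict_scan(sections, port, proto="tcp", zone="wan"):
    """Expected external scan state for one port, before any ISP filtering:
    'admitted ...' (open if something listens behind the rule), 'closed'
    under a REJECT input policy, 'filtered' under DROP."""
    policy, admitted = wan_exposure(sections, zone)
    for e in admitted:
        if proto in e["proto"].split() and _port_matches(e["port"], port):
            return "admitted (%s %s -> %s)" % (e["kind"], e["name"], e["to"])
    return "closed" if policy == "REJECT" else "filtered"

if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_FIREWALL)
    print("wan input policy:", wan_exposure(cfg)[0])
    for p in (25, 80, 135, 139, 443, 445):
        print("%5d/tcp  %s" % (p, predict_scan(cfg, p)))
```

On a real router, feed it the output of `cat /etc/config/firewall` and compare the per-port prediction with what the external scanner reports; a port the scanner calls "stealth" that the config says should be "closed" is the signature of something upstream (typically the ISP) filtering it, not of an OpenWrt rule.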

Which port numbers were flagged as "failed"?

My ISP rejects ports 135-139 (instead of drops), which triggers a "failure" if I use Shields Up!. That Shields Up! test is very useful, but has its limitations. The primary limitation is that it's been written with the viewpoint of assuming that any response to outside traffic is BAD AND EVIL OMG, rather than providing a neutral report of which ports are open, the risk(s) they represent, and letting the user determine whether or not to do anything.

By all means use Shields Up! to verify if you've got any open ports (you might want to have some open ports), but learn to interpret the information it presents to work out if you've got any risks or issues to resolve.

-----------------------------------------------------------
IPv4/IPv6 Online Port Scanner

25		FILTERED	smtp
80		FILTERED	http
137		FILTERED	netbios-ns
138		FILTERED	netbios-dgm
139		FILTERED	netbios-ssn
445		FILTERED	microsoft-ds
1433	FILTERED	ms-sql-s
-----------------------------------------------------------

Those were flagged by grc and "IPv4/IPv6 Online Port Scanner". I hadn't used OpenWrt in a few years. My pfSense box died last night, so I fired up the Netgear R6100 & updated the firmware. When I saw the results from scanning I checked via LuCI pages if any of those were open. I didn't see them or any rules. So I posted here for feedback.

Clarification from @jeff and you has helped. Didn't want my home wide open while I'm scurrying about to get the R6100 up and running.

Filtered means it didn't respond to the probe. GRC calls that "stealth".

There are three responses:
Open - responded to the probe and accepts traffic
Closed - responded to the probe and reset the connection
Filtered ("stealth") - did not respond to the probe; the probe timed out.

GRC complains about "Closed" because a response rejecting the traffic confirms that something exists at that address, which might attract the attention of ne'er-do-wells. In contrast, "Filtered" doesn't confirm one way or another if a particular device exists. Whether either approach is good or bad depends on your opinion about the benefits of security-by-obscurity.

But, the point to take away is, if a freshly-configured OpenWRT installation is causing an external scanner to report "Filtered", then you can be reasonably confident that those ports probably aren't open to the outside world.
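The three states above are decided from what (if anything) comes back for a SYN probe. As an added example, not code from the thread or from any of the scanners mentioned, the script below encodes the SYN-scan rules documented in the nmap reference linked earlier (SYN/ACK is open, RST is closed, a timeout or an ICMP destination-unreachable with the administratively-prohibited style codes is filtered), maps each state onto the Shields Up! wording, and shows why a reply of either kind proves a host exists while "filtered" proves nothing either way. The `Response` record and the probe results for the flagged ports (resets from the ISP on 25 and 135, silence on 139, an ICMP admin-prohibited on 445, and a forwarded 443 answering) are constructed for illustration.

```python
from collections import namedtuple

# Stand-in for a captured reply (assumption). kind is one of:
#   'tcp'     - a TCP segment came back; flags is a frozenset like {'SYN','ACK'}
#   'icmp'    - an ICMP message came back; icmp is (type, code)
#   'timeout' - nothing came back within the retry budget
Response = namedtuple("Response", "kind flags icmp")

# ICMP type 3 (destination unreachable) codes that a SYN scan records as
# filtered: net/host/protocol/port unreachable and the admin-prohibited codes.
FILTERED_UNREACHABLE_CODES = {0, 1, 2, 3, 9, 10, 13}

# Scanner state -> the label Shields Up! prints for it.
GRC_LABEL = {"open": "OPEN", "closed": "CLOSED", "filtered": "STEALTH"}

def classify(response):
    """SYN-scan rule: SYN/ACK -> open, RST -> closed, silence or an ICMP
    unreachable -> filtered; anything else is left as 'unknown'."""
    if response.kind == "timeout":
        return "filtered"
    if response.kind == "icmp":
        icmp_type, code = response.icmp
        return "filtered" if icmp_type == 3 and code in FILTERED_UNREACHABLE_CODES else "unknown"
    if response.kind == "tcp":
        if {"SYN", "ACK"} <= response.flags:
            return "open"
        if "RST" in response.flags:
            return "closed"
    return "unknown"

def host_inferred(states):
    """True when the results prove something answers at the address: only a
    reply (open or closed) does; a filtered result is silence, not evidence."""
    return any(s in ("open", "closed") for s in states)

def scan_report(probes):
    """Map {port: Response} -> {port: state}, sorted by port."""
    return {port: classify(r) for port, r in sorted(probes.items())}

# Constructed probe results for the ports flagged in the thread (assumption).
SAMPLE_PROBES = {
    25:  Response("tcp", frozenset({"RST", "ACK"}), None),   # ISP-injected reset
    135: Response("tcp", frozenset({"RST", "ACK"}), None),   # ISP-injected reset
    139: Response("timeout", frozenset(), None),             # dropped somewhere
    445: Response("icmp", frozenset(), (3, 13)),             # admin-prohibited
    443: Response("tcp", frozenset({"SYN", "ACK"}), None),   # forwarded, listener up
}

if __name__ == "__main__":
    report = scan_report(SAMPLE_PROBES)
    for port, state in report.items():
        print("%5d  %-8s  (Shields Up!: %s)" % (port, state, GRC_LABEL.get(state, "?")))
    print("host existence confirmed by replies:", host_inferred(report.values()))
```

Note that the scanner cannot tell who sent the RST: the ISP-injected resets on 25 and 135 classify as "closed" exactly like a reset from the router's own REJECT policy, which is why a "failed" Shields Up! line on those ports says nothing by itself about the OpenWrt configuration.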

I got the same message returned testing for UPnP. I never had or needed UPnP enabled on the other firewall, so I didn't enable it on this R6100 with OpenWrt.

I went to a few other free port scanning sites after you mentioned grc has some inaccuracies...

-------------------------------------------------------------------------------------

t1shopper port-scanner

Scanning ports on x.x.x.x

...isn't responding on port 21 (ftp).
...isn't responding on port 23 (telnet).
...isn't responding on port 25 (smtp).
...isn't responding on port 80 (http).
...isn't responding on port 110 (pop3).
...isn't responding on port 139 (netbios-ssn).
...isn't responding on port 445 (microsoft-ds).
...isn't responding on port 1433 (ms-sql-s).
...isn't responding on port 1521 (ncube-lm).
...isn't responding on port 1723 (pptp).
...isn't responding on port 3306 (mysql).
...isn't responding on port 3389 (ms-wbt-server).
...isn't responding on port 5900 ().
...isn't responding on port 8080 (webcache).

-------------------------------------------------------------------------------------
IPv4/IPv6 Online Port Scanner

25		FILTERED	smtp
80		FILTERED	http
137		FILTERED	netbios-ns
138		FILTERED	netbios-dgm
139		FILTERED	netbios-ssn
445		FILTERED	microsoft-ds
1433	FILTERED	ms-sql-s

-------------------------------------------------------------------------------------
online nmap free scan

All 100 scanned ports on x.x.x.x (x.x.x.x) are closed (54) or filtered (46)

-------------------------------------------------------------------------------------

Thanks for your feedback. Wanted to be sure this R6100 with OpenWrt is protecting me and I didn't misconfigure it.

Yes, that is the point you two helped me with. Thanks for the explanations & confirming that!
