I have a femtocell device (T-Mobile cellspot) which requires UDP ports 123, 500, and 4500 to be open to the device. I've set the device to have a static lease at 192.168.1.22, but it's not clear to me how to open those ports specifically for the device. Here's what I've done with /etc/config/firewall:
```
config redirect
    option src wan
    option src_dport 123
    option dest lan
    option dest_ip 192.168.1.22
    option dest_port 123
    option proto udp

config redirect
    option src wan
    option src_dport 500
    option dest lan
    option dest_ip 192.168.1.22
    option dest_port 500
    option proto udp

config redirect
    option src wan
    option src_dport 4500
    option dest lan
    option dest_ip 192.168.1.22
    option dest_port 4500
    option proto udp
```
This does not seem to work as the device still fails to connect to T-Mobile's servers for initial setup. Am I going about opening these ports correctly?
Use putty. Read the wiki.
I have SSH access to the router already, but it's not clear why you think putty is specifically necessary.
The wiki hasn't helped me — I don't understand what the config is asking from me conceptually. As best I can tell the above is correctly configured:
- I have the source zone name set as 'wan' and destination zone set as 'lan'
- I have the destination port (DNAT) set for each port and proto type (UDP on 123, 500, 4500)
- The source port matches the same as the incoming port as desired
- The destination IP is the one statically-leased by the device (pings and checks out with nmap scan)
Perhaps you can help me from there.
Assuming you're starting with a more-or-less-default firewall configuration (i.e. 'wan' zone is unmodified, no other rules that might take precedence), try the following:
- add single quotes (' ') around the values
- add a name (not sure if this matters)
- add a target type
So the entries will look like this (rinse and repeat for the others):
```
config redirect
    option src 'wan'
    option src_dport '123'
    option dest 'lan'
    option dest_ip '192.168.1.22'
    option dest_port '123'
    option proto 'udp'
    option name 'femto_cell_123'
    option target 'DNAT'
```
Thanks, psherman. It turns out that my original config snippet above does work, but the femtocell needed to be reset to engage a second attempt at contacting T-Mobile's servers.
In any case, those are good suggestions to explicitly tag the config sections with a name and target.
Marking the ticket as solved if I can figure out how...
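The thread ends with the bare and the quoted/named redirect styles both working. As an added example (not code from any poster or from the OpenWrt project), the shell function below parses firewall config text and prints one line per `config redirect`, filling in the documented defaults and marking forwards that accept any WAN source. The sample input is constructed and trimmed from the thread's snippets; `src_ip` is a standard redirect option that the thread itself does not use.

```sh
# Added example: list each "config redirect" section of an OpenWrt firewall
# file read on stdin, one line per forward, with documented defaults filled in.
audit_redirects() {
    awk '
    function unquote(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
    function flush(   scope) {
        if (!in_redirect) return
        if (o["name"] == "")      o["name"] = "(unnamed)"
        if (o["target"] == "")    o["target"] = "DNAT"       # default target
        if (o["proto"] == "")     o["proto"] = "tcp udp"     # default proto
        if (o["dest_port"] == "") o["dest_port"] = o["src_dport"]
        # Without src_ip, any host in the source zone reaches the forward.
        scope = (o["src_ip"] == "") ? "any-source" : "from:" o["src_ip"]
        printf "%s %s %s %s:%s -> %s:%s %s\n", o["name"], o["target"],
            o["proto"], o["src"], o["src_dport"], o["dest_ip"],
            o["dest_port"], scope
    }
    BEGIN { q = sprintf("%c", 39) }              # q holds a single quote
    $1 == "config" {                             # a new section begins
        flush(); split("", o)
        in_redirect = (unquote($2) == "redirect"); next
    }
    $1 == "option" && in_redirect {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        sub(/[ \t]+$/, "", val)
        o[$2] = unquote(val)                     # quoted or bare, same value
    }
    END { flush() }
    '
}
# Constructed input: a bare section (dest_port left out to show the default)
# and a quoted, named section in the style suggested in the reply.
sample_config() {
    cat <<'EOF'
config redirect
    option src wan
    option src_dport 500
    option dest_ip 192.168.1.22
    option proto udp
config redirect
    option src 'wan'
    option src_dport '123'
    option dest_ip '192.168.1.22'
    option dest_port '123'
    option proto 'udp'
    option name 'femto_cell_123'
EOF
}
sample_config | audit_redirects
```

On the router, the same function can be fed the live file with `audit_redirects < /etc/config/firewall`.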