
Comcast Router Management Interface


David

Oct 11, 2016, 2:11:03 PM
Got into the Comcast router interface. Port forwarding,
port triggering, DMZ and more. Comcast could not tell me
how to set up port 80 as it is now blocked for my little HFS
file server which comes in handy every now and again.


VanguardLH

Oct 11, 2016, 2:27:14 PM
David wrote:

> Got into the Comcast router interface.

Presumably that means you connected a web browser to http://10.0.0.1 to
get to its web UI.

> Port forwarding, port triggering, DMZ and more. Comcast could not
> tell me how to set up port 80

Not within the realm of their support to figure out how for you to use
their gear in a non-default manner, even more so if you are not leasing
their cable modem. They only know how to use the gear in its default
provisioned config for you to use their service, not for you to provide
your own (which may violate their TOS if you make it a public service).

> as it is now blocked for my little HFS file server which comes in
> handy every now and again.

You never mentioned the brand and model of which cable modem that you
have (leased or purchased). Different brands and even different models
within a brand have different config screens in their web UI.

For the Arris TG1682G that I have now (leased from Comcast), and after
connecting to 10.0.0.1 and logging in (hopefully you have already
changed away from the default password to prevent hacking), I click on
the Advanced category (left pane in the web UI). Port forwarding, DMZ,
remote management, etc are under there.

Under Advanced is where you must first enable port forwarding and then
configure to which of your intranet hosts you want the unsolicited
inbound packets to get routed. There is no password security at this
level so you will have to ensure that the host to which you forward
those inbound packets will accept unsolicited inbound connects and is
secure.

Steve Baker

Oct 11, 2016, 8:48:22 PM
On Tue, 11 Oct 2016 14:10:58 -0400, "David" <nos...@example.org>
wrote:

Like Vanguard said, you need to set up port forwarding to the local
address of the computer hosting the server. I checked to make sure
that Comcast itself wasn't blocking port 80 and found something
curious that I'm hoping someone here might be able to shed some light
on.
I forwarded ports 80-85 to my computer. Here's the gist of what I
saw when I telnetted to myself from a remote host:

telnet <my.public.IP.address> 80
Connection refused

telnet <my.public.IP.address> 81
No route to host

telnet <my.public.IP.address> 82
Connection refused

telnet <my.public.IP.address> 83
Connection refused

telnet <my.public.IP.address> 25
Connection timed out

"Connection refused" shows that the connection attempt reached my
computer and that a "No server running on that port" response was sent
back. "Connection timed out" shows that no response to the connection
attempt was received, which is what's expected since Comcast is
blocking port 25. But what's up with that "No route to host" response?
I'm seeing it consistently, so it's not one of those extremely rare
quirky things.

--
Steve Baker

VanguardLH

Oct 12, 2016, 5:04:19 AM
Steve Baker wrote:

> I forwarded ports 80-85 to my computer. Here's the gist of what I saw
> when I telnetted to myself from a remote host:
>
> telnet <my.public.IP.address> 80
> Connection refused
>
> telnet <my.public.IP.address> 81
> No route to host
>
> telnet <my.public.IP.address> 82
> Connection refused
>
> telnet <my.public.IP.address> 83
> Connection refused
>
> telnet <my.public.IP.address> 25
> Connection timed out
>
> "Connection refused" shows that the connection attempt reached my
> computer and that a "No server running on that port" response was sent
> back. "Connection timed out" shows that no response to the connection
> attempt was received, which is what's expected since Comcast is
> blocking port 25. But what's up with that "No route to host" response?
> I'm seeing it consistently, so it's not one of those extremely rare
> quirky things.

Was the firewall in your computer configured to accept unsolicited
inbound connection requests on those ports?

Were there processes running on your computer to listen for inbound
connects on all those ports? Looks like a No because you said there was
a "no server" response sent back to your client on the remote host:
there was a timeout waiting for a listening process to pick up the
connection request.

Port 81 is unassigned by IANA. While it is often used for torpark onion
routing, that's unofficial. Did you have a listening process on that
port? Since it is not an ephemeral port, maybe the firewall doesn't
know what to do with any connects via that port.

"No route to host" means a networking routing problem (e.g., routing
tables) and is not a response from the targeted host. Is your intranet
segmented? Since the cable modem contains a router, looks to be
something amiss with its routing table. I'm assuming that the targeted
host is not a gateway or another router. I'm also assuming that you
aren't using MoCA to bridge to a coax network.

Is the "remote host" another intranet computer (i.e., on the LAN-side of
the cable modem or router)? Or is it external or on the WAN-side? Port
forwarding would expect the packet to arrive on the WAN-side to get
routed to a LAN-side host, not between intranet (LAN-side) hosts. I
don't see a user-mode means of managing the [static entries in the]
routing table in the cable modem, if it even incorporates one.
http://www.tp-link.us/faq-560.html gives an example with routers and
where you have to define static routes so intranet hosts can find each
other. I suspect the cable modem router's routing table contains only a
few entries and all for outbound connects to the ISP's primary,
secondary, or tertiary DNS servers and maybe a couple for multi-cast and
broadcast routes. The router (and firewalling) features are minimal in
the home cable modems and most home units don't allow editing or
managing the small internal routing table. The cable modem is meant to
sit at the network interface between your intranet and the ISP, so all
it needs for routing entries is how to get to the ISP's servers.
Business-class cable modems or even decent consumer-grade routers give
you much more control. I also don't know what you have in your network
between the cable modem's LAN-side and "your computer".

Is the intranet (targeted) host connected to the cable modem using wi-fi
(wireless) or Ethernet (wired)? Or are there other components in the
path, like APs, routers, or switches (that might provide other network
segments)?

In the cable modem's own firewall, what level of security is configured
for IPv4 (since you're probably using that type of IP address)? I
changed mine from the default of Minimum to Typical. Comcast's cable
modems don't give much granularity in configuring the security, just in
picking preset levels.

Steve Baker

Oct 13, 2016, 7:53:31 PM
On Wed, 12 Oct 2016 04:04:16 -0500, VanguardLH <V...@nguard.LH> wrote:

>Steve Baker wrote:
>
>> I forwarded ports 80-85 to my computer. Here's the gist of what I saw
>> when I telnetted to myself from a remote host:
>>
>> telnet <my.public.IP.address> 80
>> Connection refused
>>
>> telnet <my.public.IP.address> 81
>> No route to host
>>
>> telnet <my.public.IP.address> 82
>> Connection refused
>>
>> telnet <my.public.IP.address> 83
>> Connection refused
>>
>> telnet <my.public.IP.address> 25
>> Connection timed out
>>
>> "Connection refused" shows that the connection attempt reached my
>> computer and that a "No server running on that port" response was sent
>> back. "Connection timed out" shows that no response to the connection
>> attempt was received, which is what's expected since Comcast is
>> blocking port 25. But what's up with that "No route to host" response?
>> I'm seeing it consistently, so it's not one of those extremely rare
>> quirky things.

BTW, I didn't just assume what was happening based on the results of
trying to telnet, I saw (or didn't see) the packets arriving at my
computer using Wireshark.
An interesting side note is that I searched the web for a
TCPtraceroute site to try to glean more info. I found one that let me
set the target port. But when I set the port to 81 it still sent the
packets to port 80.

>
>Was the firewall in your computer configured to accept unsolicited
>inbound connection requests on those ports?

The firewall on my computer was turned off.

>Were there processes running on your computer to listen for inbound
>connects on all those ports?

Nothing was listening on any of those ports.

>Looks like a No because you said there was
>a "no server" response sent back to your client on the remote host:
>there was a timeout waiting for a listening process to pick up the
>connection request.
>
>Port 81 is unassigned by IANA. While it is often used for torpark onion
>routing, that's unofficial. Did you have a listening process on that
>port? Since it is not an ephemeral port, maybe the firewall doesn't
>know what to do with any connects via that port.

But it would know how to handle connection attempts on ports 80 and
82?

>"No route to host" means a networking routing problem (e.g., routing
>tables) and is not a response from the targeted host. Is your intranet
>segmented? Since the cable modem contains a router, looks to be
>something amiss with its routing table. I'm assuming that the targeted
>host is not a gateway or another router. I'm also assuming that you
>aren't using MoCA to bridge to a coax network.
>
>Is the "remote host" another intranet computer

No, it's out on the Internet. I connect to it via SSH.

>(i.e., on the LAN-side of
>the cable modem or router)? Or is it external or on the WAN-side? Port
>forwarding would expect the packet to arrive on the WAN-side to get
>routed to a LAN-side host, not between intranet (LAN-side) hosts. I
>don't see a user-mode means of managing the [static entries in the]
>routing table in the cable modem, if it even incorporates one.
>http://www.tp-link.us/faq-560.html gives an example with routers and
>where you have to define static routes so intranet hosts can find each
>other. I suspect the cable modem router's routing table contains only a
>few entries and all for outbound connects to the ISP's primary,
>secondary, or tertiary DNS servers and maybe a couple for multi-cast and
>broadcast routes. The router (and firewalling) features are minimal in
>the home cable modems and most home units don't allow editing or
>managing the small internal routing table. The cable modem is meant to
>sit at the network interface between your intranet and the ISP, so all
>it needs for routing entries is how to get to the ISP's servers.
>Business-class cable modems or even decent consumer-grade routers give
>you much more control. I also don't know what you have in your network
>between the cable modem's LAN-side and "your computer".
>
>Is the intranet (targeted) host connected to the cable modem using wi-fi
>(wireless)

Yes.

>or Ethernet (wired)? Or are there other components in the
>path, like APs, routers, or switches (that might provide other network
>segments)?

No.

>
>In the cable modem's own firewall, what level of security is configured
>for IPv4 (since you're probably using that type of IP address)?

Yes, I was telnetting to my IPv4 address. But I was connected to the
remote host via IPv6, should that matter.

> I
>changed mine from the default of Minimum to Typical.

You sure you don't have that backwards? Comcast has had some crazy
default settings. Like blocking port 587 when they were leading up to
blocking port 25 and recommending port 587.

>Comcast's cable
>modems don't give much granularity in configuring the security, just in
>picking preset levels.

Like I said, I did port forwarding for ports 80-85, so those basic
security levels weren't a factor.

--
Steve Baker

Steve Baker

Oct 14, 2016, 1:36:26 AM
On Thu, 13 Oct 2016 22:27:00 -0500, Bill <no...@none.invalid> wrote:

>> Like I said, I did port forwarding for ports 80-85, so those basic
>>security levels weren't a factor.
>
>Have you played around with the Shields Up application at www.grc.com?
>It may be able to tell you more about ports that are responding.
>
>https://www.grc.com/x/ne.dll?bh0bkyd2

Hey, good thinking, thanks! Doesn't really explain what's going on,
but, like I suspected, it does indicate that it isn't something going
on with Comcast.

--
Steve Baker

Barry Margolin

Oct 14, 2016, 12:39:40 PM
In article <1juqvbpm3cquncb7g...@4ax.com>,
"No route to host" means that it received an ICMP Host Unreachable. I'm
not sure what would cause that to happen for this port.

When you run Wireshark, do you see your computer sending that?

Can you run tcpdump or wireshark on the machine you're telnetting from?
If you capture the ICMP messages, you should be able to see where
they're being sent from -- whether it's a router along the way or your
computer.

--
Barry Margolin
Arlington, MA
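Steve's telnet results and Barry's reading of "No route to host" as an ICMP Host Unreachable, worked through in an added Python example (not code posted by anyone in this thread): it labels a TCP connect() attempt the way the thread interprets telnet's three outcomes, and it decodes a constructed ICMP Destination Unreachable packet so the ICMP sender can be compared with the original target, which is exactly what Barry suggests capturing. Every address is from the documentation ranges and the packet is built inline; the listener probed in loopback_demo() is created by the script itself. One caveat the code encodes: on Linux the kernel maps several ICMP type 3 codes, including code 13 (communication administratively prohibited, what a firewall REJECT rule commonly sends), to EHOSTUNREACH, which telnet prints as "No route to host", so that message does not by itself distinguish a routing problem from a filter somewhere on the path.

```python
"""Label TCP connect() outcomes and decode ICMP Destination Unreachable replies.
Added example for the thread above, not code posted by any participant; every
address and the sample packet are constructed for illustration."""
import errno
import socket
import struct

# What each result of 'telnet <ip> <port>' says about a port forward.
OUTCOME_MEANING = {
    "open": "SYN reached a listening process: the forward works",
    "refused": "host replied TCP RST: the forward works, nothing is listening",
    "timeout": "no reply at all: dropped upstream (e.g. an ISP port block)",
    "unreachable": "ICMP Destination Unreachable arrived: a router or firewall rejected it",
}

# Linux maps ICMP type 3 codes to errnos (icmp_err_convert in net/ipv4/icmp.c).
# Codes 1, 10 and 13 all become EHOSTUNREACH ("No route to host"), so a firewall
# REJECT somewhere on the path looks like a routing hole until you read the ICMP.
ICMP_UNREACH_CODES = {
    0: ("net unreachable", "ENETUNREACH"),
    1: ("host unreachable", "EHOSTUNREACH"),
    3: ("port unreachable", "ECONNREFUSED"),
    10: ("host administratively prohibited", "EHOSTUNREACH"),
    13: ("communication administratively prohibited", "EHOSTUNREACH"),
}

def classify_errno(code):
    """Map a connect() errno to an OUTCOME_MEANING label."""
    if code == errno.ECONNREFUSED:
        return "refused"
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    if code == errno.ETIMEDOUT:
        return "timeout"
    return "other"

def probe_tcp(host, port, timeout=3.0):
    """One TCP connect attempt, labelled like the telnet results in the thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except OSError as e:
            return classify_errno(e.errno)

def loopback_demo():
    """Probe a live loopback listener, then the same port after it is closed."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = probe_tcp("127.0.0.1", port)
    return while_open, probe_tcp("127.0.0.1", port)

def parse_icmp_unreachable(packet):
    """Decode a raw IPv4 packet carrying ICMP type 3. The ICMP body quotes the
    original IP header plus 8 bytes of TCP, so the rejected SYN's port is
    recoverable, and sender vs. original destination shows whether the target
    host or a router in between answered (the question Barry raises above)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    sender = socket.inet_ntoa(packet[12:16])
    icmp = packet[ihl:]
    if icmp[0] != 3:
        raise ValueError("not Destination Unreachable")
    code, inner = icmp[1], icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    orig_dst = socket.inet_ntoa(inner[16:20])
    dport = None
    if inner[9] == 6:  # quoted datagram was TCP: ports follow its IP header
        _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    meaning, errname = ICMP_UNREACH_CODES.get(code, ("other code", "EHOSTUNREACH"))
    return {"sender": sender, "code": code, "meaning": meaning, "linux_errno": errname,
            "original_dst": orig_dst, "original_dport": dport,
            "from_target_host": sender == orig_dst}

def _ipv4_header(src, dst, proto, total_len):
    """Minimal IPv4 header; checksum left zero because the parser ignores it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_sample_unreachable():
    """Constructed capture: router 203.0.113.1 rejects a SYN from 198.51.100.7 to
    192.0.2.10:81 with code 13 (communication administratively prohibited)."""
    inner = _ipv4_header("198.51.100.7", "192.0.2.10", 6, 40) + struct.pack("!HHI", 40000, 81, 1)
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + inner  # type, code, checksum, unused
    return _ipv4_header("203.0.113.1", "198.51.100.7", 1, 20 + len(icmp)) + icmp

if __name__ == "__main__":
    for label in loopback_demo():
        print(label, "->", OUTCOME_MEANING[label])
    info = parse_icmp_unreachable(build_sample_unreachable())
    print(info["sender"], info["meaning"], "-> client sees", info["linux_errno"],
          "| from target host:", info["from_target_host"])
```

Run as written it probes its own loopback listener (open, then refused) and decodes the constructed packet. Against a real capture you would feed parse_icmp_unreachable() the raw IPv4 bytes of the ICMP reply that tcpdump or Wireshark recorded on the client side; from_target_host is False when the sender is a router or firewall on the path rather than the host the SYN was addressed to.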

Steve Baker

Oct 14, 2016, 11:44:51 PM
On Fri, 14 Oct 2016 12:39:40 -0400, Barry Margolin
<bar...@alum.mit.edu> wrote:

>"No route to host" means that it received an ICMP Host Unreachable. I'm
>not sure what would cause that to happen for this port.
>
>When you run Wireshark, do you see your computer sending that?

No.

>Can you run tcpdump or wireshark on the machine you're telnetting from?

No, I can't do stuff like that; it's a free shell account and I
don't have the permissions, and I don't have a clue about using
tcpdump anyway.

>If you capture the ICMP messages, you should be able to see where
>they're being sent from -- whether it's a router along the way or your
>computer.

I'm thinking that my computer or a "regular" Internet router
wouldn't send a response like that for a specific port. Internet
routers don't usually look at the TCP header, do they? Packets sent by
Shields Up to port 81 got through, so I'm thinking it's probably about
a firewall at the remote host's end. The obvious next step would be to
ask them about it, but where it's a free account and all, I don't want
to be a pest.

Thanks!

--
Steve Baker

Barry Margolin

Oct 15, 2016, 7:10:26 PM
In article <tv230chji661a36v3...@4ax.com>,
Enterprise-class routers definitely have packet filtering capabilities
that look in TCP and UDP headers. This was available when I was a
network engineer 25 years ago, and the capabilities must be far better
these days. So it's a possibility that it was coming from something at
the hosting end.