
msanta
ATT U-verse
join:2005-05-30
Pompano Beach, FL

msanta

Member

Why UDP ports are open and TCP ports are not?

I was port forwarding some rules from my primary router to get caller id going and I noticed that only the UDP ports and not the TCP ports are opened. Is that what's supposed to happen? Is there a difference between the two protocols? Do you need both, or one or the other? I created the rules using the option for both protocols, sending the rules to the fios router with a static ip. The guide, VOD, widgets and my remote DVR are working, but it is the caller id that's really getting to me. I put back the fios router and lo and behold the caller id wasn't working, so I called Verizon and they couldn't even find out what was wrong. Anyway, they gave me a ticket number and said they were going to fix it at a later time. Who knows, I hope they find a solution because it seems that caller id does work with having fios as a bridge from LAN to WAN, according to a really nice guy from the Verizon forums who was helping me get things in order. He has the same setup I have and all he did was port forward the rules from the fios router back to the router using his primary router.
hubrisnxs
join:2009-12-30
Fountain Valley, CA

hubrisnxs

Member

UDP vs TCP - whether one shows open and the other doesn't is based on the equipment and how it's programmed to communicate. In your example, your equipment was told to listen or be on the lookout for UDP packets.

Usually one or the other is used, but most people program them both just to be on the safe side and cover their bases.

Caller id on tv for fios typically is over UDP, and that's how Verizon wants it. They can change that if they want to. Just depends on the skill level of the rep you get. But again most people doing that are doing UDP from the screenshots and discussions we've all had.

Sounds like a fun adventure, hope it works out well for you.

msanta
ATT U-verse
join:2005-05-30
Pompano Beach, FL

msanta

Member

Thanks for replying, and for the valuable piece of information.

SYNACK
Just Firewall It
Mod
join:2001-03-05
Venice, CA

SYNACK to msanta

Mod

to msanta
UDP and TCP are completely separate protocols, they don't share ports or have anything in common. You need to allow whatever the application actually uses.

msanta
ATT U-verse
join:2005-05-30
Pompano Beach, FL

msanta

Member

Why would the router open one and not the other? For example, I port forward port 35000 both UDP and TCP and only the UDP is open. Why? Is it Verizon or my router?

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff

MVM,

How are you checking if the ports are "open"? Do you have a service listening on 35000?

msanta
ATT U-verse
join:2005-05-30
Pompano Beach, FL

msanta

Member

I have a Mac and use an app called Open Port Checker that shows the opened ports of any ip you type. What do you mean by a service listening on 35000? If you mean an application, then the answer is no. I only have a few applications that require certain ports, for example Transmission, Transit, uTorrent, Outlook and my web browsers.

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff

MVM,

If you forward the port on the router to a certain LAN IP, there needs to be something listening on the device at that port number to truly test if the port is open. If you're just randomly opening ports and pressing "Check", then you're unlikely to see any useful information.

msanta
ATT U-verse
join:2005-05-30
Pompano Beach, FL


msanta

Member

I am particularly interested in opening the ports to a Quantum Gateway router that I use as a secondary router. That router has a static ip address that I use to forward the ports to. That's where the STBs are connected and getting their IPs. I cannot port forward the rules to the boxes because they are in a different subnet. When you refer to something listening on the device, you mean the boxes connected to the fios router? I don't see the boxes connected on my primary router but I see them when I log in to the fios router. I don't know if it's better to have the fios router on a different subnet or not. I followed one of the options from the FAQs about using the fios router as a secondary router, so basically I don't know the advantages of doing that. I am new at port forwarding and find it fascinating, however I don't quite understand who has the power or the control to open or close ports in general. Is it the router or the ISP?

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff

MVM,

Both can close ports. On FiOS, very few ports are blocked at the ISP level (I think just port 25 right now). Everything else is controlled by the router.

For the two router setup, you want your primary router to forward to the IP address of the Quantum Gateway. Then the Quantum Gateway will configure itself appropriately. You shouldn't need to manually open any ports on it for Verizon STBs.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to msanta

Premium Member

to msanta
said by msanta:

Why would the router open one and not the other? For example, I port forward port 35000 both UDP and TCP and only the UDP is open. Why? Is it Verizon or my router?

Forward ports all you like, but at the end of the day, if nothing is actually listening there the port will appear closed.

For example: say I forward port 80 to my PC. I go into the router and tick the boxes, pop in my IP, and hit save.

I can scan myself to my heart's content but until I fire up Apache, IIS, or something else that listens on port 80, the result will always be closed.

So, in your case, there is nothing listening on tcp/35000. There IS something listening at udp/35000. For this reason, you observe tcp/35000 as closed. It's got nothing to do with your router at all. The router's forwarding packets just as it should, but there's nothing there to respond to them.
dfwguy
join:2013-10-24

dfwguy to msanta

Member

to msanta
There are 3 possible response states for TCP. Either the server end responds that it is open and proceeds to establish a connection, the server end responds that it is closed, or there is no response. UDP is connectionless, so it only has 2 response states: either the server responds that it is closed, or there is no response at all. There will be the same lack of response if something is listening, if a firewall drops it without a response, or if no device is even present at the IP address in question. Port scanners are only slightly useful for UDP in order to compare the desired port to the others and see if there is any difference.
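
Added example (not part of any post in this thread): the response states described in the two posts above, reproduced on loopback in Python so the results can be compared with what a port checker reports. The host, the helper names and the OS-chosen ports are assumptions made for this illustration; no FiOS equipment or Verizon port is involved.

```python
import socket

HOST = "127.0.0.1"  # loopback only; constructed setup for the illustration

def free_port(kind):
    """Ask the OS for an unused port, then release it so nothing listens there."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]

def probe_tcp(port, timeout=1.0):
    """TCP: handshake completes (open), reset comes back (closed), or silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((HOST, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "no response"

def probe_udp(port, timeout=1.0):
    """UDP: ICMP port-unreachable comes back (closed), or silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((HOST, port))  # connected socket so ICMP errors surface
        try:
            s.send(b"probe")
            s.recv(64)
            return "replied"  # only if the service chooses to answer
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "no response"

def demo():
    """Probe a listening and a non-listening port for each protocol."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tl, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as ul:
        tl.bind((HOST, 0))
        tl.listen(1)
        ul.bind((HOST, 0))  # bound, but this listener never sends a reply
        results["tcp listening"] = probe_tcp(tl.getsockname()[1])
        results["udp listening"] = probe_udp(ul.getsockname()[1])
    results["tcp nothing listening"] = probe_tcp(free_port(socket.SOCK_STREAM))
    results["udp nothing listening"] = probe_udp(free_port(socket.SOCK_DGRAM))
    return results

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:24} -> {state}")
```

The listening UDP port yields "no response", the same result a dropped packet or an absent host would give, which is why a UDP result from a port checker says little on its own.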

msanta
ATT U-verse
join:2005-05-30
Pompano Beach, FL

msanta to Thinkdiff

Member

to Thinkdiff
That's what I thought, so basically any port that is open by Verizon should open when I port forward a rule, correct? All the forwarding rules must be sent to the Quantum router? Once I do that I shouldn't configure anything on the Quantum since it would do what it always has.

guppy_fish
Premium Member
join:2003-12-09
Palm Harbor, FL

guppy_fish

Premium Member

Just put the Quantum in your primary router's DMZ, no port forwarding needed.
PJL
join:2008-07-24
Long Beach, CA

PJL to msanta

Member

to msanta
said by msanta:

I was port forwarding some rules from my primary router to get caller id going and I noticed that only the UDP ports and not the TCP ports are opened. Is that what's supposed to happen? Is there a difference between the two protocols? Do you need both, or one or the other? I created the rules using the option for both protocols, sending the rules to the fios router with a static ip. The guide, VOD, widgets and my remote DVR are working, but it is the caller id that's really getting to me.

Have you run the caller ID troubleshooter in the STB menu?
My firewall passes tr69_1: UDP Any -> 63145 and tr69_2: TCP Any -> 35000 and all is working.

Verizon uses both UDP and TCP for listener services for caller ID/Remote DVR/etc. UDP has always been much more reliable than TCP for Caller ID reliability and I suspect they've moved most to UDP because of it.

msanta
ATT U-verse
join:2005-05-30
Pompano Beach, FL

msanta to guppy_fish

Member

to guppy_fish
Is it ok to do that? That's even easier than port forwarding. I thought that it wasn't a good idea because it leaves it exposed, but the only thing connected to it are the boxes. I am going to try that! Thanks for the suggestions! If you put it in the DMZ you don't need the pf rules anymore, right?
msanta

msanta to PJL

Member

to PJL
Yeah, I get the same numbers. That tr69_1 thing, what does that mean anyway? Wouldn't it be better to use, instead of single port forwarding, a range like 63145-63148 or 35000-35003?

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff to msanta

MVM,

to msanta
Putting it in the DMZ is fine. The Quantum router would be exposed to the internet if you had it as a primary router anyway, so there's not much of a concern there.

guppy_fish
Premium Member
join:2003-12-09
Palm Harbor, FL

guppy_fish to msanta

Premium Member

to msanta
It's no different than having the Verizon router as primary; its firewall is fully active. Port forwards would be redundant.
PJL
join:2008-07-24
Long Beach, CA

PJL to msanta

Member

to msanta
said by msanta:

Yeah, I get the same numbers. That tr69_1 thing, what does that mean anyway? Wouldn't it be better to use, instead of single port forwarding, a range like 63145-63148 or 35000-35003?

Verizon sets these specific ports, not ranges.