

RevMortis
I Hear Dead Silicon
Premium
join:2005-05-10
Saint Paul, MN

reply to dumberdrummer

Re: Actiontec 701 Port Forwarding

I'm now on a 701WG. The first modem I had was a 1524. It had hangups with port forwarding. I never got a connection through from the outside unless I did DMZ. Nothing. Zip Zilch Nada. When it had the infamous critical failure with 100b channel and Qwest replaced it, I became happy very quickly.... >8)

I suspect it's a bum chip on the Actiontec products. Try an RMA.


msj
Premium
join:2004-05-21
Fort Collins, CO
kudos:1

said by RevMortis:

I suspect it's a bum chip on the Actiontec products. Try an RMA.
Bum chip? Not unless you are seeing all kinds of other intermittent failures. There isn't a "port forwarding" chip that can go bad. Just about everything is handled by software running on the AR7 cpu. If the AR7 is faulty you will see all kinds of intermittent problems, not just a problem with setting up port forwarding. Most likely if the AR7 is bad (or overheats, which has been known to happen with the Actiontec modems) the modem will just lock up.

Configuring the Actiontec can be somewhat finicky. It seems that sometimes when you only try to change a particular parameter the Actiontec winds up setting other parameters back to default. This can be avoided by going through all the pages again to make sure that they are set the way you want.

You don't want to use the DMZ feature and the port forwarding feature for the same machine. That makes no sense. Putting a machine in the "DMZ" basically says forward EVERY port that isn't already being forwarded somewhere else to the DMZ machine. It's kind of like a default route for ports.

Also, port forwarding won't work real well if you are having the Actiontec assign you a dynamic IP address. You may wind up forwarding ports for the IP address you currently have and then the Actiontec might assign you a different IP address later. So, if you are going to do port forwarding you either need to turn off DHCP, or you need to restrict the range of IP addresses that DHCP can use so that you have some addresses to use for static assignment. Any machine that is going to have ports forwarded to it (or put in the DMZ) should have a statically assigned IP address.

After you "Save and Restart", go back to the port forwarding page and make sure the ports you set up for forwarding are listed in the "List of Forwarded Ports" window.

So, give us more details about your configuration. In particular, click on the following links in order from the Main Menu page:

1) Setup / Configuration
2) Advanced Setup
3) Begin Advanced Setup
4) Port Forwarding

And then tell us exactly what is listed in the "List of Forwarded Ports" box. If you set it up according to what you mentioned in your first post you should see something like this in the box:

2300-2310 tcp 192.168.0.2
2300-2310 udp 192.168.0.2

Where 192.168.0.2 is the static address you assigned to your machine.


SteelWolf13

@qwest.net

this is my problem as well.

i log into the modem
1) Setup / Configuration
2) Advanced Setup
3) Begin Advanced Setup
4) Port Forwarding.

i fill out
IP Port Range Protocol IP Address
#### to #### udp/tcp Internal IP#

Yet it does not forward. so i click advanced.
And i fill out

Remote IP Port Range Remote IP Address
#### #### anyIP

Using the above #### as the same port number, [I only want 1 port forwarded], Why would there be no connectivity in the forwarding?

thanks



msj
Premium
join:2004-05-21
Fort Collins, CO
kudos:1

You don't want the advanced forwarding, so don't go to that page. Have you clicked "save and restart" after entering the port forwarding information? Did you check to make sure that the port forwarding was still showing up in the "List of Forwarded Ports"?



SteelWolf13

@qwest.net

ok, so i'll remove the advanced information. and yes the basic information was still showing in "List of Forwarded Ports".



msj
Premium
join:2004-05-21
Fort Collins, CO
kudos:1

What kind of machine are you forwarding the port to? If it's Windows XP, do you have Windows Firewall enabled (it's on by default starting with SP2)? You need to open the port in the Windows Firewall also.

You can check to see whether or not the port is being forwarded by the modem, but it's a little involved. Do you know how to telnet into the modem? If so, do you know how to capture (cut and paste for example) output for commands you type in? I'd like to see the output from typing "iptables -v -L" and "iptables -t nat -v -L". If you don't know how to do this, here are some more specific instructions for windows:

1) Start a cmd prompt window by clicking on "run" from the start menu. Then type "cmd" in the box and click OK.

2) Type "telnet 192.168.0.1" (use the internal IP address of your modem). Login using user name "admin" and password "admin" (the password will be different if you've changed the web admin password).

3) Then type "iptables -v -L" and then type "iptables -t nat -v -L" (hitting return after each command).

Now you need to cut and paste the output from the cmd prompt window. To do this:

1) Right Click on the title bar and click on properties. On the options tab make sure that "Insert Mode" is checked and "Quick Edit Mode" is not checked under "Edit Options".

2) Scroll back the cmd prompt window using the scroll bar until you can see the start of where the iptables output begins. Right click within the window and click on "Mark". Then left click and select the text starting at the first character and dragging down to the bottom right. Holding the mouse near the bottom of the window will cause the window to scroll automatically down to the bottom so you can select all the text in one operation.

3) The text should all be inverted now (by default it will be black text on white background). Hit return within the window and the text will no longer be selected but it will now be in the windows copy buffer.

4) start notepad and click on "paste" under the "edit" menu bar. Save the file.

5) Attach the file here so that we can hopefully diagnose the problem.

It would also be helpful to know 1) the internal IP address of your modem (by default it's 192.168.0.1), 2) the internal address of the machine you are trying to forward the port to, and 3) the port number you are trying to forward.


mdamberger

join:2004-12-01
Roswell, NM

reply to msj
I'm at my wits' end, I just can't get port forwarding to work. Even got static IP addresses from my ISP. I've tried it with and without firewall on XP and always kept the Actiontec firewall off. This is from telnet using the suggested iptables commands. The formatting is a little off. With static IPs I don't have NAT on, I'm set to off.
0 0 DROP tcp -- ppp0 any anywhere anywhere
tcp dpt:telnet
3 144 DROP tcp -- ppp0 any anywhere anywhere
tcp dpt:www
0 0 QUEUE udp -- br0 any anywhere anywhere
udp dpt:domain
0 0 ACCEPT icmp -- any any anywhere anywhere

5 952 ACCEPT all -- ppp0 any anywhere anywhere
state RELATED,ESTABLISHED
157 12460 DROP all -- ppp0 any anywhere anywhere

Chain FORWARD (policy ACCEPT 596K packets, 348M bytes)
pkts bytes target prot opt in out source destination

334 86351 QUEUE udp -- ppp0 any anywhere anywhere
udp spt:domain
335 21750 QUEUE udp -- any ppp0 anywhere anywhere
udp dpt:domain
12677 1119K ACCEPT udp -- ppp0 any anywhere anywhere
udp dpt:65530
1644 80420 ACCEPT tcp -- ppp0 any anywhere anywhere
tcp dpt:65530
0 0 ACCEPT tcp -- ppp0 any anywhere anywhere
tcp dpts:6000:7000
0 0 ACCEPT udp -- ppp0 any anywhere anywhere
udp dpts:6000:7000
3739 185K ACCEPT tcp -- ppp0 any anywhere anywhere
tcp dpts:49153:50000
16616 1771K ACCEPT udp -- ppp0 any anywhere anywhere
udp dpts:49153:50000
0 0 REJECT tcp -- br0 any anywhere anywhere
state INVALID,NEW,RELATED,UNTRACKED tcp dpt:telnet flags:!SYN/SYN rejec
-with tcp-reset
359K 301M sLog all -- !ppp0 ppp0 anywhere anywhere
sLog max_num 50 timeout 300

Chain OUTPUT (policy ACCEPT 6067 packets, 850K bytes)
pkts bytes target prot opt in out source destination

0 0 QUEUE udp -- any br0 anywhere anywhere
udp spt:domain
0 0 DROP udp -- any ppp0 anywhere anywhere
udp spt:route
#



msj
Premium
join:2004-05-21
Fort Collins, CO
kudos:1

OK, let's clear up a few things:

1) Port forwarding only makes sense in the context of NAT. If you turn off NAT then you don't need to forward any ports. Of course things won't work if you turn off NAT unless you have a block of static IP addresses (i.e. not just one).

2) You say you have turned off NAT, but the iptables result that you posted indicates that NAT is still on. The iptables command results would look quite different with NAT off. Also, if you do have NAT on I would also need the output from iptables -t nat -v -L, not just iptables -v -L.

3) So, do you have a block of static IP's, or just one? If you have just one then we can work on getting port forwarding working for you. If you have a block of static IP's then you don't need to get port forwarding to work. Instead you need to set things up so that the modem will properly route the extra static IPs to different machines on your network (the modem still takes one of the IP's). Note that you will need to turn on the modem firewall or make sure that all your machines have a firewall running, because they will all be directly visible on the internet (well, you have the option of making some machines externally visible, and others can still use NAT behind the IP address that the modem uses).

4) If the only reason you got the block of static IP's is due to the fact that you couldn't get port forwarding to work we can still work on getting port forwarding to work so that you can stop paying for a block of static IP's. If your ISP is not Qwest.net then perhaps your ISP doesn't offer a single IP address option, in which case you still might want to keep the block so that you don't have to deal with things like dynamic DNS.


mdamberger

join:2004-12-01
Roswell, NM

Yes, I got a block of IPs because I thought I needed them. Both Qwest and Actiontec said I'd need a static IP to do port forwarding. So I got a block of 8. Five that I can use. I set the gateway as the last useable IP and set the computer on the first useable IP. In other words, computer at xxx.xxx.xxx.25, gateway at xxx.xxx.xxx.29. The reserved gateway is at xxx.xxx.xxx.30, the reserved broadcast is at xxx.xxx.xxx.31, subnet is 255.255.255.248, oh and the reserved Network is at xxx.xxx.xxx.24. I don't know if this info makes any difference, just in case.

But I did set the NAT to off, and I just looked and it shows it still being off. I assume I need it off if I use static IP's. But if I don't really need static IP's then I'd rather not spend the cash. From another posting on another site they indicated that you had to go into iptables and manually set port forwarding. That every time the Actiontec power cycles you would need to set it again via Telnet. Here is the post.

»utterlyboring.com/archives/2003/···ment.php

Here is the text from that post near the bottom.
-------------------------------
penguin2501 said on 06/27/05 @ 09:59 PM:
well people,
the reason why you still get the config page even after port forwarding is setup is because the 701 runs linux on the inside. if you look at the iptables stuffs, you see that it is forwarding traffic from the outside, but not from the inside. you can telnet into the modem to fix that, but the setting won't hold when the modem gets power cycled.

as to the original statement of not using actiontec modems in a corporate environment, sigh. i work for qwest dsl support. as far as technical specifications, i'm surprised the sales team can count to three. not because they are stupid, but because they are not properly briefed on the equipment. not that my department is either... haha. they should at least tell sales to not send those pieces of crap to people who need a semi-reliable unit.

yeah. i agree with you all about actiontec and here is why. they only design the case that the pcb comes in. the ic design and the firmware compilation are all done by TI. ti doesn't tell actiontec anything, actiontec doesn't tell qwest corporate anything, corporate sure as hell doesn't tell us anything.

about the 675, yeah. it won't work. the 675 only runs on cap signaling. the 678 can have the firmware flashed to use dmt, which i imagine you have if they sent you a 701. if you _really_ need to do good port forwarding on a 701, learn iptables, figure out a good config for what you need, and then write a perl script to restore the settings when the modem loses power. as for the wifi, just forget about it. i'd average that 1 in 5 access points are bad right from the factory. again, crappy hardware with firmware that only 5 people understand under the hood.

as for a permanently stable unit (until the hardware fails during the next lightning storm) there have been projects to actually modify the linux micro-distro on the 701, but i've only seen limited innovation. i've been thinking about taking that up myself if any of you are interested...

any takers?
-----------------------------
If you can make this Actiontec work for me I'll be forever grateful, well until it gets replaced with the next model.. Thanks.

Marcus


mdamberger

join:2004-12-01
Roswell, NM

I've been working on the iptables config using commands like

iptables -t nat -A PREROUTING -d 80.177.205.142 -p tcp --dport 6881 -i ppp0 -j DNAT --to-destination 192.168.1.10:6881

With my own numbers, and nothing works. This is the most frustrating irritating piece of crap in the world. I wish companies like Actiontec would just die, and Qwest would too for supporting such lousy hardware. I've only managed to find two posts with any kind of attempt like the one above that alters the tables. Just shows there are no solutions for this poorly engineered hardware, must be designed by engineers who only got D's, and drank too much during college. I'd like to find the manager type at Qwest who approved this and tell him where he can shove this.

Does Cisco make a modem that works with Qwest, and what model? At least they make hardware that works, and if you're serious about IT you don't use anything else for networks.



msj
Premium
join:2004-05-21
Fort Collins, CO
kudos:1

reply to mdamberger
Which Actiontec do you have? I know port forwarding works just fine on the GT701. I don't know about the other earlier Actiontec modems.

That posting you referenced from the "utterlyboring" board is misleading. You can get port forwarding to work without having to do manual iptables commands. Once setup, port forwarding will continue to work if you reboot the modem.

However, a lot of people might have set it up correctly and then assumed that it wasn't working because the Actiontec does not support NAT from the internal lan port, so you can't test the port forwarding easily from inside your network.

I read the post you excerpted, and people were saying that when they set up port forwarding for port 80 they got the internal modem web site instead. Again, that is normal, because the Actiontec does not forward ports for the internal network, only for the external network. So port forwarding may very well have been working for that person, but they just assumed it was not. Now, if you want port forwarding to work from the internal network (there really isn't a need to do this, other than to test the port forwarding, because you can access the machines directly from inside your network), THEN you need to do manual iptables commands. That is what "penguin2501" was referring to. His post made it seem like port forwarding wasn't working, but he was simply addressing the issue of seeing the modem web page instead of the intended web page when trying to access the website using the external IP from inside the network.

So, if you want to get port forwarding to work so that you can stop paying for that block of static IP's, first start with the latest firmware for the modem. Then, since you've probably been changing all kinds of settings, perhaps it might be best to set the modem back to factory default options, just to make sure you are starting with a clean slate. Set the modem up for a normal PPPoA connection, specifying that you want to obtain an IP address via PPPoA (right now the ISP should deliver one of your static IP addresses if you do that).

After you get your basic connection working you need to assign an INTERNAL static ip address to any machines that you will be forwarding ports to. An internal static IP is simply an address out of the internal subnet that you have configured on the modem (i.e. it is not an address you need to buy from your ISP, because addresses like 192.168.0.2 are for internal use only, i.e. those addresses are not supposed to ever be seen on the external internet, and won't be routed if they do). The default for the Actiontec is 192.168.0.2 through 192.168.0.254 (the modem uses 192.168.0.1 on the internal lan port). Just choose addresses starting with 192.168.0.2 and increment from there. Most of the work involved in assigning a static IP is done on the individual machines, not the modem. For example, for a windows machine you would not check "Obtain an IP address automatically" on the lan ports TCP/IP properties page, but instead would enter a specific address (e.g. 192.168.0.2) with a netmask of 255.255.255.0, and then gateway specified as 192.168.0.1. You would also specify 192.168.0.1 as your preferred DNS server.

Now, if you assign static IP's to all of your internal machines then you can turn off DHCP in the modem, because there won't be any machines requesting dynamic addresses. If you want to have a few machines still allocate addresses dynamically (e.g. a laptop) then you need to change the DHCP configuration so that the pool of addresses it allocates for dynamic use does not overlap the static IP addresses you have used. If you don't turn off DHCP then change the DHCP Server configuration default Beginning IP Address from 192.168.0.2 to 192.168.0.100. This leaves 98 static IP's available. Again, the only machines that you have to assign a static internal IP address to are the ones that you will be forwarding ports to (or putting in the DMZ).

Now you can set up your port forwarding. Go to the port forwarding page under Advanced Setup. For a single port, specify the same port in both boxes, otherwise specify the start and end port. Choose either TCP or UDP (if you need to forward the same port(s) for both TCP and UDP you will need to enter two different port forwarding rules). In the IP address box specify the internal static IP address of the machine you are forwarding the port(s) to. Now click on "Add". Then continue to specify port forwarding rules until you have them all set up. All the rules you set up should now have an entry in the "List of Forwarded Ports" box. Click on "Save and Restart". Wait for the modem to reboot and then go back and recheck the "List of Forwarded Ports" to make sure all the entries you made are still there.

At this point port forwarding should be working. But you can't verify it by simply trying to connect to a port using your external IP address. Instead you need to use a service like www.canyouseeme.org. Let us know what your results are.
If you still can't get it to work we can take further steps to diagnose the problem.

If you do get it to work you can call Qwest (is Qwest your ISP?) and get rid of your static IP block. You can then use a service like dyndns to make it easier for people to find your current external IP. Another alternative is to buy a single static IP.

Just FYI, on my Actiontec 701 I use port forwarding to host a ssh daemon, a web server and BIND (DNS server) on one machine. I also occasionally run a BitTorrent client on another machine, and my son sometimes hosts a game on another machine, again all via port forwarding to up to three different internal machines. I haven't had any problems with it. So, I know first hand that it works on a GT701. I've also experimented with setting up a DMZ machine and that works fine also.


mdamberger

join:2004-12-01
Roswell, NM

Here are the tables. I reset to defaults and reinstalled the Qwest software using their Quick Connect program and had the PPPoA get set up via that program. I then entered the port to be forwarded, I also set my computer to a static IP address. The same one I was given dynamically. 192.168.0.3. Reset saved. After I was able to connect to the internet. But www.canyouseeme.org can not see me at all. I even tried the other ports they listed, like 80 for web, no go. All list stealth. I do have an Actiontec 701. I'm trying to use BitTorrent. I've also tried DMZ, before to no avail. This modem just does not seem to take any settings. But you can see them in the settings web page. I'm on Qwest.net, I assume they don't block any ports? I don't understand how port 80 is stealth yet I still get web pages, don't I need that open to get on the web? This is driving me nuts. Thanks for the efforts.

# iptables -v -L
Chain INPUT (policy ACCEPT 281 packets, 26357 bytes)
pkts bytes target prot opt in out source destination

0 0 DROP tcp -- ppp0 any anywhere anywhere
tcp dpt:telnet
2 120 DROP tcp -- ppp0 any anywhere anywhere
tcp dpt:www
0 0 QUEUE udp -- br0 any anywhere anywhere
udp dpt:domain
1 28 ACCEPT icmp -- any any anywhere anywhere

5 952 ACCEPT all -- ppp0 any anywhere anywhere
state RELATED,ESTABLISHED
245 23645 DROP all -- ppp0 any anywhere anywhere

Chain FORWARD (policy ACCEPT 12298 packets, 4121K bytes)
pkts bytes target prot opt in out source destination

11 2968 QUEUE udp -- ppp0 any anywhere anywhere
udp spt:domain
11 711 QUEUE udp -- any ppp0 anywhere anywhere
udp dpt:domain
82 3928 ACCEPT tcp -- ppp0 any anywhere anywhere
tcp dpt:49153
212 17605 ACCEPT udp -- ppp0 any anywhere anywhere
udp dpt:49153
0 0 REJECT tcp -- br0 any anywhere anywhere
state INVALID,NEW,RELATED,UNTRACKED tcp dpt:telnet flags:!SYN/SYN reject
-with tcp-reset
7517 3644K sLog all -- !ppp0 ppp0 anywhere anywhere
sLog max_num 50 timeout 300

Chain OUTPUT (policy ACCEPT 212 packets, 64096 bytes)
pkts bytes target prot opt in out source destination

0 0 QUEUE udp -- any br0 anywhere anywhere
udp spt:domain
0 0 DROP udp -- any ppp0 anywhere anywhere
udp spt:route
0 0 DROP icmp -- any ppp0 anywhere anywhere
icmp destination-unreachable
0 0 DROP icmp -- any ppp0 anywhere anywhere
state INVALID
#
# iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 2618 packets, 209K bytes)
pkts bytes target prot opt in out source destination

31 1524 DNAT tcp -- ppp0 any anywhere anywhere
tcp dpt:49153 to:192.168.0.3
185 15450 DNAT udp -- ppp0 any anywhere anywhere
udp dpt:49153 to:192.168.0.3

Chain POSTROUTING (policy ACCEPT 250 packets, 20079 bytes)
pkts bytes target prot opt in out source destination

2041 158K MASQUERADE all -- any ppp0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 9 packets, 868 bytes)
pkts bytes target prot opt in out source destination

#
#



torrenter

@qwest.net

did you try this? this worked great on my modem, except in order for it to stick I had to turn off the modem for 30 seconds, restart it. then enter the commands as listed in the faq. If I tried to do it after the modem had been on for a while it wouldn't stick. after I entered it straight after powering off the modem it has remembered it ever since even through reboots and power cycles.

»US West/Qwest DSL »How Do I Set Up My 701 To Work With Bittorrent?



msj
Premium
join:2004-05-21
Fort Collins, CO
kudos:1

reply to mdamberger

said by mdamberger:

Here are the tables. I reset to defaults and reinstalled the Qwest software using their Quick Connect program and had the PPPoA get set up via that program. I then entered the port to be forwarded, I also set my computer to a static IP address. The same one I was given dynamically. 192.168.0.3. Reset saved. After I was able to connect to the internet. But www.canyouseeme.org can not see me at all.
The iptables output you posted only shows port 49153 being set up for forwarding. Is that what you had set up? If so, it looks like the modem was forwarding that port just fine. The statistics associated with the rules for that port show that packets were successfully forwarded to 192.168.0.3. So if that is the port you tested via www.canyouseeme.org then the problem is most likely with the PC's configuration (i.e. the PC that you assigned the 192.168.0.3 ip address to).

said by mdamberger:

I even tried the other ports they listed, like 80 for web, no go. All list stealth.

You may be getting inbound port forwarding confused with the rules for outbound connections. By default, NAT "blocks" every inbound port, unless it is explicitly set up for port forwarding, or it is associated with an established outbound connection. You only need to forward port 80 if you are running a web server on your machine. You don't need to forward port 80 to surf the web. If you don't forward port 80 then it will be stealthed.

said by mdamberger:

I do have an Actiontec 701. I'm trying to use BitTorrent. I've also tried DMZ, before to no avail. This modem just does not seem to take any settings. But you can see them in the settings web page.
According to the iptables output, I believe you have successfully set up port forwarding for port 49153.

said by mdamberger:

I'm on Qwest.net, I assume they don't block any ports? I don't understand how port 80 is stealth yet I still get web pages, don't I need that open to get on the web? This is driving me nuts. Thanks for the efforts.
Currently Qwest.net does not block any ports. As I said above, it is normal for port 80 to be stealthed unless you explicitly set it up for forwarding, which you only would need to do if you want to run a web-server, i.e. people outside want to establish a connection to port 80 on one of your internal machines. This has no effect on your ability to connect to port 80 on an external machine.

As I said above, the evidence is strong that you have port forwarding for port 49153 working correctly. But if www.canyouseeme.org is still seeing that port as stealthed it means that the modem forwarded the packets correctly, i.e. it placed the packets on the internal lan with a destination of 192.168.0.3, but either no machine was listening at that address, or the machine rejected the packets.

Now, if www.canyouseeme.org took a long time to fail, that means that either no machine was listening, or the port was stealthed. The second part is important, because if you are certain that there was a machine with that address on the internal network then it means that the packet was deliberately dropped by a firewall. If a firewall is not in place, and there is no service on the PC listening on the desired port then the machine would respond with a "Connection Refused", which will give you an immediate result at www.canyouseeme.org.

So, are you running firewall software on the PC in question? Note that Windows XP service pack 2 (SP2) turns on the built-in Windows firewall by default. So if you are running Windows XP SP2 and you haven't made a configuration change to Windows Firewall to allow port 49153 in then your PC will drop those packets.

Since you are behind a router using NAT it would not be much of a risk to turn the firewall completely off at least for testing purposes (there are still some reasons to run a software firewall, if the firewall detects new programs attempting to make outbound connections it might detect a virus/trojan trying to "phone home"). So, if you have a third party firewall installed, try turning it off. I can't help you with that. If you are running Windows XP you can check to see if the firewall is enabled (and turn it off) by clicking on "Windows Firewall" under your control panel. You need administrator privileges to do this.

To make absolutely sure that the PC you think is on 192.168.0.3 actually has that address, type "ipconfig" at a command prompt window.
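
Added example (not part of msj's post and not code from the modem or from Qwest): a small Python parser that does the counter reading described above on pasted `iptables -t nat -v -L` and `iptables -v -L` text. The sample text is constructed in the wrapped layout and with the port 49153 counters shown in this thread; the function names and verdict strings are this example's own.

```python
import re

# Constructed sample: wrapped layout and counters as posted in the thread.
NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 2618 packets, 209K bytes)
pkts bytes target prot opt in out source destination

31 1524 DNAT tcp -- ppp0 any anywhere anywhere
tcp dpt:49153 to:192.168.0.3
185 15450 DNAT udp -- ppp0 any anywhere anywhere
udp dpt:49153 to:192.168.0.3

Chain POSTROUTING (policy ACCEPT 250 packets, 20079 bytes)
pkts bytes target prot opt in out source destination

2041 158K MASQUERADE all -- any ppp0 anywhere anywhere
"""

FILTER_OUTPUT = """\
Chain FORWARD (policy ACCEPT 12298 packets, 4121K bytes)
pkts bytes target prot opt in out source destination

82 3928 ACCEPT tcp -- ppp0 any anywhere anywhere
tcp dpt:49153
212 17605 ACCEPT udp -- ppp0 any anywhere anywhere
udp dpt:49153
7517 3644K sLog all -- !ppp0 ppp0 anywhere anywhere
sLog max_num 50 timeout 300
"""

# One rule line: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<iface_in>\S+)\s+(?P<iface_out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")


def parse_count(text):
    """iptables -v abbreviates large counters with K/M/G (powers of 1000)."""
    scale = {"K": 10**3, "M": 10**6, "G": 10**9}
    if text[-1] in scale:
        return int(text[:-1]) * scale[text[-1]]
    return int(text)


def parse_rules(output):
    """Return one dict per rule, re-joining match text wrapped onto a new line."""
    rules, chain = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "pkts ")):
            continue  # blank line, shell prompt, or column header
        header = re.match(r"Chain (\S+)", line)
        if header:
            chain = header.group(1)
            continue
        match = RULE_RE.match(line)
        if match:
            rule = match.groupdict()
            rule["chain"] = chain
            rule["pkts"] = parse_count(rule["pkts"])
            rule["bytes"] = parse_count(rule["bytes"])
            rules.append(rule)
        elif rules and rules[-1]["chain"] == chain:
            # Continuation of the previous rule (terminal wrapped the line).
            rules[-1]["extra"] = (rules[-1]["extra"] + " " + line).strip()
    return rules


def check_forwards(nat_output, filter_output):
    """Pair each DNAT rule with the FORWARD ACCEPT rule for the same port."""
    forward = [r for r in parse_rules(filter_output)
               if r["chain"] == "FORWARD" and r["target"] == "ACCEPT"]
    report = []
    for rule in parse_rules(nat_output):
        port = re.search(r"\bdpts?:(\S+)", rule["extra"])
        dest = re.search(r"\bto:(\S+)", rule["extra"])
        if rule["chain"] != "PREROUTING" or rule["target"] != "DNAT":
            continue
        if not (port and dest):
            continue
        same_port = re.compile(r"\bdpts?:%s(?:\s|$)" % re.escape(port.group(1)))
        fwd_pkts = sum(f["pkts"] for f in forward
                       if f["prot"] == rule["prot"] and same_port.search(f["extra"]))
        # The nat table only sees the first packet of each connection, so the
        # DNAT count is lower than the FORWARD count, which sees every packet.
        if rule["pkts"] == 0:
            verdict = "no inbound traffic has hit this rule"
        elif fwd_pkts == 0:
            verdict = "rewritten, but no FORWARD ACCEPT rule counted it"
        else:
            verdict = "modem is forwarding; check the target host"
        report.append({"prot": rule["prot"], "port": port.group(1),
                       "to": dest.group(1), "dnat_pkts": rule["pkts"],
                       "forward_pkts": fwd_pkts, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in check_forwards(NAT_OUTPUT, FILTER_OUTPUT):
        print(row)
```

Power cycling the modem before the external test, as suggested later in the thread, resets the counters so any hits can be attributed to that test alone.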

mdamberger

join:2004-12-01
Roswell, NM

Yes, I had set that up to be port 49153. I had read to change it from the typical setting of 6881 because some ISP's blocked that port.

When I go to www.canyouseeme.org I get back the following error.

Error: I could not see your service on 71.39.36.30 on port (49153)
Reason: Connection timed out

At »www.grc.com/x/portprobe=49153 I get

Port
Status Protocol and Application

49153
Stealth Unknown Protocol for this port
Unknown Application for this port

I get the same response on other ports, like POP3 mail etc.. My ipconfig is as follows.

C:\Documents and Settings\mdamberger\Desktop>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . :
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Actiontec Gateway
Physical Address. . . . . . . . . : 00-0F-B3-74-AA-6B
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
205.171.3.65

XP Firewall is set to off. There are no other firewalls setup. In fact the old hard drive failed a few weeks ago, so I reinstalled XP and took all the updates. I am the administrator of the computer, says so under users.


mdamberger

join:2004-12-01
Roswell, NM

The first thing I did when I could not get port forwarding to work, I went to Qwest's firmware update site and updated to the latest version. I checked a few days ago, and they are still the same. This is the version I have.
Thanks.

Firmware Version: QW04 -3.60.2.0.6.3-GT701-WG



msj
Premium
join:2004-05-21
Fort Collins, CO
kudos:1

reply to mdamberger
OK, so we're still not sure where the packets are getting dropped. Here's the next thing to do. Go to this webpage:

»www.winpcap.org/windump/install/default.htm

Download and install WinPcap 3.1 and then download WinDump.exe. These need to be installed on the machine that has IP 192.168.0.3. WinDump is the windows equivalent of tcpdump for Linux, and it requires WinPcap to run.

Then start a command prompt window and cd to the directory where you placed the windump command. Then type:

windump -D

This will list all of the network interfaces on your machine. Note which number interface is your ethernet interface (assuming you have just one). You need to use that number with the -i option below. Now, first make sure it is working. Type:

windump -i 2 -n port 80

Substitute the appropriate number for the 2 above, which is the right interface on my machine. I'll continue to use 2 in the following example.

Start up a web browser and go to any external web page. You should see windump dump a bunch of packet traffic if it is properly monitoring your ethernet interface.

Use control-C to terminate the above windump command. If the above worked then you should type:

windump -i 2 -n port 49153

Now go to www.canyouseeme.org and test port 49153 again. windump is fairly good at seeing all traffic, even if the port is being blocked by the OS or other software. If windump doesn't show anything then the evidence points back to the modem as the source of the problem, and we'll continue to debug that. If windump does show something (it should show two packets if you use www.canyouseeme.org) then the problem is with your PC configuration.

As an extra step, before you do these tests, power cycle the modem so all the iptables counts are reset. Then, if the above windump test fails, repost the iptables -v -L and iptables -t nat -v -L output from the modem, just to make sure we have consistent data.



msj
Premium
join:2004-05-21
Fort Collins, CO
kudos:1

reply to mdamberger
Oh, one more thing. I've been assuming a fairly simple network, i.e. either you have one PC hooked up directly to the Actiontec modem, or you have a simple switch/hub (not a router) between the Actiontec and the PC. Is that correct?


mdamberger

join:2004-12-01
Roswell, NM

reply to msj
I only have the PC connected directly to the modem. No other devices connected or between them. This is what I got when I ran winpcap.

C:\Program Files>windump -i 2 -n port 49153
windump: listening on \Device\NPF_{6E544437-5954-4FB9-B744-AF8AC39260ED}

0 packets captured
115 packets received by filter
0 packets dropped by kernel

C:\Program Files>

So, it looks like I'm not getting any packets through the port. Looks like the modem's at fault. I tried canyouseeme and another site. Both came back negative. I then changed my IP address just to make sure to 192.168.0.152. Still nothing.


mdamberger

join:2004-12-01
Roswell, NM

Here are the tables.

# iptables -v -L
Chain INPUT (policy ACCEPT 234 packets, 26488 bytes)
pkts bytes target prot opt in out source destination

0 0 DROP tcp -- ppp0 any anywhere anywhere
tcp dpt:telnet
0 0 DROP tcp -- ppp0 any anywhere anywhere
tcp dpt:www
19 1235 QUEUE udp -- br0 any anywhere anywhere
udp dpt:domain
0 0 ACCEPT icmp -- any any anywhere anywhere

20 4911 ACCEPT all -- ppp0 any anywhere anywhere
state RELATED,ESTABLISHED
5 330 DROP all -- ppp0 any anywhere anywhere

Chain FORWARD (policy ACCEPT 3642 packets, 1099K bytes)
pkts bytes target prot opt in out source destination

6 1416 QUEUE udp -- ppp0 any anywhere anywhere
udp spt:domain
7 446 QUEUE udp -- any ppp0 anywhere anywhere
udp dpt:domain
183 8816 ACCEPT tcp -- ppp0 any anywhere anywhere
tcp dpt:49153
724 102K ACCEPT udp -- ppp0 any anywhere anywhere
udp dpt:49153
0 0 REJECT tcp -- br0 any anywhere anywhere
state INVALID,NEW,RELATED,UNTRACKED tcp dpt:telnet flags:!SYN/SYN reject
-with tcp-reset
2345 982K sLog all -- !ppp0 ppp0 anywhere anywhere
sLog max_num 50 timeout 300

Chain OUTPUT (policy ACCEPT 198 packets, 77748 bytes)
pkts bytes target prot opt in out source destination

16 3992 QUEUE udp -- any br0 anywhere anywhere
udp spt:domain
0 0 DROP udp -- any ppp0 anywhere anywhere
udp spt:route
0 0 DROP icmp -- any ppp0 anywhere anywhere
icmp destination-unreachable
0 0 DROP icmp -- any ppp0 anywhere anywhere
state INVALID
#
# iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 847 packets, 65916 bytes)
pkts bytes target prot opt in out source destination

71 3416 DNAT tcp -- ppp0 any anywhere anywhere
tcp dpt:49153 to:192.168.0.3
166 15671 DNAT udp -- ppp0 any anywhere anywhere
udp dpt:49153 to:192.168.0.3

Chain POSTROUTING (policy ACCEPT 247 packets, 19783 bytes)
pkts bytes target prot opt in out source destination

621 48883 MASQUERADE all -- any ppp0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 10 packets, 657 bytes)
pkts bytes target prot opt in out source destination

#
#

