FIOS Gateway FIOS-G1100 ***FIRMWARE BUG*** and how to workaround
compsult
Newbie

After spending over 16 hours trying to get OpenVPN to work (including a call to level 2 support, which gave inaccurate, unhelpful information), I finally found the answer here ->  https://www.dslreports.com/forum/r30964836-Networking-FIOS-Quantum-Gateway-router-G1100-issue-with-L...

Normally, you should be able to port forward like this: source port = 1194, destination port = 1194. Because of the firmware bug in the FIOS Gateway FIOS-G1100, you have to make the source port = "Any".

Obviously, this is a security concern because it is less restrictive than setting the port to 1194.

In conclusion

Anyone who is trying to port forward for OpenVPN:

  1. set the source port to "Any"
  2. set the destination port to 1194 (or another port, if you have configured OpenVPN to use another port)

Here is an example configuration

[image: example port forwarding configuration]


Correct answers
Re: FIOS Gateway FIOS-G1100 ***FIRMWARE BUG*** and how to workaround
smith6612
Community Leader

So the reason why this works is due to the way most networked programs function. Programs rely on Listener ports and Ephemeral ports. In this case, a VPN client you're trying to permit through the router to a server on your network will make a request from an Ephemeral port, usually a 5 digit port number, and something which is completely random/unknown. Unless the application is otherwise designed to communicate FROM a specific port at all times, the rule "Any" for Source will be required.

The Destination simply tells the router which host to send traffic destined for a certain port to.

An example here is OpenVPN will make a connection from Client port 35564 to Port 1194. On the next connection attempt, OpenVPN will make a connection from Client port 25463 to Port 1194.

The only way a rule with 1194 > 1194 will work is if OpenVPN always makes a connection attempt from Port 1194 on the client to Port 1194.

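To make the accepted answer concrete, here is an added example (not from any poster in this thread) that models the gateway's port-forwarding rule as a small matcher and lets the OS pick an ephemeral source port the way a VPN client would. The rule and packet structures, the LAN address 192.0.2.10 and the sample packets are assumptions constructed for the example; the two client source ports are the ones quoted above.

```python
import socket
from dataclasses import dataclass
from typing import Optional

# Constructed model of a router port-forwarding rule. src_port=None means "Any".
@dataclass(frozen=True)
class ForwardRule:
    proto: str                 # "udp" or "tcp"
    src_port: Optional[int]    # None == "Any"; a number pins the client's source port
    dst_port: int              # WAN-side destination port the router accepts on
    forward_to: str            # LAN host that should receive the traffic (assumed address)

@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int              # chosen by the remote client's OS (ephemeral)
    dst_port: int

def forward_target(rules, pkt):
    """Return the LAN host the first matching rule forwards pkt to, else None."""
    for r in rules:
        if r.proto != pkt.proto or r.dst_port != pkt.dst_port:
            continue
        if r.src_port is not None and r.src_port != pkt.src_port:
            continue  # a pinned source port rejects ordinary clients
        return r.forward_to
    return None

def ephemeral_source_port():
    """Do what a real client does: open a UDP socket without choosing a port and
    let the OS assign the ephemeral source port. Returns None if sockets are unavailable."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect(("127.0.0.1", 1194))  # UDP connect sends nothing; it only picks a port
            return s.getsockname()[1]
    except OSError:
        return None

# Constructed sample traffic: the two client source ports quoted in the thread,
# plus unrelated traffic to show that "Any" source still filters by proto and port.
OPENVPN_CLIENTS = [Packet("udp", 35564, 1194), Packet("udp", 25463, 1194)]
OTHER_TRAFFIC = [Packet("udp", 35564, 1195), Packet("tcp", 35564, 1194)]

PINNED = [ForwardRule("udp", 1194, 1194, "192.0.2.10")]   # source port = 1194 (fails)
ANY_SRC = [ForwardRule("udp", None, 1194, "192.0.2.10")]  # source port = Any (works)

def count_forwarded(rules, packets):
    return sum(forward_target(rules, p) is not None for p in packets)
```

Running `count_forwarded` shows the pinned rule forwards none of the client connections while the "Any" rule forwards both and still drops the packets to other ports or protocols, and `ephemeral_source_port()` returns whatever high-numbered port this host's OS chose.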

Re: FIOS Gateway FIOS-G1100 ***FIRMWARE BUG*** and how to workaround
viafax999
Community Leader

Don't think that is anything specific to the G1100.

Port forwarding on all the fios routers I've ever used has been the source port defined as ANY and the destination the port you are forwarding.

Re: FIOS Gateway FIOS-G1100 ***FIRMWARE BUG*** and how to workaround
compsult
Newbie

I didn't save my config from the ActionTec router but if memory serves, I used source port as 1194, not "All".

And even if this is typical for FIOS routers, best security practice is to disallow everything but what you specifically need to allow. A router/firewall should enable you to use the most restrictive rule possible.

Re: FIOS Gateway FIOS-G1100 ***FIRMWARE BUG*** and how to workaround
compsult
Newbie

Thank you for the information, this is far more useful than what I was given over the phone. I thought that the source port was the WAN port that would receive the packets and the destination was the port it sent it to on the destination machine. Clearly, I was wrong about that.

The extremely frustrating aspect of this was that, if the incoming port needs to be set to "Any", Verizon Level 1 and Level 2 support should have been able to quickly diagnose and provide instructions on solving it.

Also, since not everyone is familiar with ephemeral ports, the manual should specify that the source port needs to be "Any" in the Port Forwarding or the Advanced Port Forwarding instructions (http://www.verizon.com/about/sites/default/files/fios-qgr-userguide140925.pdf - pages 96-98).

Come to think of it, how many applications can/do control their client side outgoing port? Why not make the Port Forwarding source port be set to "Any" and have a pop up warning for anyone who wants to change it?
