After spending over 16 hours trying to get openVPN to work (including a call to level 2 support, which gave inaccurate, unhelpful information), I finally found the answer here -> https://www.dslreports.com/forum/r30964836-Networking-FIOS-Quantum-Gateway-router-G1100-issue-with-L...
Normally, you should be able to port forward like this: source port = 1194, destination port = 1194. Because of the firmware bug in the FIOS Gateway FIOS-G1100, you have to set the source port to "Any".
Obviously, this is a security concern because it is less restrictive than setting the port to 1194.
In conclusion
Anyone who is trying to port forward for openVPN:
- set the source port to "Any"
- set the destination port to 1194 (or another port, if you have configured openVPN to use another port)
Here is an example configuration
So the reason why this works is due to the way most networked programs function. Programs rely on listener ports and ephemeral ports. In this case, a VPN client you're trying to permit through the router to a server on your network will make a request from an ephemeral port, usually a 5-digit port number, and something which is completely random/unknown. Unless the application is otherwise designed to communicate FROM a specific port at all times, the rule "Any" for Source will be required.
The Destination simply tells the router which host to send traffic destined for a certain port to.
An example here is OpenVPN will make a connection from Client port 35564 to Port 1194. On the next connection attempt, OpenVPN will make a connection from Client port 25463 to Port 1194.
The only way a rule with 1194 > 1194 will work is if OpenVPN always makes a connection attempt from Port 1194 on the client to Port 1194.
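To make the listener/ephemeral-port point above concrete, here is a small Python model of how a port-forwarding rule matches inbound packets. It is an added example, not code from this thread or from the Verizon/Actiontec firmware; the `Packet` and `ForwardRule` types, the IP addresses and the client source ports are all constructed. Besides the ephemeral-port case, it includes one sender that deliberately binds source port 1194 (OpenVPN can do this with its `--lport` option, and any raw-socket tool can set an arbitrary source port), which shows what a "source port = 1194" rule does and does not restrict.

```python
"""Model of a consumer router's port-forwarding rule matching inbound packets.

Added example, not from the thread or any router firmware. The types and
every packet below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # the router UI's "Any" choice for a port field


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int   # chosen by the sender: ephemeral unless the app binds one
    dst_port: int   # the listener port the sender is trying to reach


@dataclass(frozen=True)
class ForwardRule:
    proto: str
    src_port: Optional[int]   # ANY (None) or one specific source port
    dst_port: int             # WAN port the router accepts traffic on
    target: str               # LAN host:port that receives the forwarded traffic


def matches(rule: ForwardRule, pkt: Packet) -> bool:
    """True if the rule forwards this packet to its LAN target."""
    if rule.proto != pkt.proto or rule.dst_port != pkt.dst_port:
        return False
    # "Any" accepts every source port; otherwise the source port must match exactly.
    return rule.src_port is ANY or rule.src_port == pkt.src_port


def forwarded(rule: ForwardRule, packets: List[Packet]) -> List[Packet]:
    """Subset of packets the rule would forward."""
    return [p for p in packets if matches(rule, p)]


# Constructed traffic: three connection attempts from one OpenVPN client whose
# OS picks a fresh ephemeral source port each time (like the 35564 / 25463
# example in the thread), plus one sender that pinned its source port to 1194.
CLIENT_ATTEMPTS = [
    Packet("udp", "203.0.113.7", 35564, 1194),
    Packet("udp", "203.0.113.7", 25463, 1194),
    Packet("udp", "203.0.113.7", 51203, 1194),
]
PINNED_SOURCE = Packet("udp", "198.51.100.9", 1194, 1194)

# The two rules discussed in the thread (target host is a constructed LAN address).
STRICT_RULE = ForwardRule("udp", 1194, 1194, "192.168.1.10:1194")  # 1194 -> 1194
ANY_RULE = ForwardRule("udp", ANY, 1194, "192.168.1.10:1194")      # Any  -> 1194


def compare_rules() -> dict:
    """How many constructed attempts each rule lets through to the OpenVPN server."""
    return {
        "strict_forwards_ephemeral": len(forwarded(STRICT_RULE, CLIENT_ATTEMPTS)),
        "any_forwards_ephemeral": len(forwarded(ANY_RULE, CLIENT_ATTEMPTS)),
        "strict_forwards_pinned": matches(STRICT_RULE, PINNED_SOURCE),
        "any_forwards_pinned": matches(ANY_RULE, PINNED_SOURCE),
    }


if __name__ == "__main__":
    for name, value in compare_rules().items():
        print(f"{name}: {value}")
```

The strict 1194 -> 1194 rule forwards none of the three ordinary client attempts but does forward the pinned-source packet. Since the source port is chosen by whoever sends the packet, a source-port match is not a barrier to anyone who wants in; it only breaks clients that use ephemeral ports. The restriction that actually limits exposure here is the one the rule already has: a single protocol and destination port forwarded to a single LAN host, with authentication left to the OpenVPN server.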
Don't think that is anything specific to the G1100.
Port forwarding on all the fios routers I've ever used has been the source port defined as ANY and the destination the port you are forwarding.
I didn't save my config from the ActionTec router, but if memory serves, I used source port 1194, not "All".
And even if this is typical for FIOS routers, best security practice is to disallow everything but what you specifically need to allow. A router/firewall should enable you to use the most restrictive rule possible.
Thank you for the information, this is far more useful than what I was given over the phone. I thought that the source port was the WAN port that would receive the packets and the destination was the port it sent it to on the destination machine. Clearly, I was wrong about that.
The extremely frustrating aspect of this was, if the incoming port needs to be set to "Any", Verizon Level 1 and Level 2 support should have been able to quickly diagnose and provide instructions on solving it.
Also, since not everyone is familiar with ephemeral ports, the manual should specify that the source port needs to be "Any" in the Port Forwarding or the Advanced Port Forwarding instructions (http://www.verizon.com/about/sites/default/files/fios-qgr-userguide140925.pdf - pages 96-98).
Come to think of it, how many applications can/do control their client side outgoing port? Why not make the Port Forwarding source port be set to "Any" and have a pop up warning for anyone who wants to change it?