
DLink DSL-3782 Router External IP shows router login rather than webserver

kornito
Popular Poster

Swopping a working simple webserver setup with an old Huawei EchoLife HG520b with a more modern DLink (TalkTalk) DSL-3782 we changed the default IP from 192.168.1.1 to 192.168.0.1 and
DHCP IP Address Range 192.168.0.20 to 192.168.0.254
and set up a Port Forwarding rule:
* Status Active
* Interface PVC1
* Internal 192.168.0.3 80-80
* External 80-80
* Protocol TCP
OBSERVATION: Whenever we connect to http Port 80 we see the Router log-in page and not the expected log in for 192.168.0.3.


Googling: Port Forwarding TalkTalk pdf
"Port Forwarding.pdf 1574 KB - TalkTalk Community Page 26 of 40
Port Translation (where a port is intercepted by the router, e.g. port 80)
This mainly affects the Huawei HG633/HG635 routers. It does not affect the DSL-3782. If a PC for example is hosting a web server, connected to the local network, it will use TCP ports 80 and/or 443. When trying to access either of these ports from the internet, normal port forwarding will fail."


Unfortunately the Router does not allow a rule like:
* Internal 192.168.0.1 80-80
* External 8080-8080
* Protocol TCP
allowing us on rare occasions to access Router Menu with 192.168.0.1:8080


Have we omitted a step in getting the DSL-3782 working as the older EchoLife router did?

KeithFrench
Community Star

So you found a probably out of date version of my guide!

 

When I tested the 3782 originally you did not have to do port translation. What firmware is yours on, I didn't test this on the latest firmware, as I was told it only fixed a VPN issue?

 

However, you have made a mistake in your port translation rule, you have the IP address wrong, it needs to be the IP address of the device you are forwarding to:-

 

Internal IP   192.168.0.3
Internal Startport   80
Internal Endport    80
External startport  8080
External endport  8080
Protocol type  TCP

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please mark it as the Best Answer.
OCE's and Community Stars - Who are they? 

kornito
Popular Poster

https://support.opendns.com/hc/en-us/articles/228006087-Huawei-Router-Configuration
This guide refers to a Huawei EchoLife HG520s router, but will apply to most Huawei routers in general.
The standard address of the router's config is 192.168.1.1. (If you have forwarded port 80 to another machine, the location becomes 192.168.1.1:8080.)
COMMENT Above was updated 6 months ago (Jan 2019?). It obviously does not apply to Huawei HG633. The above mechanism is neat and would be useful if applied to all routers used by TalkTalk.

kornito
Popular Poster

Greetings Keith, some observations in chronological order:

2015: DSL-3782 Menu is Copyright @ 2015 D-Link (not TalkTalk)

01 Dec 2016: DLink (TalkTalk) DSL-3782 I used as above had Current Firmware Version v1.08t Firmware Date Dec 1 2016-11:33:53 (Under Management tab, Firmware Upgrades)

02 Jun 2018: Port Forwarding.pdf mentioned above date is 02/06/2018.

11 Feb 2019: "Hi Chris, The router has now updated to version 1.10t." https://community.talktalk.co.uk/t5/Broadband/DSL-3782-New-Firmware/td-p/2313148

15 Mar 2019: says new version "We're currently testing new firmware at the moment but this is for a VPN issue". https://community.talktalk.co.uk/t5/Fibre-Broadband/Dlink-DSL-3782-Firmware-Update/td-p/2331032 (I presume 1.10t is being discussed here)

 

The web server I tested with was on 192.168.0.3 fixed IP. I just realised a bit of confusion. The last part of my post was a failed attempt to change the router 192.168.0.1 to look like the older Huawei EchoLife HG520b so the router menu would be accessed on 192.168.0.1:8080

 

KeithFrench
Community Star

I am not sure I understand your last post. Did the amended rule I suggested work or not & if not exactly how are you testing this?

Keith

KeithFrench
Community Star

There isn't much point discussing the HG633 at this point, as it is totally different from the DSL-3782.

Keith

kornito
Popular Poster

Keith, perhaps below is clearer then?

 

Swopping a working simple webserver setup with an old Huawei EchoLife HG520b with a  modern DLink (TalkTalk) DSL-3782 we changed the default IP from 192.168.1.1 to 192.168.0.1 AND
DHCP IP Address Range: 192.168.0.20 to 192.168.0.254
AND set up this Port Forwarding rule:
* Status Active
* Interface PVC1
* Internal 192.168.0.3 80-80
* External 80-80
* Protocol TCP


OBSERVATION: Whenever we connect to http Port 80 we see the Router log-in page showing DSL-3782 and not the expected log in for 192.168.0.3 that is the fixed IP address of the webserver.


Googling: Port Forwarding TalkTalk pdf
"Port Forwarding.pdf 1574 KB - TalkTalk Community Page 26 of 40
Port Translation (where a port is intercepted by the router, e.g. port 80)
This mainly affects the Huawei HG633/HG635 routers. It does not affect the DSL-3782. If a PC for example is hosting a web server, connected to the local network, it will use TCP ports 80 and/or 443. When trying to access either of these ports from the internet, normal port forwarding will fail."

Other posts claim the same regarding DSL-3782.

 

The test setup is laptop with browser and Raspberry PI based webserver via RJ45 ended cables to DSL-3782 router to ancient twisted copper pair to exchange.
Have we omitted a step in getting the DSL-3782 working as the older EchoLife router did?

KeithFrench
Community Star
Solution

I know all about that document, it is mine, I wrote it. The 3782 does not suffer the same problem as the HG633 in the case of port 80.

 

However, I think the problem is in the way you are testing it. If you try to connect to the web server from a device locally connected to your 3782 & use a destination public IP address of your router, the traffic routes out to the internet & back in again. This is classed as loopback traffic & all modern TalkTalk routers block this, considering it a security risk.

 

What happens with the rule back to the external & internal ports set to 80 & you visit a port checking site, such as:-

 

https://portchecker.co/

 

Does channel 80 report as open?

 

By the way, your use of PVC1 will depend on if you use ordinary broadband or fibre. The former uses PVC1, whilst fibre needs to use PTM. This is all explained in my Port Forwarding.pdf (assuming, of course, you are looking at the most up to date version, which is currently dated 18/02/2019).

Keith

kornito
Popular Poster

Keith, Progress has been...

I tried your kind suggestion in <https://community.talktalk.co.uk/t5/Broadband/Port-forwarding-not-working-for-home-web-server/td-p/2...>
12-04-2019 10:04 PM to Talkatron5000 and it works as you suggested from mobile SIM not local (RJ45 or WiFi connected).

I agree with will123 that "I will have to change my application's settings everytime I want to switch between using it at home and elsewhere (e.g. on a mobile network)" is no good. Testing the setup is also more fraught.
See <https://community.talktalk.co.uk/t5/Fibre-Broadband/Cannot-access-public-IP-address-port-forwards-fr...>
I understand the prob is a TalkTalk customer can get data from everywhere else but TalkTalk bans the customer from seeing their own trusted data that everyone else could see.
OCE_Michelle passed on query to TT Products Team 22-01-2019
By 19-05-2019 no response was apparent.
Chat to TalkTalk won't help. Any way forward?

(After composing above I went back online and found your reply that reaches same conclusion)

KeithFrench
Community Star

It blocks this for security reasons, in this day & age their policy on blocking loopback traffic will probably never change.

 

To access the web server from both inside & outside of your router is very simple:-

 

  1. From outside your network use the public IP address or DDNS Domain (as the public address will change over time).
  2. From inside your network, use the webserver's 192.168.0.3 (I think) address.

Keith

kornito
Popular Poster

Keith. Thanks for your constructive help. Some points arising from thread:


1. I marked Post 8 as solved as you describe a problem with DSL-3782 Port Forwarding.

 

2. Regarding your post 10 (above) workaround. will123 and I, with greatest respects, had already mentioned this is not acceptable as addressing must be seamless not device connection method/geographic dependent. Way back on 28 Jun 2016 John runs into the same problem of NAT loopback and wants NAT Loopback (post 27).

 

3. We see the terms Port Forwarding (PF) and Port Translation (PT). Can PT be considered a subset of PF? Example:
* Internal 192.168.0.3 80-80, External 80-80 (PF, not PT)
* Internal 192.168.0.3 80-80, External 8080-8080 (PF with PT)

 

4. My method of finding your excellent detailed PDF (post 1 above) is not the best. Is it pinned somewhere, ideally where one can subscribe to in case of change?

 

5. Should you update PDF (currently dated 02/06/2018) could you amend:

a) p19/40 DSL-3782 add Firmware v1.08t Date Dec 1 2016-11:33:53 (Under Management tab, Firmware Upgrades)

b) p19/40 Add that full seamless Port Forwarding to e.g. port 80 for TCP is not possible due to NAT loopback being blocked. This blocking affects webservers, remote home automation, security, camera systems etc viz John post 3 https://community.talktalk.co.uk/t5/Ultra-Fibre-Optic-Broadband-UFO/Nat-Loopback/m-p/1927875

c) p19/40 Note 1 mentions PVC1 and you mention PVC1 in Post 8 above. No mention of PVC2. A note on DSL-3782 would be welcome on why one gets a choice and how it is used. Under Port Forwarding one gets to choose between PVC1 and PVC2 (when ADSL has been selected).

d) p19/40 Note 2 A plea for "there is no need to translate these ports, leave internal/external all as 80 or 443" rewording. Leave implies leave alone but you must still Port Forward but not Port Translate. Perhaps add only use 'Internal 192.168.X.Y 80-80, External 80-80'. Same with 443

e) p26/40 "It does not affect the DSL-3782" can cause people to buy a DSL-3782 that they might not have done had they seen a reference here to the NAT loopback problem. Can a caveat be added here to point to page 33 that says something about NAT loop back. Search for loopback got no hits!

f) p33 "Most routers prevent ‘Loop Back’ as an additional security measure". So if one is purchasing a router how does one search to see if it blocks NAT loopback? From above links many have questioned the security value. Can anybody from TalkTalk explain the reasoning?

 

6. Is  02-13-2013 04:17 AM workaround by Karsten Iwen feasible on DSL-3782?
Note in passing link also says "What you are looking to do is perform REVERSE PORT ADDRESS TRANSLATION. People call it all sorts of crazy things like: NAT Hairpinning, NAT-on-a-stick, NAT reflecting, and NAT loopback. It is difficult to get to these kind of questions using Google, so I will rephrase:
If you cannot reach an internal server using the GLOBAL IP address and port, then this post is FOR YOU! You have to configure another type of NAT called NVI instead of traditional NAT."

 

7.  Post 2/3 As explained by Keith (thx) "any traffic out to the internet & back into either your router's WAN IP address or DDNS domain is classed as loopback traffic. This is blocked by all TalkTalk routers, as they consider it a security risk" Questions mainly for TalkTalk techie staff: Do the data packets actually leave the router? Where do they go to get turned around by 'the internet' and sent back into the router? If they never leave the router why is it a security risk? The router has enough information to keep the data packets within the private side of the firewall. Why can't the router automatically implement something like the workaround by Karsten above?
Scenario: I just got a packet back in that I just sent out so I block it. But I kept a cached copy behind the firewall that I trust so I send that to the internal user instead.

8. Post 4 above attempts to make sense of DSL-3782 firmware. I have only come across v1.08t and v1.10t. TalkTalk issue DSL-3782 routers with older v1.08t as late as June 2019. If anybody working for TalkTalk is on here can release dates and changes be documented for DSL-3782 firmware.
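
A simplified model of the behaviour discussed in this thread (the blocked loopback case from the Solution post and the PF/PT distinction in point 3 above), added here as an example; it is not part of any post and is not the DSL-3782 firmware's logic. It assumes a forwarding rule matches only traffic arriving on the interface it is bound to (PVC1) and that the router answers LAN-side port 80 on its own addresses with its admin page; `WAN_IP`, `deliver` and `ForwardRule` are hypothetical names and the public address is constructed.

```python
from dataclasses import dataclass

WAN_IP = "203.0.113.10"        # constructed public address (documentation range)
ROUTER_LAN_IP = "192.168.0.1"  # router LAN address from the thread
ADMIN_UI = ("router-admin-ui", 80)

@dataclass(frozen=True)
class ForwardRule:
    interface: str   # WAN-side interface the rule is bound to, e.g. "PVC1"
    ext_start: int
    ext_end: int
    int_ip: str
    int_start: int
    proto: str = "TCP"

def deliver(rules, in_iface, dst_ip, dst_port, proto="TCP"):
    """Return (host, port) that receives a new connection, or None if dropped."""
    if dst_ip == WAN_IP:
        for r in rules:
            # Assumption: a rule only matches traffic arriving on its own interface.
            if (r.interface == in_iface and r.proto == proto
                    and r.ext_start <= dst_port <= r.ext_end):
                # Port translation is a forward whose internal port differs.
                return (r.int_ip, r.int_start + dst_port - r.ext_start)
        # Assumption: LAN clients hitting the public address on port 80 reach
        # the router's own web UI; nothing else is answered.
        return ADMIN_UI if (in_iface == "LAN" and dst_port == 80) else None
    if in_iface != "LAN":
        return None                      # unsolicited WAN traffic to other addresses
    if dst_ip == ROUTER_LAN_IP:
        return ADMIN_UI if dst_port == 80 else None
    return (dst_ip, dst_port)            # ordinary LAN-to-LAN traffic, no NAT

PF = ForwardRule("PVC1", 80, 80, "192.168.0.3", 80)      # forward, no translation
PT = ForwardRule("PVC1", 8080, 8080, "192.168.0.3", 80)  # forward with translation

def scenarios():
    return {
        "outside -> public:80 (PF)": deliver([PF], "PVC1", WAN_IP, 80),
        "inside  -> public:80 (PF)": deliver([PF], "LAN", WAN_IP, 80),
        "inside  -> 192.168.0.3:80": deliver([PF], "LAN", "192.168.0.3", 80),
        "outside -> public:8080 (PT)": deliver([PT], "PVC1", WAN_IP, 8080),
        "outside -> public:80 (PT only)": deliver([PT], "PVC1", WAN_IP, 80),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32} {result}")
```

Under these assumptions the inside-to-public case lands on the router's login page, which matches the observation in the first post, while the same rule tested from outside reaches 192.168.0.3.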

KeithFrench
Community Star

I'll pick up on a couple of points you mention:-

 

  1. The point of not being able to use the public IP address or DDNS domain to access the router locally and using its local private IP address not being acceptable. Please bear in mind that I am a customer, therefore I am not sure how I am expected to dictate TalkTalk security policy.
  2. Just because something is possible on a commercial router such as any Cisco IoS device, does not mean it would ever be available on an ISP provided router.
  3. You can only ever get my guides from me. They are not held centrally by TalkTalk. There was a move to do that a few years ago, but I would have lost all ability to edit them, so I would not go along with that.
  4. The selection of PVC1 or 2 is simple. If you are on ADSL PVC1 works and PVC2 doesn't. Hence I do not show anywhere to use PVC2 on the 3782 router. PVC1 represents the incoming WAN interface on the router.
  5. As far as rewriting my guide, I only do that when I think it needs it. Please bear in mind that I do not get paid for any of this & it can be very time-consuming.

The latest version of my guide is attached

Keith

kornito
Popular Poster

Thank you fellow customer Keith 🙂

Of course it is up to TalkTalk staff to dictate security policy and hopefully someone from TalkTalk can append a few notes to say if this NAT Loopback issue can be resolved.

For anyone else reading here Keith's Port Forwarding PDF, that he has kindly attached, is dated 18 Feb 2019 (the Google search method retrieved an older version)