I've been having this issue lately.. in addition to what seems like my Rogers connectivity deteriorating over the past few weeks, I've now noticed something even more troubling. Today I went to do some routine Port Forwarding on my Cisco DPC3825 - something I have done successfully many times before - only to find that via any online scanner I check (including using some friends down south to run a trace from them to me), all of my ports are either closed or blocked/filtered. Not even the previous forwards I had set up are functioning anymore.
I've contacted Rogers TSRs several times today and they swear to high heaven that Rogers doesn't filter and doesn't block ports.. and that they cannot control how these other websites work and therefore it's not their issue and that if I want to investigate further that I have to PAY for their "advanced" tech support. Really? I have to pay more to get the service I'm already paying for to work properly? Nice.
MY issue is that I am trying EVERY port scanner service under the sun, and am also trying this through living friends doing traces and pings for me, and they all say the same thing. That suggests that it IS a Rogers issue, no?
Anyone else having any similar experience? I'm at my wits' end with this and am so close to just calling it a day and taking my business elsewhere.
I think it makes sense that having something in the DMZ and the forwarding on would cause a conflict.
When you put something in the DMZ.. it's outside of the firewall. Pretty much, count it like, IT'S assuming by default, any connections into the router, if it can.
Port forwarding would then try to do it again.... OR.. it's trying to push to an IP of a device which normally is INSIDE the firewall.. and is now outside of it.
Nice workaround, for the same IP address.. 🙂 only other option would be to play around, with one in the DMZ, and the other with port forwarding.
Last I heard (haven't heard otherwise) the CGN2 the forwarding DOESN'T work on it 😛
Odd, that you can't do BOTH... but again.. I GUESS it makes sense.
Yes, each machine has its own separate IP address INTERNALLY, right?
BUT... now something, let's say a game server, etc. is trying to send info BACK to your house.. it only sees ANY device from your house.. coming from ONE external IP. It's trying to send to port 12345. It hits your IP address.... now where do I go? Do I go to the one in the DMZ which is open? Or do I go to the forwarded one?
I have the SMC.. it doesn't have a set number of lines.. so not sure if there is a limit or not.
A year ago we were forced to get a CGN-2 in order to obtain download speeds of 45Mbps. Even though the modem supports up to 320Mbps on the downstream and we thought we were good for quite some time, a year later we were forced to upgrade to a CGN-3 to obtain the 150/15 plan.
In both cases we disabled the WIFI and use it simply as a router and cable modem.
The port forwarding in the CGN-2 works fine and even allows SSH (port 22). Why is that important... we use subversion (SVN) over SSH to connect to our code repository and the setting is not easily changed in our developer tools.
And what was the explanation a tech person gave? He said that Rogers blocks ports for security and they are not at liberty to divulge those ports... ummm... NO... this is Rogers firmware specifically disallowing a specific port from being utilized in their infinite wisdom. The second thing the person said is if you need this then you should have a business account... ummmm... NO the CGN-2 allowed this just fine and yes I realize upselling is huge for Rogers but please give me a break.... Where this further falls apart is that I couldn't even get port 80 or port 443 to port forward either so it just makes the entire conversation with tech support all that more ridiculous.
So if you have a CGN-3 and you have port forwarding here are your options:
1) If you need server ports other than port 22 then skip to 2) otherwise try port forwarding AND if that works... fantastic. My experience is that it does not work and I had the tech person confirm I had the latest firmware to date.
2) Turn off the gateway mode of your CGN-3 so that it is pretty much a dumb modem AND buy a router to sit behind it.
3) Put your server in the DMZ. Now at 1st I was very reluctant to do so as it exposes my entire server but I got this to work and this is what I did.
a) Factory Reset the modem b/c DMZ configuration conflicts with Port Forwarding... and if you ever had anything configured on the Port Forwarding side and it is somehow retained in the modem this won't work. Is it necessary.... not sure... but why not.
b) Add a NIC alias to your server. I use Ubuntu Server and this is really easy to do. So for example I have the primary interface listen on 192.168.0.101 and the NIC alias uses 192.168.0.102.
c) Put the NIC alias in the DMZ in the Hitron CGN-3 configuration and enable DMZ.
d) Any service that wants to be visible to the outside should be configured to listen to the NIC alias IP (192.168.0.102).
e) Any service that needs to remain inaccessible from the outside should be configured to listen to primary interface IP (192.168.0.101).
Is step 3) worth it? Probably not and you should probably go with step 2) and I am sure down the road that is what I will do but for now to get things going with what is minimal effort it works for me and port SSH (22) is open again.
The sad thing in all of this is that Rogers firmware is not allowing something that the modem supports and that they have no business messing with as it only makes us jump through hoops like circus animals to get what we need and does ZERO to make their service any more secure than it was beforehand.
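A check for the bind-address split in steps d) and e) above, as an added example that is not part of the original post: it parses `ss -H -tln` output and flags listeners that the DMZ alias would expose beyond the intended ports. The sample output is constructed, and the intended port set (22, 80, 443) and the function names are assumptions for illustration.

```python
"""Audit listeners for the DMZ NIC-alias layout from steps d) and e).

Added example, not from the original post. Assumes the post's addresses:
192.168.0.102 is the alias placed in the DMZ, 192.168.0.101 stays internal.
"""
import ipaddress

DMZ_ALIAS = "192.168.0.102"      # alias IP in the modem's DMZ (from the post)
INTENDED_PORTS = {22, 80, 443}   # assumed list of services meant to be reachable

# Constructed sample of `ss -H -tln` output; not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 192.168.0.102:22 0.0.0.0:*
LISTEN 0 511 192.168.0.102:443 0.0.0.0:*
LISTEN 0 80 192.168.0.101:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:*
"""

def parse_listener(line):
    """Return (address, port) from one `ss -H -tln` line, or None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface
    return host, int(port)

def classify(host, port):
    """Decide whether a listener is reachable through the DMZ alias."""
    if host == "*" or ipaddress.ip_address(host).is_unspecified:
        # Wildcard binds answer on every local address, alias included.
        # [::] is treated as covering IPv4 too (Linux dual-stack default).
        reachable = True
    else:
        reachable = host == DMZ_ALIAS
    if not reachable:
        return "internal"
    return "exposed-intended" if port in INTENDED_PORTS else "exposed-unintended"

def audit(ss_output):
    """Map (address, port) -> classification for every listener."""
    result = {}
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed:
            result[parsed] = classify(*parsed)
    return result

def unintended(ss_output):
    """Listeners the DMZ would expose that are not on the intended list."""
    return sorted(k for k, v in audit(ss_output).items() if v == "exposed-unintended")

if __name__ == "__main__":
    for (host, port), verdict in audit(SAMPLE_SS).items():
        print(f"{host}:{port:<6} {verdict}")
```

On the server, feed it the real output of `ss -H -tln`; anything bound to `0.0.0.0`, `*` or `[::]` answers on the DMZ alias as well as on the primary address.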
I recall hearing that something of Rogers management for the modem is via port 22.. why they don't allow it... but that could be wrong (whether the person on the phone knew what they were talking about)
I can 100% guarantee you that port 80 forwarded works, with the CGN3 in router mode.
I currently am running a webhost, through a CGN3, on port 80
(I will PM you with the IP address so you can check it yourself, don't feel like publicly posting it)
I have this, port 21 for an on demand FTP server, and a higher port # for an alternate web server (for a media player streaming externally)
Now, the CGN3 (and many 3rd party routers are like this) doesn't support LOOPBACK. So if you try to connect, try to run any test, etc.. from INTERNAL on your own network, to the external address.. they will FAIL.
But connecting from an outside address, will work.
EG: I can't connect to my webserver via my external IP from inside, but I can from work. Internally I have to go by its internal address.
But all in all, as many others have found (and that many of us here recommend anyways) is as you have said in step 2.
You still take advantage of the CGN3's 24 channels to avoid contention, etc.
But then it's up to whatever 3rd party router you have, to then do all the work, forwarding, etc. Depending on your choice, this USUALLY will give you better options, as long as you get a decent one.
The error message does mention something about "management port" but I don't see how this can relate to Rogers operations i.e. I strongly doubt that remotely managing my modem was the reason they disallow it b/c then my modem would not be remotely manageable anymore b/c Rogers would hit my server in the DMZ from now on....
I believe you about port 80 working and although it didn't work for me... I didn't try the hardest to get it to work as my big issue was the SSH (22) port. That was a show stopper. In retrospect I played with DMZ setup before going to port forwarding and didn't factory reset and from what I read they conflict. So I believe you... don't need proof... it is either buggier than it should be OR it's a case of some people's work and others' don't due to firmware or product or whatever.
I am also well aware of the loopback issue. In fact the Hitrons are taking steps back in this regard. My Rogers SMC from what 6 years ago had no issue supporting loopback. I always use an online port scanner so this is a non-issue IMHO.
Yes... step 2 is the best option... but why buy a $250 modem to dumb down to a $50 product only to buy yet another $50-$100+ device (router) just to get 1 measly extra port out of 3 that I could easily get on the lowly CGN-3 is beyond me. To be clear all I need is SSH (22), HTTP (80) and HTTPS(443)... nothing exotic or beyond even the abilities of the default CGN-3.
One thing I did read online but can't confirm is that someone mentioned that when they put their CGN-3 into bridge mode the modem throughput dropped significantly... but when they ran in gateway mode it worked within the provisioned speeds. Have you noticed this issue? Just curious b/c bridge mode is definitely in the cards down the road b/c I can just see Rogers disallowing more ports in the name of security down the road....
Now if Rogers comes to their senses and realizes that nothing is gained by disallowing port 22 or any other port (again we are not talking about blocking - we are talking about disallowing) except a bunch of upset customers that can't get a decent answer from tech support - b/c there isn't one - and fixes this in a next firmware upgrade then I will be a happy customer.
How soon did you try it?
There was the early version of the firmware, which had other problems (I will talk about below), which it's possible the port 80 doesn't work on.
But at least v18.104.22.168, I know works 🙂
Loopback has been an off/on thing... PRE any gateways.. I have used.. probably 8-10 different routers over the years.. some do.. some don't.. it's hit and miss... I just usually don't even bother TRYING anymore 😛
The CGN3 isn't $250, at least not anymore. Rogers sells 'em for $200 odd now.. and pretty much since the summer Best Buy has had them on for $150. Not a huge amount above the stand alone modems.
A lot of it comes down to WHAT people need. Normally, I would probably wager 80% or higher... DON'T have to use port forwarding at all, etc.. just BASIC internet usage. More advanced people.. have often always required more advanced technology.. which often ends up more $$ 😞
Coming back to the firmware.
Initially, the early firmware had an issue with bridge mode.. and gateway mode was about the only stable way to run it.
Some users now in gateway mode, notice a higher ping than bridged.
But, bridged is pretty stable as of 22.214.171.124.
There are MULTIPLE users on here, who were the ones who helped force the issue to GET to the newest firmware, who are on the 150 or 250 package, and are getting their speeds just fine with it in bridged mode.
The only remaining issue mostly with the firmware on the CGN3 right now has to deal with 10/100 devices.
Which depending on which thread you were reading, may have been what was happening.
Regardless of packages.. any 10/100 device which connects directly to the CGN3.. seems to not link properly.. ends up running at less than 1/2 duplex. (usually seems to MAX out at about 35Mbps even if on the 150 package... though with that 10/100 card you would be throttling yourself to 100Mbps anyways).
This happens bridged or gateway, doesn't matter. So connecting a 3rd party router with 10/100 ports only, would trigger this.
Until this bug is fixed.. need to connect a gigabit port to it (or have say a gigabit switch in between)
Ummm... is 3:00AM today soon enough? I have version 126.96.36.199.
Sure... I agree loopback is hit and miss....
Agreed the CGN-3 lists for $250... I paid $199 for the CGN-2 and a year later $169 for the CGN-3 (and Rogers was nice enough to toss in a credit)... and I bought an AirPort Extreme ($199) for WI-FI b/c the WI-FI in the CGN-2 is total garbage. My point is if I HAVE to buy a modem with Rogers firmware then at least also give me the option to buy a cheap dumb down modem from Rogers and a router of my own choosing. To NOT give the option and intentionally shackle a product in any way is not RIGHT IMHO. And no I don't think a dumbed down modem is worth $150.
UPDATE: Got fed up with the CGN-3 and picked up a Cisco RV320 Gigabit Dual WAN VPN Router ($199) and put the Hitron in bridged mode and I don't have to look at or work with its interface ever again 😉 At least now I have what I need and more.
Thanks for the tip on the issues with 10/100... all my devices and the new router are gigabit... and I am now getting speeds of between 50Mbps - 150Mbps (depends on laptop or device - they are all using N but iOS devices faring slower) over my:
AirPort Extreme Wi-Fi -> Cisco Router -> Hitron Modem (AC)
Most of the regular newer modems, are around $100-110 range.
Mind you though, those are all only 8 channel modems... there are only two companies with the 24 channel modems at the moment.. haven't seen a 'retail' price on them yet tho.. but would expect them to be slightly higher.. so $150 is not COMPLETELY out of the ballpark.. maybe $15 or more so above.
Stand alone modems have been a BIG battle many of us have been fighting around here.. one we may never win..
(It's cheaper, easier to manage, for them to have LESS choices. Easier to support 5 models than 15.)
At min, at least there is the OPTION to bridge mode the units. I remember the very FIRST gateways, you couldn't 😞
I have heard some good things on those routers.. yet to set one up, but would like to 🙂
(at work, I use like $5000 Cisco routers which blow that one out of the water XD)
Have talked with a few which have set them up before... the dual WAN ports, for people with DSL as their only option, setting up a BONDED connection, etc.
I would be interested in how you find it, if you ever want to get back to me on it 🙂
Glad you're getting the better speeds.
Mileage may vary with wireless.. it's such a fickle beast, even with the BEST equipment... with interference, etc.
(try working in a place with $3000 Cisco wireless APs.. and STILL dealing with interference from the metal building, wireless headsets, etc)
I wish Apple was more open with the SPECS on their stuff... it would be interesting to see more details on the processor, memory, etc. on the Extreme.. $199 seems expensive for an INTERNAL antenna router, especially if the specs are lower than alternatives (though many Apple things are overpriced sometimes).
The Cisco RV320 is a "Small Business" router. I might have bought the RV180 which is 1 WAN for ~$100 but it wasn't available. Setup was as simple as plug it in. Most defaults were well within expectations and everything worked immediately. There are a ton of options in this router but even just the basic QoS.
I too wish Apple would be more open/transparent but the "new" AirPort Extreme has:
- simultaneous dual-band 802.11ac Wi‑Fi.
- six antennas — three for the 2.4GHz band and three for the 5GHz band
- has router capabilities (NAT, port forwarding, etc...)
- file and printer sharing
- tiny foot print (much smaller than its predecessor but taller)
Not sure what specs are lower than alternatives though???
Is it somewhat pricier than alternatives? Sure... but not by much and it just works... unlike the CGN-3. Also most people don't know that if you buy a laptop with Apple Care it covers your peripherals 2 years back and 3 years forward. Big PLUS!
One thing that I don't like about the Airport Extreme is that I can't use a web browser to configure it. I have to use Airport Utility and the version required no longer works on Snow Leopard (the XP of Mac OS's) but I can use my iPhone 5 to configure it so it's no big deal. I use Apple products for business but generally speaking don't like their huge consumer oriented approach but let's not get into an Apple vs. X discussion b/c it is way off topic.
I'll be interested in your opinions on the Cisco router as well as I'm considering a similar approach, separate firewall/router with another wireless router for wireless networking. That's basically due to our house layout, where I want the wired ports and where I want the wireless router to sit and at the same time, run the CGN3 in Bridge mode.
Yeah.. just not sure if that is where your only weak point is left for wireless speed, etc?
After moving away from internal antenna models both on the WORK end and also personal end.. have found much better performance with the external. That's really the only weak point I saw left on it.
Comparably.. to any other AC router in that range, all have external antennas... but I guess Apple wants to keep it 'clean' looking too, right?
There are becoming a lot more options available... really depends on how fancy you want to get.
Running the CGN3.. as a router, etc... really is just for the BASIC user.
Beyond that.. comes down to then HOW fancy you want to get.. getting heavy into QoS, VLAN-ing, etc. for separate networks, etc.
One option a friend of mine runs, and I LOVE it.. but requires a PC (though I have seen setups with something similar to a Raspberry Pi) to run it.
Running a pfSense server.. makes a PC with two network cards act as a wired router.. but has BILLIONS of preferences for usage limits, monitoring, throttling, etc. Run switches and APs off of it, etc.
Here at work, we are pretty much ALL Cisco now, other than our firewall.
My experience thus far is I should have done this years ago... and definitely for the last year with the CGN-2. At this point Rogers can do all they want with the modem... as soon as you turn off the gateway it's simply a dumb modem with no interface. You log into your router and you get all the information and configuration you need.
Also - unlike the CGN-2 and CGN-3 which could take 10-20 seconds if not more just to display a page and may have involved a reboot for some settings... the RV320 settings just take a few secs to display and a few secs to save... and they take effect. The only setting that required the device to restart was changing the VLAN 1 IP addressing from 192.168.1.X to 192.168.0.X but that makes total sense b/c the router itself was on that VLAN.
Sure - external antennas would be great but yes it won't happen with Apple.
Apple likes things to look nice over potential issues like the Apple TimeCapsule that I had that had the transformer inside a metal and rubber sealed unit with a fan and no vent - it worked for 3 years because I had it elevated - when I moved I placed it on a surface and within 3 months the capacitors had blown... the average life was around 17 months IIRC b/c of that great design. All this so that the device had just a plug to the wall without a transformer.
I can definitely confirm though that this unit has much much better range as I had deadspots in my home previously and not anymore and other friends have also seen really good reception and distance. Are external antennas better... most likely... but it's a non-issue for me as it works and works well and moreover meets my needs.
Most of the pages on the CGN3 which have the issues... are all ones which load the whole DHCP/clients table... or need to access that information.
SOMEONE at Hitron (can't really blame Rogers per se for this one, as it's Hitron who makes the interface, modem, etc.), in their infinite wisdom.. made it so the page loads all the info when you go to it... and won't let you load the NEXT page/tab you want, till after that information is loaded.
MOST routers, if you want to access that info, there is a button/link you press, which then brings up another page, which loads it.
But all in all... bridge mode is usually the best route to go 🙂
Well... asked for feedback/experience on RV320...
I had been using PPTP with SoftLayer for some time to access production servers and just setup PPTP VPN with extreme ease on the RV320... simply:
- Enabled SSL VPN
- PPTP was already setup (server, passthru and port range)
- Created a SSL VPN Group
- Created an account/password to use the above group
And on my mac simply opened Network Preferences:
- Created a PPTP Service
- Entered the dyndns address
- Entered the account and password
Clicked "Connect" and voila I can:
- Directly manage/SSH to any system on the network including the RV320 (simply point browser to its IP)
- Access SVN over SSH (our code repository)
- Can even remotely back up my Mac to the Time Capsule (running on our Linux server)
I should also mention that I turned off SSH Port Forwarding and now the SSH port is not exposed to potential hackers.
All in all super easy and something I have been meaning to do for a long time. Cisco like Apple just works!
ASIDE: RV320 supports up to 10 PPTP connections