Stealth Ports on TL-R600VPN - Bridge mode

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Re:Stealth Ports on TL-R600VPN - Bridge mode
2021-09-26 03:26:04

On an Internet-facing, non-controlled (standalone) ER605 I was able to accomplish all stealth (verified using Shields Up! and Nmap) except TCP Port 0.

I followed all the 'Recommended Solution' guidelines except: I didn't need to make any 'IP Address' or 'IP Group' entries at all. The 'Virtual Servers' and the 'Service Type'+'Access Control' fields all allow you to specify IP address ranges right in the fields, seemingly obviating the need for the 'IP Address' and 'IP Group' to be filled out at all.

I am uncertain if the 'IP Address' and 'IP Group' fields are necessary for the 'Recommended Solution' author's setup, but they don't appear to be for mine.

The problem remaining now is, the 'Virtual Servers' field treats TCP Port 0 as invalid (allowing only 1-65535) or else I could fully stealth the ER605. Hopefully TP-Link will make a code change to allow for stealthing TCP Port 0 as well by allowing 'Virtual Servers' to accept 0-65535...

#12
Re:Stealth Ports on TL-R600VPN - Bridge mode
2021-10-07 01:20:07
This solution works to stealth all ports on a TL-R605 V1 running 1.1.1 firmware. Thank you very much! I'll be doing some testing to see if it's broken anything. TP-Link, please make "stealth" a built-in Firewall rule with a check box to enable it.
#13
Re:Stealth Ports on TL-R600VPN - Bridge mode
2022-01-06 07:54:48

@G777 

There's a slightly better way to finish this off. I'm on an ER-605 which also follows the strict letter of the Internet spec and has all ports closed by default.

Adding in a DMZ server lets you send EVERYTHING except ports you manually set up to a nonexistent IP.

Go to Transmission -> NAT -> NAT-DMZ and put in a dummy IP address. My main network is on 10.0.0.0/24 so I'm sending DMZ traffic to 192.168.33.1.

I'm not entirely sure if you need to do the full setup of an IP Group for this. I did it, but then I figured out the DMZ was a much better way to do this.

#14
Re:Stealth Ports on TL-R600VPN - Bridge mode
2022-01-06 08:34:43

@G777

Much quicker than the accepted solution:

Turn on the NAT-DMZ. I'm on an ER-605 but I believe this is similar to the posted item.

Transmission -> NAT -> NAT-DMZ + Add a DMZ entry going to any IP address that doesn't exist on your network.

This will catch all traffic not sent to a specifically forwarded port, so you can open ports with virtual server and this rule will only act on all the other ports.

#15
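
An added example, not part of any post in this thread: a small TCP connect check for confirming from outside your LAN that either approach above (the firewall rules or the NAT-DMZ entry) leaves ports silent rather than merely closed, using the same three states Shields Up! reports. The function names and the `203.0.113.10` address are placeholders chosen for this example; substitute your own router's WAN address.

```python
import socket

def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP port by how a connection attempt to it ends."""
    try:
        conn = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "closed"    # a RST came back, so the router revealed itself
    except (socket.timeout, TimeoutError):
        return "stealth"   # no reply before the timeout (Nmap: "filtered")
    except OSError as exc:
        return f"error:{exc.errno}"  # e.g. host/network unreachable; inspect manually
    conn.close()
    return "open"          # handshake completed

def audit(host, ports, expected_open=(), timeout=2.0,
          connect=socket.create_connection):
    """Return {port: state} for each port that is not in its intended state.

    Ports forwarded on purpose (Virtual Servers) go in expected_open;
    every other port is expected to be "stealth".
    """
    findings = {}
    for port in ports:
        want = "open" if port in expected_open else "stealth"
        state = probe(host, port, timeout, connect)
        if state != want:
            findings[port] = state
    return findings

if __name__ == "__main__":
    # Placeholder from the documentation range; replace with your own WAN
    # address and run from a host outside your LAN.
    WAN_ADDRESS = "203.0.113.10"
    bad = audit(WAN_ADDRESS, [21, 22, 23, 80, 443, 8080], expected_open=())
    for port, state in sorted(bad.items()):
        print(f"port {port}: {state}")
    print("all probed ports in intended state" if not bad else "review the ports above")
```

A timeout shorter than the round-trip time to the router reports false "stealth" results, so keep it generous on slow links.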