DrayTek Vigor 2762 Port Forwarding

My smartphone's APP was showing that we had two EV Car charger sockets and also Solar Panels. Whereas we have one socket and no solar panels.

Contacted the manufacturer who sent out a replacement Hub which plugs into my router and has a proprietary wifi connection to the socket box and a request for me to phone on receipt so as to be talked through the replacement etc.

The Hub arrived but the manufacturer’s engineer could not get their server to “see” my new hub.

He suggested that I need to contact my ISP for them to enable Port Forwarding and check that Port 87 is free. I told him that my router is neither ISP supplied nor managed and that there were no issues when the charger socket and hub were installed in Sept 2021.
I think that since this is a warranty job they should send out an engineer (the nearest is less than 2 miles away) but am wondering whether there is a difference in the new Hub compared to the original.

So how can I check that on my DrayTek Vigor 2762 Port Forwarding is enabled and that Port 87 is free?

Many thanks.
Cheers!

In reply to a post by Ancient_Mariner:

So how can I check that on my DrayTek Vigor 2762 Port Forwarding is enabled and that Port 87 is free?

Many thanks.
Cheers!

You would need to find 'Port forwarding' in the Vigor's menu and then make an entry to forward incoming port 87 to port 87 at specific downstream IP address.

Vigor routers normally have that function under NAT / Port Redirection

The manufacturer's website is usually pretty good. Look at draytek.co.uk

This page is relevant : https://www.draytek.co.uk/support/guides/kb-port-for...

That page does mention your model 2762

Port forwarding is an old and insecure technique. Frankly any manufacturer of kit that connects to a network in 2023 that relies on port forwarding is one to run from.

In reply to a post by Pheasant:

Port forwarding is an old and insecure technique. Frankly any manufacturer of kit that connects to a network in 2023 that relies on port forwarding is one to run from.

Agree completely. The new device you are fitting should be designed to connect outbound to their servers. That works everywhere, even on the new ISPs using CGNAT.

Port Forwarding is a way to allow unexpected inbound connection attempts to your network. These hit your Draytek and the "port forwarding" is the technical term saying tell the Draytek where on your network to send the information.

In reply to a post by Pheasant:

Port forwarding is an old and insecure technique. Frankly any manufacturer of kit that connects to a network in 2023 that relies on port forwarding is one to run from.

Presumably the port forwarding that the OP has been asked to enable is only needed as a temporary measure. The router will likely be able to translate the port number which if used makes port forwarding safer.

In reply to a post by Michael_Chare:

Presumably the port forwarding that the OP has been asked to enable is only needed as a temporary measure. The router will likely be able to translate the port number which if used makes port forwarding safer.

Um? "translate" doesn't mean much in this context.

Lets say you are running a website in your home, on a separate computer with the IP address 192.168.0.15 and you want people outside your home to access it.

You can configure the web server software to run on any port you like (easy with Apache, or IIS) you choose port 1234 and so from computers in your home https://192.168.0.15:1234 and this loads.

People outside your home are not so IT savvy, so you set up "port forwarding" on your router to map the incoming port 80 on the router to 192.168.0.15:1234 and then you use a Dynamic DNS provider to generate a name for your public IP, such as myhome.noip.net

Now your friends can go to https://myhome.noip.net and view your web page. But so can any bot or malware that is scanning for websites, and the bad news is that your home webserver will likely be infected by malware, taken over ("owned" in the jargon) and used either to launch spam attacks, or try and find out information about your network.

The "mapping" provides no safety here.

Maybe, but I only want to be able to access equipment at home myself. So when away I go myhome.noip.net:54321 which is forwarded to 10.1.1.2:80 and I can then see my camera.

Using this technique I am not aware of any unwanted remote access

In reply to a post by Michael_Chare:

Maybe, but I only want to be able to access equipment at home myself. So when away I go myhome.noip.net:54321 which is forwarded to 10.1.1.2:80 and I can then see my camera.

Using this technique I am not aware of any unwanted remote access

Risky game you're playing.

So the router receives traffic from any source to destination port 54321 and forwards it to the translated IP on the translated port.
It does this for anyone accessing that external port number, not just you. The router doesn't even know it's you.

In this scenario everyone has the same remote access to your camera and you may be relying only on a user/pass on the camera itself, if that. Some cameras may have multiple views and not all require authentication.

This reminds me to learn more about how to search Shodan for testing my own firewalling.

The safer option is to have a VPN endpoint on your router (or even in a dmz network with your camera), so that only connections which authenticate with your VPN have (selective) access to private devices.

This is also a reminder that the various Dynamic DNS services are for DNS and not security measures,
they don't grant or remove remote access, they are just a mapping of a domain name to a possibly changing IP.

Edited by prlzx (Sun 07-May-23 00:38:54)