How do I open a WAN port directly to the FritzBox?

alfonzo

Hello.

How do I open one specified WAN port (from DSL Internet) directly to my FritzBox?

I run a special service inside my stock (not Freetz-like) FBF. The port is reachable on the local address (192.168.178.1:66666).

But

1) I want to open this port 66666 from the WAN interface too, but it is NOT possible to map the port via the web interface to 192.168.178.1 !!!

2) Is there ANY WAY to allow this port ONLY for a specified IP range (11.22.33.1-11.22.34.255 for example?) from the Internet?

I have a question: HOW do I open port 66666/tcp from WAN? Is there any example for ar7.cfg etc.? Or what is the way?

Tks.
 
The maximum port is 65535; 66666 is therefore invalid. If you can work with iptables, but simply use the remote control of the Fritz box, standard accepts only requests from the same subnet.
 
This is only an example; sure, the port is 7777/tcp for real.

I need access from the Internet (DSL), not from the same subnet in the LAN, and my stock Fritz 7390 does not have iptables:

# iptables
-sh: iptables: not found

"use the remote control" - what is the remote control? Do you mean the web interface? It allows mapping ports only to 192.168.178.2-255, not to 192.168.178.1 !!!
 
Both wishes should be possible. You will have to alter ar7.cfg for this.

!!Be warned, a faulty ar7.cfg can make your box unusable and you might have to recover/reenter all your settings!!

1. Open a port from the internet: You will need a forwarding to "0.0.0.0", which is not allowed via the GUI. I suggest you place a "dummy rule" here to alter it later.
So just add a forwarding for the desired port to the desired port with any local address, say 192.168.178.123. We will use this later ;-)

2. You can alter the internal firewall only in ar7.cfg itself.

Now copy ar7.cfg to RAM, e.g.
Code:
cat /var/flash/ar7.cfg > /var/tmp/ar7.cfg

Now we have to edit the file. Hope you know some "vi basics"?!?
Code:
vi /var/tmp/ar7.cfg
Now find the line you made for the forwarding; it should look like this:
Code:
                        forwardrules = "tcp 0.0.0.0:800 192.168.178.11:80 0 # HTTP-Server", 
                                       "tcp 0.0.0.0:7777 192.168.178.123:7777 0 # my fake rule", 
                                       "tcp 0.0.0.0:8000 192.168.178.22:80 0 # HTTP-Server2"; 
                }
Edit the rule forwarding to "192.168.178.123:7777", so that it points to "0.0.0.0:7777":
Code:
                        forwardrules = "tcp 0.0.0.0:800 192.168.178.11:80 0 # HTTP-Server", 
                                       "tcp 0.0.0.0:7777 0.0.0.0:7777 0 # my fake rule", 
                                       "tcp 0.0.0.0:8000 192.168.178.22:80 0 # HTTP-Server2"; 
                }

To address the firewall, search some lines above the forwarding rules; there will be a section named lowinput:
Code:
                        lowinput {
                                policy = "permit";
                                accesslist = 
                                             "deny ip any 242.0.0.0 255.0.0.0", 
                                             "deny ip any host 255.255.255.255";
                        }
                        lowoutput {
You must add two lines for your IP and port ranges, because the default policy of the firewall is to allow all traffic (so first, allow "your" net, then deny "any").
Please check that the lines you add are really "clones" of the present lines (same number of whitespaces prior to the rules, the "," at the end of a line (";" on the last line)...)
Code:
                        lowinput {
                                policy = "permit";
                                accesslist = 
                                             "permit tcp 11.22.33.0 255.255.255.0 any eq 7777", 
                                             "deny tcp any any eq 7777", 
                                             "deny ip any 242.0.0.0 255.0.0.0", 
                                             "deny ip any host 255.255.255.255";
                        }
                        lowoutput {
Note, this "allow all" is no special "risk", for traffic is usually denied, if you do not put a forwarding in ;-)

So, if you are really sure everything is fine, write it back and reboot immediately after that to ensure nothing will overwrite your changes.

Code:
cat /var/tmp/ar7.cfg > /var/flash/ar7.cfg
reboot

And again, just to be sure:
!!Be warned, a faulty ar7.cfg can make your box unusable and you might have to recover/reenter all your settings!!

You might want to try these changes "outside" the box with the "FBEditor"
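
An added example, not part of the original post or of AVM's tooling: a pre-flight check for the edited copy that tests the points the post above asks you to verify by eye (a "," after each rule, a ";" after the last one, matching indentation) plus balanced braces. It assumes the copy is checked on a machine with a POSIX shell and awk; `check_ar7` and the `example_section` wrapper are made-up names, and the fragment is constructed from the rules quoted above.

```shell
# check_ar7 FILE: status 0 if lists and braces look sane, 1 otherwise (reasons on stdout)
check_ar7() {
    awk '
    function fail(msg) { print FILENAME ":" NR ": " msg; bad = 1 }
    {
        line = $0; start = 0
        sub(/[ \t\r]+$/, "", line)                  # ignore trailing blanks / CR
        if (line ~ /(forwardrules|accesslist)[ \t]*=/) {
            inlist = 1; start = 1; nrule = 0
            sub(/^[^=]*=/, "", line)                # keep what follows the "="
        }
        match(line, /^[ \t]*/)
        lead = substr(line, 1, RLENGTH); body = substr(line, RLENGTH + 1)
        if (body ~ /^"/) {                          # a quoted rule
            if (!inlist) fail("rule outside a list (\";\" too early?)")
            if (!start) {                           # continuation lines must align
                if (nrule++ == 0) indent = lead
                else if (lead != indent) fail("indentation differs from previous rule")
            }
            if (body ~ /^"[^"]*";$/) inlist = 0     # ";" closes the list
            else if (body !~ /^"[^"]*",$/) fail("rule must end with \",\" or \";\"")
        } else if (inlist && body != "") {
            fail("list not closed with \";\""); inlist = 0
        }
        gsub(/"[^"]*"/, "", body)                   # braces inside strings do not count
        depth += gsub(/[{]/, "", body) - gsub(/[}]/, "", body)
        if (depth < 0) { fail("unexpected closing brace"); depth = 0 }
    }
    END { if (inlist || depth != 0) { print FILENAME ": unclosed list or brace"; bad = 1 }
          exit bad + 0 }' "$1"
}
# Constructed fragment in the page's syntax; "example_section" is a made-up wrapper.
sample=$(mktemp); broken=$(mktemp)
cat > "$sample" <<'EOF'
example_section {
        lowinput {
                policy = "permit";
                accesslist =
                             "permit tcp 11.22.33.0 255.255.255.0 any eq 7777",
                             "deny tcp any any eq 7777",
                             "deny ip any host 255.255.255.255";
        }
        forwardrules = "tcp 0.0.0.0:7777 0.0.0.0:7777 0 # my fake rule";
}
EOF
sed 's/any any eq 7777",$/any any eq 7777"/' "$sample" > "$broken"   # lose one ","
check_ar7 "$sample" && echo "sample: ok"
check_ar7 "$broken" || echo "broken: rejected"
```

Run the function on the edited copy before writing it back to /var/flash/ar7.cfg. Passing the check only shows that these particular mistakes are absent, not that the box will accept the file.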
 
Many thx for this...

PS: where is iptables hidden inside the AVM fw?
 
There is no iptables binary on AVM stock firmware. There are some boxes (e.g. 7390) with restricted built-in iptables support but w/o the iptables binary.
 
