Is Vodafone 3G blocking all inbound connections?

Gavinman

I'm a vodafone ireland 3G customer and am using the Dovado router which I plug my e220 into. It works like a champ for outbound connections and allows me to share my connection across 3 computers.

I want to set up a temporary FTP server on one PC, to receive an incoming FTP request and so plan to simply(!) port-forward port 21 on the router to the PC in question. Sounds straight forward.........

However I have not been able to achieve this because it seems like Vodafone is blocking every port for inbound connections. Has anyone else seen anything similar? I've tried ports 21, 80 and 8080 which I assumed would be the most likely to be open.

I also tried a port scanner and it also told me the ports are closed.

Am I going crazy or does vodafone 3G simply not allow any inbound connections?

Any and all insight greatly apprecaited.

lmimmfn

open u a dos prompt, type "ipconfig /all" if it returns 10.wahtever.whatever,whatever as your ip address then your internet is Fuxored as youre behind a subnet

ttm

Don't think its always as simple as forwarding port 21

Try http://homepage.mac.com/car1son/static_port_fwd_ftp_xtra.html for a basic explaination.

If you are just using NAT and don't have any firewall rules setup then try port forwarding port 20 also...... and don't forget to let us know how/if you get it going.

Edit > If you are using rules as well as NAT on the firewall you may need to add rules to allow ports 20 and 21 plus all the high ports 1024 to 65,535 in the relevant directions.

Onikage

lmimmfn wrote: »

open u a dos prompt, type "ipconfig /all" if it returns 10.wahtever.whatever,whatever as your ip address then your internet is Fuxored as youre behind a subnet

The Dovado is a wifi router and creates its own subnet. The correct procedure is to plug the 3G modem directly into a pc and using the dial-up program before doing this test.

ttm wrote: »

Don't think its always as simple as forwarding port 21

Words of wisdom there. DMZ and then a soft firewall is proably the best way of testing this quickly.

Gavinman

Thanks for all the info folks.

I dumbed my test down and placed the Huawei E220 on one single PC and connected to Vodafone network.

I made sure the firewall software was turned off on the PC.

I went to canyouseeme.org and ran a test on ports 80, 8080, 21, 5000 and 5001.

In each case it said that the connection timed out - in otherwords it could not reach it.

I think I can therefore safely conclude that Vodafone Ireland does not allow any incoming connections on their 3G service.

So its kind of like having a telephone where you can call other people, but they can't call you..........

Any other thoughts or ideas anyone????

ttm

I've been caught like that before. First thing I'd do is scan your PC from inside your own network ie from another one of your PC's. There has to be something actually listening on a port before the port will respond. So if you set up one PC as a webserver and another local PC can see a webpage you put on it then you should also see that port (80) open in a local port scan. Once you have that up and running try your test again from the web - obviously have the PC running the webserver as the PC with the modem plugged into it.

But still quite possible O2 only allow outgoing and return traffic.

ttm

http://www.boards.ie/vbulletin/showthread.php?t=2055115306&page=318 take a look gives me some hope that ports may not be blocked.

Try http://private.dnsstuff.com/tools/tracert.ch?ip=xxx.xxx.xxx.xxx&detail=1 where xxx.xxx.xxx.xxx is your internet IP from O2. Will probably show that two Routers on O2's side are blocking unwanted packets but that doesn't necessarily mean they are blocking all incoming traffic. (If you can't read the URL just click it to open the dnstuff page then change the xxx in the URL to your IP which will be given near the top of the web page)

Gavinman

Ok, so I went to whatsmyipaddress.com and it tells me my address is 78.152.217.xxx. (last digits hidden)


I then went to http://private.dnsstuff.com/tools/tracert.ch?ip=78.152.217.xxx&detail=1 and it tells me:

There appears to be a firewall at (hop 16) that blocks ICMP (ping) packets.
There appears to be a firewall at (hop 16) that blocks unwanted UDP packets.
There appears to be a firewall at 74.53.59.130 (hop 16) that blocks unwanted TCP packets.


Hop 15 is as follows:

193.95.147.66 unknown.esat.net


I believe this demonstrates that something is blocking traffic between 193.95.147.66 and my IP external address 78.152.217.xxx.

Any thoughts on whether this is intentional or a network configuration error?

Why would vodafone care if I let incoming connections into my computer, when they collect by the GB for my service.

ttm

Thats the same result I got when I tried several random O2 addresses, hence my suggestion. Always nice when someone actually reads the replies and takes some notice of them

OK so we can only take that information at face value as we don't know exactly what is unwanted traffic, it could be all incoming traffic or just very specific traffic that has know security threats.

When you did your dumbed down test why did you scan ports 80, 8080, 21, 5000 and 5001? Was there any service running on say port 5001 that the scan could connect to?

Gavinman

When I ran the tests, I used an FTP server and changed the listening port from 21, to other potentially open ports like 80, 8080, 5000 etc.....hoping these might be open.

Any other clues.....somebody here must be on Vodafone 3G, must be trying to run a listening process on their computer and so must have encountered this.

lmimmfn

Onikage wrote: »

The Dovado is a wifi router and creates its own subnet. The correct procedure is to plug the 3G modem directly into a pc and using the dial-up program before doing this test.

no i ment a defined direct subnet of the isp( not local subnet ), whatwever the setup is its dependent on the ip address of the e220, if its 10..... then from my own experience - fuXored

I tried this before with O2 and an E220, couldnt get anywhere with it, that modem probably doesnt support port forwarding

ttm

Gavinman wrote: »

When I ran the tests, I used an FTP server and changed the listening port from 21, to other potentially open ports like 80, 8080, 5000 etc.....hoping these might be open.

Bit of a misnomer here. A packet of data has an address in its data saying where its from and where its going to. If nothing stops it on the way like a firewall it can only arrive if the destination exits. If you send a letter to 1001 Dublin Road but Dublin Road only goes up to 1000 it won't arrive. So you could look at a map and see a clear path to Dublin road but it would look like there was some unknow blockage on route when you didn't get a reply to a letter you sent to someone there.

On the whole (vast oversimplification) routers pass all the traffic they are sent without doing anything except look at the destination address and pass the data on to the next router on the route, so you could say on "most" routers ALL ports are open.

A firewall often blocks eveything except the traffic thats wanted (another vast oversimplification). This can be done in lots of ways but one is to look at the source and destination IP and port numbers of the data packets and only allow data to and from specific IP addresses and ports. Conversly a firewall can allow everything except specific unwanted traffic where specific ports are blocked.

So if the router passes on the data and the firewall passes its on as well we still have to have that destination set up and working for the data to arrive at.

The fact that it is possible to traceroute all the way to the destination is an indication that not eveything is blocked as when a firewall is blocking everything except specific traffic on a well locked down network you won't normally be able to trace the route beyond the firewall.

lmimmfn wrote: »

no i ment a defined direct subnet of the isp( not local subnet ), whatwever the setup is its dependent on the ip address of the e220, if its 10..... then from my own experience - fuXored

Thats the whole point of point forwarding. Data comes from an intenet address and is sent to a specifc port at another internet address via a router which triggers the port forwarding to pass the data to a private address (10.x.x.x.192.68.x.x etc). But theres more to set up and understand and so more get wrong.

lmimmfn wrote: »

I tried this before with O2 and an E220, couldnt get anywhere with it, that modem probably doesnt support port forwarding

The modem doesn't need to know about port forwarding for port forwarding to work. Port forwarding is a function of the router.

Having said all that still doesn't mean it will work :P

Gavinman

Just to bring closure to this thread......

I switched from Vodafone to O2 over the weekend and used the "open.internet" APN. The inbound connectivity and port forwarding worked flawlessly without requiring any configuration changes other than the Huawei e220 modem changes.


I'm canceling my contract with Vodafone. Thanks everyone for your advice and insight.

towel401

Gavinman wrote: »

Just to bring closure to this thread......

I switched from Vodafone to O2 over the weekend and used the "open.internet" APN. The inbound connectivity and port forwarding worked flawlessly without requiring any configuration changes other than the Huawei e220 modem changes.


I'm canceling my contract with Vodafone. Thanks everyone for your advice and insight.

do they have static IP's?

Gavinman

I don't know if they have static IPs. I'm just using dyndns.org so I can always reach the computer at xxxxxxx.dyndns.org irrespective of how many times they change my dynamic IP address.

ttm

Glad to hear you found a solution. Can you do the dnsstuff routine for your new O2 connection so we can see if it shows up any difference - useful for future reference

reidyj

Hi, i can confirm that vodafone do indeed block inbound connections. Just got an email back from a vey helpful fella in data support. How well does the o2 work?

Cheers

J