DX3301-T0 Can't disable remote management (http ports always exposed)

kian1991
kian1991 Posts: 2
Friend Collector First Comment
edited September 2023 in Home Router

So as the title says I cant get my router to not expose its port publicly. This a major security issue and needs to be addressed asap. Even when I enable Telnet or SSH the respective ports are immediately open to the public.

No one noticed that by now?

All Replies

  • smb_corp_user
    smb_corp_user Posts: 138  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer

    Enabling a port will always make it visible, otherwise it would not be able to respond to valid requests to that port. The only way you can truly hide a port is by closing it (disable the port).

    There are firewall rules you can use to make it more secure, by limiting access to specific subnets or addresses, or things like that. If you want to have invisible open ports, you need something like Port Knocking or combined proxy services using other ports and other addresses different from your real network information.

  • tonygibbs16
    tonygibbs16 Posts: 801  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    Hello @kian1991 and @smb_corp_user

    I think that if the ports are not selected against WAN in the above screenshot then they are probably not open to the Internet through your device's WAN connection and your ISP.

    A ShieldsUp port scan by Gibson Research Corporation, which is free, could confirm whether the device does expose those ports or not. see https://www.grc.com/shieldsup

    Setting the device's firewall to at least Medium as shown in the user guide available at https://support.zyxel.eu/hc/en-us/articles/5858783065362-User-Guide-AX-DX-PX-3301-T0-Serie-V5-13-5-50 should help as well.

    I hope that this is helpful.

    Kind regards,

    Tony

  • Well @smb_corp_user sorry but you're certainly wrong in this case. Sure thing i would have my ports open to my local network but sadly with this configuration they are still open to WAN. Even tho I unchecked it.

    But thanks anyway. Also @tonygibbs16 thats the problem even tho I unchecked it I can access everything through my dynamic dns host address (ie. my public IP address).

    My "Workaround" is now to assign a random IP port forward to a not used IP address like this:

    So I think EVERY zyxel DX3301-T0 is just openly accessable which really bad….

  • tonygibbs16
    tonygibbs16 Posts: 801  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    Thanks @kian1991 for your reply.

    Are you able to say what version of firmware your device is running please?

    Because there might be a later firmware release with a fix in it for what you have found…

    Kind regards,

    Tony

Consumer Product Help Center