1. When setting up port forwarding, it is necessary to have a public IP address on the router's WAN interface through which it connects to the Internet. If the router's WAN interface uses an IP address from a private subnet, port forwarding will not work.
2. To check whether port forwarding is working, you must access the router's WAN interface from the Internet. Port forwarding will not work when accessing from the local network.
3. The service or application to which port forwarding is performed must be started so that the port can be seen as 'open' during the check. For example, if the FTP server is not started and even if there is a NAT rule for port forwarding, the port status will be 'closed' during the check.
TIP: Tip: You can use special Internet services designed to check the openness of ports—for example, https://hidemyna.me/en/ports/, https://www.whatsmyip.org/port-scanner/, etc.
Or with the nmap utility, which is designed for versatile, customizable scanning of IP networks.
Below are typical reasons that can lead to the inoperability of port forwarding, despite the correct configuration.
1. In a port forwarding rule, the incoming interface is not correctly selected. In the 'Input' field, select the interface through which your Keenetic accesses the Internet and through which you plan to access your home network device remotely.
In most cases, you should select the 'Provider' interface. If you have an Internet connection via PPPoE, PPTP or L2TP, you should select the appropriate connection. When connecting to the Internet via a 3G/4G USB modem, you should specify this connection. When connecting via WISP, select the connection with the network's name to which Keenetic is connected.
2. Your computer uses a firewall or special software for Internet protection. Temporarily disable this application and check that port forwarding is working properly.
3. Some ISPs on their network use 'hidden NAT'. You need to make sure that you are accessing the Internet with the IP address that your ISP gave you and that is used on the Keenetic WAN interface. Sometimes, the ISP provides the client with a public IP address, but in fact, it goes to the Internet with a different IP address. Refer to myip.net. If your IP address is different from that used on the Keenetic WAN interface, port forwarding will not work.
4. Some ISPs filter inbound user traffic by standard protocols and ports. For example, they can filter port 21/FTP, 80/HTTP, 25/POP3, 1723/PPTP and other ports). It is necessary to know exactly whether the provider blocks traffic on any ports.
If there is such a possibility, you need to change the port number and manually set another port, which your provider will not block (for example, when port 21 is blocked, you can use port 2121 on the FTP server).
If there is no possibility of changing the service's port number, you can use port mapping in the port forwarding rule in your Keenetic. You can find more information in the Port forwarding article.
5. In the network settings of the host, to which the ports are forwarded, it is necessary that the IP address of the default gateway is equal to the local IP address of the Keenetic router (by default 192.168.1.1). This is the case if you manually specify the network connection settings on the host. If the host is a DHCP client, i.e. it automatically receives an IP address, subnet mask, default gateway and DNS addresses, then the default gateway will be equal to the local IP address of the Keenetic router.
6. Some port forwarding details for Xbox and PS4 game consoles are presented in the article: Using Xbox and PS4 with a Keenetic router.
7. In the KeeneticOS operating system, NAT logic is implemented under RFC 4787 'Network Address Translation (NAT) Behavioral Requirements for Unicast UDP'. In particular, by default, the source UDP port changes to any other port than the original one when NAT is being passed. This can cause problems with UDP traffic passing through the NAT for some ISPs who are unaware of this RFC. In this case, try running commands in the router's command-line interface (CLI):
ip nat udp-port-preserve
system configuration save
8. When redirecting port 53 to the internal DNS server, you should take into account that if there are Internet Safety components active, Source Network Address Translation (SNAT) of the forwarded packets happens, so the source address changes to the Keenetic's IP address in the home network segment. Because of this, the DNS zones may not be synchronized. Therefore, when using your own DNS server in the home network, we recommend removing the Internet Safety components or changing the port number.
9. If the recommendations above do not help, and for some reason, port forwarding still doesn't work, you can contact our technical support team and attach a self-test file. Information on how to do this can be found in the article Saving the self-test file.
TIP: Tip: Keenetic routers have the ability to organize access to the router even with a private IP address on the router's external WAN interface. KeenDNS is a useful domain name service for remote access. With the help of this service, you can solve 2 tasks:
— Remote access to the Keenetic's web interface. You can find the information in the KeenDNS service article;
— Remote access to resources (services) of the home network or on the Keenetic router. For example, access to a device with a web interface - network drive, webcam, server, or Transmission torrent client interface running in the router. This option is described in the article An example of remote access to home network resources with KeenDNS.