I’ve only recently switched to a BT Hub 4 and hope someone with more knowledge can help me with this?
I was noticing a lot of connections being repeatedly opened and closed on the event log, so I disabled UPnP as I have read that this can allow unsafe access. However, I’m still getting the same sort of activity in the log (after disabling UPnP), for example:
01.51.38, IN ACCEPT  Connection closed (Port Forwarding: UDP 192.168.1.69:33411 < -- > 86.XXX.XXX.XX:33411 [18.104.22.168:28154] ppp0 NAPT)
01.51.37, IN ACCEPT  Connection opened (Port Forwarding: UDP 192.168.1.69:33411 < -- > 86.XXX.XXX.XX:33411 [22.214.171.124:28154] ppp0 NAPT)
I put the XXs in and a search shows the other IP address is in the USA.
Is this something I should worry about? I thought disabling UPnP would stop this but it hasn’t.
Thanks for your help.
You must have something running on the device at IP address 192.168.1.69 which is using port 33411. If you do not have any game or file sharing installed, then you may have a trojan program which is controlling your computer.
If you have not manually set up port forwarding, and uPnP is disabled, then first of all do a factory reset of the home hub. Then right away, disable uPnP.
See if the log entries go away.
I have not manually set up any port forward and uPnP is disabled - so will try a factory reset tonight.
The device is an iPad that wasn't being used at the time. Can iPads get trojans?
I also notice that this device kept asking for a new lease every hour or so (when it's set for 24 hours). Would that be related?
Apple devices open lots of ports, for things like AppleTalk.
Did you look at the owner of the USA IP address, it's probably Apple?
The lease renewal problem is a bug in the home hub firmware.
The IP address belongs to Time Warner Cable in Maine USA so I don't think it's Apple. I cannot see port 33411 on the Apple link.
Maybe it's an app installed on the iPad updating itself? I understand the request to open the port must come from the device - not from the outside to the device?
On the lease renewal problem. Would a firmware update solve that or is it ok to leave it?
Thanks very much for your help.
The request to open the port would have to come from the device, but what you are seeing could simply be a normal reply to a request.
If uPnP is disabled, then that would be the only way, as far as I am aware.
If uPnP was the culprit, I would expect to see port mapping requests being generated, and showing in the log.
The lease renewal issue has existed for a while, and I am not aware that it's been fixed.
It's not really an issue unless you are trying to keep the same LAN IP address.
When I disabled uPnP it appeared on the event log as having been disabled but I didn't restart the hub. Should I have reset the hub for the change to have taken effect?
I'll monitor the log over the next couple of days to see whether this is a usual update caused by an app.
You should not need to reset the hub. Existing port mappings should be automatically deleted; occasionally this does not happen, and a factory reset is needed.
I was still getting the same port (33411) being opened and closed yesterday during the day with varying IP addresses.
Looking further back in the log I found the following entry just before I disabled UPnP (UPnP was disabled via GUI):
- Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any ->33411, internal ports: 33411, internal client: 192.168.1.69
The hub then rebooted itself mid evening on its own accord:
- OpenRG is going for reboot by IPC command.
It looks like, as you say, the existing port mappings were not automatically deleted by disabling the UPnP. The auto reboot may have cleared them now as I have not seen an additional opening/closing on that port/device since.
I shall monitor the log today and overnight and let you know if this has solved my problem or not.
Thanks for your ongoing assistance.
It looks like, as you say, the existing port mappings were not automatically deleted by disabling the UPnP.
That tends to be the case, which causes no end of problems for people manually forwarding ports, as they get conflicts.
I still use a HH1 and can block all outgoing ports, apart from the common ones used for web, mail etc.
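An added example, not part of any post in this thread: a short Python audit of a saved hub event log that matches "Connection opened (Port Forwarding ...)" entries against "Port forwarding rule added via UPnP/TR064" entries, showing which inbound traffic rides on a mapping UPnP left behind. The name `audit`, the sample remote addresses (documentation ranges), the timestamps and the TCP entry are constructed assumptions; the regexes assume the two line shapes quoted above.

```python
import re
from collections import defaultdict

# Patterns follow the two log line shapes quoted in the thread.
RULE = re.compile(
    r"Port forwarding rule added via UPnP/TR064\. Protocol: (\w+), "
    r"external ports: \S+ ?->\s*(\d+), internal ports: (\d+), "
    r"internal client: ([\d.]+)")
CONN = re.compile(
    r"Connection (opened|closed) \(Port Forwarding: (\w+) "
    r"([\d.]+):(\d+) <\s*-+\s*> \S+:(\d+) \[([^\]:]+):\d+\]")

def audit(lines):
    """Return (remote peers per UPnP-created rule, forwarded connections with no such rule).
    Rule key: (protocol, internal client, internal port). Log order does not matter."""
    rules = set()
    for line in lines:
        m = RULE.search(line)
        if m:
            proto, _ext, int_port, client = m.groups()
            rules.add((proto, client, int(int_port)))
    peers = defaultdict(set)
    unexplained = []  # manual rule, or rule added outside the saved log window
    for line in lines:
        m = CONN.search(line)
        if not m or m.group(1) != "opened":
            continue
        _, proto, client, port, _ext, remote = m.groups()
        key = (proto, client, int(port))
        if key in rules:
            peers[key].add(remote)
        else:
            unexplained.append((key, remote))
    return dict(peers), unexplained

# Constructed sample (newest first): the thread's client and port, documentation-range peers.
SAMPLE = [
    "01.51.38, IN ACCEPT  Connection closed (Port Forwarding: UDP 192.168.1.69:33411 < -- > 86.XXX.XXX.XX:33411 [203.0.113.7:28154] ppp0 NAPT)",
    "01.51.37, IN ACCEPT  Connection opened (Port Forwarding: UDP 192.168.1.69:33411 < -- > 86.XXX.XXX.XX:33411 [203.0.113.7:28154] ppp0 NAPT)",
    "01.40.02, IN ACCEPT  Connection opened (Port Forwarding: UDP 192.168.1.69:33411 < -- > 86.XXX.XXX.XX:33411 [198.51.100.20:40112] ppp0 NAPT)",
    "01.12.45, IN ACCEPT  Connection opened (Port Forwarding: TCP 192.168.1.50:8080 < -- > 86.XXX.XXX.XX:8080 [203.0.113.9:51000] ppp0 NAPT)",
    "21.10.02, Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any ->33411, internal ports: 33411, internal client: 192.168.1.69",
]

if __name__ == "__main__":
    by_rule, other = audit(SAMPLE)
    print("UPnP-created rules still receiving connections:", by_rule)
    print("Forwarded connections with no UPnP rule in this log:", other)
```

Any key in the first result after UPnP has been disabled points to a mapping that was not deleted, which is the situation the reboot or factory reset cleared here.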