chrishick Posted March 16, 2017

Hi guys, I apologize if this is not the right sub-forum. I couldn't find anyplace else that seemed to fit. Anyway, I know there are a lot of networking gurus here on the forum so I thought somebody might be able to help me.

I can't keep my tag manager online. It seems like it was fine for a week or two when I got it (I don't remember how long it worked exactly) but now it goes offline randomly sometimes after 10-15 minutes, sometimes after 12-24 hours. If I unplug the network cable and plug it back in it will go back online for a while. I did contact support and they sent me a new tag manager but it has the same problem. I brought the old one to work today and plugged it into my Comcast Business router and it has been online all day with no problems. This all leads me to my home router as the cause of the problem.

The manufacturer's FAQ says some routers block outgoing traffic on IRC port 6667. They say the router will work for a while initially, but then start blocking traffic on 6667, which doesn't make sense to me. Why would the router allow traffic for only a few days then block it? Anyway, they say to telnet to their server on 6667 to test connectivity which I have tried and failed every time. But I am able to connect to other IRC servers using my IRC client with no problem so I don't know if that would be the problem since I am able to make IRC connections.

I have FIOS with an Actiontec MI424WR router. The tag manager has a fixed IP reservation on the router. I have tried port forwarding on 80 and 6667, port triggering and also a DMZ for the tag manager with no success. Is anyone familiar with the Actiontec router or the port requirements of the tag manager? I could use some help here please.
larryllix Posted March 17, 2017

The Tag manager requires no port forwarding or any special router treatment. It does its own connecting just like your browser does. Look into your Firewall settings and make sure they allow the IP address of the TAG manager to pass. For a test, turn it off.
chrishick (Author) Posted March 17, 2017

Yes, it doesn't make sense to me. I've turned off the firewall this morning for a test. I also increased the DHCP lease time from 24 hours to 30 days to see if that makes a difference. I have the firewall set to medium security which is supposed to allow all outgoing connections. What do you mean by "allow the IP address of the tag manager to pass"?

This is from the support website. I just can't find a setting on the router to open 6667 because on medium security no outgoing ports are blocked.

"You have to open out-going port for TCP 80 and 6667 (IRC) connection. Some firewall will initially allow IRC connection but cuts it after a while. In such case, you may get "Your Tag Manager is not connected to the Internet" even if the green "cloud" icon is lit."
paulbates Posted March 17, 2017

Guessing that it's a router bug that most would not run into... don't know for sure, but it won't take long to prove. I would try individual rules opening 6667 and 80.

Most routers allow individual port forwarding (LAN to WAN) firewall rules to be set. Usually it's an "advanced" feature. If you can set an outbound firewall rule for the Tag manager, set rules for:

6667 for TCP/UDP - tftp binds to UDP & TCP
80 for TCP - HTTP(S) binds to TCP

A search came up with these directions

Paul

Edited March 17, 2017 by paulbates
larryllix Posted March 17, 2017

> Yes, it doesn't make sense to me. I've turned off the firewall this morning for a test. I also increased the DHCP lease time from 24 hours to 30 days to see if that makes a difference. I have the firewall set to medium security which is supposed to allow all outgoing connections. What do you mean by "allow the IP address of the tag manager to pass"?
>
> This is from the support website. I just can't find a setting on the router to open 6667 because on medium security no outgoing ports are blocked.
>
> "You have to open out-going port for TCP 80 and 6667 (IRC) connection. Some firewall will initially allow IRC connection but cuts it after a while. In such case, you may get "Your Tag Manager is not connected to the Internet" even if the green "cloud" icon is lit."

Your firewall will accept an IP address of the Tag manager that will allow it free rein to send whatever it wants. This has nothing to do with your router and/or port forwarding. The firewall is part of your OS. Port forwarding is not required for the Tag system. Port forwarding allows things from outside to get through your router into your LAN.

Edited March 17, 2017 by larryllix
chrishick (Author) Posted March 17, 2017

> Guessing that it's a router bug that most would not run into... don't know for sure, but it won't take long to prove. I would try individual rules opening 6667 and 80.
>
> Most routers allow individual port forwarding (LAN to WAN) firewall rules to be set. Usually it's an "advanced" feature. If you can set an outbound firewall rule for the Tag manager, set rules for:
>
> 6667 for TCP/UDP - tftp binds to UDP & TCP
> 80 for TCP - HTTP(S) binds to TCP
>
> A search came up with these directions
>
> Paul

Thanks Paul, but those instructions are for incoming port forwarding at which I am very skilled. According to CAO I need to open outgoing ports, which on my router at medium security, all outgoing ports are supposed to be open.

> Your firewall will accept an IP address of the Tag manager that will allow it free rein to send whatever it wants. This has nothing to do with your router and/or port forwarding. The firewall is part of your OS. Port forwarding is not required for the Tag system. Port forwarding allows things from outside to get through your router into your LAN.

Thanks Larry. This is most definitely a router problem as the problem goes away when I use my work router. I would like to replace my home router with a better more configurable one but because it is FIOS I am stuck with the Actiontec because of the MOCA WAN connection. The firewall is built into the router. I disabled it this morning and have not lost connection to the tag manager yet. If it turns out to be the Actiontec firewall blocking outbound port 6667 then I may just leave the router firewall disabled and insert a different firewall between the router and my network. I'm not sure even that would work though because my LAN is mixed MOCA/Ethernet and the new firewall would only protect the Ethernet portion of the LAN. The MOCA shares the same coax cable as the WAN and could not run through the firewall.
Scottmichaelj Posted March 18, 2017

> Thanks Paul, but those instructions are for incoming port forwarding at which I am very skilled. According to CAO I need to open outgoing ports, which on my router at medium security, all outgoing ports are supposed to be open.
>
> Thanks Larry. This is most definitely a router problem as the problem goes away when I use my work router. I would like to replace my home router with a better more configurable one but because it is FIOS I am stuck with the Actiontec because of the MOCA WAN connection. The firewall is built into the router. I disabled it this morning and have not lost connection to the tag manager yet. If it turns out to be the Actiontec firewall blocking outbound port 6667 then I may just leave the router firewall disabled and insert a different firewall between the router and my network. I'm not sure even that would work though because my LAN is mixed MOCA/Ethernet and the new firewall would only protect the Ethernet portion of the LAN. The MOCA shares the same coax cable as the WAN and could not run through the firewall.

I may be off base but could this be a Double NAT issue/loop?
chrishick (Author) Posted March 19, 2017

> I may be off base but could this be a Double NAT issue/loop?

I'm not sure what that is or where to begin troubleshooting. I'm almost ready to give up. I've got over 50 devices connected to my LAN, all with DHCP reservations, many with port forwarding rules, many cloud connected, and this is the only device I'm having problems with.

I've tried setting my router security level to low.
I've tried a DMZ for the tag manager.
I've tried turning off the Internet Connection Firewall on the router.

I'm not sure where else to go. I have been exchanging emails with the manufacturer so maybe they will be able to help.
Scottmichaelj Posted March 19, 2017

> I'm not sure what that is or where to begin troubleshooting. I'm almost ready to give up. I've got over 50 devices connected to my LAN, all with DHCP reservations, many with port forwarding rules, many cloud connected, and this is the only device I'm having problems with.
>
> I've tried setting my router security level to low. [Capturea.JPG]
> I've tried a DMZ for the tag manager. [Captureb.JPG]
> I've tried turning off the Internet Connection Firewall on the router. [Capturec.JPG]
>
> I'm not sure where else to go. I have been exchanging emails with the manufacturer so maybe they will be able to help.

What are the options under "routing mode"?
chrishick (Author) Posted March 19, 2017

> What are the options under "routing mode"?

"Route" and "NAPT"
Scottmichaelj Posted March 19, 2017

> "Route" and "NAPT"

I found this: http://www.dslreports.com/faq/4626

For fun change it to "route", reboot and see what happens. Also for testing, if you haven't already, plug the smart tag into the router/modem and change cables. I could be wrong but think you're having a NAT issue. I haven't worked with a lot of DECA/MOCA devices but they should all behave the same.
chrishick (Author) Posted March 20, 2017

Ok I tried that. After reboot I lost internet connectivity on my laptop. I disconnected/reconnected to the LAN a couple of times with no improvement. My router and my computer's network connection monitor both told me I had internet connectivity. When I changed the router back to NAPT I immediately had internet again.

I have my phone set to receive connection alerts from the tag manager. During the time I was messing with my computer (maybe 5-10 minutes) I was getting connected/disconnected alerts about once per minute. This is interesting behavior and leads me to believe you might be onto something.
Scottmichaelj Posted March 20, 2017

> Ok I tried that. After reboot I lost internet connectivity on my laptop. I disconnected/reconnected to the LAN a couple of times with no improvement. My router and my computer's network connection monitor both told me I had internet connectivity. When I changed the router back to NAPT I immediately had internet again.
>
> I have my phone set to receive connection alerts from the tag manager. During the time I was messing with my computer (maybe 5-10 minutes) I was getting connected/disconnected alerts about once per minute. This is interesting behavior and leads me to believe you might be onto something.

Edit: OK go back to NAPT and add your tag IP to the NAT tables rules. Here are instructions. Make sure to reboot. Hopefully we can get you up and working. I'm trying!

http://www.dslreports.com/forum/r24829180-Actiontec-MI424WR-How-to-enable-StaticNAT-IPpassthrough

Edited March 20, 2017 by Scottmichaelj
chrishick (Author) Posted March 22, 2017

OK tried that, it went almost 24 hours before it lost connection again. I'm not sure if I did it right and I'm not sure I understand how this would help when I don't have a static public IP address.

It's frustrating to troubleshoot because it takes so long to test the changes each time. I may try bridging my router again this weekend. That would pass all traffic through the Actiontec to my secondary router Netgear AC1900/R7000 running dd-wrt. I failed last time but I was very close. I was able to get the secondary router to get a DHCP IP address from my ISP, but I couldn't get online.
larryllix Posted March 22, 2017

Are you attempting to connect the Tag manager to a secondary router (Actiontec) talking to your primary router (Netgear) via WiFi?

Routers don't typically block any traffic from inside your LAN unless you enable those special features. Native router firewalls are for outside initiated traffic and this is not the case for a Tag Manager on your LAN. It doesn't require any port forwarding from outside to inside your LAN.

I doubt you had to punch holes in your router firewall to browse the Internet. You shouldn't have to, to allow your Tag Manager to communicate to the outside world either, a basic router function.

Once you enable those router features in your router then only specific IP addresses and ports may be allowed to pass, depending which method you blocked things with, usually one of two methods... Block everything except the list I specify, or Allow everything except the list I specify. I don't use any blocking features in my router for LAN traffic.
chrishick (Author) Posted March 22, 2017

> Are you attempting to connect the Tag manager to a secondary router (Actiontec) talking to your primary router (Netgear) via WiFi?
>
> Routers don't typically block any traffic from inside your LAN unless you enable those special features. Native router firewalls are for outside initiated traffic and this is not the case for a Tag Manager on your LAN. It doesn't require any port forwarding from outside to inside your LAN.
>
> I doubt you had to punch holes in your router firewall to browse the Internet. You shouldn't have to, to allow your Tag Manager to communicate to the outside world either, a basic router function.
>
> Once you enable those router features in your router then only specific IP addresses and ports may be allowed to pass, depending which method you blocked things with, usually one of two methods... Block everything except the list I specify, or Allow everything except the list I specify. I don't use any blocking features in my router for LAN traffic.

My primary router/modem (Actiontec) handles DHCP, port forwarding and firewall functions. Wireless radio is disabled.

My secondary router (Netgear) acts only as a wireless access point and network switch. It is configured as access point mode. It is connected to the primary router via cat 5 cable. I use this router for wireless access because I get better coverage than with the Actiontec.

The tag manager is connected to the primary router via cat 5 cable.

I have no outbound traffic restrictions configured on the router. If you look at the attached photo, medium security allows all outbound traffic. I don't even have the option to limit outbound connections unless I set security to high first. This is why I don't understand why I am having so many problems.
chrishick (Author) Posted March 22, 2017

Also, if there was any type of outbound blocking going on I would expect the tag manager to never function. As it stands now, sometimes it works for 15 minutes, sometimes it works for 24 hours. So it is connecting and functioning properly, but it randomly disconnects.
larryllix Posted March 22, 2017

Very weird. From the two screen shots I assume your Tag Manager must be at 10.0.0.19 trying to circumvent the total block set by the Maximum Security setting locking out all outbound traffic. Why block all outbound traffic and then attempt to punch a special hole in it? Do you need to block items in your LAN from talking to the outside world?

OTOH: The settings you are playing with would normally only affect traffic going out through the WAN. Is your router attached to the ISP via the ActionTec WAN port? I could never make that work on my Cisco talking to my Netgear (primary to ISP). Only LAN to LAN connections ever worked and bridge mode never functioned properly either.

I am no expert at this stuff but hear your frustration and just trying to point out "maybe" obvious things to me.

Edited March 22, 2017 by larryllix
Scottmichaelj Posted March 22, 2017

> OK tried that, it went almost 24 hours before it lost connection again. I'm not sure if I did it right and I'm not sure I understand how this would help when I don't have a static public IP address. [Captured.JPG]
>
> It's frustrating to troubleshoot because it takes so long to test the changes each time. I may try bridging my router again this weekend. That would pass all traffic through the Actiontec to my secondary router Netgear AC1900/R7000 running dd-wrt. I failed last time but I was very close. I was able to get the secondary router to get a DHCP IP address from my ISP, but I couldn't get online.

You might try "any in, to any out" and "any out, to any in" for just that IP.

Also if you add another router put the Frontier into bridge mode and turn everything OFF - firewall, DHCP server etc. Then the new router needs to be set up with the firewalls, port forwards etc. Might be more time spent than it's worth. I personally would try and get the Frontier device working. At least now you're getting it to connect and staying connected for longer periods of time.

Does that router show device states? If so filter the tag manager IP and see what ports it's really trying to connect to.
chrishick (Author) Posted March 22, 2017

> Very weird. From the two screen shots I assume your Tag Manager must be at 10.0.0.19 trying to circumvent the total block set by the Maximum Security setting locking out all outbound traffic. Why block all outbound traffic and then attempt to punch a special hole in it? Do you need to block items in your LAN from talking to the outside world?
>
> OTOH: The settings you are playing with would normally only affect traffic going out through the WAN. Is your router attached to the ISP via the ActionTec WAN port? I could never make that work on my Cisco talking to my Netgear (primary to ISP). Only LAN to LAN connections ever worked and bridge mode never functioned properly either.
>
> I am no expert at this stuff but hear your frustration and just trying to point out "maybe" obvious things to me.

The screenshot shows maximum security as checked, but I only use medium security so there should be no blocking of outgoing ports.

Yes the Actiontec WAN port (coax MOCA) is connected directly to the Verizon ONT (Outside network terminal).

I keep returning to this from the manufacturer's web page. It still doesn't make sense that the router is blocking outgoing ports 80 and 6667.

"You have to open out-going port for TCP 80 and 6667 (IRC) connection. Some firewall will initially allow IRC connection but cuts it after a while."
chrishick (Author) Posted March 22, 2017

> Does that router show device states? If so filter the tag manager IP and see what ports it's really trying to connect to.

There are multiple options on the router for logs but I have not been able to capture any traffic from the tag manager yet for some reason.
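A way to measure the failure pattern discussed in this thread (the connection comes up, then dies minutes or hours later) from a LAN machine behind the same router, added here as an example that is not part of any poster's message or of the vendor's tooling. The probe payload, the assumption that the far end answers each probe, and the loopback peer are constructed for illustration; for a real test, pass the server name from the manufacturer's FAQ and port 6667.

```python
import socket
import threading
import time


def hold_connection(host, port, max_seconds, interval=1.0, reply_timeout=2.0,
                    payload=b"PING :probe\r\n"):
    """Hold one outbound TCP connection; return (outcome, seconds_held).

    connect_failed: no TCP handshake at all (port blocked from the start)
    closed / reset: a FIN / RST arrived from the peer or a device in the path
    silent:         probe sent, no reply within reply_timeout (flow dropped)
    still_up:       connection survived max_seconds
    """
    try:
        sock = socket.create_connection((host, port), timeout=reply_timeout)
    except OSError:
        return ("connect_failed", 0.0)
    start = time.monotonic()
    with sock:
        while time.monotonic() - start < max_seconds:
            try:
                sock.sendall(payload)
                if sock.recv(4096) == b"":
                    return ("closed", time.monotonic() - start)
            except socket.timeout:
                return ("silent", time.monotonic() - start)
            except (ConnectionResetError, ConnectionAbortedError, BrokenPipeError):
                return ("reset", time.monotonic() - start)
            time.sleep(interval)
    return ("still_up", time.monotonic() - start)


def demo_server(mode, good_replies):
    """Constructed loopback peer: echoes good_replies probes, then either
    closes ("closed") or keeps the socket open without answering ("silent")."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            for _ in range(good_replies):
                conn.sendall(conn.recv(4096))
            conn.recv(4096)          # read the next probe, never answer it
            if mode == "silent":
                time.sleep(3)        # longer than the client's reply_timeout
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for mode in ("closed", "silent"):
        port = demo_server(mode, good_replies=3)
        print(mode, hold_connection("127.0.0.1", port, max_seconds=10,
                                    interval=0.2, reply_timeout=0.5))
```

Running the same probe from a network where the device stays online gives a baseline: a `connect_failed` result means the port never opens, while `silent` or `reset` after a period of good replies matches the "allowed at first, cut later" behaviour quoted from the support page.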
chrishick (Author) Posted March 22, 2017

The second tag manager that I brought to work has been running strong for close to a week so I know it has to be something in the Actiontec router configuration.
larryllix Posted March 22, 2017

> The screenshot shows maximum security as checked, but I only use medium security so there should be no blocking of outgoing ports.
>
> Yes the Actiontec WAN port (coax MOCA) is connected directly to the Verizon ONT (Outside network terminal).
>
> I keep returning to this from the manufacturer's web page. It still doesn't make sense that the router is blocking outgoing ports 80 and 6667.
>
> "You have to open out-going port for TCP 80 and 6667 (IRC) connection. Some firewall will initially allow IRC connection but cuts it after a while."

The only firewall I ever had to allow access for was my Windows 10, 7, and java firewalls.
Scottmichaelj Posted March 23, 2017

> The second tag manager that I brought to work has been running strong for close to a week so I know it has to be something in the Actiontec router configuration.

I was adding failover LTE and my tags went offline. So I know the cell network blocks them. Might be an ISP thing but NAT firewall rules work both ways. Like I suggested make sure it allows any in and any out for ports and protocols for that IP.
Scottmichaelj Posted April 6, 2017

> The second tag manager that I brought to work has been running strong for close to a week so I know it has to be something in the Actiontec router configuration.

You get things working?