Argthtjtr

I hope this is not too much focused on home networks, because that's where I hit the problem, but I think it may be of general interest nonetheless.

I have a cable connection (Cisco EPC3208) and a NAS (Synology DS413). Basically, I have problems setting up the samba share for access from the internet, but I found out the problem is much more general. So suppose I want to set up an SSH server on the NAS and I can chose the port freely. If I connect the NAS to a router, I can use any port and the SSH server will be seen under that port within my local network. Now, having connected the NAS to the cable modem, I am not able to connect to the SSH server if it is running on one of the ports 135, 137, 139, 445, 3127 and 9898. All other ports that I tested, including 134, 136, 138, 140, 444, 446, 3126, 3128, 9897 and 9899, these all work. I could confirm this from three remote locations, work, university and 3G, as well as using an external port scanner [1]. The NAS firewall is off. So I am pretty sure incoming traffic on these ports is blocked by my provider, "for security" probably.

My cable provider (Unitymedia, Germany) claims to not block any traffic, repeatedly. They ask me to contact the router manufacturer (I told them I do not use one), asked me to double-check my NAS configuration (I told them I can connect just fine internally when using a router), and so on and so on - not of interest here.

Now, what can I do to prove that they ARE blocking traffic on these ports (provided they are), either in their network or in the cable modem? Is there any way to trace a packet sent to a specific port and see where it's lost, similar to a traceroute?

[1] http://www.heise.de/security/dienste/portscan/test/go.shtml?scanart=1

Blocking ports 135, 137, 138, 139 and 445 is considered being a good net neighbor here in my neck of the woods (central US).

So, these ports may be blocked at such a level that the ISP has forgotten that they are blocked.

Chances are good that these ports (all associated Windows with file / print sharing / messages) were filtered primarily on ingress. You could probably run a sniffer on some device on these ports and not see connections coming in to them.

There is also a chance that these are egress filters closer to your (multiple) client test point(s).

Maybe this is a NAT (CGN) Problem. As far as I know, Unitymedia is doing DS-Lite with new customers because of the lack of IPv4 addresses. So you do not have an real public IPv4 address.

The Bad news is, you share your Public IPv4 with 64 People. So you can not connect to your Network from Outside with Port Forwarding in IPv4 anymore.

The good news is, you have IPv6 and every Device in your Network has its own IPv6 Address.

Check The Connection:

http://www.kame.net/

http://www.heise.de/netze/tools/meine-ip-adresse/

Some links:

http://www.synology-forum.de/showthread.html?40458-IPv6-Unitymedia-Wirrwar

http://www.fukurama.org/wordpress/2013/06/13/unitymedia-und-ipv6-oder-wie-ich-wieder-eine-ipv4-bekam/

http://www.ip-symcon.de/forum/threads/21857-Unitymedia-nativ-IPv6-%28DSLITE%29-von-aussen-erreichen-%28iFront%29-%28Fritzbox%29-%28sixxs%29

http://www.youtube.com/watch?v=K0hT1PpfxxQ