TPG VX220 Firmware

SOLVED
Ady_G
Level 3

Hi @Aubrey and the other support staff

 

My TPG Originated Router details are:

Firmware Version:2.0.0 0.9 v603c.0 Build 220517 Rel.49186n
Hardware Version:VX220-G2v v2.0 00000000
 
Could I ask if this is the latest version of the Firmware?

I am having all sorts of issues with reliability of the WiFi, connection, and ability to create a DMZ.
Port forwarding is partially functional, but unreliable.
 
Thanks
 
Ady
david64
Master

Hi @Ady_G . In what way is port forwarding unreliable?

The computer being forwarded to needs a fixed local ip address so the router can find the device based on the rule. DDNS is used to handle changes to your WAN ip address.

Is there a reason for wanting to create a DMZ?

Ady_G
Level 3

Hi @david64 

 

OK, here we go, more details on the forwarding issues...

But I'd still like to know about updated firmware :-D

 

LAN

- Host has fixed LAN IP address (w.x.y.z for arguments sake)

- Host resolves the external IP (dig magic-roundabout.duckdns.org)

- Host updates DuckDNS address automatically

- Running Caddy for a reverse-proxy

- Caddy will be issuing LetsEncrypt (ACME) certificates for SSL/TLS access on port 443.

 

Router

- Disabled the DMZ

- Port Forwarding configured

  - External 443/TCP --> w.x.y.z:443

  - External 80/TCP --> w.x.y.z:80

  - External 443/UDP --> w.x.y.z:443

 

DuckDNS

- magic-roundabout.duckdns.org

- Host running an automatic update script for the external IP

- nslookup.io on phone, disconnected from LAN, resolves the A record

 

DMZ:

- I was trying to ensure a bit more "restriction" on the traffic from outside to these ports going to the Host only.

- The router does not have a proper DMZ feature that allows for a new network (eg 10.0.0.0/24)

 

I have had varying success with the access to magic-roundbout.duckdns.org using:

- http://magic-roundbout.duckdns.org - has worked

- https://magic-roundbout.duckdns.org - never worked

 

The problem arises in that the request for an SSL to be issued from ACME times out as it appears that the call to the resolved external IP fails to be let through correctly.

Error given:

caddy | {
"level":"error",
"ts":1704468372.6744535,
"logger":"tls.obtain",
"msg":"could not get certificate from issuer",
"identifier":"magic-roundabout.duckdns.org",
"issuer":"acme-staging-v02.api.letsencrypt.org-directory",
"error":"HTTP 400 urn:ietf:params:acme:error:connection - 106.69.186.120: Timeout during connect (likely firewall problem)"
}

Hope that gives you enough details.

Ady

 

 

Ady_G
Level 3

@david64 

 

I posted a reply last night, but it's gone missing... I'll respond again in a while... need to collect all the information again (ARG!).

 

Ady

david64
Master

@Ady_G . Looks like your missing post has shown up at last. A bug in Community!

 

Your router firmware is latest as at October 2023. This user asked that question.

https://community.tpg.com.au/t5/Modems-and-Devices/NAT-dropout-after-FTTP-upgrade/m-p/137904/highlig...

 

Are you getting connection dropouts? What happens to lights on router and NBN box?

In the router System Log, are there any PPP messages at that time?

 

What is the issue with wifi? Low speed, or losing connection?

 

You should open a new thread to enquire about firmware, connection and wifi stability.

 

TPG can't help with port forwarding and your description is beyond me also. 

In the router, when defining the rules, you need to specify an interface name known to router. This will be the active WAN interface, eg. ewan_pppoe.

Setting DMZ opens all ports to the specified host. Less restricted.

How often does the host check its WAN ip address?

 

Have you considered starting with a simpler setup?

The router can manage DDNS with a company like No-ip. Their free service enforces a particular format of the host name. No need for host to worry about WAN ip address.

Your host computer provides the SSL certificate to the client connecting. It can be self-signed if your clients are happy with that. Or buy a certificate from a CA.

Ady_G
Level 3

Hi @david64 

 

Thanks for the response... here's the details I think you'll need to help resolve the problem.

 

DMZ

  • I use a DMZ because I want to isolate the communication from outside to a single "host".
  • This is the only option I have for restricted access using the TPG Firmware.
  • The TPG router does not allow for the DMZ to be on a separate private network (grumbles) so it's not really a true DMZ configuration, in my limited opinion (IMLO).

 

WAN

  • I am using DDNS (duckdns/dynu/etc), to provide an A record for the router.
  • I am running a script that updates the DDNS every few minutes.

 

LAN

  • Turned off DMZ temporarily, tested... Re-enabled and tested... no changes.
  • Virtual Server ports mapped (WAN --> LAN):
    • 80 --> IP Address 80/TCP
    • 80 --> IP Address 80/UDP
    • 443 --> IP Address 443/TCP
    • 443 --> IP Address 443/UDP
    • Screenshot:
      Screenshot from 2024-01-07 16-50-08.png
    • I know the UDP isn't needed on port 80, it is for HTTP/3 on port 443.
      Will be removing the 80/UDP / Have disabled it.

 

Internal Reverse Proxy

  • NOTE: I created a throw-away DuckDNS entry for testing (dyno-test.duckdns.org) which I'll kill once this is working.
  • Running on the targeted host (localhost/192.168.1.139)
  • HTTP response working
    Screenshot from 2024-01-06 13-30-33.png
  • External HTTP request (Phone, no WiFi), Fails

This leads me even more to wondering if the problem lies at the Firewall/Modem.

 

Interesting...

Ady

 

Ady_G
Level 3

Hi @david64 

 

OK...

I've just set up a no-ip DDNS resolver and set up on the router...

The No-IP Site cannot reach port 80 nor 443, and it is suggesting the ports are blocked at the ISP.

 

Grumbles...

 

Ady_G
Level 3

Well, this is going to take 15-30 minutes to check...

 

Port blocking was "off" in my management console... but I am wondering if it was not really off, so I have toggled the setting... will wait 15 minutes and test and then if that fails, toggle and test again 15 minutes later.

 

@david64 Many thanks for the assistance anyway...

If this is the problem, then I'm not a happy camper, as I am sure that I'd disabled the port blocking previously and somehow it got re-enabled.

 

Ady

david64
Master

@Ady_G . Not convinced you need to use DMZ.

On the Virtual Servers display, what is the Interface Name being used in the rules? Is it the name on the Status screen that has the WAN ip address?

Are those ports in Listening state on the server? (netstat -an)

Is dyno-test.duckdns.org 106.69.179.46 your router's current WAN address?

I have a hostname setup on no-ip forwarded to my PC. The port is closed. When I put my hostname in my phone's browser, the reply comes back immediately: This site can't be reached.

Ady_G
Level 3

Hi @david64 

 

Thanks for the patience...

 

Well, it definitely appeared that the "port blocking" that I had turned off was, in fact, not turned off (ARG!)...

So I did the toggle on and then toggle back off (15 mins between each toggle)... and hey presto, I have access.

At the moment the certificates are from the Let's Encrypt "dev" - so next is to turn the configuration over to the proper configuration.

I'm not going with the DMZ, after reading more - it seems that it literally opens all ports up and that's definitely not a good place to be :-D

So, again, thanks for the assistance and patience.

 

Ady
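
An added example, not part of any post in this thread: a small Python triage script for the two symptoms discussed above, the ACME "Timeout during connect" error in the Caddy log and the immediate "can't be reached" reply from a closed port. It pulls the ACME problem type out of a Caddy JSON log line and classifies a TCP connect as open, refused or filtered. The function names, the `host.example` hostname and the sample log line are assumptions constructed for illustration.

```python
import json
import re
import socket

# ACME problem types look like urn:ietf:params:acme:error:<kind>.
ACME_ERROR = re.compile(r"urn:ietf:params:acme:error:(\w+) - (.*)")

def acme_problem(log_line):
    """Return (kind, detail) from a Caddy JSON log line, or None if no ACME error."""
    start = log_line.find("{")            # skip a "caddy | " container prefix
    if start < 0:
        return None
    entry = json.loads(log_line[start:])
    match = ACME_ERROR.search(entry.get("error", ""))
    return (match.group(1), match.group(2)) if match else None

def classify_connect(host, port, timeout=5.0):
    """One TCP connect attempt: 'open', 'refused', 'filtered' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: forward rule and listener work
    except ConnectionRefusedError:
        return "refused"          # a reset came straight back: typically no listener
    except (socket.timeout, TimeoutError):
        return "filtered"         # silence: packets dropped by a firewall or port block
    except OSError as exc:
        return f"error: {exc}"    # DNS failure, no route, and similar

# Constructed sample modelled on the error quoted in the thread (documentation IP).
SAMPLE = ('caddy | {"level":"error","logger":"tls.obtain",'
          '"identifier":"host.example",'
          '"error":"HTTP 400 urn:ietf:params:acme:error:connection - '
          '203.0.113.10: Timeout during connect (likely firewall problem)"}')

if __name__ == "__main__":
    print(acme_problem(SAMPLE))
    # Run from outside the LAN (for example a phone hotspot) against your own hostname.
    for port in (80, 443):
        print(port, classify_connect("host.example", port, timeout=3))
```

A "filtered" result on 80 and 443 from outside, while the same ports answer on the LAN, points at something upstream of the host dropping the traffic; "refused" means the packets arrived but nothing accepted them.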