2Degrees Broadband blocking port 445?

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › 2Degrees Broadband blocking port 445?

tegraman

11 posts

Geek

#280349 10-Dec-2020 09:15

We have 2Degrees business broadband in the office, and I am trying to access an Azure storage account. Mapping a drive to the account fails, and the cause is that port 445 is being blocked.

The same thing works fine via my home ISP (Vodafone).

Does 2Degrees block port 445?

(I've tried asking 2Degrees directly via their contact page, but have had no response!)

1 | 2

16 posts

Geek
Inactive user

#2619166 10-Dec-2020 09:24

This is likely (almost certainly) due to CGNAT if it isn't a misconfiguration on your end. Although I would have thought that a business connection would have a static IP set. You will probably be forced to ask them for a static IP to resolve this.

SaltyNZ

8219 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#2619168 10-Dec-2020 09:25

We don't block anything, no. Check your router first. I'm not familiar with the connectivity requirements for an Azure store drive mapping. You may need to setup some port forwarding.

That said, we use CGNAT on individual broadband connections as do many providers, due to IPv4 addresses being an extremely finite resource. Although we go to some lengths to ensure it does not materially impact service, sometimes it can. If you are absolutely sure that your router isn't the problem, you could ask for a static IP address.

But check your router first. Alternatively you could try IPv6.

But check your router first.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

NickMack

962 posts

Ultimate Geek

Trusted

Lifetime subscriber

#2619208 10-Dec-2020 09:56

SaltyNZ:

We don't block anything, no. Check your router first. I'm not familiar with the connectivity requirements for an Azure store drive mapping. You may need to setup some port forwarding.

That said, we use CGNAT on individual broadband connections as do many providers, due to IPv4 addresses being an extremely finite resource. Although we go to some lengths to ensure it does not materially impact service, sometimes it can. If you are absolutely sure that your router isn't the problem, you could ask for a static IP address.

But check your router first. Alternatively you could try IPv6.

But check your router first.

All business customers are assigned a static IP, so it will be a configuration item on your router or server/application configuration.

Nick

https://nick.mackechnie.co.nz | NZ ISP latency monitoring - https://smokeping.thenet.gen.nz

tegraman

11 posts

Geek

#2619229 10-Dec-2020 10:29

The router is the Fritz!Box 7490 supplied by 2Degrees.

I can't see any settings via the Fritz!Box web interface that indicate any port blocking is in place. I can can see where that would be set up (Internet->Filters->Access profiles->Blocked Applications) but there's nothing there.

But then I found this: http://www.ab-weblog.com/en/open-ports-135-137-and-445-in-avm-fritzbox-routers/

... which says that some ports are blocked by default in these routers, and the only way to open the ports is to manually edit the config file.

I'll try this and report back.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2619230 10-Dec-2020 10:29

Hi, ummmmm are you trying to connect a direct SMB share over port 445 (which is SMB default port)? if so do you understand the security issues related with doing this, was this something Microsoft advised you to do?

Cyril

Edit, there is a very good reason the Fritz has those ports blocked by default, please understand to do SMB over the internet is not a safe thing to do.

tegraman

11 posts

Geek

#2619261 10-Dec-2020 10:58

Yes, Azure uses SMB 3.0 and this is how Microsoft advises users to map to their Azure file shares.

My understanding is that SMB 3.0 is internet-safe, while previous versions were not.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2619278 10-Dec-2020 11:08

Fair enough as long as you are aware that connecting to anything less than SMB3.0 shares is a major security risk, hence many ISPs and SOHO router vendors block it by default for very good reason.

Cyril

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

c0ld

234 posts

Master Geek

#2619403 10-Dec-2020 13:11

tegraman:

The router is the Fritz!Box 7490 supplied by 2Degrees.

I can't see any settings via the Fritz!Box web interface that indicate any port blocking is in place. I can can see where that would be set up (Internet->Filters->Access profiles->Blocked Applications) but there's nothing there.

Internet->Filters->Lists->Global FIlter Settings

You'll find 'NetBIOS filter enabled' setting in there. As mentioned previously, be mindful of risks if disabling.

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2619410 10-Dec-2020 13:21

Can I please ask exactly what you are trying to achieve? Are you trying to expose a file share from your LAN to the world?

I am a bit confused because the Azure Files is the other way around and the documentation says port 445 should be open for outbound connections.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2619417 10-Dec-2020 13:26

Hi, I think you will find the Fritz is blocking 445 outbound to stop users connecting to things they should not. I dont believe the OP intends to port forward 445 into his lan, well thats as I read it.

Cyril

tegraman

11 posts

Geek

#2619446 10-Dec-2020 13:51

Thanks everyone! To summarize:

- The Fritz!Box router was blocking port 445 outbound

- Unchecking: Internet->Filters->Lists->Global FIlter Settings->NetBIOS filter enabled opens the port

- But yes, I do need to consider the security implications!

Just a further comment: I take it that some of the above posters are from 2degrees. Does anyone actually check and respond to messages sent via the 2degrees support page? I asked the same question there more than 2 weeks ago, and got absolutely no response. Now I post the question on this public forum and get it sorted in a matter of hours.

SaltyNZ

8219 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#2619502 10-Dec-2020 14:48

tegraman:

I take it that some of the above posters are from 2degrees.

I am, albeit I work in the mobile network, not the fixed. @NickMack was with us in the fixed network up till very recently.

Does anyone actually check and respond to messages sent via the 2degrees support page? I asked the same question there more than 2 weeks ago, and got absolutely no response. Now I post the question on this public forum and get it sorted in a matter of hours.

I believe they do; not sure why you didn't get any answer. Sorry!

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

dryburn

430 posts

Ultimate Geek

#2619509 10-Dec-2020 15:15

Also on two degrees an I have a similar issue with port 8081 and 32400 using a Fritxbox, it used to work earlier on in the year but stopped at some point. Using duckdns and ports are forwarded on the router. still been scratching my head trying to figure it out

c0ld

234 posts

Master Geek

#2619531 10-Dec-2020 16:01

dryburn:

Also on two degrees an I have a similar issue with port 8081 and 32400 using a Fritxbox, it used to work earlier on in the year but stopped at some point. Using duckdns and ports are forwarded on the router. still been scratching my head trying to figure it out

As you mention port forwarding (i.e incoming connectings) - are other port forwards still working? If not you've probably been migrated to CGNAT unless you've specifically requested a static IP.

dryburn

430 posts

Ultimate Geek

#2622903 16-Dec-2020 16:48

Yes it's CGNAT, I remember looking into this, but then got distracted. Called 2 degrees $10 for a static IP, they don't offer dynamic any more as an option :(

Which providers out there still offer dynamic IPs?

1 | 2