Secure the NAT Port Redirection connections by Port Knocking

Configuring NAT Port Redirection rules is the typical way to allow the internal servers to be accessible from the Internet. However, once the port opens, it is exposed to the Internet and can be scanned by the malware.

Port knocking is a technology that can add an extra layer of protection to the internal servers. Its basic idea is that only open ports are at risk of being attacked, so it allows all ports to be closed at the beginning. Do not open them, and then set a password based on the port combination. Only those who know the password can open the ports and connect.

Vigor Router will support Port Knocking with TOTP. The supported models are:

Vigor3912S fw 4.3.5.1

Vigor3910/ 2962 fw 4.4.3*

Vigor2927/2865 fw 4.4.6*

*Future support

Below are the configuration for using the Port Knocking feature.

1. Ensure the router gets the correct system time.

2. Configure a Port Knocking rule via NAT >> Port Knocking.

• Enable the profile

• Select the WAN interface and the Protocol

• Enter the Server IP, the Public Port and the Private Port

• Configure the first Port Knock Port

• Scan the Qrcode by a phone with the Google Authenticator installed.

• Enter the 6 digit code from the phone to the Validation Code field in the router’s Web, then click Verify.

• When seeing the Verify successfully message, please click OK to save the profile.

• The Port Knocking timeout setting is locked to 3600 seconds and cannot be changed.

3. Try to access the server by Vigor Router’s WAN IP and TCP Port 52201. The connection cannot be established because the port is not open.

4. Using the Port Knonck Tool on the client’s computer.

• Enter the server’s public IP

• Enter the first port knock port

• Enter the 6 digit validation code from your phone

Then the tool starts knocking the door of the Vigor Router.

5. After unlocking the ports successfully, the client can access the server. The established connection will not be interrupted even if the port locks again. When there is no packets or new session from the client IP and the idle timeout time 3600 seconds passes, the client needs to use the tool to unlock the connection again.

We can see which IP tried to unlock the NAT Port Redirection profile successfully via the Status Table. (available in firmware version 4.4.3.)

The Syslog will show the following logs when the port is unlocked successfully.

2023-10-17 05:36:54 [Port Unlock] P:6 220.132.88.33:42829->111.251.222.116:52201 #192.168.1.12:8080