On the Force 190, if data port forwarding is set to disabled, what, if any, ports are blocked and which are open? Or with port forwarding disabled, do any ports get blocked, i.e. are all ports passed through? I am using a Force 190 with PPPoE authentication and a public IP address, and my customer says we are blocking some ports they are needing to use. I can’t find where, by default, Cambium blocks any ports. Any clarification on this topic would be appreciated. I’ve never run across this issue before.
By default these radios do not block ports. This goes for all of the ePMP line.
Port forwarding on these radios is the same as a port forward in a SOHO router, it opens that port from the outside and is only effective IF you enable the onboard firewall or use NAT on the radio. It has no effect in Bridged or Router mode unless the firewall is on.
These radios use a flavor of iptables to create the modes; if you understand iptables then you will understand these radios.
As for your blocked ports, depending on your gateway router you can be blocking a lot of ports! Your use of PPPoE also adds to the confusion of port handling as PPPoE is normally set up as either PAT or 1:1 NAT using an inside:outside model. If your client wants to directly host then PPPoE is probably not going to allow it without some sort of hack workaround. Even DDNS will not fix this issue, but a VPN to a third party VPN provider can.
We use PPPoE still, mostly for residential connections where we do not allow hosting services, but we are moving away from it in favor of EAP-TTLS and routed. This still allows us to use our large RADIUS database (SQL backed) to provide authentication of the SM and provide the SM its configuration from our database. This is also the model needed to use IPv6 properly as it is a network of subnetworks where private IP ranges do not really exist (yes, there are link-local addresses but these are not the same as an RFC 1918 address) and all devices get a globally assignable address from the assigned network. The advantage of reducing complaints of Xbox owners not being able to host a game far outweighs the work we have been putting in to migrate, in my opinion.
Assuming you are doing PPPoE on the radio? And then DHCP / NAT to whatever device (or devices) the customer has connected to the radio? It’s not that you are blocking the ports but that the radio can’t forward them because it hasn’t been told where to forward them.
So 3 options you need to know about.
(1) Port Forwarding. You tell the radio what ports to forward to what IP addresses
(2) DMZ. You tell the radio to forward all ports to one address
(3) UPnP IGD (Universal Plug and Play). You tell the radio to figure it out.
Enabling UPnP on the radio fixes things for most of your gamers (Xbox, PlayStation, etc.)
Also note that UPnP will not work at all if Port Forwarding (or I believe DMZ) is enabled on the radio.
For a lot of security cameras and a lot of other “server” type devices you will need to do port forwarding or DMZ. We have had a lot of problems in the past with DMZ working at all on ePMP; it works as expected on Canopy and 450. We stopped trying at all on ePMP so it has possibly been fixed in recent firmware and we just don’t know it. We also had a lot of problems where port forwarding would just stop forwarding on ePMP… most of our customers that needed port forwarding got accustomed to power cycling their radios when it would stop working, so I don’t know if that has been fixed in v4 firmware or if everyone just power cycles their radios these days instead of calling us.
Also, the customer’s wireless router works just like the ePMP radio, so unless UPnP, Port Forwarding or DMZ are configured on the customer’s router then it won’t know where to forward it to either.
Also, also. Last I checked the ePMP radio will not forward any port being used by the management interface even if your management interface is using an entirely different subnet (e.g. Separate Management IP enabled). So if your customer needs port 80, 443 or 22 then you have to change the port the ePMP uses for HTTP, HTTPS and/or SSH (or 23 for telnet if you have that one enabled).
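Added example, not Cambium's code or anything posted in this thread: a small pre-flight audit of a planned ePMP port-forwarding setup that flags the two caveats described above, a forward whose external port is one of the radio's own management ports, and UPnP left on while port forwarding or DMZ is configured. The config layout, field names and sample addresses are assumptions made for illustration, not the radio's actual configuration format.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Forward:
    proto: str       # "tcp" or "udp"
    ext_port: int    # port reached on the radio's public (PPPoE) address
    dst_ip: str      # LAN host behind the radio that should receive it
    dst_port: int

@dataclass
class RadioConfig:               # assumed layout, not Cambium's config format
    http_port: int = 80
    https_port: int = 443
    ssh_port: int = 22
    telnet_port: Optional[int] = None   # None when telnet is disabled
    upnp: bool = False
    dmz_host: Optional[str] = None
    forwards: List[Forward] = field(default_factory=list)

    def management_ports(self) -> Set[int]:
        ports = {self.http_port, self.https_port, self.ssh_port}
        if self.telnet_port is not None:
            ports.add(self.telnet_port)
        return ports

def audit(cfg: RadioConfig) -> List[str]:
    """Return findings for a planned config; an empty list means no conflict found."""
    findings = []
    mgmt = cfg.management_ports()
    for fwd in cfg.forwards:
        # The radio keeps ports its management services listen on, so a forward on one
        # of them is silently ineffective (flagged for any protocol, as the thread states).
        if fwd.ext_port in mgmt:
            findings.append(f"{fwd.proto}/{fwd.ext_port} -> {fwd.dst_ip}:{fwd.dst_port}: "
                            f"external port {fwd.ext_port} is a management port; move the radio's service off it")
    if cfg.upnp and (cfg.forwards or cfg.dmz_host):
        findings.append("UPnP is enabled together with port forwarding/DMZ; UPnP will not work")
    return findings

# Constructed sample: camera web UI on external 80, game console on UDP 3074, UPnP left on.
PLANNED = RadioConfig(upnp=True, forwards=[
    Forward("tcp", 80, "192.168.1.20", 80),
    Forward("udp", 3074, "192.168.1.30", 3074),
])
# Same plan with the radio's own HTTP UI moved to 8080 and UPnP switched off.
FIXED = RadioConfig(http_port=8080, forwards=PLANNED.forwards)
```

Calling audit(PLANNED) returns two findings (the port 80 collision and the UPnP conflict); audit(FIXED) returns an empty list.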