Netgate Discussion Forum

    GRC Shields Up test result

    • buggz

      How do I correct the following ports?

      GRC Port Authority Report created on UTC: 2023-12-10 at 01:06:10

      Results from scan of ports: 0-1055

      1 Ports Open
      

      70 Ports Closed
      985 Ports Stealth

      1056 Ports Tested

      The port found to be OPEN was: 443

      Ports found to be CLOSED were: 0, 1, 2, 3, 4, 31, 61, 62, 91,
      92, 121, 122, 151, 152, 182,
      183, 212, 213, 242, 243, 272,
      273, 302, 303, 332, 334, 363,
      364, 393, 394, 423, 424, 453,
      454, 484, 485, 514, 515, 544,
      545, 606, 607, 637, 638, 667,
      668, 695, 697, 725, 726, 755,
      756, 786, 787, 816, 817, 846,
      847, 876, 877, 906, 907, 936,
      937, 966, 967, 996, 997, 1026,
      1027

      Other than what is listed above, all ports are STEALTH.

      TruStealth: FAILED - NOT all tested ports were STEALTH,
      - NO unsolicited packets were received,
      - A PING REPLY (ICMP Echo) WAS RECEIVED.

      • Negan

        It looks like your connection has a CGNAT or you're behind another router, but not much info in your WAN setup here....

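Added example, not part of the thread: one way to check the diagnosis in the reply above is to compare the IPv4 address on the pfSense WAN interface with the public address an outside service sees for the connection. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another router sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, public_ip):
    """Compare the firewall's WAN IPv4 address with the address seen from outside.

    Returns one of: "direct", "double-nat", "cgnat", "upstream-nat".
    """
    wan = ipaddress.ip_address(wan_ip)
    pub = ipaddress.ip_address(public_ip)
    if wan.version != 4 or pub.version != 4:
        raise ValueError("this check only covers IPv4")
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if wan != pub:
        return "upstream-nat"
    return "direct"


def scan_tests_firewall(verdict):
    """An outside IPv4 scan only exercises the firewall's own rules when direct."""
    return verdict == "direct"


if __name__ == "__main__":
    # Constructed sample addresses (documentation and private ranges).
    samples = [
        ("192.168.12.101", "203.0.113.7"),
        ("100.72.14.3", "203.0.113.7"),
        ("203.0.113.7", "203.0.113.7"),
    ]
    for wan, pub in samples:
        verdict = classify_wan(wan, pub)
        print(f"{wan:>15} vs {pub}: {verdict}, "
              f"scan reflects firewall rules: {scan_tests_firewall(verdict)}")
```

For any verdict other than "direct", the open, closed and ping results in an external scan describe whatever upstream device holds the public address, unless that device forwards the traffic to the firewall. A "double-nat" verdict does not rule out CGNAT further upstream, since the carrier's translation can sit beyond the home gateway.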
        • buggz @Negan

          Wow!
          You nailed that.

          First, I am using a 5G router with T-Mobile Home Internet.
          It is CGNAT.
          As I understand, there isn't anything I can do about that?
          This router does not allow pass through, which I vaguely understand.
          So, again as I understand, there is a dual NAT from there to the pfsense box?
          I don't understand NAT, let alone dual NAT.

          T-Mobile 5G <> pfsense box <> rest of house.

          • JKnott @buggz

            Cell networks, at least 4G & later, generally run IPv6 only and use 464XLAT to access IPv4 sites.

            "T-Mobile US became IPv6-only using 464XLAT"

            It should also provide a /64 on IPv6 to your local LAN. At least that's what I get, when I tether to my cell phone.

            NAT is simply a means to share a single IPv4 address among several devices. It's necessary due to the lack of IPv4 addresses. With Dual NAT, you're doing it twice. There is no such shortage on IPv6, where that single /64 prefix will provide 18.4 billion, billion addresses.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • JKnott @Negan

              @Negan said in GRC Shields Up test result:

              It looks like your connection has a CGNAT or you're behind another router, but not much info in your WAN setup here....

              I just tried with my cell company (Rogers) with my notebook computer tethered to my phone. I get solid green on www.grc.com.
              BTW, this shows a shortcoming with them. They only test IPv4 and report nothing about IPv6. There are many people on IPv6, even if they don't know it, and several large ISPs provide it to their customers.

              • buggz

                I have ALL IPv6 settings disabled everywhere I can find them, router, pfSense, and clients to all client connection settings to pfSense.
                Shrug, I guess it is what it is and can't be changed due to the nature of the offering from T-Mobile.

                • JKnott @buggz

                  @buggz said in GRC Shields Up test result:

                  I have ALL IPv6 settings disabled everywhere I can find them, router, pfSense, and clients to all client connection settings to pfSense.
                  Shrug, I guess it is what it is and can't be changed due to the nature of the offering from T-Mobile.

                  Why??? Why not use IPv6? I know T-Mobile uses it for their cell network, as do other cell companies. Same with many ISPs and content providers. I know some people don't want to admit it, but the world is moving to IPv6 and fighting against it is counterproductive.

                  You use VoLTE or VoNR (VoIP over 4G or 5G)? You're using IPv6.
                  Do you have Comcast X1 TV? You're using IPv6.
                  Do you use the Internet with an Android or iPhone on 4G or 5G? You're using IPv6.
                  Major content providers, such as Google, YouTube, Facebook and more provide content to users on IPv6, if they can.

                  Anyone who thinks sticking with IPv4 is fine has their head in the sand.

                  As an experiment, plug a computer directly into that Comcast box and see what addresses you get on it. If you see a public IPv6 address, you can use it on your network.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.