Lots of port forwarding messages in router log

campdave
campdave Posts: 2,198 Forumite
Hi,

Strange behaviour on my laptop since this morning - noticed the wifi drop out briefly, and happened to check my router (bt homehub 5) logs and noticed that port forwarding was being applied about every 30 seconds - see sample below.

I restarted my PC, and ran malwarebytes scan, which reported no threats. This seemed to stop the messages, until about 20 minutes after it restarted, when the wifi dropped again, and once it started up again, the messages went back into the logs.

I've googled port 54198 which doesn't bring up any information about any software, malicious or otherwise that might be performing this request.

I've also not installed any software on this PC for quite some time, and I'm fastidious about being really careful about which sites I visit, and have an up to date virus checker too. There doesn't seem to be anything out of the ordinary in the task manager either.

Can anyone shed some light on what might be causing these?

11:56:23, 20 Jul. (395816.310000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:55:45, 20 Jul. (395778.510000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:55:11, 20 Jul. (395744.670000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:54:34, 20 Jul. (395706.960000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:53:50, 20 Jul. (395663.360000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:53:04, 20 Jul. (395617.810000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:52:32, 20 Jul. (395584.990000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:51:51, 20 Jul. (395544.490000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69

Comments

  • Is your laptop's IP 192...69? Is there another device on your network that could be causing this - Fire TV Stick, Chromecast, Playstation, Xbox etc? If .69 is definitely your laptop, try installing WireShark, this will allow you to definitively confirm your laptop is issuing the instruction. I assume your firewall on the BT router is blocking all external access, or is it set up to allow external engineer access - could it be BT attempting to push a firmware upgrade to your router (I'll take a look at my router logs for comparison).
  • Nothing like that in my logs. My firmware version is SG4B10002244 - check to see if yours is the same.
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    some kind of upnp device trying to open a port for its self.
    Have you bought any new kit recently ?


    Smart light bulbs (lol) etc ??


    Open a command prompt on your PC and type


    nslookup 192.168.1.69


    and it should tell you the devices "name"




    Also, FYI, the Wifi dropping before this happens could be a little worrying.
    If I were your nect door neighbour, and was attempting to hack your wifi, the first step would be to send a "deauth" packet to kick your device off the network, and then "sniff" the reconnection handshake out of the air to work on
  • campdave
    campdave Posts: 2,198 Forumite
    DoaM wrote: »

    No, don't have either.

    Thanks for the advice from several posters.

    I posted a similar post on the BT Community forum (which you have linked to), and apparently the TR064 part of the message refers to remote management.

    The .69 is the IP of my laptop - which was my concern that the laptop had some software requesting the port to be open.

    I tried the other laptop which we have in the house, which hardly ever goes on the internet, and it was doing the same thing (albeit a different port) which reassured me somewhat as the other laptop hasn't been used for several days so couldn't have had something installed on it.

    Googling the precise message brought a couple of other posts from the BT forum of users having the same issues with the message and the wifi on their PC wobbling just before it happened.

    I've rebooted the Homehub, and turned off uPNP and although I've been out most of the afternoon and the laptop has been in standby and not connected to the network, the messages have stopped now.
  • campdave
    campdave Posts: 2,198 Forumite
    edited 20 July 2017 at 3:50PM
    Nothing like that in my logs. My firmware version is SG4B10002244 - check to see if yours is the same.

    Can't see a firmware version on my hub anywhere (5A) - but I am aware it updated the software on 9 July 2017 (to Software version 4.7.5.1.83.8.236.1.2) but the issue definitely only started today.

    The router appears to be blocking external access, as there are messages in the log about blocking remote administration - googling the IP addresses from these specific logs advised they are malicious Chinese addresses trying to pick up unsecured networks, but that the firewall is correctly blocking them.
  • esuhl
    esuhl Posts: 9,409 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Personally, I'd just keep UPnP turned off. At least you're in control of which ports get opened then.
  • campdave
    campdave Posts: 2,198 Forumite
    Thanks, after reading up on uPNP today I don't think I will need to do it anytime soon, so we are safer with it turned off.
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 349.8K Banking & Borrowing
  • 252.6K Reduce Debt & Boost Income
  • 453K Spending & Discounts
  • 242.8K Work, Benefits & Business
  • 619.6K Mortgages, Homes & Bills
  • 176.4K Life & Family
  • 255.7K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16.1K Discuss & Feedback
  • 15.1K Coronavirus Support Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.