Lots of port forwarding messages in router log

campdave

Hi,

Strange behaviour on my laptop since this morning - noticed the wifi drop out briefly, and happened to check my router (bt homehub 5) logs and noticed that port forwarding was being applied about every 30 seconds - see sample below.

I restarted my PC, and ran malwarebytes scan, which reported no threats. This seemed to stop the messages, until about 20 minutes after it restarted, when the wifi dropped again, and once it started up again, the messages went back into the logs.

I've googled port 54198 which doesn't bring up any information about any software, malicious or otherwise that might be performing this request.

I've also not installed any software on this PC for quite some time, and I'm fastidious about being really careful about which sites I visit, and have an up to date virus checker too. There doesn't seem to be anything out of the ordinary in the task manager either.

Can anyone shed some light on what might be causing these?

11:56:23, 20 Jul. (395816.310000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:55:45, 20 Jul. (395778.510000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:55:11, 20 Jul. (395744.670000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:54:34, 20 Jul. (395706.960000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:53:50, 20 Jul. (395663.360000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:53:04, 20 Jul. (395617.810000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:52:32, 20 Jul. (395584.990000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69
11:51:51, 20 Jul. (395544.490000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any-​>54198, internal ports: 54198, internal client: 192.168.1.69

CardinalWolsey

Is your laptop's IP 192...69? Is there another device on your network that could be causing this - Fire TV Stick, Chromecast, Playstation, Xbox etc? If .69 is definitely your laptop, try installing WireShark, this will allow you to definitively confirm your laptop is issuing the instruction. I assume your firewall on the BT router is blocking all external access, or is it set up to allow external engineer access - could it be BT attempting to push a firmware upgrade to your router (I'll take a look at my router logs for comparison).

DoaM

https://community.bt.com/t5/Connected-Devices-Other/Lots-of-port-forwarding-messages-in-router-log/td-p/1762396

Do you have BT Security Hub or BT Cloud installed on the PC?

CardinalWolsey

Nothing like that in my logs. My firmware version is SG4B10002244 - check to see if yours is the same.

AndyPix

some kind of upnp device trying to open a port for its self.
Have you bought any new kit recently ?


Smart light bulbs (lol) etc ??


Open a command prompt on your PC and type


nslookup 192.168.1.69


and it should tell you the devices "name"




Also, FYI, the Wifi dropping before this happens could be a little worrying.
If I were your nect door neighbour, and was attempting to hack your wifi, the first step would be to send a "deauth" packet to kick your device off the network, and then "sniff" the reconnection handshake out of the air to work on

campdave

DoaM wrote: »

https://community.bt.com/t5/Connected-Devices-Other/Lots-of-port-forwarding-messages-in-router-log/td-p/1762396

Do you have BT Security Hub or BT Cloud installed on the PC?

No, don't have either.

Thanks for the advice from several posters.

I posted a similar post on the BT Community forum (which you have linked to), and apparently the TR064 part of the message refers to remote management.

The .69 is the IP of my laptop - which was my concern that the laptop had some software requesting the port to be open.

I tried the other laptop which we have in the house, which hardly ever goes on the internet, and it was doing the same thing (albeit a different port) which reassured me somewhat as the other laptop hasn't been used for several days so couldn't have had something installed on it.

Googling the precise message brought a couple of other posts from the BT forum of users having the same issues with the message and the wifi on their PC wobbling just before it happened.

I've rebooted the Homehub, and turned off uPNP and although I've been out most of the afternoon and the laptop has been in standby and not connected to the network, the messages have stopped now.

campdave

CardinalWolsey wrote: »

Nothing like that in my logs. My firmware version is SG4B10002244 - check to see if yours is the same.

Can't see a firmware version on my hub anywhere (5A) - but I am aware it updated the software on 9 July 2017 (to Software version 4.7.5.1.83.8.236.1.2) but the issue definitely only started today.

The router appears to be blocking external access, as there are messages in the log about blocking remote administration - googling the IP addresses from these specific logs advised they are malicious Chinese addresses trying to pick up unsecured networks, but that the firewall is correctly blocking them.

esuhl

Personally, I'd just keep UPnP turned off. At least you're in control of which ports get opened then.

campdave

Thanks, after reading up on uPNP today I don't think I will need to do it anytime soon, so we are safer with it turned off.