Hi, I got hacked quite badly so I decided to purchase a Surf Soho after reading Michael Horowitz’s blog.
This is what I wish to achieve. A non wifi Ethernet network with each port a VLan isolated from each other. I believe this is more secure than WiFi but I am willing to learn a different way if it’s more secure.
The main problem I have will demonstrate how new to setting up a router is.
I want to know how to securely connect the Wan using my ISP’s router in Modem Mode.
Do I enter my IP address or Gateway addressed assigned by my ISP?
Another thing confusing me is one of the ports will be used for a Tivo box.
How would I set that port up so it can communicate with my ISP which is Virgin Media UK.
Is it possible to make the Surf router ports totally stealth?
Can I change the IP to a private address starting with 10 or 172?
I will also be connecting a pc via ethernet port and would like that to have a private IP plus total stealth. I believe the pc will not need to communicate with the ISP like the Tivo box. Also, I use VPN software with the pc.
Hopefully someone can help me out especially with the Wan settings, I would really appreciate it.
Also, any other suggestions for the highest security settings while still being able to watch YouTube and generally Surf the web.
I don’t want or need any remote access like Telnet and SSH as I have no understanding of them and don’t need a server.
I hope that post isn’t too long winded and clear enough to understand so you can help.
Thanks very much, Spangled
Hi, I got hacked quite badly so I decided to purchase a Surf Soho after reading Michael Horowitz’s blog.
Once you have the Virgin Media router set to modem mode the SOHO will get allocated a public IP by the modem if you leave the WAN port in default settings (ie DHCP). No need to manually set WAN IPs, and in fact using DHCP is useful as if your Virgin media cable connection is anything like mine - when the modem loses internet connectivity, your SOHO WAN will be assigned a private IP (192.x.x.x) so you can access the cable router and find out what the issue is.
Using VLANs on you LAN for security purposes is a good idea. You could put your TIVO box into its own VLAN if you want, although I don’t as I like to cast video from my mobile devices to the TIVO so isolating it from devices on other VLANs (disabling inter VLAN routing) isn’t what I personally want to do.
You can change the LAN IP subnet to whatever private range you’d like. Everytime you add a VLAN on the SOHO you’re adding another subnet.Remember to disable inter vlan routing on those vlans/subnets that should only have internet access and not communicate with other devices on other VLANs locally.
Not sure exactly what you want to achieve here. I assume you want this PC to be able to access the internet right so you can use your VPN client? I suppose you might be asking how to block all traffic to and from the PC apart from that needed for the VPN software to work - is that what you mean?
Welcome, fellow router smashed one. Horowitz sends another refugee to Peplink’s golden citadel.
Hi, Michael Horowitz here.
Ethernet is and will always be more secure than WiFi and I would have said that pre-KRACK too.
If you read my overview of the Surf SOHO and found something unclear, pleeeeeeeeze let me know.
As for an ISP router in modem mode, it is not necessary to get started. That is, you can be up and running with any new router just by plugging its WAN port into a LAN port of the ISP device. This assumes the router is using DHCP mode for the WAN connection. In my experience this is the default mode of operation for most, if not all routers.
That said, dumbing down the ISP box is more secure and the official term for this is Bridge Mode. But, replacing the ISP box completely, is even more secure. More proof here.
To set each LAN port as its own VLAN, you first need to create 4 VLANs. Each one gets its own subnet, so yes, you can use IP addresses starting with 10 for each VLAN. For example, VLAN number 3, could use 10.3.3.x and VLAN number 4 could use 10.4.4.x, etc. The router would have a different IP address on each VLAN.
Nothing special needs to be done for Tivo or Virgin Media, this should work for all devices and all ISPs. You PC does have to communicate with your ISP, all your devices do. I must be missing something about your question.
Not sure what you mean by LAN ports being stealthed. Stealth is an attribute of TCP/IP ports, a logical thing, not a physical thing. The firewall in a router determines which TCP/IP ports are stealthed. With the Surf SOHO, they are all stealth by default on the WAN side. The only open port would be the one you use for Remote Admin, if you use Remote Admin at all.
VPNs should work fine without any special tweaking of the Surf SOHO. I am working on documenting configuring a new Surf SOHO for maximum security. Telent and SSH are disabled by default on Surf SOHO.
Hi, I’m really really sorry for not replying sooner because I’m actually quite humbled people of your stature and knowledge would take the time to respond and advise a random person on the internet because I appreciate time is precious to researchers and security consultants.
Especially since my ISP manager of tech staff told me modems are impossible to hack. I thought he was joking but he was laughing at me being worried after I lost control of my router because someone was changing the password faster than I could log in after resetting.
Then large phone companies tech staff laughing at me when I said I think my sim has been cloned because Google maps shows I flew to Papa New Guinea yesterday and today I’m walking about town about half a mile away.
I almost wish some White Hat would do a show like Ramsay’s Kitchen Nightmares and go into technical departments of large companies to show them how to run things properly.
Anyway rant over. The reason it’s taken so long to reply is because the hack and losing so much equipment along with the vulnerability issues of ISP tech has rattled my confidence. I did try after getting a new laptop but Windows 10 freaked me out because it starts up with wifi enabled to seek open Hotspots so I rapidly turned off wifi and Bluetooth, uninstalled their drivers but restarting the computer just reinstalls the drivers. I tried a couple times then it got stuck in Flight Mode so I couldn’t even connect to the Surf Soho. I just gave up and used my new phone for basic internet use but it’s not the same plus Android is apparently one of the most vulnerable systems going because too many apps are created for Google to check them like Apple does. I couldn’t afford to replace everything and get an iPhone.
I’ve blocked wifi using an Applock but something is opening it up and I have to keep turning it off.
Thank you to Martin from Peplink support who replied and reassured me that it’s quite simple to connect to the Wan as long as DHCP is running.
My query regarding the computer being stealth with a private IP was a mixed up way of asking how could I pass the Gibson Research test which said my ISP modem had 7 vulnerable open ports and should be stealthed.
Mr Horowitz, I’m having a problem setting up 4 ethernet VLans. It will probably be me not understanding properly your instructions.
This is what is happening. I’m setting up VLans and in Port settings choosing them from the drop down list which says Trunk or Access which I don’t understand.
However when it comes to the Lan address 192.168.50.1 if I don’t choose that as one of the ports I lose ability to connect to the router and have to reset. I can change the default Lan ip easily enough so the login page isnt default although I don’t know if that is good or not.
Is it possible to have all 4 ports VLan? I’ve been using 10.11.11.2 and DHCP range outside of every port number. But when I leave the default Lan ip on port 1 it says None in the VLan id number list.
Also, in Security settings their is an option to block Intrusions with a list of things like Ping and Dos prevention but it’s disabled by default. I’m very limited when it comes to understanding such things but I feel like turning it on but am worried because Peplink defaults are mostly user friendly.
In the admin and password settings there is an option for read only. If I leave this blank it means no one can use it?
Sorry to ask too many questions, I don’t like taking up your time but do you think it’s possible a Tivo box if hacked could then be used to hack the firmware on my TV? After losing so much equipment I’m totally paranoid haha sorry.
Thanks very much again everyone for replying to me, I really think it’s amazing and appreciate it. I can’t wait to read your security set up advice regarding the Surf Soho.
Thank you murgatroid for your welcome, pleased to meet you and hope to learn from reading the forum and not writing novels of posts asking for advice.
Oh, just one more thing, Virgin Media sent an engineer because my Tivo wasn’t setting up. I told him I had the Superhub on modem mode because I just heard about Krack. He told me not to worry because VM patched that in May. I didn’t even bother asking.
Ok, I promise to be much more concise in future, thanks again and hope you can help.
Modems are computers and thus can be hacked, but its rare. That said, the term “modem” is often used to refer to gateway devices (combination modem and router) and those are hackable as heck.
No one who cares about security should use Windows 10. Chromebooks are much more secure.
Android has a setting (not sure if its in all versions) to turn on Wifi after you have turned it off. Check every setting you can find.
Wow, 7 open ports on Shields Up is a lot. The Surf SOHO has none open, other than Remote Admin if you use that. Even an Asus router that I just tested had no open ports.
After VLANs are enabled in the Surf SOHO, then go to Network -> Network Settings -> LAN and create the 4 VLANs there. Each one should use a different network. The router will have a different IP address in each VLAN network. In Port Settings you want the Port Type to be Access. This allows one device and one VLAN on the Ethernet port. Trunk is more complex.
Sounds like you are using a VLAN, say 10.10.10.x and trying to connect to 192.168.50.1. Thats wrong. You need to connect to 10.10.10.1 from that VLAN to access the router (assuming you assigned the router number 1, this is a custom not a rule). Again, the router will have 4 different IP addresses if you have 4 different VLANs.
Yes, it should be possible to have each LAN port on its own VLAN.
As a rule, the Surf SOHO is secure by default. I dont know why it does not enable DDOS protection by default.
Peplink routers allow for two userids, one that can make changes and one that can not (read only). The safest option, if you don’t want to have a read-only user is to create one anyway and give a long ugly password.
In a normal network, yes a hacked Tivo box can possibly screw up other devices on the same network. Peplink lets you easily prevent devices on the same network from seeing each other, which prevents this. A hacked device cant mess up devices that it can’t even see. The option is Layer 2 Isolation and its a single checkbox.
You might find this article created as a introduction to get your router configurred using VLANs for printing useful starting point, @Michael234 is on the ball, there are many other good articles here in the forum to guide you in securing your router also.
Happy to Help,
Hi Michael and Marcus, thanks very much for replying and helping me.
I will report back within a few days as I was considering installing Ubuntu live on my laptop as I think it’ll be safer for me as I don’t know how to make Windows secure but Michael has confirmed my worst fears so I’m going to install Ubuntu after a format. However I wasn’t supplied with a Windows cd so if for some reason I have to return the laptop I think I will need to put the original Windows back on the drive. However, I don’t know how to make a complete install cd so I’m going to have to read up on that before I can get around to setting up the router and with a little trepidation connecting to the internet again.
It annoys me Windows installation discs aren’t supplied. Although it annoys me even more that optical drives are being dropped from laptops, there is a massive price difference to get a machine with similar specs that has a dvd drive. I mention that because with an optical drive you don’t need a hard drive because Ubuntu Live cd cannot be written to and as far as I know it’s the only media that has this security. All sd and usb media can be written to I’m sure. I know the ram can be written to but I’m not sure if hackers write permanent info onto ram?
Also, manufacturers should make the wifi and Bluetooth adapter easy to access and remove just like a hard drive can. Wifi seems to be the favourite point of entry for hackers so it should be something a user can totally disconnect. My old Samsung laptop that got hacked had this ability.
I wonder if I can install Chrome? Is it more secure for newbies like myself than Ubuntu? I shall have a search.
Thanks again for helping me, I really appreciate it.
Hopefully I’ll report back soon using my laptop successfully connected to the Surf Soho.
Sorry I forgot to mention, Michael when you said I should be able to access the login page using the new IP I configured in the port 1 VLan. This is what I thought but every time I tried I couldn’t get a connection. I reset the ethernet adapter, used ipconfig to see the gateway to confirm the new 10.2.2.x address which was there but for some reason I think the error message Windows kept reporting was ‘Badly configured device’ or something similar.
Although I was in Trunk mode, maybe that’s why?
You don’t need to reply, once I set up using the advice you’ve all given I’ll be able to identify what I was doing wrong hopefully.
Hi, I’m sorry I haven’t replied for a while.
I made a terrible spur of the moment mistake.
I installed Ubuntu 16.04 over my laptop’s Windows 10 because I prefer Ubuntu. However I didn’t make a Windows 10 installation disc because I have a Windows 7 disc and the serial number on that has already been registered as Windows 10 premium which I’ve used to reformat and upgrade before without a problem. That was with an internal Dvd writer.
My new laptop doesn’t have an internal Dvd writer so I bought an external one.
I must be up front and honest here because I don’t know if it’s against the rules to ask the following question because it’s not about the router, it’s about Linux and I already asked on StackExchange but they closed my thread stating my query didn’t make sense. I thought it was simple.
I’m asking here because I am paranoid since the first hack and I’m worried I might have been hacked again even though I have never connected to a WiFi network or typed a password for a network.
I also disabled WiFi on my ISP gateway modem.
This is my concern:
Installation of Ubuntu said successful but when I rebooted a large scrolling of error messages appeared so fast I couldn’t read them before restarting to the login page.
I logged in ok but the touchpad wasn’t functioning.
I searched Dash for Boot-Repair but it didn’t show up.
I then booted into Recovery mode to check Filesystem.
It reported Filesystem ok but the very last line said Filesystem Unknown.
I thought this was strange.
Then the computer started to perform another action without any input from me.
Started to tell Plymouth to write out runtime data.
Reached target network (Pre)
Set Console Scheme
Created system-getty slice
Started LSB: App Armour
Starting raise network interfaces
Reached target network is online.
Control-D to continue
Is this suspicious activity considering I disabled WiFi on modem and laptop?
I don’t understand why it’s reporting a network connection has been established.
I also don’t want to connect to the Soho incase I have a virus which might affect your servers.
I tried to install Windows 7 but the external DVD doesn’t have the drivers.
I formatted the disc using a Windows command.
Reinstalled Ubuntu, this time no error messages but touchpad still disabled and a network connection established before restarting.
Once again I’m sorry if this is inappropriate question for this forum.
I hope someone can put my mind at ease.
All though many of us in this forum are competent in computer support, your PC needs are a bit outside the forums current focus on Peplink manufactured equipment.
Rather than leaving you stuck in the web, you may find some guidance to a suitable computer support centre local to you by reaching out to your local Peplink Partner. You can find your local Peplink Partner here at the URL of https://www.peplink.com/peplink-certified-partners, or let the forum know where you are (which country) so the local partner can reach out to you.
Happy to Help,
Hi Marcus, thanks for replying.
I think I’ll have to find another Linux forum as I did think it was probably not right to ask it here.
I don’t really have a problem with the router at the moment as I want to make sure my computer is clean before connecting and the information already provided should get me up and running.
I think I might have to connect to the internet to get drivers for the touchpad.
Would it affect Peplink’s servers in any way if I did have a hidden virus and connected my laptop to the router? I really don’t want to connect it directly to the ISP modem.
Also, I received an email from the vendor on Amazon UK who I purchased the router from. He’s asking for the serial number so he can give it to Peplink, is that a normal request?
Thanks again for replying.
No one would say that malicious software on a network won’t affect a system, though Peplink have been very careful to put in place above industry standard protection on the management systems, so even if you connect your computer to your SOHO and jump online, you are unlikely to affect there systems.
All the best with getting your PC sorted.
Happy to help,
All support queries start with the serial number so yes this is a normal request.
Hi guys, thanks again for replying. Sorry I took so long to respond but it took me a while to remove the WiFi Bluetooth adapter. I could be overreacting because if I’m being targeted then the skill levels of the hackers are going to get in through ethernet anyway.
Just trying to be as cautious as possible.
I used to be good at setting things up but I don’t know what I’m doing wrong with the router.
I changed the IP to a harder to guess private address as advised by Mr Horowitz.
I made all 4 ports VLANs although I’m not sure port 1 is supposed to be set up this way because it’s the only one that doesn’t have an entry box for VLAN number like the other 3. It just says None under Number. I choosed Access for all VLANS.
I can log in using the new ip on Port 1.
However after setting up settings which are mostly default I connected the Wan from the ISP gateway which is switched to Modem Mode but although ifconfig shows the IP of the ISP the Tivo box doesn’t run when connected to LAN 1.
I also connected the laptop to LAN 1 but there is no internet.
I think the error message mentioned a DNS problem but I checked the DNS servers and they are both Virgin Media.
I’m using Ubuntu and set firewall to sudo UFW enable and verbose says default settings Deny all incoming Allow all outgoing.
I’m scratching my head, I really don’t know what to do.
Oh yeah I turned off WiFi so it can’t be those settings.
I didn’t use iControl to set up in case my laptop is comprimised and as I said I want to avoid connecting to your servers until I’m quite sure it’s safe.
If I can login to the router on Lan 1 shouldn’t that mean it is set up correctly for Internet?
Once again, apologies for the long post, I hope you can help me.
I’ve also made sure the DHCP address range is outside of the main IP.
First off, I came to these forums exactly because I was having difficulty/questions about setting up VLANS for each of my different LAN ports. I was told to set up a DMZ because I could not reroute a (Steam) port through the remote ports provided by AirVPN, which are fantastic. I have posted Michael Horowitz’s site pretty much everywhere, as well as the merits of Peplink and AirVPN (they’re a nonprofit, they provide excellent security services that most VPNs don’t care about, they report EVERYTHING). I don’t feel confident setting up a DMZ or even port forwarding right now.
I think, based on this thread, I can figure out the VLAN part. I’m not sure how I’m going to create a secure temporary server to a Steam p2p port array without my VPN or Steam permitting this. Remapping ports is new to me, and dangerous. I have to figure all this out.
In any case, I wanted to point out some things to OP Spangled, others feel free to disagree or correct me:
Don’t believe Gibson Research. It’s not that Gibson is a bad person or incompetent or something, it’s just there’s a lot of things going on, and for new users, his terror warnings are confusing. I have read many security professionals say far less respectful things about his tests. ipleak and dnsleak are good tools (I believe they are run by AirVPN even). Learn everything you can about NoScript, Ublock, and, if you have the time left over, Umatrix and http headers (and other kinds of headers). You’re using Firefox and not Edge, Chrome or Safari (right?), type about:config, jump past the warning, get to know what’s going on. I am only now learning about the latter tools to any useful degree. Chrome is okay for security, but you’re part of a deep learning project, if that doesn’t bother you, keep using Chrome.
I read in maybe 3 of your posts “my ISP modem.” You mean you are still using ISP hardware? Please stop using ISP leased hardware. Here’s a story:
I leased Comcast’s “Big Black Brick,” the standard Cisco* unit. Utterly featureless. The firmware is a complete joke. A couple Decembers ago, it was announced, all the way up to Homeland Security’s website, that a gigantic backdoor was in this gateway modem. I had signed up for security warnings from Comcast. I have never received a single one, not on that zero day and nothing ever since. When Comcast wants to update your gateway modem, they do so by DDOSing it. You can see this in the logs yourself when they release a "patch."
While difficult to identify the exact origin vector(s), I was hacked horribly, my entire network, including my phone, my deceased mother’s mac (and all of her personal files) were invaded, it was quite a nightmare. I did pretty good, all things considered, but I’ll save that for another day.
I examined my gateway modem; the firmware was NOT DOING ANYTHING. it has been completely gutted and replaced with a mirage. I managed to catch some logs of the botnet/script kiddy upstairs phoning home, I saw logs disappear in real time, I managed to stop the thing on my PC, pulled out the ram and flash it on my mom’s mac, I tried everything I could find on blackhat forums. I struggled to understand nmap, tiger, tcpdump, I had no idea what I was doing. I got it to intentionally infect a Linux install disc, just to prove that the trojan was able to traverse my network in multiple ways. I still keep that drive to remind myself I’m not crazy, the botnet trying to hack my MSN account every day doesn’t hurt either.
I looked at every single file on that disc. Aircracking, “firmware nuking,” bluetooth jacking, metaexploit, a host of infections and malware names in the news at the time, dictionary crackers, keyloggers, nstructions on installing hidden torrent services, I learned a whole lot about how evil works in the world of stupid people with bad equipment. It was all on there, like a swiss army knife of script kiddy carnage.
I called my ISP. I was forwarded to a fellow in another nation who’s solution was for me to purchase a year’s subscription to Norton Antivirus. I called Apple upper tech support, they didn’t know any of the viruses or zero days I was talking about (there were tons in 2015-16). Apple has convinced people that everything is ok. They’re the technological equivalent of the East India Company. I called my ISP again to order a new modem to work with my new Peplink. The tech support guy GOOGLED MODEMS and sent me a link, which wasn’t a Comcast link, but some random spam site.
So that’s my abridged tale of ISP equipment. Throw it away.
The sooner the better.
*The popular Cisco gateway modem in question is not mentioned anywhere on Cisco’s site. They provide no guides, no firmware, no patches, no articles, no specs, nothing. It did not exist outside of Comcast’s domain.
I think I have a headache.
Hi, my mind is totally boggled.
I’m sorry to hear about your troubles Murgatroid, I think a similar thing happened to me as well as a very skilled hacker using my network for practice.
My current problem is I have set 4 ports to Vlans.
I changed the router ip ip and can log in using that.
When I connect the Wan I get the error message "your configuration is correct but there is no DNS responding."
I have tried OpenDNS, ISP DNS and automatic DNS on VLan 1 which is a private address that connects to the admin page. I assumed I could use that to connect to the internet once the Wan was connected.
I also tried Port 2 which is also a private ip with OpenDNS servers but I’m getting the same error.
What is strange is when I check settings via ipconfig /all, I cannot see any mention of my gateway modem’s ip address or gateway. The gateway is the same ip as Port one and so is the DNS server when set to automatic.
The only settings I changed that might have an effect is the Block Applications settings where I disabled all remote access.
I also unchecked FTP and Ipsec Nat-T because it looked like something I wouldn’t need.
I can’t think of anything else.
Does anyone at Peplink have a secure configuration file I could upload so I can use it to get online but also see the settings and what it is I’m doing wrong please?
Sorry for going off the rails there a little, I didn’t mean to disrupt your thread.
I was hopefully getting across the sentiment that “I support you, believe you, and you aren’t crazy.”
Couple things here, and I don’t want to boggle anyone’s mind any further.
Michael Horowitz advises keeping the modem open, whereas 3com, the vendor who sold me my SURF SOHO, advised me to block the modem IP from the LAN, the opposite of his recommendation. They also told me to block 192.168.0.0, but not the 10.dots or 172.x. My VPN uses 10.4 as the subnet for its tun0 services. I’m a little worried that blocking all access to 10.dots will mess up my VPN. Something I’ve never even though about. The VPN probably pokes a hole right through any such block, I thought, but when I put my LAN on a VLAN, connectivity to the internet stopped. I am thinking I have to use a static IP and manually connect through that VLAN IP, and possible do some fiddling with my VPN to get it to work right.
The keep in tandem with the OP’s issue.
Spangled, regarding DNS problem: Do you have DNS Forwarding Setup > Forward Outgoing DNS Requests to Local DNS Proxy enabled? Each VLAN has its own DNS server, the LAN does as well, the WAN will be the network reaching out to OpenDNS or 126.96.36.199 or however you have it set up. I have had no issues using FTP services with this stuff off. All I can gather is is that it’s meant more for FTP/TFTP servers or traffic management; I don’t use IPSEC tunnels so don’t need that. FTP is a dangerous protocol, but it isn’t on unless you turn it on, and it requires outgoing only to make a connection. I’d like to have it removed, but it’s pretty ingrained in how everything works online. I also really love wget… I don’t know what I’d doing, clearly.
Application blocking-- Where are these applications being blocked? Local users? Remote users? Does blocking e-mule mean nobody can make an outgoing or incoming connection using e-mule, what’s the actual control? Is this meant for net admins trying to control user application privileges?
OSPF: Still no idea why I should use this on my LAN, but I use it anyway. MD5 cryption and all.
VLANS: I have read a whole lot of VLAN posts on here, and still trying to figure out where I’m going wrong. The solution of signing up to InControl to set up VLAN as mentioned is not an option for me. I’ll keep trying, but there are continual other things I’m trying to figure out (Linux, general security, my place in the world, etc.), when something is breaking my connection, I don’t always have hours to debug it. I will give MH’s kind guidance another read and give it another shot.
Spangled, if I make any progress I will share anything I learn. I feel like I understand what you are going through. Just remember, it’s only a computer, and there’s always other things.
Hi Murgatroid, thanks for replying. It looks like we’re making some kind of progress although for me it’s one step forward two steps back.
I finally got my laptop to connect to the internet but the joy was short lived.
This is what I ended up doing.
In the WAN Details section I typed in my ISP ip address and then instead of trying to use different DNS servers I just set every VLan to Automatically detect DNS servers as I knew they would be my ISP’s.
All the 4 Vlans had private ip addresses so I just plugged the computer into Port 1 after connecting the ethernet to the WAN port.
I got success but then things went a bit messed up. I reinstalled Windows which took forever to download updates but when it came to installing the updates I got an error message “update failed.” I’ve never seen that before and I’ve installed Windows on a lot of computers.
Then I thought I would check the Network using ipconfig but then that said “Access Denied.” Haha I swear someone is messing with my head. I had only made one Admin account and when I tried to uninstall software I also got the message Access Denied.
At first Firefox was fine then every page I tried to reach gave the error "Bad certificate, cannot load page, Google.com has been set up incorrectly."
Very strange because I don’t think that had anything to do with the router.
What ruined my hopes of finally having a working setup router was Port 2 was connected to the Tivo box but it just kept saying "No connection."
I don’t know why Port 1 connected to the internet but Port 2 didn’t because they were both set to automatically use the ISP DNS servers.
I’m sorry I don’t understand what you mean about forwarding DNS Servers?
I understand your frustration, everything was fine for years now hackers have got me so paranoid I’m wondering if they’ve already hacked again and that’s why Windows didn’t update and one port is fine while another is not.
I hope you find a solution soon, it sounds like you know more about it than I do.
The worst thing is I bet it’s something really simple that we’re missing as I think the router does look quite straightforward with its settings page.
I’m almost resigned to just using the phone for browsing. It’s too small for chat forums, YouTube and playing chess.