Three Home Broadband blocks incoming connections

Just as an update, I took a look at the syslog for the Hub and can clearly see that iptables (firewall service) is running, even when the "SPI firewall" option is unticked and the device is in IP Passthrough mode. I am fairly convinced that this is a bug as the option should stop iptables running in this case.I'll see if Three Business Support have any info here.

Logs for info:
 Line 3539: Fri May 9 01:02:04 2025 user.notice firewall: Reloading firewall due to ifup of wan (ccmni2)
Line 3649: Fri May 9 01:02:05 2025 user.notice firewall: Reloading firewall due to ifupdate of wan (ccmni2)
Line 3718: Fri May 9 01:02:06 2025 user.err : 10573:[src/firewall_server_ubus.cpp,FirewallNotifyEventHandler,235]wanType:DATA wanStatus:Connected
Line 3719: Fri May 9 01:02:06 2025 user.err : 10573:[src/firewall_server_ubus.cpp,FirewallNotifyEventHandler,255]wanIfName:ccmni2 wanIpAddr:92.40.73.41
Line 3724: Fri May 9 01:02:06 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t filter -F FILTER_FORWARD_IP
Line 3729: Fri May 9 01:02:06 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t mangle -F MANGLE_PREROUTING_MAC
Line 3734: Fri May 9 01:02:06 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t filter -F FILTER_INPUT_PORT
Line 3737: Fri May 9 01:02:06 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t filter -F FILTER_FORWARD_PORTF
Line 3739: Fri May 9 01:02:06 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -F NAT_PREROUTING_PORT
Line 3772: Fri May 9 01:02:06 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t filter -F FILTER_FORWARD_PORTN
Line 3791: Fri May 9 01:02:06 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t filter -F FILTER_FORWARD_DOMIN
Line 3800: Fri May 9 01:02:07 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t filter -F FILTER_INPUT_PARENTAL
Line 3807: Fri May 9 01:02:07 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t filter -F FILTER_FORWARD_PARENTAL
Line 3815: Fri May 9 01:02:07 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip6tables -t filter -F FILTER_INPUT_PARENTAL
Line 3817: Fri May 9 01:02:07 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip6tables -t filter -F FILTER_FORWARD_PARENTAL
Line 3818: Fri May 9 01:02:07 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/etc/init.d/miniupnpd stop
Line 3825: Fri May 9 01:02:07 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t filter -F FILTER_FORWARD_DMZ
Line 3828: Fri May 9 01:02:07 2025 authpriv.notice sudo: firewall : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -F NAT_PREROUTING_DMZ

I see the same. I also see its DHCP log assign the “real IP” to my router. So there is a high chance that NAT is still happening. You need to do double NAT if you really need the incoming port. But you lost the real IP information which need to recover with external help

Thanks. I did get double NAT working actually but it's not what I wanted. Not sure how that affects things like Xbox multiplayer online gaming but it won't be ideal. Still waiting for them to collect my kit after 3 weeks! They have cancelled the contract though at least. 

Did anyone on here look at non-Three hubs as an alternative? I haven't gotten around to it yet but toying with the ZTE MC7010 now! Too much choice 😕. 

Hi Barnbow_Tech

This is very interesting because if the firewall is still enabled despite the gui saying otherwise then this may be the root of the issue. Thanks for your efforts with this.

If you do get anywhere with Three support then please do post your findings here 

Hi Ihuss,

Sadly I got nowhere with Three. I'm on a business contract where you would think more need and more support for features such as port forwarding but I was told my Customer Care that they can't support any extra configuration setup like that! 

I didn't try actual technical support as I just thought that would be a dead end anyway! It may still be an option but at this stage my hub appears broken anyway so I have asked for a replacement, in the hope that another one works 🤞.

It appeared to stop getting a signal entirely and is displaying "on" on the display after customer care suggested I changed the APN to IPv6 mode only. I'd not tried that mode on its own (had used IP4v6 with no success) so I guess it was worth a shot, but most likely wouldn't work anyway seeing as the firewall service appears to be still running despite being off.

I will post again with an update on the replacement hub. Am hoping it comes with a slightly older firmware as I was on the latest one with the current hub (Three didn't really help when I asked about other firnware, but I am sure when I first got the hub it asked to update).

Just wanted to say I had the exact same problem as you, I tried changing the hub from IPV4v6 setting just to see what effect it might have on port forwarding, and just like that the device no longer connects to the Three network, even if I change the setting back or do a factory reset by holding a pin in the reset button. I'm just getting ON, neither the 5G or 4G lights illuminate and the eero displays a red light.

Totally mad that a user can effectively brick the device by changing an innocuous network setting.

Oh wow! Sorry to hear that. Definitely seems like some form of bug in the firmware in that case. Factory reset via the pin method did nothing for me either 😕.

Presumably you had the latest version? Mine was on 130.00100.113.024.

It would be good if we could get some form of support via Greenpacket themselves but I know that's not going to happen! I am instead now waiting on a replacement hub which I was told was arranged last Friday but on checking with them yesterday they hadn't even filled out a form for the return! Hopefully it is coming tomorrow.

I will then have about a week to test before cancelling my contract within the 30 day cool off period!

I'll try post an update as soon as I have any more info. 

Did you contact support or arrange a replacement already WM1990?

There followed two hours of mostly being on hold or waiting for a call back - and I listened to genius advice like "take the SIM card out and reinsert" or "try a factory reset," - which is something I suspect might actually contribute to the device failing - all the while I'm saying "you need to send me a new device".

This has resulted in the support guy "logging a ticket" and they will reply to me "within 7 days", all while I have no internet from the hub. 

He also cannot give me a reference number for the ticket.

It might actually be worth it to start a new outdoor hub contract, use that device until this one is exchanged and then cancel the new one in the cooling off period.

I think you might be right! I've been with Three for years now and their support is awful. And that's being polite!

No sign of my replacement hub either today. I am doubtful it's going to arrive before my cooling off period ends!

Hope you get it sorted.