Topic: ISP blocking access from my SME server??

[cgetty]

Hi Every body

In review: I was under the impression that my port was being blocked by my ISP.
It was pointed out to me that there was no evidence of that. It was also pointed out
that the SME server will not work if the modem from the ISP is acting as a nat /
router. I hope I got that straight

I was able to reconfigure the ISPs modem (feeding the SME server) From a
Nat / router (which it was configured as) to a plane old dumb bridge.

The old ISP was serving me PPOE. The new one is DHCP. So after I
reconfigured the ISPs modem to a bridge and my ISP updated the DHCP IP address
feeding their modem I re-established my  Internet connection.

Then from the outside (now @ work) tried to ssh sgetty.ath.cx -l admin to the server.
Not able to login. Below are the messages I got after my login attempt.

ssh: connect to host 63.168.104.2 port 22: Connection refused

An error occurred while loading http://sgetty.ath.cx/
Could not connect to host sgetty.ath.cx.
At the DynDNS web site it looks ok.

No problem in the inside.

I'm hoping that it just a simple miss configuration on my end. I fell I'm stepping into the
world of the big boys now by running SME server. Lots of network administration to learn.

I suspect that after I get this thing up & running (see I have hope) It will get the crap
beat out of it from the dark side. Since this is my test / learning server that just part of the
way it goes. Gota learn some time.

Also I would like to thank everyone for their help so far.
Clark

[funkusmunkus]

there are a couple of things we can look at:

first give us a little diagram of your network (eg internet==>modem/router==>SME==>internal network) or what ever you have, that would help us
understand how to answer your questions.

second if your SME external ipaddress is a 192.168.x.x one then your SME is behind a nat firewall, which means you not only have to forward
port 80 and port 443 (and what ever port you need) from your router that's doing the NATing to your SME server, but you will also have
to disable the dyndns update feature on the SME, because it will update dyndns with the wrong ip address.

to me it sounds like you've got the correct IP address sorted but you're router isn't forwarding port 80 to your SME server (although it could
be the ISP that's doing that, but check the router first and get back to us)

cheers

[cgetty]

Hi funkusmunkus

I posted a flash file of some of the screen shots of my  configuration.

http://scmug.azusalw.com/scmug/sme.swf

Thanks for offering to take a look.

Clark

[mackayr]

Just an observation.  Don't you have residential ADSL?  If so, shouldn't PPPoE be selected rather than DHCP with ethernet address in your configuration?

[mackayr]

Also, I noticed that all of your ports are filtered (as reported by nmap).  Have you confirmed that your modem is not filtering (blocking) your ports?  You made some configuration change to the modem, which I didn't exactly understand, but I'd recommend just leaving the NAT operational and just open the ports you need.  I'd start with port 22 to allow remote SSH access to your server.  I'd make sure you use certificates to prevent unauthorized access as well.  Some months ago (and probably ongoing) there were many many attacks on SSH ports.  Once you get that open and operational, you can continue troubleshooting.

Trying to help ...

[cgetty]

Hi mackayr

Don't you have residential ADSL? If so, shouldn't PPPoE be selected
rather than DHCP with ethernet address in your configuration?

My DSL service is residential. My old ISP served me
PPPoE. My new ISP is Verizon in my neck of the woods
(Calif) DHCP is my only option.

 These are the settings before I configured
the modem as a bridge.
http://scmug.azusalw.com/scmug/6100.swf

On the Westell forum (makers of the modem) these are the
instructions for changing the modem configuration to a bridge.
http://text.dslreports.com/forum/remark,14770977

After the reconfiguration I still have the same problem.
If filtering is going on I don't see any thing in the westell modem that is doing it.

Also being new to SME server I'm not sure that the initial settings are correct.
 http://scmug.azusalw.com/scmug/sme.swf

Thanks
Clark

[cgetty]

Hi mackayr

On the last slide of the modem flash file it states that
inbound traffic can be controlled by port forwarding.
Dose that mean like finding my web site??

http://scmug.azusalw.com/scmug/6100.swf

I can try port forwarding. I'm looking for a step by step
( I'll even make a flash file for the next newbee).

The link you referred  me to did not have any info in it???
 http://mirror.contribs.org/smeserver/contribs//mblotwijk/Contribs/httpd10080/

Do you know of any other links?

Thanks
Clark

Like this ?

[mackayr]

Yeah ... that last screen looks like your problem.  It appears that it's currently configured to block everything.  You could try the next setting up.  I'm not sure what ports they consider to be high risk though.  If you can manually configure portwarding, I'd do that.  That's what I have to do with my SME behind my router.  I just forward port 80 (internet side) to my SME server IP port 80.  Try that.  If that doesn't work, perhaps try some odd port number for the outside, and forward to port 80 on your SME.  Post the port number here, and I'll test it for you.

Good luck!

Rob

[electroman00]

 perhaps try some odd port number for the outside, and forward to port 80 on your SME.  Post the port number here, and I'll test it for you.
Rob

Sorry that won't work.

If you could post the output of ifconfig then we all would be able to better help
you, that's the first step to diagnosing network connection problems.

Without that info were just shooting in the dark, not enough information
to acurately help you.

[electroman00]

cgetty

Hey....I just checked and it looks like your on the air.

So I guess it was a "Faulty Operator" and not port blocking as Charlie
had indicated.

Charlie is the man to listen to for sure.

BTW....nice site.

[mackayr]

Sorry that won't work.

Actually, yes ... it will work!  SME port forwards work quite well, and so do those of most routers.  You can easily set a router to "listen" on one port (eg. 10080) and forward traffic to port 80 on a lan machine.  I've done it!  I had an ISP that blocked port 80 and used port 10080 to access the web server.

Indeed his problem wasn't port blocking as I had suspected, rather it was the modem (with built in router functionality) that was blocking the traffic.  To view the ifconfig output would certainly assist identifying SME Server configuration issues, but his problem started before switching to SME!  In any event, yes ... he's successfully up and running now!

Regards,

Rob

[electroman00]

mackayr

Bear with me hear, lets say you that you are as green as green can be about networking, you have no idea what a PF is and for that matter what
an IP is. Now that's pretty green wouldn't you agree.
You just came to this forum for help and you read the following.

Sorry that won't work.

Actually, yes ... it will work!  SME port forwards work quite well, and so do those of most routers.  You can easily set a router to "listen" on one port (eg. 10080) and forward traffic to port 80 on a lan machine.  I've done it!  I had an ISP that blocked port 80 and used port 10080 to access the web server.

Indeed his problem wasn't port blocking as I had suspected, rather it was the modem (with built in router functionality) that was blocking the traffic.  To view the ifconfig output would certainly assist identifying SME Server configuration issues, but his problem started before switching to SME!  In any event, yes ... he's successfully up and running now!
Rob

Question is will it help or compound an existing situation?

Then I will let you ask yourself the second question....

Charlie....I'm learning teach.

[electroman00]

Well I just re-read my own post above.....it sucks.

Surely doesn't read the way I intended.

Let's try this

Bear with me hear, lets say someone (newbie) is as green as green can be about
networking and that someone has no idea what a PF is and for that matter what an IP is.
Now that's pretty green wouldn't you agree.

That's a little better but no cigar...

mackayr

I wasn't speaking of you directly (meaning green) although that's the way it read and I'm sorry for that.

Open mouth insert foot.....works for me.

[mackayr]

haha ... that's a bit better.

I certainly may not know what port forwarding is "for", but I sure know a way to use it.  Since my (former) local ISP indeed engages in port blocking (follow the link on http://www.ualberta.ca/HELP/www/telus.html ), I used it to facilitate serving a web site from my SME box.

I set up a port forward on my router to redirect any inbound traffic to my external IP address (the unique four segment number representing my computer on the internet) on a given port (port 10080 in my case - it wasn't blocked) to my SME box, local IP address (192.168.X.X), port 80.  And voila!  My website was live on the internet, though users had to add ":10080" to the end of my domain name.  Needless to say, I've since left this provider for a more expensive alternative that doesn't block ports, so this isn't an issue for me any more.  Maybe port blocking is not common elsewhere, but it sure is prevalent in western Canada, since Telus is one of the two major high speed providers!

Regardless, thanks for the "softening" of your post, electroman.  Much appreciated!

Rob