Koozali.org: home of the SME Server

[7RC2] Can't connect from remote host

Offline dtech

« on: May 15, 2006, 01:55:19 AM »
Hi all;

I just did my first production SME install on a small network. Internally everything is working as expected. I'm used to using Fedora Core whatever as a server OS, but decided to give SME a try and I'm liking it.

This office has a dynamic IP on a DSL connection. I set up a DynDNS account, which I got working by using the DynDNS name as the domain name of the SME install. Now SME updates DynDNS the way it's supposed to. I read this little piece of info in the forums somewhere, I assume this is the correct way to set dynamic DNS up. This office does not intend to run a website on the SME server, and their email is outsourced too. All this server really needs to do is be a file and dhcp server for now. It is set up as a server and gateway.

Now to the problem; I can ssh into the box from a remote host, both as admin and root. I can't seem to connect to the SME box via a web browser, either using the DynDNS domain name or the IP of the office. I can't connect to port 80 or port 443, to the server-manager or to the default web site on the server; the connections time out. If I do a port scan I see that port 80 is not there, but 443 is open. And yes, I allowed access to my home IP in the Remote Access panel.

Any ideas on this? Thanks in advance,

-Pete

PS - I'd like to see a little more in the way of configuration options for ssh access. I usually set LoginGraceTime at 10 seconds, and then I only allow access from my home IP in hosts.allow. I can do this manually I know, but then my changes are overwritten if I use the Remote Access panel again. I'm not a programmer, but I'm wondering how hard this would be to do in the SME templates.

Offline MSmith

« Reply #1 on: May 15, 2006, 05:30:15 AM »
If you want to access the Server Manager, login via PPTP VPN to the SME box then use the internal IP address.
...

Offline dtech

« Reply #2 on: May 15, 2006, 01:49:21 PM »
Hi MSmith;

Thanks for the reply. I'm really more interested in discovering why this is happening more than I'm interested in getting to the server-manager, since I can also access it from an ssh connection. Or, as you suggest, a VPN, which I haven't tried yet.

Here's some more info; from the office the server-manager is accessible using the DynDNS URL. If I try to connect either from my house or from the office using a proxy that gives me an IP that is different from the office IP, I can't connect to either the server-manager or the default web site. So I suspect this has something to do with apache only accepting internal requests, although this is an area that I don't have any knowledge of. Just wondering if this is a bug, or a configuration issue.

-Pete

Offline pfloor

« Reply #3 on: May 17, 2006, 07:19:55 AM »
Quote from: "dtech"
Hi MSmith;

Thanks for the reply. I'm really more interested in discovering why this is happening more than I'm interested in getting to the server-manager, since I can also access it from an ssh connection. Or, as you suggest, a VPN, which I haven't tried yet.

Here's some more info; from the office the server-manager is accessible using the DynDNS URL. If I try to connect either from my house or from the office using a proxy that gives me an IP that is different from the office IP, I can't connect to either the server-manager or the default web site. So I suspect this has something to do with apache only accepting internal requests, although this is an area that I don't have any knowledge of. Just wondering if this is a bug, or a configuration issue.

-Pete
More than likely a configuration problem. Access from behind the firewall using the URL will always work as SME has its own DNS server and resolves its own domain names internally.

Is your server connected to a dsl router/firewall?
If so, do you have the ports from the router/firewall forwarded to the server?
In the server-manager on the "review configuration" panel, what are the internal and external IP addresses?  (You may cut off the last 2 sets of numbers like this if you want 192.168.xxx.xxx)
In life, you must either "Push, Pull or Get out of the way!"

Offline dtech

« Reply #4 on: May 17, 2006, 02:57:34 PM »
Quote from: "pfloor"
More than likely a configuration problem. Access from behind the firewall using the URL will always work as SME has its own DNS server and resolves its own domain names internally.

Is your server connected to a dsl router/firewall?
If so, do you have the ports from the router/firewall forwarded to the server?
In the server-manager on the "review configuration" panel, what are the internal and external IP addresses?  (You may cut off the last 2 sets of numbers like this if you want 192.168.xxx.xxx)


Paul;

Thanks for your reply. I was intending to post a reply to myself just to wrap this thread up, so here it is, although I'm still not absolutely sure why things now work.

I can now connect to the DynDNS url of the SME box, although only by https://. An external port scan of the IP of the SME box shows ports 113 (closed), 443, 465, and 1723 as open. Port 80 isn't there, and I suspect that this is being blocked by the DSL ISP, although I have not confirmed this yet.

As far as my original problem goes, I'm wondering if it was a DNS propagation issue with the DynDNS domain. I was attempting to connect within hours of registering with DynDNS, and I had set the domain of the SME server to the DynDNS domain. About a day after I had registered with DynDNS, the connection started working. I just don't know if a DynDNS url needs time to propagate.

So the answers to your questions; the server is directly behind a DSL modem, the Westell 2200. As far as I know, the modem has firewall and DHCP capabilities, but is set up in bridge mode with all of its features turned off. This is probably worth looking into as far as the port 80 issue goes.

Internal IP of the server is 192.168.0.1, and external is 70.16.XXX.XXX .

But again, things seem to be working now, all except my PPTP connection issue that I mentioned in another thread, but I don't think that has anything to do with this.

-Pete

Offline pfloor

« Reply #5 on: May 17, 2006, 06:29:25 PM »
Two possibilities that come to mind.

1-Your ISP is blocking ports.  Go to their website and check their policies.

2-Your server may be set up as "Private-Server/Gateway" (instead of Server/Gateway).  I can't find info on Private-Server/gateway, it is rarely used but I would assume that some of the ports will be closed under this configuration.

The standard ports open for Server-Gateway are as follows:

80 - http
20 - ftp
21 - ftp
22 - ssh
25 - smtp
110 - pop3
143 - IMAP
443 - https
465 - SMTP over SSL
980 - server-manager on internal interface
993 - IMAP over SSL
995 - POP over SSL
1723 - PPTP (VPN if you have enabled pptp access for 1 or more users)

If you disable any of the services in the server-manager then the associated ports will be closed.

Offline dtech

« Reply #6 on: May 18, 2006, 03:09:48 AM »
Quote from: "pfloor"
Two possibilities that come to mind.

1-Your ISP is blocking ports.  Go to their website and check their policies.

2-Your server may be set up as "Private-Server/Gateway" (instead of Server/Gateway).  I can't find info on Private-Server/gateway, it is rarely used but I would assume that some of the ports will be closed under this configuration.

The standard ports open for Server-Gateway are as follows:

80 - http
20 - ftp
21 - ftp
22 - ssh
25 - smtp
110 - pop3
143 - IMAP
443 - https
465 - SMTP over SSL
980 - server-manager on internal interface
993 - IMAP over SSL
995 - POP over SSL
1723 - PPTP (VPN if you have enabled pptp access for 1 or more users)

If you disable any of the services in the server-manager then the associated ports will be closed.


Paul;

Today I did a grc.com port scan of the external IP, port 80 was stealthed. But then I could browse from inside the network to the default web site. The ISP is Verizon, and although I can't find anything on their site that addresses port 80 blocking, there is plenty of anecdotal evidence in various forums on the internet. Also, the server is in server/gateway mode, not private server/gateway mode.

Just for discussion purposes, both an nmap scan and the grc.com scan show port 113 auth/ident as closed, to add to your list above.

-Pete

Offline pfloor

« Reply #7 on: May 18, 2006, 05:26:14 AM »
Is this rc2?

Also, just to make sure your server is set correctly, do this from the command line and post the results:

config show SystemMode

and

config show httpd-e-smith

Offline pfloor

« Reply #8 on: May 18, 2006, 05:37:28 AM »
After reading a couple of articles on Verizon DSL it would be a safe assumption to think that Verizon is blocking port 80.  As one person stated:

You have a 1 in 10 chance that you will be able to run a server on port 80 with a Verizon DSL account.  They have now even started to block port 80 on their "business class" accounts.

I think you are wasting your time trying to get a web server to work on the standard port 80.

Offline dtech

« Reply #9 on: May 19, 2006, 02:18:19 AM »
Quote from: "pfloor"
Is this rc2?

Also, just to make sure your server is set correctly, do this from the command line and post the results:

config show SystemMode

and

config show httpd-e-smith


Yes, RC2.

SystemMode=servergateway

and

httpd-e-smith=service
    TCPPort=80
    access=public
    status=enabled
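
Added example, not part of the thread: a small Python check for the distinction the thread keeps running into, where a port that times out ("stealthed"), a port that is "closed", and a name that does not resolve each point at a different cause. The port subset, the function names and the loopback demo are assumptions made for illustration.

```python
import socket

# Constructed sample: a subset of the ports pfloor lists for Server/Gateway mode.
EXPECTED_PUBLIC = {22: "ssh", 80: "http", 443: "https", 465: "smtps", 1723: "pptp"}

READINGS = {
    "open": "service reachable from this vantage point",
    "closed": "host answered with a reset: path is clear, nothing listening",
    "filtered": "no answer: packets dropped by a firewall or upstream",
    "unresolved": "name lookup failed: check the (dynamic) DNS record first",
}

def probe(host, port, timeout=3.0):
    """Classify one TCP port with a plain connect(); no raw packets needed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:          # DNS failure, e.g. a record not yet visible
        return "unresolved"
    except ConnectionRefusedError:   # RST came back, so the host itself is reachable
        return "closed"
    except OSError:                  # timeout or host/network unreachable
        return "filtered"

def diagnose(host, expected=EXPECTED_PUBLIC, timeout=3.0, probe_fn=probe):
    """Return {port: (service, state, reading)} for every expected port."""
    report = {}
    for port, service in sorted(expected.items()):
        state = probe_fn(host, port, timeout)
        report[port] = (service, state, READINGS[state])
    return report

if __name__ == "__main__":
    # Offline demo on loopback: one listener (open) and one unused port (closed).
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    unused = spare.getsockname()[1]
    spare.close()
    ports = {listener.getsockname()[1]: "demo-listener", unused: "demo-unused"}
    for port, (svc, state, why) in diagnose("127.0.0.1", ports, 1.0).items():
        print(f"{port:>5} {svc:<14} {state:<9} {why}")
    listener.close()
```

Run from outside the network against your own server, a filtered port 80 next to an open 443, with `access=public` and `status=enabled` set on the server, matches the pattern reported in this thread.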