Topic: RESOLVED: Port Forwarding doesn't work...

[spanna]

Hi Guys,

I'm hoping someone can help me on this.

I've been having a little trouble with port forwarding from the server manager. The strange thing is the port forwarding used to work, it's only recently stopped. I've tried deleting and recreating the rules, and I've also rebooted the server a few times too (even though I shouldn't really need to do either, I know). Neither of these approaches worked.

I haven't changed any settings on the server either, so it should still be working.

More details follow, hopefully to avoid a few questions;

The server is in server and gateway mode
The server is connected to our ADSL line by a Cisco modem (not a router)
The first network card in the server has our external IP
The second network card has the IP 192.168.1.1

The server I want to forward a port to has the IP 192.168.1.3
The server I want to forward to NEEDS to have the port 8080
I can contact the server internally using http://192.168.1.3:8080/reg/
I can't contact the server externally, but I used to be able to

The rule created looks like this;


So, is there something I am doing wrong, or is this a known issue with SME7 Final?

Thanks,
Adam

[CharlieBrady]

I haven't changed any settings on the server either, so it should still be working.

Have you changed anything on the server you are forwarding to? If it's default gateway is not set to 192.168.1.1, then the forwarding will not work.

BTW, I doubt that you need to forward UDP as well as TCP.

[spanna]

Hmm...

As far as I can tell everything will be okay. I haven't changed any settings on the other machine, no.

The output of ipconfig gives me the following;

Code: [Select]

Windows IP Configuration

   Host Name . . . . . . . . . . . . : terminalserver
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet
 NIC
   Physical Address. . . . . . . . . : 00-90-F5-36-EC-0C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Does anyone know if there are any settings for Apache that make it only see/talk to internal networks?

I know there's probably no need for UDP, but that shouldn't cause an issue. I'll remove that line anyways and see what happens.

Thanks, Adam.

[mercyh]

Have you tested this with the www.grc.com port scanner from the windows machine to see what it shows?

Your settings look correct. If you search the forum for port forward there are a lot of posts with a lot of different scenarios. (Yours may be unique though)

Port forwards are very hard to troubleshoot as the problem could come form very different sources.

The strange thing is the port forwarding used to work, it's only recently stopped.

If there has been no change in the SME or the MS server I would try to put a Windows computer in front of the SME, give it the SME External IP address information, Open up the firewall on it and then test that port with GRC.com to make sure that your problem is not upstream. (I once spent several days trying to figure out what had changed and found that an upstream router needed to be rebooted)

You could also attach a computer directly to the WAN side of the SME, and see if you can hit your internal machine using SME's IP address to see if the forward is working through from that point.

[CharlieBrady]

Port forwards are very hard to troubleshoot as the problem could come form very different sources.

They shouldn't be hard to troubleshoot. There's really only a few questions to get answers to:

- do packets arrive at the external interface of the gateway?
- are those packets forwarded with the correct address rewriting to the internal server?
- do return packets arrive back at the gateway?
- are return packets sent back to the originating machine with the correct address rewriting?

tcpdump is a very useful tool to get answers to those questions.

[mercyh]

Charlie,

Thanks for your input.

I should have said "for me" to troubleshoot.
(there are an awful lot of tricks that I don't know)

The times I have really sweated on this is when the problem was:

- do packets arrive at the external interface of the gateway? = No

I guess I don't know how to make ISP's do what I want.  



Royce H.

[spanna]

Merych:
I connected a machine to the WAN interface but couldn't convince it to do anything. I'm not entirely sure how to configure that.
Strange thing is that I could contact the server on 8080 last night with no problems for about two hours, then it stopped again. But I still had full access to the SME (webmail, Primary I-Bay, etc).

CharlieBrady:
I am beginning to wonder if it's something at my ISP, or something with the other server on 8080. Unfortunately I don't know how to use tcpdump, but I'll see if I can find something to teach me.
The points

do packets arrive at the external interface of the gateway?

and

are return packets sent back to the originating machine with the correct address rewriting?

worry me. Simply because the first is most likely out of my control, and the second is going to be quite hard to fix.

Thank you both - I'm going to have a good poke around now I've got some pointers to go on. Would it be worth contacting my ISP at this point?

[CharlieBrady]

The points

do packets arrive at the external interface of the gateway?

and

are return packets sent back to the originating machine with the correct address rewriting?

worry me. Simply because the first is most likely out of my control, and the second is going to be quite hard to fix.

The second is provided to you by the linux kernel and netfilter developers, and by me, and that bit does work, I'm sure.

The first is beyond control of the SME server for sure, but not beyond your control. You need to ensure that DNS is configured correctly, and you need to ensure that your ISP is not blocking connections on the port you care about.

[spanna]

Hmm, I set up a Windows box directly to the modem yesterday once everyone had left the offices (the only time I can really do it, or they whine), disable the firewall and set IIS to output to port 8080.

It was dead. So very dead.

At this point I'd like to apologise - it would appear the problem is not with the SME. I've had a look through the modem settings, and it's literally a birdge. It doesn't do any NAT work or forwarding at all.

I have left a message with my ISP and I'm waiting for them to get back to me, but what reason would they have to block 8080?

[mercyh]

Did you try the GRC port scanner from the windows server you are trying to reach (192.168.1.3)?

Go to the following website from the windows machine:
https://www.grc.com/x/ne.dll?bh0bkyd2

In the last box on that screen you should see the IP address you will be using to access the server from outside your network. Is this the address you are using?

Click proceed on that screen.

On the next screen put your port number in the box and click User Specified Custom Port Probe

If the forward is working It will show as open.

If you can get your windows box upstream of the SME again you can go through the same steps and see if it is working from there.

A few thoughts.

1. Intermittent = Bad (these are harder to troubleshoot and harder to get the ISP to fix if it is on their side)
2. Testing. You cannot test from inside your network without something like GRC or using a remote client. (If Charlie or somebody else out there has a technique to test forwards from inside the network, I would love to here how they do this.)

I had a situation that displayed exactly the same symptoms as this one.

1. Forward worked for a while and suddenly stopped.
2. Intermittently worked after above.

After much research and through visiting with the other IT people in our small town, we found that two of us had the same set of problems going on. It turned out that two of us had loaded the same static external IP address into our routers.

I don't know why it worked at all, but it did (now and then).

[spanna]

Yeah I tried GRC, it said the port was steathed, meaning it (probably) didn't get a reply.

I understand that you can't test port forwards directly from inside the network. My normal strategy is to SSH into my computer at home and try accessing it over the terminal, or if it's something graphical I'll VNC in.

I rang my ISP today to see if they could offer some assistance, as they are charging us a fair wedge for a 'Business' line (or, rather, ADSL with a 'lower' contention than their domestic lines).

I also asked if they throttle or block any ports but I couldn't get a coherant/useful answer from the guy on the phone.

It is frustrating that it's an intermittant problem, yes. If it was straight dead it would be so much easier to find.

[mercyh]

My normal strategy is to SSH into my computer at home and try accessing it over the terminal, or if it's something graphical I'll VNC in.

I normally use Windows RDP through my home machine. I was hoping somebody had a better way.

(So much to learn, so little time....................)

[spanna]

Haha, I don't think there are any other easy ways apart from actually connecting from outside.

In the good news though, the problem has been resolved after many hours on the phone to my ISP. When they told me they "don't block any ports or use traffic shaping of any kind" they were lying.

Which does mean, for me, the SME server is once again flawless!

My next bit of fun is getting the machine to back itself up to an external hard disk (DAR?).

[CharlieBrady]

Which does mean, for me, the SME server is once again flawless!

Please edit the subject of this thread, then. It's false.

[kruhm]

use port 3389 for ts/rdp

as the ts/rdp client is always available