Koozali.org: home of the SME Server

port forward

enchesss
port forward
« on: June 30, 2015, 04:51:20 PM »
Hi,

The port forwarding settings in the server manager are not working.

The SME is in dedicated server + gateway mode

It has been configured to have access to internet via a bridged modem.

The internet works well and access to internet works for local network

I want to forward incoming traffic for port 9000 to an internal server

This did work before changing gateway to SME Server (when previously just port forwarding via modem)

We used to access it by putting the web address http://openworldsproject.info:9000 in the viewer's address bar

The port forwarding settings in the server-manager console are:

Protocol                               tcp
Source Port(s)                       9000
Destination Host IP Address       internal server ip
Destination Port(s)               9000
Rule Comment                       opensim
Allow Hosts                       [left blank - not sure about this]

I can access the apache server via firefox e.g. http://internalip

I can access it via firefox e.g. http://internalip:9000

Am trying to look for errors in logs - but not sure about this

Thanks

Not sure how to do a port scan but the output of the following might show that the ports are not open

netstat -an| grep 0.0.0.0|grep LISTEN|grep :

tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:515                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.1:139               0.0.0.0:*                   LISTEN     
tcp        0      0 serverip:139            0.0.0.0:*                   LISTEN     
tcp        0      0 serverip:2222           0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.1:980               0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.2:53                0.0.0.0:*                   LISTEN     
tcp        0      0 serverip:53             0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.1:3128              0.0.0.0:*                   LISTEN     
tcp        0      0 serverip:3128           0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.1:26                0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN



The server manager log files do not show any errors

There is an error in the OpenSim viewer though indicating that port 9000 is not open:

2015-06-30T22:40:14Z WARNING: ll_apr_warn_status: APR: Connection refused
2015-06-30T22:40:14Z WARNING: BaseCapabilitiesComplete::httpFailure: [POST:http://110.175.1.173:9000/CAPS/6b25878a-f804-4148-8ec0-bd19c73ef5440000/] [status:499] [reason:STATUS_EXPIRED] [content:!]
« Last Edit: July 01, 2015, 02:17:36 AM by enchesss »

Daniel B.
Re: port forward
« Reply #1 on: June 30, 2015, 05:06:25 PM »
OpenSim does not work internally - but did/ does before changing gateway to SME Server

I think you mean from the outside. But still "doesn't work" is a bit vague. Not enough for us to help you
C'est la fin du monde !!! :lol:

janet
Re: port forward
« Reply #2 on: June 30, 2015, 05:42:23 PM »
Enchesss

You need to provide more details.
Look in the sme server & second apache server log files to see what error messages (or otherwise) that are recorded around the time you try accessing from an external location.
Remember if you try accessing the second server via the port forward, from behind the sme server, it will not work as port forwarding does not forward internal requests

Also please describe your network arrangement, is your sme server in server & gateway mode & does it act as the firewall for your network, is there any other firewall device between sme server & the Internet, is the service running & open on the second server (it sounds like it may be as you say you can access it using an internal IP/URL) etc etc (anything else pertinent).
You could also provide us with the real world external address (URL) & we could test & check access.

Also have you done a port scan to ensure port 9000 is really open/ accessible, see grc.com.
« Last Edit: June 30, 2015, 05:43:57 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

enchesss
Re: port forward
« Reply #3 on: July 01, 2015, 12:23:04 AM »
Thanks

The SME is in dedicated server gateway mode

Please see modified initial description

janet
Re: port forward
« Reply #4 on: July 01, 2015, 01:52:36 AM »
Enchesss

From a workstation on the LAN (behind the sme server gateway), open a web browser to www.grc.com & perform a port scan.
You will probably need to do a manual scan after nominating that port 9000 (as it is not included in a standard scan). Have both servers operating for this test.

From what you say port 9000 is closed "somewhere".

Also how is that domain configured on sme server eg did you add it to the Domain panel or did you only set up the port forward for that particular address & port in the port forwarding panel ?


janet
Re: port forward
« Reply #5 on: July 01, 2015, 02:06:23 AM »
If I open a browser to
http://openworldsproject.info/
I get

ERROR: The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: http://openworldsproject.info/
Read Error
The system returned: (104) Connection reset by peer
An error condition occurred while reading data from the network. Please retry your request.
Your cache administrator is webmaster.
Generated Tue, 30 Jun 2015 23:55:21 GMT by tx22rrpep2gb (hpm/3.0.70.2)


If I open a browser to the IP mentioned in the error message (ie http://110.175.1.173) I get

This web site is under construction

which appears to be a sme server standard ibay index file.

It looks like you have a domain setting that is overriding the port forward setting, or otherwise the port forward is incorrect or not been enabled/instigated.

Do you have any thoughts on this as you know the configuration of your sme server & external DNS records.
« Last Edit: July 01, 2015, 02:28:47 AM by janet »

guest22

Re: port forward
« Reply #6 on: July 01, 2015, 02:09:16 AM »
Allow Hosts                       [left blank - not sure about this]

So that would mean no host is allowed to access the service on that port. Maybe you should try to put  '0.0.0.0' in there for testing purposes only.

I could be wrong.

enchesss
Re: port forward
« Reply #7 on: July 01, 2015, 02:14:22 AM »
Thanks

have attempted your suggestions and still not working - even on the localhost, strange.

Will go back to router for further testing

Will try again soon

enchesss
Re: port forward
« Reply #8 on: July 01, 2015, 02:27:00 AM »
Using the router only without the SME server gateway - the openworldsproject.info:9000 works on an opensim viewer such as kokua

If you want to test it you can log in with

username: guest user

password: sme

Will leave it like this until the port forwarding issue is identified


thanks again

janet
Re: port forward
« Reply #9 on: July 01, 2015, 02:32:14 AM »
enchesss

Quote
Will leave it like this until the port forwarding issue is identified

If you revert to an earlier setup, then we cannot really test your non working setup, can we ?

Do you want help or not ?
The faulty system needs to be troubleshot, not a working system
If you keep changing things then you are just wasting our time.

Did you read my earlier posts & suggestions, what is the outcome ?


enchesss
Re: port forward
« Reply #10 on: July 01, 2015, 06:10:07 AM »

the port scan for port 9000 at https://www.grc.com failed


modifying the dns settings to internet servers in the domain settings did not change the outcome - they have been returned to default and are set to resolve locally

the domain settings at crazydomains.com are standard - and have been working without the SME as a gateway

 

So - the problem seems to be my acute lack of knowledge about how to forward ports - using the server-manager

these are the settings in the server manager (that do not work):

Protocol    Source Port(s)    Destination Host IP Address    Destination Port(s)    Allow Hosts    Rule Comment    Action
TCP    9000-9050    internalserverip    9000-9050    0.0.0.0    opensimtcp    Remove
UDP    9000-9050    internalserverip    9000-9050    0.0.0.0    opensimudp    Remove



« Last Edit: July 01, 2015, 06:40:10 AM by enchesss »

janet
Re: port forward
« Reply #11 on: July 01, 2015, 08:41:51 AM »
Enchesss

The domain name does not seem to resolve to your sme server.

Can you please temporarily delete all the port forward settings & advise when they are deleted.

I can then test access using the domain name URL.

Thanks

janet
Re: port forward
« Reply #12 on: July 01, 2015, 09:17:25 AM »
Enchesss

The domain name & IP both resolve to

This web site is under construction.

So in the sme server Domains panel have you configured the domain http://openworldsproject.info to point to an ibay or to the Primary ibay ?


enchesss
Re: port forward
« Reply #13 on: July 01, 2015, 09:35:43 AM »
Yes

openworldsproject.info is resolved to the primary ibay - the website has not been installed yet (will do that if/ after the portforwarding issue is sorted)

Can the

openworldsproject.info:9000

resolve to a second server on the lan using port forward?

« Last Edit: July 01, 2015, 09:52:30 AM by enchesss »

janet
Re: port forward
« Reply #14 on: July 01, 2015, 10:00:23 PM »
enchesss

You should be able to do a port forward

Go to a command prompt on the sme server & show us the output of
db domains show

Then as a test/experiment, then please setup this portforward

Protocol    TCP
Source Port(s)    9000
Destination Host IP Address   localhost
Destination Port(s)     80
Rule Comment    test1-9000to80
Allow Hosts

click Next & click Add

Then go to a command prompt on the sme server & show us the output of
db portforward_tcp show
db portforward_udp show

Finally then open a browser on a external device & see if
http://openworldsproject.info:9000
resolves to the Primary ibay index file

Let us know the outcome of these tests
« Last Edit: July 01, 2015, 10:22:28 PM by janet »

CharlieBrady
Re: port forward
« Reply #15 on: July 01, 2015, 10:16:04 PM »
So that would mean no host is allowed to access the service on that port. Maybe you should try to put  '0.0.0.0' in there for testing purposes only.

I could be wrong.

Yes, you are wrong. The "Allow Hosts" will usually be empty, which means open access. Putting 0.0.0.0 there will mean that only packets with source address 0.0.0.0 will be forwarded, and that's not a valid Source IP address.

There generally won't be any log messages associated with port forwarding problems.

The most likely causes of port forwarding problems are 1) somebody is trying to test from the LAN network (doesn't work - only WAN to LAN traffic works, which implies testing from outside the local network) or 2) the destination device doesn't have the SME server configured as its default gateway, so that reply packets don't pass through SME server.

tcpdump is the most useful tool for troubleshooting port forwarding. Verify that packets are arriving on the SME server WAN interface, verify that the ports are forwarded to the destination IP and port, and verify that reply packets return from the destination device, and verify that those packets are correctly modified and sent back to the original source.

When portforwarding is in use I think you will see entries in /proc/net/ip_conntrack. You can run /usr/sbin/iptstate to visualise the changing state of netfilter expectations.

CharlieBrady
Re: port forward
« Reply #16 on: July 01, 2015, 10:17:07 PM »
You should be able to do a port forward

Go to a command prompt on the sme server & show us the output of
db domains show

Portforwarding doesn't have anything to do with the contents of the domains db.

CharlieBrady
Re: port forward
« Reply #17 on: July 01, 2015, 10:20:55 PM »
have attempted your suggestions and still not working - even on the localhost, strange.

I have no idea what you mean. localhost is not involved in any way with portforwarding. Portforwarding only applies to traffic arriving from the Internet at your WAN address, which you want to be forwarded to a different IP and/or port.

It "just works". If there is a problem, it's because the destination is not configured to deal with the traffic, or is not replying properly (e.g. via the correct default gateway), or somebody doesn't understand it and is testing it wrongly.

janet
Re: port forward
« Reply #18 on: July 01, 2015, 10:25:56 PM »
Portforwarding doesn't have anything to do with the contents of the domains db.

Yes I realise that Charlie, I just wanted to see if the domain is configured on that server.

janet
Re: port forward
« Reply #19 on: July 01, 2015, 10:27:24 PM »
enchesss

You should be able to do a port forward

Go to a command prompt on the sme server & show us the output of
db domains show

Then as a test/experiment, then please setup this portforward

Protocol    TCP
Source Port(s)    9000
Destination Host IP Address   localhost
Destination Port(s)     80
Rule Comment    test1-9000to80
Allow Hosts

click Next & click Add

Then go to a command prompt on the sme server & show us the output of
db portforward_tcp show
db portforward_udp show

Finally then open a browser on a external device & see if
http://openworldsproject.info:9000
resolves to the Primary ibay index file

Let us know the outcome of these tests

enchesss
Re: port forward
« Reply #20 on: July 02, 2015, 12:37:17 AM »
Hi Janet

# db domains show
openworldsproject.info=domain
    Content=Primary
    Description=Primary domain
    Nameservers=localhost
    Removable=no
    SystemPrimaryDomain=yes

configured port forward rule as you suggested

# db portforward_tcp show
9000=forward
    AllowHosts=
    Comment=port 9000-80 testing
    DenyHosts=
    DestHost=localhost
    DestPort=80

openworldsproject.info:9000 now resolved to primary ibay


The website https://www.grc.com also now says that the port is open

something interesting using: http://superuser.com/questions/621870/test-if-a-port-on-a-remote-system-is-reachable-without-telnet

# cat < /dev/tcp/127.0.0.1/9000
-bash: connect: Connection refused
-bash: /dev/tcp/127.0.0.1/9000: Connection refused

more curious

# nc 127.0.0.1 9000 < /dev/null; echo $?
1

So in effect - these commands say that the port is closed?
« Last Edit: July 02, 2015, 12:55:13 AM by enchesss »

Stefano
Re: port forward
« Reply #21 on: July 02, 2015, 12:55:24 AM »
now edit the rule to forward the traffic toward the internal machine and try again.. from an external machine (i.e. from WAN side)

if it doesn't work, check on the internal machine too.. maybe it's firewall or an internal rule is blocking traffic coming from WAN..

finally, double check, as Charlie suggested, that the internal server has SME IP as gateway

enchesss
Re: port forward
« Reply #22 on: July 02, 2015, 12:56:28 AM »
Please see previous modified post - it still does not forward to internal host on port 9000 (or any other port) from external
« Last Edit: July 02, 2015, 12:58:13 AM by enchesss »

Stefano
Re: port forward
« Reply #23 on: July 02, 2015, 12:57:59 AM »
please DON'T edit posts, write a new one.. you (generally speaking) can't expect me (generally speaking) to RE READ all the topic

that's a bad habit.

janet
Re: port forward
« Reply #24 on: July 02, 2015, 12:58:31 AM »
enchesss

Quote
openworldsproject.info:9000 now resolved to primary ibay
The website https://www.grc.com also now says that the port is open

OK that is a good result, it proves external settings are correct, & that your modem/router is not interfering, & that sme server is handling a port forward OK.

Charlie made a good point about your second server being configured to use the sme server as its gateway (rather than directly to outside or to your modem/router).
"If there is a problem, it's because the destination is not configured to deal with the traffic, or is not replying properly (e.g. via the correct default gateway)....."

Please check & correct that setting to point at sme server for Internet access.

Then configure a port forward like:
Protocol    TCP
Source Port(s)    9000
Destination Host IP Address   local LAN IP of 2nd apache server
Destination Port(s)
Rule Comment    opensim9000to9000
Allow Hosts

that is all you should need to configure for it to work.

enchesss
Re: port forward
« Reply #25 on: July 02, 2015, 01:04:08 AM »
Hi Janet

It still does not work

The local server has always had the SME set as the gateway

As previously indicated - when it is set to use the modem - it works well

I have tested the ports using: http://superuser.com/questions/621870/test-if-a-port-on-a-remote-system-is-reachable-without-telnet


for the SME server:

# cat < /dev/tcp/127.0.0.1/9000
-bash: connect: Connection refused
-bash: /dev/tcp/127.0.0.1/9000: Connection refused

more curious

# nc 127.0.0.1 9000 < /dev/null; echo $?
1

to double check - testing the web port 80:

nc 127.0.0.1 80 < /dev/null; echo $?
0

says that the web port 80 is open

from the sme to LAN server:

# nc LANipaddress 9000 < /dev/null; echo $?
0

this indicates that the LAN server port 9000 is open, however the SME port 9000 is closed

So in effect - these commands say that port 9000 is still closed?

« Last Edit: July 02, 2015, 01:06:49 AM by enchesss »

Stefano
Re: port forward
« Reply #26 on: July 02, 2015, 01:12:34 AM »
the service running on lan and listening on 9000 does accept packets coming from a WAN address?

for example, in a SME in  server and gateway mode, we can have something running on port XXX but that port is available only from internal IP.. and that's not only a FW rule, but also a host.deny rule (IIRC)

so, in the end, did you check the configuration on the internal server? I don't need to know if the service is running and listening on port 9000, I (no, wait, YOU) must be sure that it's listening on port 9000 and available for any address

CharlieBrady
Re: port forward
« Reply #27 on: July 02, 2015, 01:18:53 AM »
So in effect - these commands say that port 9000 is still closed?

Please take more time to read and understand the messages we are posting for you to read here.

You can only test portforwarding by connecting via the Internet to your WAN interface. This is because port-forwarding only applies for packets arriving from the Internet to your WAN interface.

Is that not clear enough for you?

port 9000 on the localhost interface shows as closed because no service is listening on it. However, if you try to access port 9000 on the WAN IP address via the WAN interface, then the connection will be port-forwarded to localhost:80, which *is* open (if/when you configured the portforwarding suggested by janet).

I told you to use tcpdump. Have you done so? We told you to check the default gateway setting on your opensim system. Have you done so? Have you checked the port 9000 is open on that system? You can use telnet, you don't need to use cat.
« Last Edit: July 02, 2015, 01:29:08 AM by CharlieBrady »

enchesss
Re: port forward
« Reply #28 on: July 02, 2015, 02:49:49 AM »
Hi CharlieBrady

To summarise the situation

If the SME server is removed and the modem is used as a gateway - the local opensim server is accessible from the internet via NAT virtual server settings that forward port 9000 to the opensim local ip address on port 9000 in the modem. This works perfectly.

When the SME server is used as a gateway - there is no access to the opensim server via the internet (on port 9000 or 80)

there is also no access to opensim via the opensim viewer that uses port 9000 via the local network ip addresses

and also there is no access to the opensim viewer that uses port 9000 on the actual server [previously referred to as the 'localhost'] (which is a ubuntu desktop)


This may not be the SME server, however, when it is removed - things work really well.

I have examined tcpdump using -nXS from here: https://danielmiessler.com/study/tcpdump/

There is nothing obvious in the data there - not that I am sure what to look for.

The https://www.grc.com website says that port 9000 is open on the SME server

Telnet opensimserver_ip 9000

says connected

however

telnet SMEserver_ip 9000

says telnet: Unable to connect to remote host: Connection refused

from both the SME and the opensimserver



other information:

from another LAN workstation:

using web browser - http://opensim_ip

i get the apache page

using web browser - http://opensim_ip:9000

i get the opensimwebpage


using web browser - http://openworldsproject.info:9000

no access

the latter of these is also not accessible from internet - though I think it should be


regards
« Last Edit: July 02, 2015, 02:56:47 AM by enchesss »

enchesss
Re: port forward
« Reply #29 on: July 02, 2015, 03:53:47 AM »
Thank you everyone

Testing the SME server from an external IP (at a friends house) - and everything works.

Still some problems becuase no access to the opensim server is achieved locally yet

Should I label this as resolved ??

I am unable to access opensim locally at this stage - not a sme9 issue - though - or is it?


« Last Edit: July 02, 2015, 04:02:48 AM by enchesss »

CharlieBrady
Re: port forward
« Reply #30 on: July 02, 2015, 05:22:39 AM »
however

telnet SMEserver_ip 9000

says telnet: Unable to connect to remote host: Connection refused

from both the SME and the opensimserver

Please read again what I have written earlier. It seems you are still not understanding what I have written.

janet
Re: port forward
« Reply #31 on: July 02, 2015, 06:33:28 AM »
enchesss

Port forwarding does not provide a method for connecting to your second server from workstations on the LAN (behind sme server).
You have been told why this is so a number of times in this thread.
Port forward ONLY works from external WAN sources to the LAN destination. It cannot forward internal LAN to LAN traffic.
You need to address the 2nd server using the LAN IP eg
http://192.168.2.18:9000

This is no longer a sme server issue. Port forwarding appears to be working correctly now.

Your problem is a network configuration issue.

Maybe you would be better off putting opensim onto sme server or perhaps proxy passing the whole domain to the second server, see FAQ for proxy pass.


enchesss
Re: port forward
« Reply #32 on: July 02, 2015, 06:54:41 AM »
Janet,

Apologies for the frustration (You have been told why this is so a number of times in this thread.)

however

I am still not able to access the opensim through the viewer by putting the localip address e.g. http://localip:9000

It says socket time out and seems to be getting blocked by the SME server

This means that currently there is no access to opensim on the local network - even from the host itself - because SME is blocking it

not sure if it is a network configuration issue -  can you explain where to find more info about this


Also - they are great suggestions about using a proxy pass

If you know how to install mono on SME to be able to run opensim then please point me in the right direction




stephdl
Re: port forward
« Reply #33 on: July 02, 2015, 07:29:43 AM »
Also - they are great suggestions about using a proxy pass

If you know how to install mono on SME to be able to run opensim then please point me in the right direction
http://wiki.contribs.org/Mono
&
http://wiki.contribs.org/SME_Server:Documentation:ProxyPass

Please if you can get something workable, can you upgrade the mono howto (not relevant yet to sme9)
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

enchesss
Re: port forward
« Reply #34 on: July 02, 2015, 07:51:43 AM »
Thanks Stefano

The Mono contribs is out of date and the links no longer work - hence running a second server

Will have a go at the proxy pass - but still confused about this (and the need for it)

Is there any way to get access on the LAN to the opensim in the meantime?

work needs to be completed on it soon





janet
Re: port forward
« Reply #35 on: July 02, 2015, 08:18:27 AM »
enchesss

Remove the port forward, remove the domain from the Domains panel & configure the proxy pass as per FAQ link.
It should take all of 5 minutes to do, so you will get an answer quickly.

Quote
Is there any way to get access on the LAN to the opensim in the meantime?

If still persisting with the port forward, then use whatever method (URL) that is accessible on the second server eg
http://localIP/opensim (or whatever).
If proxy pass works OK, then just use the same URL as you would use externally eg http://domainname/opensim


enchesss
Re: port forward
« Reply #36 on: July 02, 2015, 08:35:54 AM »
Janet

I would like to 'persist' with the port forward because currently the server is working well from the internet.

However there is currently no way to access opensim (using the opensim viewer) from the local network

by using the LAN_ip_address:9000 of the opensim server

Very confused -

can i set up a route? or masq?



Daniel B.
Re: port forward
« Reply #37 on: July 02, 2015, 08:52:37 AM »
I would like to 'persist' with the port forward because currently the server is working well from the internet.
You should define more clearly what's setup, what's working and what is not, 'cause nothing is clear to me. Here you're saying it's working from the outside
However there is currently no way to access opensim (using the opensim viewer) from the local network
by using the LAN_ip_address:9000 of the opensim server

And here that it's not working from the LAN. If it's working from the outside then your port forward is already set up, and working. To access it from the LAN itself, SME is not involved at all, clients talk directly to the end box running your app, so you have to debug why opensim isn't responding on port 9000 (which is nonsense: why would it accept connections from the outside and not from the LAN?)

enchesss
Re: port forward
« Reply #38 on: July 02, 2015, 08:58:47 AM »
Thanks

The opensim server is accessible from the internet but not from the LAN - using the opensim viewer

I have absolutely no idea why

my only suggestion is that it is being blocked by the SME because it is the gateway and when I was using a modem/ router previously as the gateway - the opensim viewer worked well from the internet and the LAN


Daniel B.
Re: port forward
« Reply #39 on: July 02, 2015, 09:04:02 AM »
Nothing is being blocked by SME because SME is not (or should not be) involved. My guess is that in the opensim viewer, you have set up WAN_IP:9000 instead of LAN_IP:9000 to reach the server, so packets are directed to the SME server, which has nothing running on port 9000, and as the packet isn't coming from the WAN side, the port forwarding isn't applied. Your old modem probably included a NAT reflection mechanism (which can apply port forwarding also from the inside), which could explain why it was working before. Anyway, you should just use a correct DNS name/IP from the LAN and it'll work. If you want it to work from both inside and outside, you should set up your domain in such a way that the same name resolves to the public WAN IP from the outside, and to the LAN IP from the inside

janet
Re: port forward
« Reply #40 on: July 02, 2015, 11:10:18 AM »
enchesss

Quote
......when I was using a modem/ router previously as the gateway - the opensim viewer worked well from the internet and the LAN

Because there was no second server involved.
If everything was installed on sme server, you would not have any problem.

Quote
I would like to 'persist' with the port forward because currently the server is working well from the internet.

You need to use a different arrangement if you want the same URL to resolve from externally & internally when you are using 2 servers.

I suspect proxy pass may work & it will take you 5 minutes to find out.
You can easily & quickly revert to the port forward if proxy pass does not work as expected.

Remember the old saying, You can lead a horse to water, but you cannot make it drink !
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #41 on: July 02, 2015, 02:26:21 PM »
Maybe you would be better off putting opensim onto sme server or perhaps proxy passing the whole domain to the second server, see FAQ for proxy pass.

Proxy pass only works for http and https traffic. AFAIK, opensim isn't http.

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #42 on: July 02, 2015, 02:27:36 PM »
The opensim server is accessible from the internet ...

Which means that port forwarding is working, and you have been wasting our time...

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #43 on: July 02, 2015, 03:52:05 PM »
Well - if I have been wasting your time - then I apologise for that

However - my concern is that there is still no way to demonstrate that I have been wasting your time because that comment implies that I have purposely sought to distract you - or - recklessly provided you with wrong information. Which I have not.

In fact - I have diligently followed your instructions - and still have several issues that will prevent the use of a SME server from being used because no solution has been provided.

If the port forwarding settings in the SME server-manager behaved as the port forwarding settings in the router - then there would be no problem, but they do not.

If your time has been wasted then - sorry - but I do not have a working solution - so maybe we can all benefit from learning how to fix it - otherwise - I can just return to the modem


Offline Daniel B.

  • *
  • 1,699
  • +0/-0
    • Firewall Services, network security
Re: port forward
« Reply #44 on: July 02, 2015, 03:57:56 PM »
You should just have started with the fact that the port forwarding is working (because access is working from the outside). Now, it looks like you expect portforwarding to work also from the LAN, but this shouldn't be needed. As explained, it was working before 'cause your modem has a NAT reflection mechanism, which is not the same as NAT (and IMHO, it was more working by accident than by design). A solution has been provided: from the LAN, clients should point directly to the internal machine running the opensim server, instead of pointing at the SME server itself. You can do this either by changing the IP to the internal one, or by using a DNS name which, from the outside, resolves to the SME Server's WAN IP (so that it'll pass through the port forwarding), and, from the inside, resolves directly to the opensim server's LAN IP
It's the end of the world!!! :lol:

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #45 on: July 02, 2015, 04:23:34 PM »
A solution has been provided: from the LAN, clients should point directly to the internal machine running the opensim server, instead of pointing at the SME server itself. You can do this either by changing the IP to the internal one, or by using a DNS name which, from the outside, resolves to the SME Server's WAN IP (so that it'll pass through the port forwarding), and, from the inside, resolves directly to the opensim server's LAN IP

This is a standard solution, called split horizon DNS.

https://en.wikipedia.org/wiki/Split-horizon_DNS

You configure opensim.your.domain in SME server for the LAN to use, and in your external DNS for Internet users to use. The former points to your LAN opensim server, and the latter to your SME server WAN address.

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #46 on: July 02, 2015, 04:25:55 PM »
Hi Daniel

Sorry for the confusion - however it was not possible to start with the fact that port forwarding is working because this was not evident until I went to another network/ premises and opensim is/ was not accessible from any workstation on the local LAN - leading to incorrect conclusions about the problem.

Attempts have been made at both of the suggestions that you provide and unfortunately they do not work.

Placing the internalip in the address bar for the opensim viewer results in connection refused

Setting up a DNS name has not been successful either because of a lack of knowledge about how to do it.

Thanks for your suggestions

I am reading about some similar experiences with others - but again they are stuck too and have not resolved the issue

It is not an easy one

If as you suggest - the router has extra capabilities with NAT reflection then that is new to me.

You may be right - that it was working by mistake - however the router has been set up like this on purpose for remote shell and opensim access. So an accident is unlikely - though considered.

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #47 on: July 02, 2015, 05:01:38 PM »
Placing the internalip in the address bar for the opensim viewer results in connection refused

If you mean by "internalip" the LAN IP address of the SME server, then this is not surprising, since SME server is not running opensim. You should be using the opensim server's IP address. And if that's not working, then I have no idea why not, but it probably has nothing to do with the SME server.

Quote
If as you suggest - the router has extra capabilities with NAT reflection then that is new to me.

That would be new to me too. But I know nothing about your router or what was happening when things were apparently working.

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #48 on: July 02, 2015, 05:05:05 PM »
Sorry for the confusion - however It was not possible to start with the fact that port forwarding is working ...

And yet you were prepared to start with this (false) statement:

  The port forwarding settings in the server manager are not working.

If instead of that statement, you had started with "I am trying to do X, but instead of seeing Y I see Z", then you wouldn't have wasted your time and ours.

Please read this excellent essay:

http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #49 on: July 02, 2015, 05:23:29 PM »
Hi CharlieBrady

Following your advice:

a new hostname was added in the server-manager console called opensim

the result is:

opensim.openworldsproject.info

It is set to resolve local and points to the opensim server ip address on the local network

the internet dns sub domain has also been set up:

opensim.openworldsproject.info

and this points to the SME server WAN address

The opensim server html is accessible via opensim.openworldsproject.info:9000 externally (from outside the LAN - a friends house) - but not internally on the local LAN

The result is the same as before - access from the internet but not locally (PROBLEM 1)



Also (as stated before)

access to the opensim server's web error page (that says "Ooops The page you requested has been obsconded with by knomes. Find hippos quick!") on port 9000 via a web browser can be achieved locally with an ip address, however

the localip address does not work in the opensim viewer and says connection refused while completing a region handshake (PROBLEM 2)

Do you think that the two problems are related?

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #50 on: July 02, 2015, 05:29:05 PM »
The opensim server html is accessible via opensim.openworldsproject.info:9000 externally (from outside the LAN - a friends house) - but not internally on the local LAN

The result is the same as before - access from the internet but not locally (PROBLEM 1)

That sounds like your client system (where you are running the browser) is using Internet DNS servers for name resolution, rather than using SME server.

Quote
the localip address does not work in the opensim viewer and says connection refused while completing a region handshake (PROBLEM 2)

I know nothing about opensim viewers or region handshakes or whatever protocols they are using. This is an opensim problem, and you'll need opensim knowledgeable people to troubleshoot.

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: port forward
« Reply #51 on: July 02, 2015, 05:47:11 PM »
ok..

@all: please be polite

to OP:
- please remember we don't know anything about your server, setup, environment nor do we see your screen.. so, you are our eyes and you can't expect us to understand what you mean; please be verbose, give all the needed info
- please remember this is a forum, not a helpdesk.. we (all of us) try to help everybody doing our best to help

@all, finally: please stop being impolite, keep the topic IT or it will be locked, thank you

Offline ReetP

  • *
  • 3,742
  • +5/-0
Re: port forward
« Reply #52 on: July 02, 2015, 06:37:09 PM »
Enchess,

Please note that the people here are all volunteers and will do their best to help you. Most are mighty experienced and knowledgeable, and have been working on and administering SME and Linux servers for many many years. Charlie was one of the original coders at esmith and has probably forgotten more than the rest of us know !

As has been pointed out, none of us can see your actual hardware. We can only go methodically through the issues and eliminate them bit by bit.

They do not ask questions just to entertain you or annoy you - they are trying to get to the root cause of the issue so they can help you (it was you who came asking for help remember), and there IS a method in all this, as I have learned myself. Making guesses or assumptions (Ass U Me etc) is the surest way to annoy people and waste their time chasing ghosts. You have to be logical and methodical.

FWIW I think you are misunderstanding something fundamental here that has been explained. Your SME box will ONLY forward packets that are destined to go out of the network LAN -> WAN or come in to the network WAN -> LAN. It won't affect ANYTHING that passes locally on your LAN e.g. LAN -> LAN

You can check that by disconnecting the SME server from your switch and then trying to connect to your opensim box or a.n.other box on your LAN using its IP (ping first to make sure they respond). If they do not respond, you have a different issue, and it is not a problem with the SME box.

The only thing that the SME box may try and do NOW is resolve the DNS for you since you set up the domain names on it. However, what DNS settings do the clients use ? If they are set to say use Google, they will ignore anything that SME tries to tell them.

What happens on a desktop if you try and ping the opensim box? What IP gets returned ?

Quote
a new hostname was added in the server-manager console called opensim

the result is:

opensim.openworldsproject.info

It is set to resolve local and points to the opensim server ip address on the local network

the internet dns sub domain has also been set up:

opensim.openworldsproject.info


Are you sure that is correct ?

Me making a few assumptions...

Your SME box is called smeserver.mydomain.com on your network say 192.168.100.1

Your opensim box is called opensim.mydomain.com 192.168.100.2

In the Hostnames settings of your SME you should have one host called opensim pointing to the local IP of the opensim box - 192.168.100.2

(Your portforward (for traffic WAN -> LAN) should be pointing at 192.168.100.2. But we believe that is working correctly.)

You should then be able to LOCALLY resolve the opensim box (assuming the desktops use SME for DNS queries)

I do not think you need a 'subdomain' anywhere on SME.

It will help if you can post some idea of your network layout and IP address ranges, domain settings etc. so we can visualise what is going on.

B. Rgds
John

President, Koozali Foundation
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #53 on: July 02, 2015, 07:47:55 PM »
Hi John

Everyone's help is appreciated greatly (and respected). Regarding your queries:

The main difficulty is figuring out why the local LAN access to the opensim server works [via http://openworldsproject.info:9000] in the opensim viewer [kokua] when a modem router is used but not when the SME is used.

Using the SME server - external access to the opensim server has been achieved via port forwarding using kokua and the address openworldsproject.info:9000 - something that was not evident from behind the SME

This was not evident from behind the SME on the local LAN because the opensim viewer does not work from LAN clients using these suggested addresses:

opensim_IPADDRESS:9000
openworldsproject.info:9000
opensim.openworldsproject.info:9000
external_IPADDRESS:9000

hence the initial concern about there being a problem with port forwarding.

It is not clear to me what the actual problem is - however - when doing

Quote
check that by disconnecting the SME server from your switch

a modem/ router replaces the SME as a gateway (with port forwarding configured) and access from internal LAN and external internet clients to the openworldsproject:9000 is working

If this is a DNS issue - testing the clients to use the SME as the DNS nameserver has not helped despite adding "opensim" as a hostname

e.g. in Hostnames and addresses:

opensim.openworldsproject.info    Local    opensim_IPADDRESS         opensim    Modify    Remove


Quote
What happens on a desktop if you try and ping the opensim box. What IP gets returned ?

[root@openworldsprojectserver ~]# ping opensim.openworldsproject.info
PING opensim.openworldsproject.info (opensim_IPADDRESS) 56(84) bytes of data.
64 bytes from opensim.openworldsproject.info (opensim_IPADDRESS): icmp_seq=1 ttl=64 time=0.911 ms
64 bytes from opensim.openworldsproject.info (opensim_IPADDRESS): icmp_seq=2 ttl=64 time=1.15 ms


If it is a dns issue - hopefully it can be fixed -

Should it be marked as resolved/ renamed - more clarity provided in the name?

Hope this helps and finds you well

« Last Edit: July 02, 2015, 08:37:01 PM by enchesss »

Offline ReetP

  • *
  • 3,742
  • +5/-0
Re: port forward
« Reply #54 on: July 02, 2015, 08:38:14 PM »
Without knowing anything about opensim I think you are chasing ghosts with SME/routers.

My suggestion would be to disconnect both the SME server and any other internet access from your switch and then figure out why your opensim server is refusing access from local LAN clients as that is most likely where your issue lies.

Connecting from outside (WAN->LAN) clearly works and the SME box is doing what it was designed to do and the port forwarding seems to be working OK.

However, the SME box will NOT affect ANYTHING on your local LAN barring DNS queries. The fact opensim appears to work with your router is most likely a red herring and as previously suggested, you probably 'got lucky' and the router is doing something it probably shouldn't be :-)

If your opensim box is set up correctly you should be able to disconnect ALL outside access and connect using a local IP from a local client. If you can't (which seems to be the case) then the issue is with opensim and not SME.

So my suggestion is disconnect SME from your switch, do not connect any other device such as a router so as to make sure you isolate the issue to the LAN, and then figure out what opensim is doing by accessing it solely with its IP address. Have you checked the opensim logs ?

If you can't access it with 192.168.10.31:9000 then it is opensim or possibly the client that has the issue, and that is where you should be looking.

Once you can do that I think you will be able to connect up SME and it all will work fine.

At a quick glance here http://opensimulator.org/wiki/Network_Settings I suggest you look at your network settings as that is the most likely source of issues.

HTH

B. Rgds
John

President, Koozali Foundation
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: port forward
« Reply #55 on: July 02, 2015, 10:05:58 PM »
enchesss

Just checked access to your opensim site (from externally obviously on an Android phone).

Using either
http://openworldsproject.info:9000/
Or
http://opensim.openworldsproject.info:9000/

I get:

Ooops!
The page you requested has been obsconded with by knomes. Find hippos quick!
If you are trying to log-in, your link parameters should have: "-loginpage http:///?method=login -loginuri http:///" in your link

That seems to be similar/same as the error you receive when you say you try local access to your opensim server (via I assume the hostname setup on sme server).

If both external access & internal access give a same/similar message, then perhaps there is some additional configuration required in opensim itself, as per the suggestion given in the error message.

I know nothing about opensim & the viewers etc, so cannot help or suggest further re what to configure in opensim or the viewer.

Google is your friend, and/or an opensim experienced user forum may be a good place to ask.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: port forward
« Reply #56 on: July 02, 2015, 10:27:24 PM »
enchesss

It appears to be a default web page.
http://opensim-users.2152040.n2.nabble.com/Default-OpenSim-web-page-td5435053.html

If so then access appears to be working (for both external & internal).

Maybe you need to read more about using opensim.

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward [CLOSED]
« Reply #57 on: July 03, 2015, 01:23:53 AM »
Thanks Janet

Please close this thread.

John (ReetP) has suggested that removing the sme and router for testing is the place to start

The messages that you have seen is because the sme has been removed

Apologies for the confusion.

Will check the opensim groups too - but at least as you say - it is working now.

OpenSim is working internally and externally - verified using the TPLINK TD-W8960N router.

Settings are in the:

NAT -- Virtual Servers Setup - it says

Virtual Server allows you to direct incoming traffic from WAN side (identified by Protocol and External port) to the Internal server with private IP address on the LAN side.
The Internal port is required only if the external port needs to be converted to a different port number used by the server on the LAN side.
A maximum 32 entries can be added manually.
A maximum 64 entries can be added by UPnP clients.
 
Server Name:               virtualworlds
External Port Start/End:   9000 / 9050
Protocol:                  TCP/UDP
Internal Port Start/End:   9000 / 9050
Server IP Address:         opensimip
WAN Interface:             ppp0.2
Status:                    Enabled

« Last Edit: July 03, 2015, 01:44:58 AM by enchesss »

Offline ReetP

  • *
  • 3,742
  • +5/-0
Re: port forward [CLOSED]
« Reply #58 on: July 03, 2015, 08:21:11 AM »
Thanks Janet

Please close this thread.

John (ReetP) has suggested that removing the sme and router for testing is the place to start

Best place to start. If opensim does not work correctly on your LAN with IP addresses then it is misconfigured and you need to understand why.

Quote
Will check the opensim groups too - but at least as you say - it is working now.

OpenSim is working internally and externally - verified using the TPLINK TD-W8960N router.

Have you tested with IPs and with SME and the router disconnected ?

If not then you haven't actually fixed the problem, just gone back to where you were before !

Quote
NAT -- Virtual Servers Setup - it says

And port forwarding in SME would do exactly the same thing.

Did you actually test as I suggested ?

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #59 on: July 03, 2015, 10:08:32 AM »
Hi John,

Sorry for the delay

Quote
Have you tested with IPs and with SME and the router disconnected

Thank you and your suggestion does reproduce the issue and there is no access to opensim when the modem/ router is unplugged from the network

the clients can ping the opensim server and see the web browser error page at http://opensimip:9000

For opensim there is a regions file where the external ip address has to be configured - I will pursue this

BR

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #60 on: July 03, 2015, 10:48:38 AM »

Hopefully, this is the problem:

http://opensimulator.org/wiki/FAQ

Connecting to OpenSimulator

Quote
I've set up my OpenSimulator server and it looks like the login works but the client hangs on 'connecting to region' ... etc ... then you probably don't have a router that supports NAT loopback ...

I need to set up SME to do this if possible -- and hopefully this can be done using the dns solution provided earlier


Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: port forward
« Reply #61 on: July 03, 2015, 03:19:10 PM »
first of all, let me say that usually a client machine should not connect to another internal client using WAN address.. that's bad..

in any case, as you already found, you need NAT loopback working on SME.. I think you can achieve it with a custom template..

you'd find the right IPTABLES syntax and then adapt it; find them, try them directly.. if they work properly, let's work on a custom fragment/template

Charlie and others: I'm not an iptables guru and I've no experience with them.. if OP finds the right rules, would you mind helping him? :-)
TIA

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #62 on: July 04, 2015, 02:07:01 AM »
Hi Stefano,

Using IPTABLES to create a template for NAT Loopback would be great.

Just a thought though ...

Would it be better to direct focus on getting mono (and opensim) to run on the SME.

This would be a better solution for most people because they could then just use SME instead of two servers - and the NAT loopback would not be needed.

The Mono contribs links do not work.

There are some CentOS packages

http://www.mono-project.com/docs/getting-started/install/linux/

- but am not sure about their installation re: breaking SME in the process


Also - it would be good to run the mono instance of opensim in an ibay ??? Is this possible?


I am also working on an IPTABLES/ Masq solution.

Please be aware that atm the router is being used until opensim can temporarily be moved off site to work on the SME

Regards
« Last Edit: July 04, 2015, 02:08:33 AM by enchesss »

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #63 on: July 04, 2015, 02:14:31 AM »
Hi Stefano,

Using IPTABLES to create a template for NAT Loopback would be great.

Just a thought though ...

Would it be better to direct focus on getting mono (and opensim) to run on the SME.

This would be a better solution for most people because they could then just use SME instead of two servers

however NAT loopback will still be an issue and as you say:

Quote
first of all, let me say that usually a client machine should not connect to another internal client using WAN address.. that's bad..

the NAT loopback would still be needed because opensim requires it.

Is there any way around this - if opensim is running on the sme?

e.g. by using a proxy (or DNS) to force the LAN clients to resolve the external ip to local sme ip from LAN?


To run opensim on the SME - mono is needed
 
The Mono contribs [http://wiki.contribs.org/Mono] links do not work.

There are some mono CentOS packages

http://www.mono-project.com/docs/getting-started/install/linux/

- but am not sure about their installation re: breaking SME in the process


Also - it would be good to run the mono instance of opensim in an ibay ??? Is this possible?


I am also working on an IPTABLES/ Masq solution. Using the information from here:

http://opensimulator.org/wiki/NAT_Loopback_Routers


Please be aware that atm the router is being used until opensim can temporarily be moved off site to work on the SME

Regards
« Last Edit: July 04, 2015, 03:47:55 AM by enchesss »

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #64 on: July 04, 2015, 04:07:47 AM »
Using IPTABLES to create a template for NAT Loopback would be great.

What is "Nat loopback"?

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #65 on: July 04, 2015, 04:08:50 AM »

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #66 on: July 04, 2015, 05:09:04 AM »
http://opensimulator.org/wiki/NAT_Loopback_Routers

I don't see a definition or description there. Nor do I see why you would want or need it if you have split horizon DNS.

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #67 on: July 04, 2015, 05:11:34 AM »
The definition or description is under the heading:

Linux specific solutions

SETTING UP A LINUX COMPUTER TO ACT AS A ROUTER

this is the 3rd last heading on the page


Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #68 on: July 06, 2015, 06:29:29 PM »
The definition or description is under the heading:

Linux specific solutions

No, that is just an iptables script. It's neither a description, nor a definition. It's a tautology to say that the script is a definition.

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: port forward
« Reply #69 on: July 06, 2015, 06:48:59 PM »

Offline ReetP

  • *
  • 3,742
  • +5/-0
Re: port forward
« Reply #70 on: July 06, 2015, 08:36:19 PM »
Blimey stefano.. you're getting brave! :-D
« Last Edit: July 06, 2015, 08:47:11 PM by Stefano »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: port forward
« Reply #71 on: July 06, 2015, 08:47:35 PM »
only older but not wiser, my friend

[sorry, I edited your post, Reetp, my fault.. ]

Offline ReetP

  • *
  • 3,742
  • +5/-0
Re: port forward
« Reply #72 on: July 06, 2015, 08:49:31 PM »
Hehehe..

As they say...

It is a wise man who has second thoughts first

:-)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #73 on: July 07, 2015, 01:55:40 PM »

Offline enchesss

  • **
  • 69
  • +0/-0
Re: port forward
« Reply #74 on: July 07, 2015, 02:57:31 PM »
What type of tautology?
https://en.wikipedia.org/wiki/Tautology

Would it be logical or truthful to suggest adding a toggle switch in the server-manager console that implements an nftables route or masq or iptables script?

https://en.wikipedia.org/wiki/Nftables

or just a philosophically sound suggestion?
« Last Edit: July 07, 2015, 03:06:01 PM by enchesss »

Offline ReetP

  • *
  • 3,742
  • +5/-0
Re: port forward
« Reply #75 on: July 07, 2015, 03:48:37 PM »
Would it be logical or truthful to suggest adding a toggle switch in the server-manager console that implements an nftables route or masq or iptables script?

or just a philosophically sound suggestion?

Sound but has to be balanced with practicality... :-) I haven't seen people clamouring for this as a feature... !

First we use iptables, not nftables

Next, as the FAQ at Opensim says :

"Many DSL routers/modems prevent loopback connections as a security feature."

So it may be opening you up to other issues. I think personally I'd ask Opensim to change their code, but hey ho.

Finally there is an example script for iptables rules at opensim - DON'T use it on SME as you will break your firewall. This is a guide so you can see the sort of rules that need templating to make it work. And then you need to write a server panel entry for it....

Code:
#!/bin/bash
#
# vvvvv - Fix these! - vvvvv
IPTABLES=/usr/sbin/iptables
LAN_NETWORK=192.168.0.0/24
SERVER_IP=192.168.0.2
INTERNET_IP=100.100.100.100
REMOTING_PORT=8895
REGION_PORT=9000
# ^^^^^ - Fix these! - ^^^^^
 
# First, the Destination NAT, anything going to the external address on our ports, we redirect to the server
# Note, if you have a double NAT running and this router doesn't actually have the internet IP address, you'll
# need another set of PREROUTING-DNAT lines with the --destination (-d) set to the internet facing private address
$IPTABLES -t nat -I PREROUTING -d $INTERNET_IP -p tcp --dport $REMOTING_PORT --jump DNAT --to-destination $SERVER_IP
$IPTABLES -t nat -I PREROUTING -d $INTERNET_IP -p udp --dport $REGION_PORT --jump DNAT --to-destination $SERVER_IP
$IPTABLES -t nat -I PREROUTING -d $INTERNET_IP -p tcp --dport $REGION_PORT --jump DNAT --to-destination $SERVER_IP
 
# Second, the Source NAT, we need this so that returning packets to our LAN clients go back through the router first,
# otherwise, the server will try to talk directly to the client and the client will reject them
$IPTABLES -t nat -I POSTROUTING -s $LAN_NETWORK -d $SERVER_IP -p tcp --dport $REMOTING_PORT --jump SNAT --to-source $INTERNET_IP
$IPTABLES -t nat -I POSTROUTING -s $LAN_NETWORK -d $SERVER_IP -p udp --dport $REGION_PORT --jump SNAT --to-source $INTERNET_IP
$IPTABLES -t nat -I POSTROUTING -s $LAN_NETWORK -d $SERVER_IP -p tcp --dport $REGION_PORT --jump SNAT --to-source $INTERNET_IP

Sounds like we need Stephane on the job :lol:

Yes, it might be nice to have, but the security implications need to be considered as we don't mess with firewalls lightly. It will also take a bit of coding to implement and we don't have a massive amount of resources to dedicate to a request that seems a bit of a one off.

You are more than welcome add a NFR bug, and to code it yourself ;-)

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 3,742
  • +5/-0

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #77 on: July 07, 2015, 04:33:15 PM »
What type of tautology?
https://en.wikipedia.org/wiki/Tautology

I guess I meant 'circular definition'. What does the script do? "NAT loopback". What is "NAT loopback"? It's what the script does.

But we have an independent definition now, and it sounds like it could be added without breaking anything we have right now, and would be a good addition. But we would need to understand this "security feature" comment before we go there.

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #78 on: July 07, 2015, 04:34:46 PM »
So it may be opening you up to other issues. I think personally I'd ask Opensim to change their code, but hey ho.

I agree that this is a bug in opensim. It should "just work" - not depend on some obscure feature of a router which is unlikely to be present and working.

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: port forward
« Reply #79 on: July 07, 2015, 05:02:30 PM »
Quote
"Many DSL routers/modems prevent loopback connections as a security feature."

and that's the way things should work..

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: port forward
« Reply #80 on: July 07, 2015, 05:19:24 PM »
Quote
Yes, it might be nice to have, but the security implications need to be considered as we don't mess with firewalls lightly. It will also take a bit of coding to implement and we don't have a massive amount of resources to dedicate to a request that seems a bit of a one off.

I think that it should not be a SME's feature.. this is a kind of customization one user needs to make something work.

security first of all.. one of the first FW rules I learnt was that a firewall has to block any request done from a private IP coming on the public interface..

things should work just playing with dns.. and, for sure, we should not add a feature to bypass sw bugs; this is why we have "templates-custom" tree, templates and fragments..

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #81 on: July 07, 2015, 07:23:16 PM »
security first of all...

Yes, but we need to understand what the security risk is.

I think I can see what that is here. With port-forwarding as we have now, the destination server always sees the true origin (source IP) of the connection. With 'NAT loopback', systems on the LAN will be able to connect to the destination server either directly, or via the forwarded port (WAN IP of the SME server). But in the latter case, the destination server will not see the real source IP of the connection. They won't be able to log which system on the LAN is connecting, or make access control decisions based on the real source IP.
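An added illustration of the point made in the post above (example code written for this thread, not code from the thread, from SME Server or from opensim): a small Python model of the two NAT steps in the opensim script quoted earlier, showing which source address the destination server ends up seeing in each case. The public IP, server IP, port set and client addresses are constructed placeholders mirroring the script's "Fix these!" block.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed placeholders mirroring the "Fix these!" block of the opensim script.
INTERNET_IP = "100.100.100.100"
SERVER_IP = "192.168.0.2"
LAN_NETWORK = ipaddress.ip_network("192.168.0.0/24")
FORWARDED = {("tcp", 8895), ("udp", 9000), ("tcp", 9000)}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN_NETWORK

def traverses_router(pkt: Packet) -> bool:
    # A LAN client talking directly to a LAN server stays on the local segment;
    # only traffic to or from outside the LAN (the public IP included) is routed.
    return not (in_lan(pkt.src) and in_lan(pkt.dst))

def prerouting_dnat(pkt: Packet) -> Packet:
    # PREROUTING -d INTERNET_IP --dport <forwarded> -j DNAT --to-destination SERVER_IP
    if pkt.dst == INTERNET_IP and (pkt.proto, pkt.dport) in FORWARDED:
        return replace(pkt, dst=SERVER_IP)
    return pkt

def postrouting_snat(pkt: Packet) -> Packet:
    # POSTROUTING -s LAN -d SERVER_IP --dport <forwarded> -j SNAT --to-source INTERNET_IP
    # This is the "NAT loopback" step: replies now go back via the router, but the
    # server only ever sees the router's public address as the client.
    if in_lan(pkt.src) and pkt.dst == SERVER_IP and (pkt.proto, pkt.dport) in FORWARDED:
        return replace(pkt, src=INTERNET_IP)
    return pkt

def deliver(pkt: Packet) -> Packet:
    """The packet as it arrives at its final destination."""
    if not traverses_router(pkt):
        return pkt
    return postrouting_snat(prerouting_dnat(pkt))

def source_seen_by_server(pkt: Packet) -> str:
    """What the destination server would log as the client address."""
    return deliver(pkt).src
```

An outside client reaches the server with its real address intact, a LAN client using the WAN IP arrives as 100.100.100.100, and a LAN client connecting to 192.168.0.2 directly never passes the router at all, which is exactly the logging and access-control gap described above.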

guest22

Re: port forward
« Reply #82 on: July 07, 2015, 08:02:16 PM »
One case only in over a decade does not sound to me as worth the trouble and security risk.
It does not add anything substantial to SME Server, and I think we better focus on the release of 8.x and 9.x, and the queue of existing bugs and NFR's.

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: port forward
« Reply #83 on: July 07, 2015, 09:14:14 PM »
One case only in over a decade does not sound to me as worth the trouble and security risk.

It's not really just one case. There have been multiple posts of people saying that port forwarding doesn't work, because when they try to access the forwarded port from inside the LAN it "doesn't work". Those confusions wouldn't have been seen if this feature had been implemented.

I'm just clarifying, not advocating for the feature.

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: port forward
« Reply #84 on: July 07, 2015, 09:24:34 PM »
Quote
It's not really just one case. There have been multiple posts of people saying that port forwarding doesn't work, because when they try to access the forwarded port from inside the LAN it "doesn't work". Those confusions wouldn't have been seen if this feature had been implemented.

if so, we should improve either the documentation, the FAQ and (preferably) the server-manager panel

guest22

Re: port forward
« Reply #85 on: July 07, 2015, 10:25:31 PM »
Having/hosting SME servers and services requires a basic understanding of networking. Nothing just 'works' or 'doesn't work'. SME Server will never be a crystal sphere.

Maybe sometimes we are victim of our own simplicity and success...