Koozali.org: home of the SME Server

port forward

CharlieBrady
Re: port forward
« Reply #15 on: July 01, 2015, 10:16:04 PM »
Quote
So that would mean no host is allowed to access the service on that port. Maybe you should try to put '0.0.0.0' in there for testing purposes only.

I could be wrong.

Yes, you are wrong. The "Allow Hosts" will usually be empty, which means open access. Putting 0.0.0.0 there will mean that only packets with source address 0.0.0.0 will be forwarded, and that's not a valid Source IP address.

There generally won't be any log messages associated with port forwarding problems.

The most likely causes of port forwarding problems are 1) somebody is trying to test from the LAN network (doesn't work - only WAN to LAN traffic works, which implies testing from outside the local network) or 2) the destination device doesn't have the SME server configured as its default gateway, so that reply packets don't pass through SME server.

tcpdump is the most useful tool for troubleshooting port forwarding. Verify that packets are arriving on the SME server WAN interface, verify that the ports are forwarded to the destination IP and port, and verify that reply packets return from the destination device, and verify that those packets are correctly modified and sent back to the original source.

When portforwarding is in use I think you will see entries in /proc/net/ip_conntrack. You can run /usr/sbin/iptstate to visualise the changing state of netfilter expectations.
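A small checker for the /proc/net/ip_conntrack view Charlie mentions, added here as an example and not part of the original post. It assumes the 2.6-kernel conntrack line layout (protocol, number, timeout, tcp state, original tuple, optional [UNREPLIED], reply tuple) and runs over constructed sample entries with made-up addresses; a forwarded flow shows up because the reply tuple answers from the LAN host rather than the WAN address the client dialled, and [UNREPLIED] on such a flow is the wrong-default-gateway symptom described above.

```python
import re

# Constructed /proc/net/ip_conntrack sample in the 2.6-kernel layout (assumed).
# 198.51.100.10 is the SME WAN address, 192.168.1.20 the LAN target; both made up.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=198.51.100.10 sport=51234 dport=9000 src=192.168.1.20 dst=203.0.113.5 sport=9000 dport=51234 [ASSURED] mark=0 use=2
tcp      6 117 SYN_SENT src=203.0.113.7 dst=198.51.100.10 sport=40001 dport=9000 [UNREPLIED] src=192.168.1.20 dst=203.0.113.7 sport=9000 dport=40001 mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=198.51.100.10 sport=40002 dport=443 src=198.51.100.10 dst=203.0.113.9 sport=443 dport=40002 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """One dict per entry: protocol, tcp state, original/reply tuples, reply seen?"""
    entries = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # not a tcp/udp entry in the layout assumed above
        fields = line.split()
        (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
        entries.append({
            "proto": fields[0],
            "state": fields[3] if fields[0] == "tcp" else "",
            "orig": (osrc, odst, int(osp), int(odp)),
            "reply": (rsrc, rdst, int(rsp), int(rdp)),
            "unreplied": "[UNREPLIED]" in line,
        })
    return entries


def forwarded_flows(text, wan_ip, dport):
    """Flows addressed to wan_ip:dport whose reply comes from a different
    host or port than the client dialled, i.e. the port-forward rule fired."""
    flows = []
    for e in parse_conntrack(text):
        osrc, odst, _, odp = e["orig"]
        rsrc, _, rsp, _ = e["reply"]
        if odst != wan_ip or odp != dport:
            continue
        if rsrc == odst and rsp == odp:
            continue  # answered by SME itself: no forwarding involved
        flows.append({
            "client": osrc,
            "target": f"{rsrc}:{rsp}",
            "state": e["state"],
            # True: SME rewrote and sent the SYN on, but the answer never came
            # back through it (destination not using SME as default gateway).
            "no_reply": e["unreplied"],
        })
    return flows
```

On a live box, feed it `open("/proc/net/ip_conntrack").read()` instead of the sample; one forwarded flow stuck in SYN_SENT with no_reply set points at the LAN host, not at the SME rule.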

CharlieBrady
Re: port forward
« Reply #16 on: July 01, 2015, 10:17:07 PM »
Quote
You should be able to do a port forward

Go to a command prompt on the sme server & show us the output of
db domains show

Portforwarding doesn't have anything to do with the contents of the domains db.

CharlieBrady
Re: port forward
« Reply #17 on: July 01, 2015, 10:20:55 PM »
Quote
have attempted your suggestions and still not working - even on the localhost, strange.

I have no idea what you mean. localhost is not involved in any way with portforwarding. Portforwarding only applies to traffic arriving from the Internet at your WAN address, which you want to be forwarded to a different IP and/or port.

It "just works". If there is a problem, it's because the destination is not configured to deal with the traffic, or is not replying properly (e.g. via the correct default gateway), or somebody doesn't understand it and is testing it wrongly.

janet
Re: port forward
« Reply #18 on: July 01, 2015, 10:25:56 PM »
Quote
Portforwarding doesn't have anything to do with the contents of the domains db.

Yes I realise that Charlie, I just wanted to see if the domain is configured on that server.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

janet
Re: port forward
« Reply #19 on: July 01, 2015, 10:27:24 PM »
enchesss

You should be able to do a port forward

Go to a command prompt on the sme server & show us the output of
db domains show

Then, as a test/experiment, please set up this portforward

Protocol    TCP
Source Port(s)    9000
Destination Host IP Address   localhost
Destination Port(s)     80
Rule Comment    test1-9000to80
Allow Hosts

click Next & click Add

Then go to a command prompt on the sme server & show us the output of
db portforward_tcp show
db portforward_udp show

Finally, open a browser on an external device & see if
http://openworldsproject.info:9000
resolves to the Primary ibay index file

Let us know the outcome of these tests

enchesss
Re: port forward
« Reply #20 on: July 02, 2015, 12:37:17 AM »
Hi Janet

# db domains show
openworldsproject.info=domain
    Content=Primary
    Description=Primary domain
    Nameservers=localhost
    Removable=no
    SystemPrimaryDomain=yes

configured port forward rule as you suggested

# db portforward_tcp show
9000=forward
    AllowHosts=
    Comment=port 9000-80 testing
    DenyHosts=
    DestHost=localhost
    DestPort=80

openworldsproject.info:9000 now resolved to primary ibay


The website https://www.grc.com also now says that the port is open

something interesting using: http://superuser.com/questions/621870/test-if-a-port-on-a-remote-system-is-reachable-without-telnet

# cat < /dev/tcp/127.0.0.1/9000
-bash: connect: Connection refused
-bash: /dev/tcp/127.0.0.1/9000: Connection refused

more curious

# nc 127.0.0.1 9000 < /dev/null; echo $?
1

So in effect - these commands say that the port is closed?
« Last Edit: July 02, 2015, 12:55:13 AM by enchesss »

Stefano
Re: port forward
« Reply #21 on: July 02, 2015, 12:55:24 AM »
now edit the rule to forward the traffic toward the internal machine and try again.. from an external machine (i.e. from WAN side)

if it doesn't work, check on the internal machine too.. maybe it's firewall or an internal rule is blocking traffic coming from WAN..

finally, double check, as Charlie suggested, that the internal server has SME IP as gateway

enchesss
Re: port forward
« Reply #22 on: July 02, 2015, 12:56:28 AM »
Please see previous modified post - it still does not forward to internal host on port 9000 (or any other port) from external
« Last Edit: July 02, 2015, 12:58:13 AM by enchesss »

Stefano
Re: port forward
« Reply #23 on: July 02, 2015, 12:57:59 AM »
please DON'T edit posts, write a new one.. you (generally speaking) can't expect me (generally speaking) to RE READ all the topic

that's a bad habit.

janet
Re: port forward
« Reply #24 on: July 02, 2015, 12:58:31 AM »
enchesss

Quote
openworldsproject.info:9000 now resolved to primary ibay
The website https://www.grc.com also now says that the port is open

OK that is a good result, it proves external settings are correct, & that your modem/router is not interfering, & that sme server is handling a port forward OK.

Charlie made a good point about your second server being configured to use the sme server as its gateway (rather than directly to outside or to your modem/router).
"If there is a problem, it's because the destination is not configured to deal with the traffic, or is not replying properly (e.g. via the correct default gateway)....."

Please check & correct that setting to point at sme server for Internet access.

Then configure a port forward like:
Protocol    TCP
Source Port(s)    9000
Destination Host IP Address   local LAN IP of 2nd apache server
Destination Port(s)
Rule Comment    opensim9000to9000
Allow Hosts

that is all you should need to configure for it to work.

enchesss
Re: port forward
« Reply #25 on: July 02, 2015, 01:04:08 AM »
Hi Janet

It still does not work

The local server has always had the SME set as the gateway

As previously indicated - when it is set to use the modem - it works well

I have tested the ports using: http://superuser.com/questions/621870/test-if-a-port-on-a-remote-system-is-reachable-without-telnet


for the SME server:

# cat < /dev/tcp/127.0.0.1/9000
-bash: connect: Connection refused
-bash: /dev/tcp/127.0.0.1/9000: Connection refused

more curious

# nc 127.0.0.1 9000 < /dev/null; echo $?
1

to double check - testing the web port 80:

nc 127.0.0.1 80 < /dev/null; echo $?
0

says that the web port 80 is open

from the sme to LAN server:

# nc LANipaddress 9000 < /dev/null; echo $?
0

this indicates that the LAN server port 9000 is open, however the SME port 9000 is closed

So in effect - these commands say that port 9000 is still closed?

« Last Edit: July 02, 2015, 01:06:49 AM by enchesss »

Stefano
Re: port forward
« Reply #26 on: July 02, 2015, 01:12:34 AM »
the service running on lan and listening on 9000 does accept packets coming from a WAN address?

for example, in an SME in server and gateway mode, we can have something running on port XXX but that port is available only from an internal IP.. and that's not only a FW rule, but also a host.deny rule (IIRC)

so, in the end, did you check the configuration on the internal server? I don't need to know if the service is running and listening on port 9000, I (no, wait, YOU) must be sure that it's listening on port 9000 and available for any address

CharlieBrady
Re: port forward
« Reply #27 on: July 02, 2015, 01:18:53 AM »
Quote
So in effect - these commands say that port 9000 is still closed?

Please take more time to read and understand the messages we are posting for you to read here.

You can only test portforwarding by connecting via the Internet to your WAN interface. This is because port-forwarding only applies for packets arriving from the Internet to your WAN interface.

Is that not clear enough for you?

port 9000 on the localhost interface shows as closed because no service is listening on it. However, if you try to access port 9000 on the WAN IP address via the WAN interface, then the connection will be port-forwarded to localhost:80, which *is* open (if/when you configured the portforwarding suggested by janet).

I told you to use tcpdump. Have you done so? We told you to check the default gateway setting on your opensim system. Have you done so? Have you checked the port 9000 is open on that system? You can use telnet, you don't need to use cat.
« Last Edit: July 02, 2015, 01:29:08 AM by CharlieBrady »

enchesss
Re: port forward
« Reply #28 on: July 02, 2015, 02:49:49 AM »
Hi CharlieBrady

To summarise the situation

If the SME server is removed and the modem is used as a gateway - the local opensim server is accessible from the internet via NAT virtual server settings that forward port 9000 to the opensim local ip address on port 9000 in the modem. This works perfectly.

When the SME server is used as a gateway - there is no access to the opensim server via the internet (on port 9000 or 80)

there is also no access to opensim via the opensim viewer that uses port 9000 via the local network ip addresses

and also there is no access to the opensim viewer that uses port 9000 on the actual server [previously referred to as the 'localhost'] (which is a ubuntu desktop)


This may not be the SME server, however, when it is removed - things work really well.

I have examined tcpdump using -nXS from here: https://danielmiessler.com/study/tcpdump/

There is nothing obvious in the data there - not that I am sure what to look for.

The https://www.grc.com website says that port 9000 is open on the SME server

Telnet opensimserver_ip 9000

says connected

however

telnet SMEserver_ip 9000

says telnet: Unable to connect to remote host: Connection refused

from both the SME and the opensimserver



other information:

from another LAN workstation:

using web browser - http://opensim_ip

i get the apache page

using web browser - http://opensim_ip:9000

i get the opensimwebpage


using web browser - http://openworldsproject.info:9000

no access

the latter of these is also not accessible from internet - though I think it should be


regards
« Last Edit: July 02, 2015, 02:56:47 AM by enchesss »

enchesss
Re: port forward
« Reply #29 on: July 02, 2015, 03:53:47 AM »
Thank you everyone

Testing the SME server from an external IP (at a friend's house) - and everything works.

Still some problems because no access to the opensim server is achieved locally yet

Should I label this as resolved ??

I am unable to access opensim locally at this stage - not a sme9 issue - though - or is it?


« Last Edit: July 02, 2015, 04:02:48 AM by enchesss »