Koozali.org: home of the SME Server

[Solved] Cannot serve SME website with new Uverse ISP

LANMonkey
« on: August 05, 2016, 11:56:15 PM »
For years now I have been serving a website from a basic DSL account.  I recently switched to AT&T's Uverse service.  They sent me their own gateway modem/router and I set up the firewall to pass website traffic (HTTP service) to my SME host server.

I have tested the website by trying to access the IP address alone, like  ABC.DEF.GHI.JKL (with letters indicating the numbers of my IP address for purposes of this post).  I can't get the website.  I haven't yet changed the URL to point to that IP address.  I can access the website using the LAN address, 192.168.etc.etc.  I can also access the admin and webmail pages locally.

Shouldn't I be able to access the website using the IP address?  What else could be going wrong?  Is there perhaps a new dialog going on in the gateway that SME doesn't like?  How could I troubleshoot what is going on? 
« Last Edit: August 10, 2016, 08:01:55 PM by LANMonkey »

janet
« Reply #1 on: August 06, 2016, 12:55:53 AM »
From a workstation browser that is behind your sme server & firewall, go to
https://www.grc.com
& select to do a full port scan.
That should indicate whether ports are being blocked somewhere.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

LANMonkey
« Reply #2 on: August 06, 2016, 01:03:58 AM »
Quote
From a workstation browser that is behind your sme server & firewall, go to
https://www.grc.com
& select to do a full port scan.
That should indicate whether ports are being blocked somewhere.

Sounds like a good idea, but I don't see a link to anyplace to do a port scan.  Could you provide a direct link?

janet
« Reply #3 on: August 06, 2016, 03:18:10 AM »
You need to look harder, it's in small print
Click the ShieldsUp link
Try here
https://www.grc.com/x/ne.dll?bh0bkyd2
& then click proceed
There was a reason to start you at the beginning so you would read all about it etc.

LANMonkey
« Reply #4 on: August 06, 2016, 05:32:45 AM »
Well, I did a scan of the first 1056 ports and all were in stealth mode except port 80 which was blocked.  So I guess that is my problem.

I assume my solution is to change the port my HTTP server listens to and point my domain to that port.  Pointing the domain to that port on my IP address doesn't sound too complicated.  I think I recall seeing the option in my DNS service.

But I depend on the SME's server to run the server.  How do I change the port so that my website can bypass the block without fouling my administrative sites?

Jean-Philippe Pialasse
« Reply #5 on: August 06, 2016, 06:33:27 AM »
I see some possible problems there:
- AT&T blocking port 80, which, from a quick internet search, does not seem to be the case
- you did the port transfer wrongly, maybe this helps: https://www.youtube.com/watch?v=8WhvC6M-Ivw
- you try to access your external IP from inside the LAN, port forwarding only works from outside

Mostly you do not have anything to do at the SME level; your problem is really to understand and configure the modem. You can use any entering port and forward it to the SME IP address and port 80. But if you do not use port 80 on the internet side, nobody but you will know how to access your site.

Last thought, did you keep your SME in server gateway mode or did you convert it to server only?

If the answer is the first, then you must be aware of the double NATing and that your two LANs (SME LAN and router LAN) should have different addressing.

janet
« Reply #6 on: August 06, 2016, 09:58:43 AM »
LANMonkey

So now you have to determine where port 80 is blocked eg your ISP, or maybe your router (ie not forwarding the port correctly).

Please answer the queries posed by JPP.

Personally I would guess your ISP is blocking port 80 as they do not (or may not) allow web hosting. I suggest you ask your new ISP if they block ports & tell them about the port scan result.

LANMonkey
« Reply #7 on: August 06, 2016, 07:00:49 PM »
Quote
I see some possible problems there:
- AT&T blocking port 80, which, from a quick internet search, does not seem to be the case

I am not sure what you saw on the internet, but I did a Google search of "Does AT&T block port 80" and got many hits that suggest it does block port 80.  That's my conviction at this point, that AT&T blocks port 80 outside my gateway.

Quote
- you did the port transfer wrongly, maybe this helps: https://www.youtube.com/watch?v=8WhvC6M-Ivw

I hadn't yet tried port forwarding, I only opened the firewall for that port and directed that traffic to the static local address of my SME server.

Quote
- you try to access your external IP from inside the LAN, port forwarding only works from outside

As I said in my first post, I can access the website from inside the LAN using the local static address of the SME server.

Quote
Mostly you do not have anything to do at the SME level; your problem is really to understand and configure the modem. You can use any entering port and forward it to the SME IP address and port 80. But if you do not use port 80 on the internet side, nobody but you will know how to access your site.

Using your posted YouTube video, I did manage to set up something like an actual port forward from 8080 to 80, but I am still not getting the website using http://ABC.DEF.GHI.JKL:8080.  When and if I can get this going, I can apply my DNS to use port 8080 for my URL.

Quote
Last thought, did you keep your SME in server gateway mode or did you convert it to server only?

No, with the previous ISP, the SME server was not a gateway, it was inside the LAN.

So as it stands, I have tried applying forwarding in my AT&T Gateway and I still can't reach the website using http://ABC.DEF.GHI.JKL:8080

There are some peculiarities in my Gateway device.  It sees my SME server as unknown000F1FE9A41D and if I try to disable the firewall for this device, I get an error, "It is not allowed to remove the firewall protection on the private device:unknown000F1FE9A41D."  Also, I cannot select my static local IP address twice in the Firewall settings, only the device unknown000F1FE9A41D can be selected.  I wonder if I remove the static IP address, I might see some changes.

Jean-Philippe Pialasse
« Reply #8 on: August 06, 2016, 07:54:38 PM »
Quote
I am not sure what you saw on the internet, but I did a Google search of "Does AT&T block port 80" and got many hits that suggest it does block port 80.  That's my conviction at this point, that AT&T blocks port 80 outside my gateway.

The key word here is ***suggest***.
I only saw people battling with not knowing how to do a correct port forwarding, and no post confirming that the provider does enforce blocking on some port and stating which... If you want to know and be sure, you only have to call them instead of assuming.



Quote
I hadn't yet tried port forwarding, I only opened the firewall for that port and directed that traffic to the static local address of my SME server.

Quote
As I said in my first post, I can access the website from inside the LAN using the local static address of the SME server.

Well, you should have started there, as deactivating the firewall could mean a lot of different things and some are not what you want.

And yet you still have not answered the most important question: from where are you trying to access your SME using the external IP address of your connection (with or without change of port)?

Quote
Using your posted YouTube video, I did manage to set up something like an actual port forward from 8080 to 80, but I am still not getting the website using http://ABC.DEF.GHI.JKL:8080.  When and if I can get this going, I can apply my DNS to use port 8080 for my URL.

Answer the previous question, and call your ISP to find out if they block ports; you are putting the horses behind the cart.


Quote
No, with the previous ISP, the SME server was not a gateway, it was inside the LAN.
So as it stands, I have tried applying forwarding in my AT&T Gateway and I still can't reach the website using http://ABC.DEF.GHI.JKL:8080

Again, from where?

Because, to answer again the last question of your first post: no, you are not supposed to access your website using your ISP-provided IP if you do this from inside your LAN....


Quote
There are some peculiarities in my Gateway device.  It sees my SME server as unknown000F1FE9A41D and if I try to disable the firewall for this device, I get an error, "It is not allowed to remove the firewall protection on the private device:unknown000F1FE9A41D."  Also, I cannot select my static local IP address twice in the Firewall settings, only the device unknown000F1FE9A41D can be selected.  I wonder if I remove the static IP address, I might see some changes.

I can only tell you to carefully read the manual of your router, and again this is surely not what you want to do.

LANMonkey
« Reply #9 on: August 06, 2016, 10:08:26 PM »
Quote
The key word here is ***suggest***.
I only saw people battling with not knowing how to do a correct port forwarding, and no post confirming that the provider does enforce blocking on some port and stating which... If you want to know and be sure, you only have to call them instead of assuming.

I have contacted support for Uverse and AT&T and support is not too good.  I managed to get a direct answer to the question, "Please answer yes or no. Does AT&T block access to my website on my internet connection?"  The answer was "No".  But they would not actually articulate a response proclaiming whether or not it was possible to serve a website from my connection.  Either they were dodging the subject or they did not know what I was talking about.  I have contacted them three times with this issue so far and was passed around two to three times on each contact.

Quote
Well, you should have started there, as deactivating the firewall could mean a lot of different things and some are not what you want.

I'm not sure what you mean by this.

Quote
And yet you still have not answered the most important question: from where are you trying to access your SME using the external IP address of your connection (with or without change of port)?
....
Again, from where?
Because, to answer again the last question of your first post: no, you are not supposed to access your website using your ISP-provided IP if you do this from inside your LAN....

I am sitting at a computer on the same LAN that hosts the SME server.  I have never had any problems using the URL or IP address of my connection reaching the SME server routing through the internet.  I can also ping the URL and get the IP connection address since I have changed the IP the URL points to.  I have been able to use the connection IP address, the local LAN address and the internet DNS served URL to reach my website in the past.  What other way can I test whether the site is functioning or not?  I shouldn't have to go to a computer off my LAN to check to see if the website is working on the internet.


Quote
From a workstation browser that is behind your sme server & firewall, go to
https://www.grc.com
& select to do a full port scan.
That should indicate whether ports are being blocked somewhere.

Since I have opened up the firewall in my gateway to port 80 and I still see it blocked using ShieldsUp, shouldn't I be able to assume that port 80 is being blocked by AT&T?


I posted this problem here thinking that there was an issue with my SME server.  Thanks to all for posting your suggestions.  I will listen to any more whether it has anything to do with the SME server or not.

michelandre
« Reply #10 on: August 06, 2016, 11:53:14 PM »
Hi LANMonkey,

If you try to access your site with a local browser, it is the SME server that will answer the request without going to any DNS. It will look into /etc/hosts and find your domain name in it.

Try to install TOR browser. The requested domain goes through to the external TOR proxy, not to your server.

There are some people in this forum who don't like TOR. You can install it in a virtual machine if you like then, destroy the VM.

I always use TOR to check my server connection.

Michel-Andre

janet
« Reply #11 on: August 07, 2016, 07:27:57 AM »
LANMonkey

I would phone your ISP again & ask for escalated support, that way you might get to talk to an engineer who actually knows what is going on.
The first level support personnel you have already spoken to are usually just reading from a scripted page, so cannot help if the question is out of scope.
Make sure you tell them about the port scan result, i.e. that port 80 shows as blocked, & ask if they can tell you where it is blocked, i.e. is it them?

Re not accessing WANIP:8080, did you actually do a scan on other ports above port 1095? You have not yet proven whether port 8080 is open.
 
As pointed out to you (assuming 8080 is available), other Internet users will have to append 8080 to your URL to gain access, which may not be practical or desirable.

Worst case scenario is have you considered going back to your old ISP ?..... or one that supports all ports in & out.


Quote
No, with the previous ISP, the SME server was not a gateway, it was inside the LAN.

So do you mean the SME server is now in server only mode?

LANMonkey
« Reply #12 on: August 07, 2016, 06:31:46 PM »
Quote
....
So do you mean the SME server is now in server only mode?

The SME server was in server only mode before and after the change in ISP.

Here is something peculiar.

I tested 8080 with ShieldsUp and found that it was closed.  So, as a test I tried another arbitrary port 80AB. (Letters indicate some numbers.) First I scanned 80AB to see if it was open.  It was found to be in Stealth mode.  So then I went to my gateway Firewall settings and opened port 80AB and pointed it to port 80 on my SME server.  Then I went back to ShieldsUP and tested port 80AB and found that it is now closed.  I did another test, I tested two arbitrary port numbers ABCD, EFGH with ShieldsUp and found them both to be in stealth mode. (The first actually went to some service.)  Then I went to my gateway Firewall settings and opened ABCD and directed it to EFGH on my SME server.

I went back to ShieldsUp and again tested ABCD and now it is closed.  For some reason, the act of opening a port is causing it to be closed to the internet.

One last test.  With ShieldsUp I tested ABCX (Again the letters indicate numbers.) and also found this in stealth mode.  I went into my gateway Firewall settings and opened port ABCX and directed it to port 80 on the workstation machine I am using now (It has no HTTP server).  I went back to ShieldsUp and tested ABCX and now it is open!

So the problem is narrowed down to SME server.  Is it a problem with SME internal settings?  Or is it a gateway problem?  I suspect the static IP address I have for SME could be the problem.  I will fool around some more and report back.

Any ideas anyone?
« Last Edit: August 07, 2016, 06:35:48 PM by LANMonkey »

LANMonkey
« Reply #13 on: August 07, 2016, 06:59:28 PM »
Here are some more clues.

DURING ALL OF THE ABOVE TESTS, THE SME SERVER WAS SHUT DOWN, IT WAS NOT EVEN ON.  When I do all the tests with 8080, 80AB, ABCD with SME on I still don't find anything open, it is in stealth mode and I still can't reach the website.  I suspect that in the previous tests where I found the port closed SME was also shut down. :oops: :oops: :oops: :oops:

But I do see that the favicon I have for the website is showing up in the browser.  So, I am reaching the host machine, but for some reason the website is not being served.  It must be SME.

Jean-Philippe Pialasse
« Reply #14 on: August 07, 2016, 08:26:57 PM »
Can you access your SME using its local IP on the LAN and serve the webpages using a browser ?

If yes then the problem is not SME.

Port forwarding only works from the outside, or WAN side, of a router. Again, you cannot hit your SME with externalIP:whateverport from inside your LAN... This is simply a limitation of NAT, it is impossible to do; see this thread https://supportforums.cisco.com/discussion/11262681/nat-port-forward-doesnt-work-inside-lan as an example. As long as you do not understand this, you will not be able to go further.

If you want to test your connection's port forwarding, you will have to do this from outside with your phone connection (not connected with wifi on your LAN of course) or from elsewhere. All tests you do from inside will fail and end up in a loop.


This will be the same with your domain name unless:
- your SME has the domain defined as local and acts as DHCP for all your computers
- your router acts as DHCP server for the LAN and is evolved enough to handle split DNS and point the domain to your SME (not probable)
- you defined your local SME IP as associated to your domain in the hosts files of all your computers

But again, from inside you will be able to access your SME on port 80 only for the webserver, unless you also define in the server manager a port forward from 8080 to 80 on localhost, which is for the moment as useless as creating on your modem router the forward of 8080 to 80 for the LAN IP of your SME.


The only steps you should try from now are:
- as told by Janet, contact your ISP to get level 2 support so they will be able to answer technical questions rather than having somebody reading a script.
- only do a port forward on your modem router from 80 to 80 directly to the LAN IP of your SME. Then go outside of your LAN, and try to connect from outside to your internet IP on port 80, with SME on and its IP being the same as given in the router for port forwarding.
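
Added example, not part of any post in this thread: a small Python check that reports a TCP port in the same terms as the ShieldsUp results discussed above (open, closed, stealth), for testing a port forward to your own server from a machine outside the LAN, as Reply #14 describes. The function names and the 3-second timeout are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Report how a TCP port answers: open, closed or stealth (no reply)."""
import errno
import socket
import sys


def classify(exc):
    """Translate the result of a connect attempt into port-scan wording."""
    if exc is None:
        return "open"      # handshake completed: a service accepted the connection
    if isinstance(exc, ConnectionRefusedError):
        return "closed"    # a TCP reset came back: reachable, but nothing accepted it
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "stealth"   # nothing came back before the timeout: packets dropped
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error (%s)" % exc


def probe(host, port, timeout=3.0):
    """Try one TCP connection to host:port and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


def check_forwards(host, ports, timeout=3.0):
    """Probe each forwarded port once; returns {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Usage (from outside the LAN): python3 portcheck.py <your-external-ip> 80 8080
    if len(sys.argv) < 3:
        sys.exit("usage: portcheck.py HOST PORT [PORT ...]")
    target = sys.argv[1]
    for port, state in check_forwards(target, [int(p) for p in sys.argv[2:]]).items():
        print("%s:%d -> %s" % (target, port, state))
```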