Port Forwarding / NAT

Posted on 2010-11-10
Last Modified: 2012-05-10
Hey All,

I'm almost embarrassed to ask this as it's a very basic question that I SHOULD know the answer to. But for some reason... I can't make it work!

I have a device on the internal network with an IP of 192.168.100.230

It's accessible via the LAN.

I don't have a STATIC IP, but here's the current IP:
http://67.55.202.192

To get around NOT having a static IP, I'm using No-IP:
http://bloomfieldwater.no-ip.org/


Requests come in on port 80.

I have a Linksys router.

I've loaded DD-WRT firmware on it for maximum control.


I've configured Port Forwarding under NAT / QoS as such:

App: Miox
Port From: 80
Protocol: Both
IP Address: 192.168.100.230
Port To: 80
Enable: Checked


I've turned OFF the SPI firewall under the security tab.

There are NO OTHER routers/firewalls in this mix.


I CAN see the URL / Public IP from WITHIN the network.

I can NOT see it from outside of the network.

I CAN ping the URL (and have it return the proper IP) as WELL AS ping the IP itself.


I think it has something to do with NAT / port 80. But I'm not sure how to get around it...

I've tried forwarding from a port like 5580 to port 80 -- but no luck there either.


I look forward to you pointing out my stupidity!
Question by:david1986

28 Comments

Expert Comment

by:vanbarsoun
ID: 34107745
It sounds like you've got things configured correctly. For Protocol choice, try selecting only TCP.

If it still fails, I would suggest trying to set up port forwarding with another device/server to see if the problem is perhaps a defective router.

Author Comment

by:david1986
ID: 34108098
Okay. I tried setting it to JUST TCP, but no luck.

I'm pretty sure the router isn't defective...as I'm seeing it from inside their network. *When accessing using the external address*

I'm thinking it's something to do with NAT and PORT 80

Author Comment

by:david1986
ID: 34108454
Any advice is sincerely appreciated! I'm lost :)

Expert Comment

by:vanbarsoun
ID: 34108465
Which model Linksys?

Expert Comment

by:Hatrix76
ID: 34109824
Can you ping 192.168.100.230 from the router? (I assume there is the possibility to ping in the DD-WRT image; I never used it.)

I know from Cisco routers that you can configure port 80 as an administrative port, meaning that when you hit the router on port 80, this port is used internally and not forwarded. Try to use another port (like 8080) for the administration web interface; I am pretty sure you will be able to set it.

Are access controls or something like that active? Where you can tell who can connect from LAN or WAN on which ports to a router? (Again, a Cisco thing, not sure if it applies.)

Please check all this just to be sure. It's funny though that another port forward is also not working and that it seems to work from within the LAN. But this strengthens my assumption that there are some policies / restrictions on the outside port in place ...

Do you perhaps have a firewall on the server you try to connect to which only allows incoming connections from the LAN? It may block connections from the internet as well (as I assume the NAT is destination NAT, the source IP of the packet will be seen by the internal server as originating from the internet and not from the router).

best

Expert Comment

by:bijal7612
ID: 34110035
When you are using No-IP, then for forwarding any ports use Port Mapper, which will help you to forward the ports internally as well as externally. This will help you to surf any port which has been forwarded.
Download from the link below: http://www.analogx.com/contents/download/Network/pmapper/Freeware.htm

Expert Comment

by:Bokis
ID: 34111100
I am with Hatrix76. When using Linksys, just try not to forward 80 and 8080 as those are for management. You may be able to change 8080 for remote management but I am not sure you can play around with 80. To actually isolate your issue, try forwarding, say, 3389 for RDP to any Windows machine (that is configured for RDP) and see if it works just fine. If that works then try and change your application/device NOT to use port 80 and you should be good to go.

Author Comment

by:david1986
ID: 34111405
I'm afraid I can't configure the device to not use port 80.... As much as I'd like to!

Thanks for all the help so far!!

Author Comment

by:david1986
ID: 34116091
Ok. I switched to a Buffalo router and loaded Tomato on it. STILL NO LUCK.

What the heck am I doing wrong?

I appreciate any and all help you can offer.

Expert Comment

by:Hatrix76
ID: 34116251
Can you ping 192.168.100.230 from the router?

Author Comment

by:david1986
ID: 34116287
Yes.

Author Comment

by:david1986
ID: 34117360
Would you like me to post the results of the PING? From the router?

I can ping from the router to the internal lan address you specified. (The address of the device)

Author Comment

by:david1986
ID: 34117401
I'm using Tomato now...

So my thought is, why can't I specify another external port to forward to the internal.

I.e. use a random port like 8832 that forwards to port 80 internally. The URL would result in something like this:

http://67.55.202.192:8832


One should THINK that would work. Is there anything else I'd need to open up besides configuring the port forwarding rule?

Thanks for all of your help!

Author Comment

by:david1986
ID: 34117464
It's gotta be something to do with NAT.

I just checked a port (9211) which was a random port I attempted to forward to port 80...using a port checking tool, and here's what I got:
Error: I could not see your service on 67.55.200.78 on port (9211)
Reason: Connection refused

Notice my IP. It's different!
This is what my public IP actually is:
http://67.55.202.192



So NAT is coming into play here. What can I do guys? Remember, I've now switched routers and am using a different firmware, TOMATO.

I appreciate your advice!

Author Comment

by:david1986
ID: 34117481
Okay...so this is strange!
For the heck of it, I tried another port testing site.

It returned this:

Port 9211 is closed on 67.55.202.192.


Proper IP! of course the darn thing still says it's closed...
This site here: http://www.canyouseeme.org/

Returns a different IP.... however I just checked it again, and now it's showing the right IP as well!

What would cause this?

Author Comment

by:david1986
ID: 34117505
I'm sorry for all the updates. But I need to correct myself.

This site: http://www.canyouseeme.org/

Initially returns the PROPER public IP. But AS SOON as I check for an open port, the results that are returned give me THE OTHER IP that I listed previously. (67.55.200.78)

I tested this on our router here at the office, and I don't get these mixed results. I get a consistent IP returned. Same router, same software....

I was wondering IF I was only returned with the NAT'd IP if I tried to access a port that I'd attempted to forward. That's not the case though, any port returns the NAT'd IP.
Error: I could not see your service on 67.55.200.78 on port (21)
Reason: Connection timed out


What's crazy, is in a matter of SECONDS, I setup port forwarding on our router here at the office (same router, same software) and it worked fine...
Immediately tests as forwarding port 9911 to port 80. I don't even have a service setup on port 80 for the forwarding, but it tests as open. Unlike the other site.

Author Comment

by:david1986
ID: 34117545
On my device list in Tomato, this is what I see:


Interface  MAC Address        IP Address       Name  RSSI  Quality  Lease
vlan1      00:02:5D:1B:B0:00  67.55.200.1                            static
br0        00:19:DB:6E:2B:90  192.168.100.100                        static
br0        00:05:E4:00:FD:DB  192.168.100.230                        static

Once again, my public IP detects as: 67.55.202.192

Author Comment

by:david1986
ID: 34117568
Sorry for the multitude of posts. I don't see an option to edit my existing one

Here's what my routing table looks like:


Destination    Gateway      Subnet Mask    Metric  Interface
192.168.100.0  *            255.255.255.0  0       br0 (LAN)
67.55.200.0    *            255.255.252.0  0       vlan1 (WAN)
127.0.0.0      *            255.0.0.0      0       lo
default        67.55.200.1  0.0.0.0        0       vlan1 (WAN)

Author Comment

by:david1986
ID: 34117723
Since we've gone through a lot of info....here's a RECAP on where I'm at:


----------------------------

What I'm attempting to accomplish is very simple, and something I've done many many times before. None the less, I've now spent 2 days messing with it and can't seem to make it work. I look forward to you pointing out my ignorance on the topic as it will certainly come as a welcome relief!

Here's my situation:
Internet Connection: Fiber-optic DSL | Internet comes directly in to WAN port on router. Dynamic IP address.

Current Router: Buffalo Air Station w/ latest version of Tomato firmware loaded.

Device to access from outside world: Has a web interface on port 80. It's accessible internally. IP: 192.168.100.230 | Device CAN BE pinged internally from router as well as web interface accessed via a computer.

Router IP: 192.168.100.1
Subnet: 255.255.255.0


I don't have a STATIC IP, but here's the current IP:
http://67.55.202.192

To get around NOT having a static IP, I'm using No-IP:
http://bloomfieldwater.no-ip.org/

-----HERE ARE MY WAN DETAILS FROM TOMATO-----
WAN
MAC Address 00:24:A5:6F:9E:95
Connection Type DHCP
IP Address 67.55.200.78
Subnet Mask 255.255.252.0
Gateway 67.55.200.1
DNS 167.142.225.3:53, 167.142.225.5:53
MTU 1500
----------------------------------------------------
Note that when I lookup my IP, I receive this:
Your IP Address is 67.55.202.192
On one site...
and on another site:
Your IP Address Is: 67.55.200.78
(My App isn't accessible through EITHER URL)

I've configured port forwarding in order to gain the access I need. Here's how I've done so: (Using Tomato)
App: Miox
Port From: 80
Protocol: Both
IP Address: 192.168.100.230
Port To: 80
Enable: Checked
-----------------------
This does not work. It's not accessible via the IP nor the URL. If I use a port checker like in this example...
I just checked a port (9211) which was a random port I attempted to forward to port 80...using a port checking tool, and here's what I got:
Error: I could not see your service on 67.55.200.78 on port (9211)
Reason: Connection refused

Notice my IP. It's different!
This is what my public IP actually is:
http://67.55.202.192
-----------------------

This site: http://www.canyouseeme.org/

Initially returns the PROPER public IP. But AS SOON as I check for an open port, the results that are returned give me THE OTHER IP that I listed previously. (67.55.200.78)

I tested this on our router here at the office, and I don't get these mixed results. I get a consistent IP returned. Same router, same software....

I was wondering IF I was only returned with the NAT'd IP if I tried to access a port that I'd attempted to forward. That's not the case though, any port returns the NAT'd IP.
Error: I could not see your service on 67.55.200.78 on port (21)
Reason: Connection timed out


--------------------
So I came up with the idea that maybe it's port 80. I went and using Tomato forwarded a random port, like 9911 to port 80 on the proper local LAN IP. (192.168.100.230)
I went to a port checker site, tested it, and it came up as blocked...
and of course wasn't accessible via this URL:
http://67.55.202.192:9911/
-or- this one...
http://67.55.200.78:9911/

What's crazy, is in a matter of SECONDS, I setup port forwarding on our router here at the office (same router, same software) and it worked fine...
Immediately tests as forwarding port 9911 to port 80. I don't even have a service setup on port 80 for the forwarding, but it tests as open. Unlike the other location that I'm trying to do this on.

Here's a few more details about the situation:
----------TOMATO DEVICE LIST ---------------
Interface  MAC Address        IP Address       Name  RSSI  Quality  Lease
vlan1      00:02:5D:1B:B0:00  67.55.200.1                            static
br0        00:19:DB:6E:2B:90  192.168.100.100                        static
br0        00:05:E4:00:FD:DB  192.168.100.230                        static
--------------------------


-----------TOMATO ROUTING TABLE------------
Destination    Gateway      Subnet Mask    Metric  Interface
192.168.100.0  *            255.255.255.0  0       br0 (LAN)
67.55.200.0    *            255.255.252.0  0       vlan1 (WAN)
127.0.0.0      *            255.0.0.0      0       lo
default        67.55.200.1  0.0.0.0        0       vlan1 (WAN)
----------------------------------------

I'm stumped here. I don't have a clue what could be causing this.

I truly appreciate any help and advice you can offer!

Expert Comment

by:Hatrix76
ID: 34118650
***
Initially returns the PROPER public IP. But AS SOON as I check for an open port, the results that are returned give me THE OTHER IP that I listed previously. (67.55.200.78)
***

How are you doing this check exactly (from which computer, on which lan, which commands, everything).

best

Expert Comment

by:Hatrix76
ID: 34118770
Ah, I saw you mention testing with web sites. Well, if possible, you should not do this with web sites. Do you have SSH access to a Linux box? Maybe from home?

Then try to use nmap or something like that for testing.

The thing is, I guess you were caught by a DNS caching issue: first you had IP X, you checked with Service A, then the dynamic IP changed to Y on your router and the no-ip service got updated, and you checked again with Service A. But Service A still has your IP X cached because they cache the IP for e.g. 5 or 10 minutes.

Normally no-ip should have a very low cache time, a few seconds, but some DNS servers treat everything below 300 seconds as 300 seconds cache time, which amounts to 5 minutes. I guess in this case bad timing.

I would not worry about it.

Regarding the NAT problem, does your router have the option to output current NAT tables or current connections? There you should see if your request reaches your box or not. I just tried nmap'ing your site and got these results:

Raimund-Sacherers-X61s:~ ray$ ping bloomfieldwater.no-ip.org
PING bloomfieldwater.no-ip.org (67.55.202.192): 56 data bytes

nmap bloomfieldwater.no-ip.org

Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-12 10:03 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 2.062 seconds


Could it be that your ISP blocks incoming traffic? How are you connected to the internet, via cable-modem or ADSL connection? Who gives the WAN Address it's IP (it's DHCP assigned), what I mean is, is a cable-modem, or provider supplied device/router in front of your router?

I would talk to your internet provider and ask them If they firewall / block any incoming traffic which is not related to outgoing traffic, to be sure it's not them creating your issues.

best
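
The advice above is to test from a box outside the LAN with a real tool rather than a web form. As an added example (not code from anyone in this thread), here is a small Python checker that does that and, more usefully for NAT debugging, keeps apart the two failures that show up in this thread: "Connection refused" (an RST came back, so the SYN reached a host) and "Connection timed out" (nothing came back at all). The host and port on the command line are whatever you are testing; the loopback demo constructs its own listener so it runs offline.

```python
"""Classify what a TCP connect to a forwarded port actually got back.

Added example for this thread, not code from any poster. It does the check the
web-based port testers do, but from a machine you control, and it keeps the
distinction that matters when debugging a NAT/port-forward:

  open         the SYN reached a listener and its SYN/ACK came back
  refused      something answered with RST: the packet arrived at a host
               (router or LAN device) with nothing listening on that port
  timeout      nothing came back: dropped upstream, dropped by the router,
               or the LAN device got the SYN but has no route back to the
               public source address (e.g. no default gateway set)
  unreachable  an ICMP host/network unreachable came back
"""
import errno
import socket
import sys


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """One TCP connect; returns 'open', 'refused', 'timeout' or 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def diagnose(result: str) -> str:
    """Map a check result to the NAT/port-forward conditions that produce it."""
    hints = {
        "open": "forward works end to end",
        "refused": "RST received: traffic reaches a host, but nothing listens on that "
                   "port (wrong internal IP/port, or the router answers instead of forwarding)",
        "timeout": "no reply: blocked upstream, silently dropped by the router, or the "
                   "LAN device cannot route its reply back (check its default gateway)",
        "unreachable": "ICMP unreachable: no route to the target from this vantage point",
    }
    return hints[result]


def demo_local() -> dict:
    """Reproduce 'open' and 'refused' offline on the loopback interface."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # kernel picks a free port
    srv.listen(1)                       # handshake completes without accept()
    port = srv.getsockname()[1]
    results = {"listening": check_tcp_port("127.0.0.1", port)}
    srv.close()                         # nothing listens on `port` any more
    results["closed"] = check_tcp_port("127.0.0.1", port)
    return results


if __name__ == "__main__":
    # Usage: python portcheck.py <host-or-public-ip> <port>
    # Run it from OUTSIDE the LAN; from inside you only exercise NAT loopback.
    if len(sys.argv) == 3:
        r = check_tcp_port(sys.argv[1], int(sys.argv[2]))
        print(f"{sys.argv[1]}:{sys.argv[2]} -> {r} ({diagnose(r)})")
    else:
        for k, v in demo_local().items():
            print(f"loopback {k}: {v} ({diagnose(v)})")
```

In this thread the 9211 test came back "refused" and the 3389-to-80 test came back "timed out"; the checker reports those as different results on purpose, because a refusal proves the packet reached something while a timeout does not tell you where it died.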

Author Comment

by:david1986
ID: 34121390
Thanks for the info. I forgot to note, but I already called the ISP to verify they are not blocking port 80 incoming.

Author Comment

by:david1986
ID: 34142129
Thanks to everyone for your replies. I verified with our ISP last week during this issue that port 80 incoming IS NOT blocked. They claim they don't block it ;)?

Also, I'm pretty sure at this point that is NOT the issue.

To be safe, I've purchased a static IP.

Using the static IP, I have successfully unblocked 3389 (RDP) pointing to the one desktop on the network. This reports an OPEN PORT!

So...Under the theory that my ISP is lying to me and really IS blocking port 80, I then told 3389 to redirect to PORT 80 and to the local IP of the device I'm attempting to access.

A new test immediately resolves: CLOSED! - Timeout.


Makes me believe the local device is screwed up. EVEN THOUGH, I can ping the device from the router, and access the web interface locally.

What do you think of this theory?

Expert Comment

by:Hatrix76
ID: 34143172
What operating system is the local computer you attempt to connect to running?
What Software should be available on port 80? (Apache, IIS, nginx, squid ...)

You should check if there is a firewall in place. It is possible to configure the firewall so that local packets work just fine, but packets from the internet won't be accepted at port 80. As you do NAT it is most likely DNAT, which rewrites the destination to the new target computer but leaves the source address as it is, so for the internal computer it is as if the internet knocks on the door.

Please have a look at this,

best
Ray


Author Comment

by:david1986
ID: 34145992
Thanks for the advice Ray.

The local system I'm attempting to connect to is a modular controller -- no firewalls or anything fancy whatsoever.

I'm not sure what web server it's running -- something tiny and basic I presume.

Expert Comment

by:Hatrix76
ID: 34146079
What kind of controller is it? Can you post the make / model?

best

Accepted Solution

by:
david1986 earned 0 total points
ID: 34254045
After all this -- turned out to be a configuration on the other company's end! No default gateway set on the modular controller.

OH MY!!!!!!!!!!!
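
The root cause matches the DNAT explanation given earlier in the thread: the router rewrites only the destination, so the controller sees the SYN as coming from the public client address and has to route its SYN/ACK back there, which needs a default gateway. Traffic from the LAN keeps working because the reply address is on-link. As an added example (not code from the thread), the Python model below plays that out with the thread's own addresses; the external client 203.0.113.7 and the assumption that the router's NAT loopback also rewrites the source to its own LAN address (the usual implementation) are mine.

```python
"""Why the forward in this thread worked from the LAN but timed out from outside.

Added example, not code from the thread. It simulates the posted setup: a router
doing DNAT of public:80 (and public:9911) to 192.168.100.230:80, and a LAN device
that must route its SYN/ACK back to whoever sent the SYN. Addresses are the ones
posted in the thread; 203.0.113.7 is a made-up external client. NAT loopback is
assumed to masquerade hairpinned LAN traffic behind the router's LAN address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LAN_NET = ipaddress.ip_network("192.168.100.0/24")
ROUTER_LAN_IP = "192.168.100.1"
PUBLIC_IP = "67.55.200.78"        # WAN address from the posted Tomato status
DEVICE_IP = "192.168.100.230"     # the controller with the web UI on port 80

# Port forwards as configured: (public ip, public port) -> (lan ip, lan port)
FORWARDS: Dict[Tuple[str, int], Tuple[str, int]] = {
    (PUBLIC_IP, 80): (DEVICE_IP, 80),
    (PUBLIC_IP, 9911): (DEVICE_IP, 80),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Host:
    """A minimal IP host: directly connected subnets plus an optional default gateway."""
    name: str
    connected: List[ipaddress.IPv4Network]
    gateway: Optional[str] = None

    def next_hop(self, dst: str) -> Optional[str]:
        """Where this host would send a packet for dst; None means 'no route'."""
        ip = ipaddress.ip_address(dst)
        for net in self.connected:
            if ip in net:
                return dst            # on-link: deliver directly
        return self.gateway           # off-link: only via the default route


def dnat(pkt: Packet) -> Optional[Packet]:
    """DNAT rewrites only the destination; the source address is left untouched."""
    target = FORWARDS.get((pkt.dst, pkt.dport))
    if target is None:
        return None
    return Packet(pkt.src, target[0], target[1])


def simulate(client_ip: str, dst: str, dport: int, device: Host) -> str:
    """Outcome of a TCP SYN from client_ip to dst:dport, as a port checker sees it."""
    pkt = Packet(client_ip, dst, dport)
    from_lan = ipaddress.ip_address(client_ip) in LAN_NET
    if pkt.dst == PUBLIC_IP:
        fwd = dnat(pkt)
        if fwd is None:
            return "no-forward"       # no rule: the router never hands it to the device
        # NAT loopback: a LAN client hitting the public IP also gets its source
        # rewritten to the router, so the device's reply only has to cross the LAN.
        src = ROUTER_LAN_IP if from_lan else pkt.src
        pkt = Packet(src, fwd.dst, fwd.dport)
    if pkt.dst != DEVICE_IP:
        return "no-forward"
    # The SYN arrived. The device now answers pkt.src; without a route there
    # the SYN/ACK is never sent and the external tester reports a timeout.
    if device.next_hop(pkt.src) is None:
        return "timeout"
    return "open"


if __name__ == "__main__":
    no_gw = Host("controller, no default gateway", [LAN_NET])
    with_gw = Host("controller, gateway set", [LAN_NET], gateway=ROUTER_LAN_IP)
    for dev in (no_gw, with_gw):
        print(dev.name)
        print("  LAN client -> device directly     :", simulate("192.168.100.100", DEVICE_IP, 80, dev))
        print("  LAN client -> public IP (loopback):", simulate("192.168.100.100", PUBLIC_IP, 80, dev))
        print("  Internet   -> public IP :80       :", simulate("203.0.113.7", PUBLIC_IP, 80, dev))
        print("  Internet   -> public IP :9911     :", simulate("203.0.113.7", PUBLIC_IP, 9911, dev))
```

The model reproduces the symptom exactly: both LAN cases succeed and both Internet cases time out until the device has a default gateway, and the port number chosen for the forward makes no difference. The alternative fix, if a device cannot take a gateway, is to have the router SNAT forwarded traffic to its own LAN address as well, at the cost of the device no longer seeing real client addresses in its logs.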

Author Closing Comment

by:david1986
ID: 34281220
Good advice -- just wasn't the problem I was thinking.