Port forwarding issue (maybe)?

I have a TP-Link 150M router that is our gateway.

If I forward port 3389 to .128 I can remote into .128.  CanYouSeeMe.org shows 3389 open.

If I disable this entry then CanYouSeeMe.org reports 3389 as closed and I cannot remote into it.

I am looking to forward port 80, 3011 and 1911 to an A/C controller.  The A/C people state that they cannot hit their controller.

CanYouSeeMe.org shows 80, 3011 and 1911 as closed.  I thought that perhaps this was due to a configuration on their controller.  So I set up IIS on a spare server and http:\\localhost (from that spare server) brings up the iis7 page.  I then forwarded port 80 to that new server and CanYouSeeMe.org still shows 80 closed.

Any idea as to what is going on?  I need to open 80, 3011 and 1911.  ISP doesn't block anything.
Sheldon LivingstonConsultantAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

andreasSystem AdminCommented:
next test: forwar ports 3011 and 1911 to port 80 of the new server and test with canyouseeme if it is open now.

If yes, then port 80 seems to be blocked somewhere.
Sheldon LivingstonConsultantAuthor Commented:
3011 and 1911 fail as well.
Guy LidbetterCommented:
First off.. can you access the ports on that controller from within your network?
Need More Insight Into What’s Killing Your Network

Flow data analysis from SolarWinds NetFlow Traffic Analyzer (NTA), along with Network Performance Monitor (NPM), can give you deeper visibility into your network’s traffic.

andreasSystem AdminCommented:
Is the HOST firewall for the newly set up server OFF?
Sheldon LivingstonConsultantAuthor Commented:
No idea Guy.... not an A/C guy...

Let's pretend the issue is just trying to get CanYouSeeMe.org see 80, 3011 and/or 1911 as open.  

For example, if I can forward these ports somewhere and show them as open then I can defer this whole issue to the A/C people.  

As it stands now it looks like we are blocking these ports.
Sheldon LivingstonConsultantAuthor Commented:
andreas... yes, I completely turned off the firewall.
andreasSystem AdminCommented:
Can you forward 3389 (RDP) to thge server machine and use it from outside?
Guy LidbetterCommented:
OK, start with this. You cannot get CanYouSeeMe.org to see it, if it's not configured or accessible internally first....

We already know the forwarding works because of the 3389 rule. They block this looooong before they block 80...
So, On a computer that is on the same network as the A/C controller... Try these in order:

Telnet <IP address of controller> 80

Open in new window

Telnet <IP address of controller> 3011

Open in new window

Telnet <IP address of controller> 1911

Open in new window


If these fail then the controller is not configured for the network and the port forward wont work.

If they work, we can start looking at further possible issues.
andreasSystem AdminCommented:
Double Check IP config of Server

especially

IP (unique), Netmask (same as router) Gateway (router IP).

And the port forward on the router to the IP of the server itself. (typo)
Sheldon LivingstonConsultantAuthor Commented:
andreas:  I forwarded 3389 to the server and I can connect and 3389 shows open while 80 (also not forwarded to the server) appears closed.  

IP config of Server looks good.
Sheldon LivingstonConsultantAuthor Commented:
Guy:  Telnetting to the server, port 80 failed, as did telentting 80, 3011 and 1911 to the controller.
Sheldon LivingstonConsultantAuthor Commented:
Guy:  I forgot that I had disabled WWW on the new server.  I re-enabled WWW and telnet does not fail.  Not sure what telnet is doing (blank screen), but it is not failing.
Sheldon LivingstonConsultantAuthor Commented:
Guy:  Although telnet is not failing, CanYouSeeMe still shows 80 as closed.
Guy LidbetterCommented:
Blank screen is a successful connection, otherwise the attempt will just time out and say "....Could not open connection....: Connect Failed"

Just to be clear, the port forward needs to be to the server not the controller?

you said
Guy:  Telnetting to the server, port 80 failed, as did telentting 80, 3011 and 1911 to the controller.

If you cannot connect to the controller internally, and the controller is what the A/C company need access to (not the server), then the controller is not configured for net management.

P.S. What is the controller? A Device or Server? if a server, what OS is it running on?
Sheldon LivingstonConsultantAuthor Commented:
Guy:  I was trying to make a point about not being able to telnet port 80 on the server... then I realized that I had stopped WWW on the server.

The A/C controller is a device that they had set up.

The port forwarding needs to be to their device.

Does "then the controller is not configured for net management" mean that a "Connect Failed" doesn't necessarily mean that they configured their device incorrectly?
andreasSystem AdminCommented:
can you internally pimng the ip adress of the a/c controller?
Sheldon LivingstonConsultantAuthor Commented:
Cannot ping the controller... or any other computer.
andreasSystem AdminCommented:
after ping the a/c controller, is there a MAC address in the ATP-Table of the pinging machine?

can get ARP table with arp -a in an administrator CMD. (run as asministrator) and then arp -a then you should see a mac address for the a/c controllers IP.

If not the a/c controller might have WRONG ip config.

What other Computers you cannot ping? Windiws systems? IF yes im guessing the firewall is on for the other Computers blocking pings.
Guy LidbetterCommented:
Hi Classnet...

The only way you would not be able to ping any computer at all is if your router is preventing ICMP traffic.
By default, this is allowed and is usually only disabled for specific devices (Firewalls) to prevent device discovery using a ping or tracert to get device info.
I would be highly surprised if ICMP is being blocked at the end point (User Computers\servers using windows firewall or AV firewall)
This then means there is probably a firewall between the A/C and the router which is filtering\blocking the traffic.

First off, I would want to confirm the network settings the A/C company configured for the Device. You need to be 100% positive the IP Address, Subnet and Gateway are configured correctly, Or if the device is setup with DHCP, you need to make sure you reserve that IP for that device to prevent your port forward from dying at some point.

Secondly, you need to look at what is filtering your traffic. Not being able to ping ANY device internally  is a troubleshooting nightmare.

Thirdly, You need to ensure any firewalls that are internal are allowing Ports 3011 and 1911. We know port 80 is allowed because you connected to the server.

I hope this helps a bit... but we can get there!
andreasSystem AdminCommented:
Windows firewall will block pings fore sure if you set security zone of home network to public. Many people do this.
Guy LidbetterCommented:
Oh wait... this is a home system? well that's different! hahaha I just assumed it was a corporate network...

In that case... the device is almost certainly not configured properly for your network. Could you let me know what A/C device it is?
Sheldon LivingstonConsultantAuthor Commented:
This is a corporate environment.  

It sounds like it is being suggested that there is, somewhere, another firewall in play here.

How come CanYouSeeMe shows port 3389 open or closed depending on whether I enable or disable the forwarding rule on the TP-Link?
Guy LidbetterCommented:
OK, so it is corporate...

3389 is the default RDP port to remote onto a server, if you blocked this you would not be able to log remotely onto anything, so I would be shocked if that is blocked. Has this redirect been setup to point to the server or controller?

The same with port 80, normal http, and we know this works because you tested it on the server.

So lets forget port 80 and 3389 on the server and start concentrating on the A/C controller.

If the controller is correctly configured, and ther is no additional firewall in the way... the telnet tests above would work.

So 2 scenarios exist:
1. The controller is not properly configured.
2. There is a firewall somewhere blocking access to the controller.

So some questions:
1. What A/C is this so I can lookup the controller, and get some more info.
2. Do you have a network resource or diagram that you can reference, to find out how your network ties together, or would be able to identify any devices that would cause this issue?

The simple fact is this.

If the controller is setup correctly and there are no firewalls in the way, the controller would essentially be plugged directly into the router, and there would be no issue. This is clearly not the case.

Can you confirm the configuration of the device and ensure it matches up with your network settings?
Guy LidbetterCommented:
Going back to your request on making CanYouSeeMe.org see 80, 3011 and/or 1911 as open.

On your server: create 2 new websites: Site1 and Site2 (using default application pool is fine, just create a folder for each in inetpub\wwwroot).
Set one to use Port 3011 and the other to use 1911. (If you need help with this just ask, but you can set this when creating the site)

So you should have 3 sites
default :  Port 80
Site 1: Port 3011
Site 2: Port 1911
Once done, run these in a admin cmd window

Netstat -an | find "3011"

Open in new window

Netstat -an | find "1911"

Open in new window


If they both provide something like the below you're set to test redirection:
TCP  0.0.0.0:3011      0.0.0.0:0      Listening
and
TCP  0.0.0.0:1911     0.0.0.0:0      Listening

Now just make sure you have 3 rules redirecting these ports to the test server.

Regards

Guy
Sheldon LivingstonConsultantAuthor Commented:
Guy...

The ISP doesn't block anything.  My assumption was that since CanYouSeeMe would show port 3389 as open or closed, depending on whether I enabled or disabled the forwarding rule, that the TP-Link was the only thing that could be blocking ports.

We should not forget 80... CanYouSeeMe shows 80 as closed.  Additionally if I setup the webserver I get nothing trying to hit it from the outside.

Thus...  "and there are no firewalls in the way" is key here.  How would I find out if there is a Firewall in place?
Guy LidbetterCommented:
Just follow the website creation above....

I forgot to tell you to run these in an admin cmd window  just after you create the websites, before you run the netstat queries... they will open the windows firewall for these ports.

netsh advfirewall firewall add rule name="Open Port 3011" dir=in action=allow protocol=TCP localport=3011

Open in new window

netsh advfirewall firewall add rule name="Open Port 1911" dir=in action=allow protocol=TCP localport=1911

Open in new window


This will definitely let us know if there is something blocking as we already know 80 worked from here.
Sheldon LivingstonConsultantAuthor Commented:
I get exactly what you show... 0.0.0.0, etc.
Guy LidbetterCommented:
Great, then configure the redirections and see if  CanYouSeeMe reports as open.
Sheldon LivingstonConsultantAuthor Commented:
Nice...

So, 1911 and 3011 show as open.  80 still closed.  I assume that if I did the netsh (opened the port of the server FW) that 80 would be ok.

So, this sounds like an issue with the A/C controller configuration.  Not any Firewall issues.  Correct?
Guy LidbetterCommented:
Sounds like it! Looks like its pretty well pinpointed.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Sheldon LivingstonConsultantAuthor Commented:
Thank you so much Guy!
Guy LidbetterCommented:
Pleasure! Told you we would get there!
Sheldon LivingstonConsultantAuthor Commented:
:-)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.