
Port forwarding to access my home web server



chiefnz
22-03-2016, 06:26 PM
Ok so I am running a CentOS 7 based webserver at home.

Nothing fancy just serving up a simple website... for now but more complexity to come later.

The trouble I'm having now is that I cannot seem to get port forwarding working on my modem which to be frank is the standard Vodafone POS Huawei HG659 unit.

So here's the guts of things:


I have a static IP address supplied by Vodafone.
I can get to the router login via the provided static IP address.
The server has a static IP on the local network.
I've set up the following port forward rule.

Mapping name: "mywebserver"
Application: WebServer(HTTP)
Internal Host: Set to the server's ethernet connection. Note there is no way to set this by MAC or IP address on the modem just a drop down selection menu listing all the devices currently connected to the modem.

I've pretty much "allowed" all http/https traffic through the firewall on the webserver.... probably a bit risky but given I am only getting as far as the modem login screen probably not a major issue right now.


Disclaimer: I am looking at potentially getting a new modem with a little more "smarts" than the current POS I have, but before I go forking out $150+ for a new router I want to be absolutely sure this will not work on the modem I have.
I am aware others have gotten it to work... but in just about all the posts I've read the same people went ahead and bought a new router anyway, so not much of a benchmark to be fair.

Any advice would be helpful.

Thanks in advance.

fred_fish
22-03-2016, 08:12 PM
Are you trying to connect from outside your LAN?
Turn off the router's web control panel on the external interface!

CYaBro
22-03-2016, 08:22 PM
Yea you shouldn't be able to access the router from the internet side!
However, if you are testing from your internal network then you will have issues; you need to be able to test from another internet connection.

chiefnz
22-03-2016, 09:01 PM
> Are you trying to connect from outside your LAN?
Yes, I've been testing access from my tablet via 3G/4G mobile broadband - no dice!

> Turn off the router's web control panel on the external interface!
Forgive my ignorance, but any ideas on how to do this? I've been through all the menu options and there is nothing blatantly obvious that allows me to do this.


On another note... given this issue and the future need for some more "advanced" networking needs (VPN, FTP etc.) I'm looking at getting a new modem... any suggestions?

I've been looking at a few Draytek, DLink, Netgear and Asus models.

I need something with the following...

VDSL/VDSL2+ etc and UFB capable.
SPI firewall
NAT/port forwarding
VPN (would be nice but not essential... at this stage)
FTP/SAMBA etc.
Dual band WiFi providing 802.11b/g/n/a/ac etc.
At least 4 Gb ports plus 1 for WAN (UFB)
USB ports optional but would be nice to have.

Thanks for the replies.

Cheers.

fred_fish
22-03-2016, 09:24 PM
I've got one I'm just using as a wireless AP & Gb switch so can't test from "outside", but it looks like the web control panel is only available on the LAN side anyway - my guess is your tablet is still using wireless, so port 80 on your router address is serving its own page.
How exactly are you addressing it?
Can you connect directly to your server (by LAN IP or name) and get your webserver?

Edit: You probably don't need a new router, if you're running CentOS anyway, just use that to provide your VPN, FTP, whatever services you want.

Edit: doesn't the 659 hit all those specs anyway?

pcuser42
22-03-2016, 10:09 PM
I feel your pain, that router is a pile of garbage and we can't replace it because the landline won't work. :annoyed:

However I have managed to forward several ports, make sure port 80 (specifically) is open on the server too.

Also, if you're trying to access the server with HTTPS, that's a different port that will take you to the router page by default.

Kame
23-03-2016, 01:03 AM
Hi chiefnz,

Check that you are allowed to do this, ISP may be blocking.

I would assume your port forwarding rules sound correct.

I do not know how you serve your files, what location do they reside in?


Firewall may be interfering:

Not the best test method, but turn your firewall off.

# systemctl stop firewalld
# systemctl disable firewalld

We will turn it on when things are all working and create the right rules for it.

I would turn off SELinux too unless you know how to make policies for it, although httpd ones do exist. Just making sure the directory is correct can be troublesome too; usually, again, I set this up after I have my web server running correctly.

vi /etc/selinux/config

change line to say SELINUX=disabled
and reboot your computer.

So what web server are you running? Did this help? We may need to view logs to see if there's any hints. Another test you could try is telnet, nc or wget, to see a more verbose reason why outside connections aren't happening.

Unfortunately, I'll forever be writing it from my phone, so I'll try and return when I am behind a computer.

Cheers,

KK
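The test fred_fish and Kame are getting at (hit port 80 from outside with a plain HTTP client and look at what actually answers) can be scripted so the modem's admin page and Apache are told apart by their response headers rather than by what a browser renders. The script below is an added example, not code from anyone in the thread. `classify_headers` works on any captured header block; `probe` needs curl(1) and a host/port you supply. The two sample responses at the bottom are constructed: one imitates the https redirect chiefnz describes, the other a stock CentOS 7 httpd.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the first HTTP response
# seen on a forwarded port so a redirect to the router's own https page is
# not mistaken for the web server.

# $1 = raw response headers (status line plus header lines, CRLF or LF).
# Prints a verdict. Returns 0 if httpd answered, 1 if something else
# answered, 2 if the reply is not HTTP at all.
classify_headers() {
  hdr=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdr" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
  location=$(printf '%s\n' "$hdr" | sed -n 's/^[Ll]ocation:[ ]*//p' | head -n 1)
  server=$(printf '%s\n' "$hdr" | sed -n 's/^[Ss]erver:[ ]*//p' | head -n 1)
  case "$status" in
    30[1278])
      case "$location" in
        https://*) echo "redirect to $location: a device answering with its own https page, not the forwarded server"; return 1 ;;
        *)         echo "redirect to $location: not your document root"; return 1 ;;
      esac ;;
    200)
      case "$server" in
        Apache*) echo "200 from $server: the forward reached httpd"; return 0 ;;
        *)       echo "200 from '${server:-unknown}': something served a page, confirm it is yours"; return 1 ;;
      esac ;;
    '') echo "no HTTP status line"; return 2 ;;
    *)  echo "HTTP $status from '${server:-unknown}'"; return 1 ;;
  esac
}

# $1 = host or IP, $2 = port. Requires curl; run it from a connection that
# is NOT behind the modem (mobile data with Wi-Fi off, a friend's line).
probe() {
  hdrs=$(curl -sS -D - -o /dev/null --max-time 5 "http://$1:$2/" 2>/dev/null) || {
    echo "no HTTP reply on $1:$2 (refused, filtered, or the forward is missing)"
    return 2
  }
  classify_headers "$hdrs"
}

# Constructed samples: the modem's redirect as chiefnz reports it (address is
# a documentation-range placeholder), and a working forward to CentOS 7 httpd.
ROUTER_REPLY='HTTP/1.1 302 Found
Location: https://203.0.113.10/
Content-Length: 0'
HTTPD_REPLY='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=UTF-8'

for r in "$ROUTER_REPLY" "$HTTPD_REPLY"; do
  classify_headers "$r" || :
done
```

Against a live host, `probe YOUR.STATIC.IP 80` from mobile data gives the same verdicts; a 302 to `https://` on port 80 means the request never reached the LAN host, which is exactly the symptom in this thread.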

chiefnz
23-03-2016, 10:04 AM
> I've got one I'm just using as a wireless AP & Gb switch so can't test from "outside", but it looks like the web control panel is only available on the LAN side anyway - my guess is your tablet is still using wireless, so port 80 on your router address is serving its own page.
> How exactly are you addressing it?
> Can you connect directly to your server (by LAN IP or name) and get your webserver?
>
> Edit: You probably don't need a new router, if you're running CentOS anyway, just use that to provide your VPN, FTP, whatever services you want.
>
> Edit: doesn't the 659 hit all those specs anyway?

I definitely have WiFi disabled on the tablet and am using mobile broadband.
I am using the static IP provided to me by my ISP (Vodafone). Strangest thing is that even if I use http://myipaddress it always translates to https? Even if I did http://myipaddress:80 I still get the https link.
The 659 does have all those specs but in all honesty it is quite frankly a "consumer" based product and I'd like something with a little more smarts and advanced features.


> I feel your pain, that router is a pile of garbage and we can't replace it because the landline won't work. :annoyed:
>
> However I have managed to forward several ports, make sure port 80 (specifically) is open on the server too.
>
> Also, if you're trying to access the server with HTTPS, that's a different port that will take you to the router page by default.

Amen to the router being a POS.
Server definitely has firewalld configured to allow http/s traffic through, as I can access it from any device on the LAN.
Even if I did http://myipaddress:80 I still get the https link.


> Hi chiefnz,
>
> Check that you are allowed to do this, ISP may be blocking.
>
> I would assume your port forwarding rules sound correct.
>
> I do not know how you serve your files, what location do they reside in?
>
> Firewall may be interfering:
>
> Not the best test method, but turn your firewall off.
>
> # systemctl stop firewalld
> # systemctl disable firewalld
>
> We will turn it on when things are all working and create the right rules for it.
>
> I would turn off SELinux too unless you know how to make policies for it, although httpd ones do exist. Just making sure the directory is correct can be troublesome too; usually, again, I set this up after I have my web server running correctly.
>
> vi /etc/selinux/config
>
> change line to say SELINUX=disabled
> and reboot your computer.
>
> So what web server are you running? Did this help? We may need to view logs to see if there's any hints. Another test you could try is telnet, nc or wget, to see a more verbose reason why outside connections aren't happening.
>
> Unfortunately, I'll forever be writing it from my phone, so I'll try and return when I am behind a computer.
>
> Cheers,
>
> KK

I'm using the standard location - /var/www/html
Even with SELinux disabled I still get the same problem, i.e. the gateway home page. Getting to the website via the internal network actually worked before I disabled SELinux.
I do suspect this is ISP related as they are able to push firmware updates to the modem.... though having said that they'd probably use something like SSH/SFTP, but given what I've seen from other ISPs it wouldn't surprise me if they were using https to update the firmware etc.
Using the standard Apache webserver which comes with CentOS 7 (15.11 build).


I'm going to go modem shopping later and see what I can pick up.

Thanks for all the replies... even though it's not working I'm quite happy that I have performed most if not all of the suggestions provided so tick box for troubleshooting knowledge. :)

Cheers,

1101
23-03-2016, 10:27 AM
> I feel your pain, that router is a pile of garbage ......

.....garbage for anything but basic/home usage :)
OK for most people who will never port forward/DMZ etc.

Is the wifi on it as bad as many claim?

I found (on 2 of those) some ports simply will not actually forward; even with DMZ some ports stay blocked.
I'd bet that since it's designed to allow the ISP's help desk easy access to it, to check settings etc., perhaps some ports will be assigned for the ISP's back door in their custom firmware.

pcuser42
23-03-2016, 12:58 PM
Aah, you're being redirected to HTTPS - you might have to disable remote management in the router, but I can have a look when I get home and see what else I can find that might help. :) Another thought, clear the cache on the browser you're trying to access the server from. Port 8080 (IIRC) is reserved but port 80 isn't. Otherwise my server would be useless ;)

Kame
23-03-2016, 05:33 PM
Since you can access the web interface from the internet, which is definitely a bad move, maybe that is the ISP's remote access; as you say they can push updates, so maybe web and ssh are accessible to them. It could also mean your 3G/4G is still on their network.

To access it from internal networked computers from the outside, use web proxy services, anonymous proxies, etc.; it's how I normally test.

Maybe change apache to listen on a different port, or use IP masquerade and port forwarding. This way you can direct external connections to a different port for your server.

Changing the port that it listens on would be changing the httpd.conf file, or to do IP masquerade and port forwarding, you will need your firewall on and perform

# firewall-cmd --zone=public --add-masquerade --permanent
# firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=80 --permanent

This depends on your zone being public. In this example I use port 8888 and forward it to port 80, which means I don't have to change httpd to listen on a different port. You would then port forward tcp connections on the router for port 8888 to your server.

Cheers,

KK
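Kame's two firewall-cmd lines do the job, but `--permanent` only edits the saved configuration; nothing changes in the running ruleset until `firewall-cmd --reload`, and it is worth confirming the rule is live before touching the router. The script below is an added example, not Kame's own script: it validates the port numbers, applies the same masquerade and forward-port rules, reloads, and checks the live zone. `ZONE`, `EXT_PORT` and `WEB_PORT` are placeholders (defaulting to Kame's public/8888/80); firewall-cmd is assumed to be installed, and the script must run as root to apply anything.

```shell
#!/bin/sh
# Added example (not from the thread): apply, activate and verify a firewalld
# forward-port rule. Run as root: sh forward.sh apply

ZONE="${ZONE:-public}"         # zone the NIC is bound to (check --get-active-zones)
EXT_PORT="${EXT_PORT:-8888}"   # port the router forwards to this host
WEB_PORT="${WEB_PORT:-80}"     # port httpd actually listens on

# Accept only a plain TCP port number in 1..65535 (rejects "", "8o", "0", "70000").
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the argument exactly as --add-forward-port expects it.
forward_arg() {
  printf 'port=%s:proto=tcp:toport=%s' "$1" "$2"
}

apply_forward() {
  valid_port "$EXT_PORT" || { echo "bad EXT_PORT: '$EXT_PORT'" >&2; return 1; }
  valid_port "$WEB_PORT" || { echo "bad WEB_PORT: '$WEB_PORT'" >&2; return 1; }
  rule=$(forward_arg "$EXT_PORT" "$WEB_PORT")

  # Same two rules as the post; --permanent writes the saved config only.
  firewall-cmd --zone="$ZONE" --add-masquerade --permanent || return 1
  firewall-cmd --zone="$ZONE" --add-forward-port="$rule" --permanent || return 1

  # Reload so the permanent rules become the running ruleset.
  firewall-cmd --reload || return 1

  # Verify against the live zone, not the saved file.
  firewall-cmd --zone="$ZONE" --query-masquerade >/dev/null || {
    echo "masquerade is not active in zone $ZONE" >&2; return 1; }
  firewall-cmd --zone="$ZONE" --list-forward-ports | grep -Fq "$rule" || {
    echo "forward $rule is not active in zone $ZONE" >&2; return 1; }
  echo "tcp/$EXT_PORT -> tcp/$WEB_PORT is live in zone $ZONE"
}

if [ "${1:-}" = "apply" ]; then
  apply_forward
fi
```

Masquerading is only required by firewalld when the forward targets another address (`toaddr=`); for a `toport` on the same host it is harmless but not needed, so you can drop that line if the box is not also routing for other machines.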

chiefnz
23-03-2016, 05:54 PM
SUCCESS!!! Well, as a manner of speaking... Dare I say I've struck a blow to the big "ISPs provide $hitty modems" club.

So I went out and bought a TP-Link TD-W9980 N600 Wireless Dual Band Gigabit VDSL2 Modem Router as well as a D-Link DGS-1100-05 5-port managed switch (not a requirement for my issue but I was wanting something similar for a while now).

Anyways, long story short: set up the modem and associated WLAN configs etc., added a rule to the DMZ config and BAM, I can access my webserver on the first try!!! :punk

firewalld is enabled with an allow rule for http/https and SELinux is enabled. I just need to review the firewalld config as I'm not sure exactly where the allow rule should be. I'm thinking DMZ perhaps, or is it external? Networking isn't my strong suit but the desire to learn is there.

Thanks again for all the advice. I will have a play with the firewall and see how I get on. Please feel free to drop some knowledge on what the firewall rule should be.

Cheers,

chiefnz
23-03-2016, 07:25 PM
Ok so the theory that using a 3G/4G connection on the Vodafone network will not work is now proven. I can access the web server using my SPARK mobile but cannot get to it if I use my tablet which is running on the Vodafone network. I'm not too sure if there is any "sense" behind this or if I'm in fact doing something wrong. I've asked a friend to see if he can access the server from his home but have not heard back as yet.

I have now changed the firewall settings only enabling http/https on the DMZ tab, all other "zones" are at their defaults and none of them have http/https ticked. I assume this is correct but if not please let me know.

Cheers.
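Whether http/https belongs under the "dmz" tab, "public" or "external" is not a matter of which name sounds right: a firewalld zone only filters traffic on the interfaces (or source ranges) bound to it, and on a stock CentOS 7 box a single NIC sits in "public" unless you moved it. So the check to make before ticking services is which zone the server's NIC is actually in. The script below is an added example, not from anyone in the thread: it parses `firewall-cmd --get-active-zones` output to find the zone of a given interface and prints the add-service commands for that zone. `IFACE` is a placeholder, and the sample zone listing is constructed for when firewall-cmd is not installed on the machine running it.

```shell
#!/bin/sh
# Added example (not from the thread): allow http/https in the firewalld zone
# the interface really belongs to, rather than in a zone nothing is bound to.
# Usage: IFACE=enp3s0 sh allow-web.sh

# Parse `firewall-cmd --get-active-zones` output ($1) and print the zone
# whose "interfaces:" line lists $2; prints nothing if $2 is unbound.
# Format: zone name at column 0, then indented "interfaces: a b c".
zone_of_interface() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^[^ ]/ { zone = $1; next }
    /^ +interfaces:/ {
      for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
    }'
}

# Print the commands that open http/https in the zone of interface $2,
# given the active-zone listing $1. Fails if the interface is in no zone.
allow_web_in_zone() {
  z=$(zone_of_interface "$1" "$2")
  if [ -z "$z" ]; then
    echo "interface $2 is not in any active zone; bind it first, e.g." >&2
    echo "  firewall-cmd --zone=public --change-interface=$2 --permanent" >&2
    return 1
  fi
  printf 'firewall-cmd --zone=%s --add-service=http --permanent\n' "$z"
  printf 'firewall-cmd --zone=%s --add-service=https --permanent\n' "$z"
  printf 'firewall-cmd --reload\n'
}

# Constructed sample of --get-active-zones on a host whose only NIC is in
# "public": here a rule added under "dmz" would never be consulted.
SAMPLE='public
  interfaces: enp3s0'

if command -v firewall-cmd >/dev/null 2>&1; then
  ACTIVE=$(firewall-cmd --get-active-zones)
else
  ACTIVE="$SAMPLE"
fi
allow_web_in_zone "$ACTIVE" "${IFACE:-enp3s0}"
```

The printed commands are deliberately not executed, so you can read which zone they target first; pipe them into `sh` as root once the zone is the one your NIC shows under `--get-active-zones`.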

fred_fish
23-03-2016, 08:18 PM
Sounds dubious - still think you are either using your wifi or seeing a cached page.

chiefnz
24-03-2016, 02:45 PM
> Sounds dubious - still think you are either using your wifi or seeing a cached page.

Everything seems to be working ok now from Vodafone and non-Vodafone networks... mobile and terrestrial connections.

I seem to have disabled Internet access from the server, so the next step is to figure out how to get this going.

Cheers,