Calibre-Server and Port Forwarding Issues

[MontyJ]

Quote:

Originally Posted by davidfor

The screen shots look good. Or at least, they look like what I would do. But, as it isn't working, something is wrong.

The first thing I would do is connect the PC directly to the Cisco modem and set the rules to point to it. That will eliminate the ASUS router as the problem. If you still can't see anything, then it probably means the ISP is blocking the ports. Or there is a firewall on the modem blocking access.

I have done that with the Linux PC and nothing changed. My last shot is to try it with my Windows PC, where I am more comfortable knowing I can eliminate any firewall issues easier. I have Calibre setup on it with a small test library already, so am going to give it one more shot before I call the ISP and attempt to pull teeth...

Thanks for the help; I never dreamed this would turn into such a nightmare...

Monty

[MontyJ]

Just one more question...well, two, LoL. I have attached a screenshot of the netstat command, showing all (I think) all ports that are being used and their state.

If my ISP was blocking all ports, why would any of these work? And yes Dropbox as well as a ton of stuff I didn't include in the capture, is working.

Second question: If I use a VPN which is activated either on the Linux PC or in the Asus router, would that prevent any port blocking by the ISP? IE, how can they block something inside the VPN pipe that they (supposedly) cannot see?

Just trying to understand how this stuff works!

Thanks again,

Monty

[MontyJ]

Here is the screenshot, attached.

[theducks]

Does you ISP have rules against running a Web Server?
Ports 80, 808x (common www ports) might be blocked.

What about your Modem?. Does it have a firewall or are you bridging?

[PeterT]

See if http://portforward.com/help/doublero...forwarding.htm helps.

Their address 192.168.1.1 is your 192.168.0.1; their 192.168.1.5 is your 192.168.0.11; their 10.0.0.1 is your 192.168.5.15 and finally their 10.0.0.15 is your 192.168.5.168

[davidfor]

"LISTEN" means that an application on the PC is waiting for something to come in on the port. It doesn't mean anything can reach it. "ESTABLISHED" means that something has reached that port.

I'm not sure on the rest. But, some of them work by the local application initiating the connection. They can hold it open or check periodically. They might also negotiate another port to use. The ISP is usually blocking incoming ports, not outgoing, so applications that work like this will be OK.

It's also common for ISPs to block some ports, but not others. Blocking port 25 is common to help prevent spam. My ISP blocks 25 outgoing, 135, 137, 138, 139, 445 both ways and 80, 443, 22, 23, 8080, 3128 incoming. But, I can also turn that off. Another policy I have seen is to block all low numbered ports, but allow high numbers.

Something you can try is to telnet to the ports. Or run a traceroute to the port from outside. Using telnet is handy as is the simplest way of contacting the port. The traceroute can help see where the block is. Unless you know the network well, it will still be a guess, but the domain names of the devices can give a good idea of where the block happens.

And of course, are you sure the where ever you are testing from isn't blocking the port? I have access to several networks at work. They are all restricted, but one of them is almost completely closed to the outside world.

[MontyJ]

Quote:

Originally Posted by theducks

Does you ISP have rules against running a Web Server?
Ports 80, 808x (common www ports) might be blocked.

What about your Modem?. Does it have a firewall or are you bridging?

Frankly, I do not know if Megacable has rules against web servers, but I do intend to ask if I can't get this going! As for the ports, that is why I chose the 8181 port to test; it didn't seem to be used by anything well known. The Cisco Cable Modem/Router has this security page where I can change things:

SPI Protection: Default is "Low". Other settings are OFF, Medium, High. I have tried OFF, it did not help.

IPv6 Firewall Protection: ON

Filters-
Block fragmented IP packets OFF
Block Port Scan Detection OFF
IP Flood Detection OFF

Allowed Services-
"No Ports Restricted" (That is Cisco's terminology, not mine)

Block WAN Requests
Block Anonymous Internet Requests OFF (Default is ON)
----------------------------------------------------------
My LAN router is Tomato firmware based. Except for the ICMP Ping, which I do not block for this effort, everything is default:

Firewall
Respond to ICMP ping Yes (Default is No. I allow ping so the remote person helping me might be able to see a response from my system)
Limits per second-
ICMP = 1 request per second
Traceroute = 5 request per second

Enable SYN cookies = NO (Default)
Enable DSCP Fix = YES Fixes Comcast incorrect DSCP (Default)

NAT
NAT loopback = ALL (Default)
NAT target = MASQUERADE (Default)

Multicast-
Enable IGMPproxy = NO (Default)
Enable Udpxy = NO (Default)
Enable client statistics-
Max clients = 3 (Default)
Udpxy port = 4022 (Default)
--------------------------------------------------------------------

I have left things in default as much as possible.

[MontyJ]

Quote:

Originally Posted by PeterT

See if http://portforward.com/help/doublero...forwarding.htm helps.

Their address 192.168.1.1 is your 192.168.0.1; their 192.168.1.5 is your 192.168.0.11; their 10.0.0.1 is your 192.168.5.15 and finally their 10.0.0.15 is your 192.168.5.168

Yes, that is the site I have been using (I pasted the site in a previous post). And in my initial try, I set R1 up just as they have it, but set R2 up with my normal local LAN IP addresses of 192.168.5.11 (Router). Since then, I wondered if there was some conflict due to the same primary domain of 192.168.

So I went all out and changed it to their example, ie using 10.0.0.10 as my local LAN router address. The assignments are now:

Internet > R1 (192.168.0.1) > R2 (192.168.0.10) WAN IP > R2 (10.0.0.1) LAN IP > 10.0.0.100-.199 (LAN Devices)

In R1 the port forward 8181 is now set to IP 192.168.0.10 (R2 WAN/External IP)

I actually tried to put in 10.0.0.1 as the Port Forward IP, but R1 refused that, as it should have because R1 should have no knowledge of anything downstream of R2, the 10.x.x.x ranges.

And, it still does not work. R1 also has a DMZ and I have set it to 192.168.0.10, no change.

R2 has DMZ mode as well, and I set that to 10.0.0.168, which is the Linux PC LAN IP address. No change.

Thanks for the comments!

[MontyJ]

Quote:

Originally Posted by davidfor

"LISTEN" means that an application on the PC is waiting for something to come in on the port. It doesn't mean anything can reach it. "ESTABLISHED" means that something has reached that port.

I'm not sure on the rest. But, some of them work by the local application initiating the connection. They can hold it open or check periodically. They might also negotiate another port to use. The ISP is usually blocking incoming ports, not outgoing, so applications that work like this will be OK.

It's also common for ISPs to block some ports, but not others. Blocking port 25 is common to help prevent spam. My ISP blocks 25 outgoing, 135, 137, 138, 139, 445 both ways and 80, 443, 22, 23, 8080, 3128 incoming. But, I can also turn that off. Another policy I have seen is to block all low numbered ports, but allow high numbers.

Something you can try is to telnet to the ports. Or run a traceroute to the port from outside. Using telnet is handy as is the simplest way of contacting the port. The traceroute can help see where the block is. Unless you know the network well, it will still be a guess, but the domain names of the devices can give a good idea of where the block happens.

And of course, are you sure the where ever you are testing from isn't blocking the port? I have access to several networks at work. They are all restricted, but one of them is almost completely closed to the outside world.

Yea, I gotta break down and talk to the ISP and hope they will give me a straight answer.

I am a networking noob, so not sure what you mean by doing a "telnet to the ports"? Do you mean go into terminal mode on the Linux Calibre PC, then go into telnet to look at the ports?

Here is a traceroute to google.com:

traceroute google.com
traceroute to google.com (189.198.236.59), 30 hops max, 60 byte packets
1 unknown (10.0.0.1) 0.260 ms 0.497 ms 0.497 ms (R2 LAN IP)
2 192.168.0.1 (192.168.0.1) 0.719 ms 0.747 ms 0.745 ms (R1 LAN IP)
3 10.46.0.1 (10.46.0.1) 7.814 ms 7.834 ms 7.830 ms
4 10.0.44.62 (10.0.44.62) 8.982 ms 9.154 ms 9.449 ms
5 customer-GYS-static-161-9.megared.net.mx (200.52.161.9) 10.534 ms 11.029 ms 9.776 ms
6 * * *
7 * * *
8 * * *
This continues on for 30 hops with the three ***'s. No clue why this is happening

Here is the traceroute for megacable.com.mx, my ISP:

traceroute megacable.com.mx
traceroute to megacable.com.mx (200.52.196.125), 30 hops max, 60 byte packets
1 unknown (10.0.0.1) 0.231 ms 0.451 ms 0.451 ms
2 192.168.0.1 (192.168.0.1) 0.739 ms 0.769 ms 0.766 ms
3 10.46.0.1 (10.46.0.1) 6.976 ms 7.002 ms 7.674 ms
4 10.0.44.62 (10.0.44.62) 7.850 ms 11.472 ms 11.622 ms
5 customer-GYS-static-161-9.megared.net.mx (200.52.161.9) 13.289 ms 13.221 ms 13.685 ms
6 pe-gys.megared.net.mx (189.199.117.133) 12.257 ms 11.388 ms 7.758 ms
7 10.3.0.25 (10.3.0.25) 45.614 ms * 45.281 ms
8 10.3.0.13 (10.3.0.13) 45.982 ms 44.804 ms 44.738 ms
9 10.3.1.17 (10.3.1.17) 44.797 ms 44.767 ms 44.890 ms
10 10.3.0.97 (10.3.0.97) 48.897 ms 48.062 ms 48.811 ms
11 10.3.1.186 (10.3.1.186) 49.063 ms 76.262 ms 48.799 ms
12 10.3.1.42 (10.3.1.42) 45.735 ms 45.702 ms 45.654 ms
13 10.2.57.1 (10.2.57.1) 48.958 ms 10.2.57.5 (10.2.57.5) 77.822 ms 49.159 ms
14 * * *
15 portalweb.megacable.com.mx (200.52.196.125) 73.375 ms 100.201 ms 73.235 ms

I have attached a screenshot of R1 WAN/LAN setup I forgot to attach for above reply to PeterT.

[MontyJ]

A quick note. One of the port forward test sites I mentioned previously checks all these ports:

common ports
21 FTP
22 SSH
23 TELNET
25 SMTP
53 DNS
80 HTTP
110 POP3
115 SFTP
135 RPC
139 NetBIOS
143 IMAP
194 IRC
443 SSL
445 SMB
1433 MSSQL
3306 MySQL
3389 Remote Desktop
5632 PCAnywhere
5900 VNC
6112 Warcraft III

The all show up "Closed" on my detected web IP address. Same when I check 8181.

[theducks]

Moderator Notice
So far, this has been a general How To networking Topic. This does not belong here at Calibre and possibly, MR. Please wrap it up in the next few posts.

[MontyJ]

Ok, got it!

Thanks to all who helped me with this issue; your efforts are much appreciated.

To wrap it up, a (non-networking!) final question

Does the Calibre-Server work like a typical web server and allow multiple logins/users at the same time, doing their individual searching/sorting?

I realize there is only one username/password per server process, but I would hope multiple users can login and use it at the same time?

Thanks!

Monty

[theducks]

Quote:

Originally Posted by MontyJ

Ok, got it!

Thanks to all who helped me with this issue; your efforts are much appreciated.

To wrap it up, a (non-networking!) final question

Does the Calibre-Server work like a typical web server and allow multiple logins/users at the same time, doing their individual searching/sorting?

I realize there is only one username/password per server process, but I would hope multiple users can login and use it at the same time?

Thanks!

Monty

Yes

There are 'login issues" from certain devices. See the red notes on theGUI server configuration screen.

[eschwartz]

Yes, as many people as you like can connect at once.

In the new server (currently in development) you will be able to create multiple users, per-user restrictions, and some user settings I believe will even be stored.

[MontyJ]

Quote:

Originally Posted by theducks

Yes

There are 'login issues" from certain devices. See the red notes on theGUI server configuration screen.

OK, Thanks!!...What a great program Calibre is!!

Monty