Help with External Network port mapping

[nweishar 9]

Hi guys, I noticed on my main dashboard that my remote access link includes a port at the end when in reality that is not needed.

When I went to the network tab and tried to remove the external port, it indicated it was a mandatory field. Issue is when I click the link above for Remote Access (WAN), I get a: ERR_SSL_PROTOCOL_ERROR

Ideally my Remote (WAN) access link should be: http://emby.myaddress.myds.me (no port)

Does anyone know how to fix this or if its fixable?

Thanks!

 

[GrimReaper 3308]

You have something wrong in your setup, as your remote address is http:// while you're getting SSL (https://) error. Could you share a screenshot of your network settings?

[nweishar 9]

2 minutes ago, GrimReaper said:

You have something wrong in your setup, as your remote address is http:// while you're getting SSL (https://) error. Could you share a screenshot of your network settings?

For sure, thank you!
 

Let me know where I'm going wrong! Thanks

[GrimReaper 3308]

Have you forwarded ports in your router?

[nweishar 9]

2 minutes ago, GrimReaper said:

Have you forwarded ports in your router?

Yep, here are my router settings. Top two services are for the Synology Reverse Proxy

[GrimReaper 3308]

Your server is on different subnet, those port forwards won't do anything in your current setup:

[nweishar 9]

5 minutes ago, GrimReaper said:

Your server is on different subnet, those port forwards won't do anything in your current setup:

Thanks for pointing that out! I'm using Docker and from my understanding I can't use the Host network is that correct?

I hesitated putting in the subnet for port forwarding as that sometimes changes to a new value when restarting/redeploying the container...

[GrimReaper 3308]

Maybe your initial post could've contained few more details. 

How have you mapped your host and container ports?

Anyway, @Q-Droid might have a tip or two. Post server log.

[Q-Droid 652]

To test/troubleshoot network and connectivity start local then work your way out. Use a browser to connect to http://<host LAN IP>:8097 and if that works then try http://<host LAN IP>:80 for the reverse proxy.

In the Emby network settings the public http and https ports should match your WAN ports: 80 and 443. Don't change the local port values. The secure connection mode should be "Handled by reverse proxy".

The above is assuming that your reverse proxy itself is setup correctly and I don't know what you're using for that or what Synology has built-in. If your router allows NAT-loopback connections then eventually when all is working you should be able to connect using http:// and/or https://<your domain>. Generally you'd want https only on the WAN and either redirect http or disable the port 80 forward on the router.

 

[HawkXP71 99]

In order to have url without a port, your server must be serving up data on a port that is tied to a default scheme.  Http is tied to 80, https 443, ssh 22

So in the url, when you do http://xxx.xxx.xxx its the same has http://xxx.xxx.xxx.xxx:80  

If however, its on a different nonstandard port, you MUST add the port address.  There is no work around for this.  There are three possible solutions that I have tried successfully to get around this.  Note, after getting it working, I went back to using 18096 for external and just having each website that is exposed from my LAN having a different port.

the first thing you need to get working, is being able to connect to the docker server emby server from a machine NOT on the server.  once that is done, then here are two ways that I have successfully created the an outside address without port.  The first is easy, but it has some caveats.

Lets assume the INTERNAL address is http://172.21.0.2:8096

If you ONLY have one website being served up, option one is available.  On your router's port mapping map port 80 to port 8096.  Then the external default address http://myhome.com will serve up your emby.  

The next option, is to have your firewall have 2 ports open.  Port 80 and port 18096.  Then have your apache server, do a url redirect to the 18096 for all ip address outside the LAN.

This is how DSM and other server manager systems, start out on 80 and move to 5001.  The problem is DSM (and other NAS boxes) use this in their default server, and they own port 80.  

So what I do, map their port 80 to port 8080 on the firewall.  Then map port 80 on the firewall to port 8080 on the NAS, port 8080 

Then if you use the base/default url, you get emby, and if you want the synology server, you use 8080.

The third option is much more complex, I use an apache server to check the portand route the data to the correct server.  so http://nas.myhome.com goes to the default DSM url, of http://:80,  http://emby.myhome.com goes to the http://internal:8096 etc etc.

You still have to do the port swap of option 2.

You have to have full control over a apache server on your server.  Then using a subnet you can map the subnet to host from the emby internal server.  This is a pain to get working, but it can be done. 

Then the website you could use http://emby.myhome.com or http://otherserver.myhome.com  it can work, but it takes some googling and work.

 

 

Edited February 2, 2023 by HawkXP71

[nweishar 9]

8 hours ago, GrimReaper said:

Maybe your initial post could've contained few more details. 

How have you mapped your host and container ports?

Anyway, @Q-Droid might have a tip or two. Post server log.

My bad, sorry about that. Was on the train into work and was trying to get it in before arriving. Thanks for your help!

[nweishar 9]

5 hours ago, Q-Droid said:

To test/troubleshoot network and connectivity start local then work your way out. Use a browser to connect to http://<host LAN IP>:8097 and if that works then try http://<host LAN IP>:80 for the reverse proxy.

In the Emby network settings the public http and https ports should match your WAN ports: 80 and 443. Don't change the local port values. The secure connection mode should be "Handled by reverse proxy".

The above is assuming that your reverse proxy itself is setup correctly and I don't know what you're using for that or what Synology has built-in. If your router allows NAT-loopback connections then eventually when all is working you should be able to connect using http:// and/or https://<your domain>. Generally you'd want https only on the WAN and either redirect http or disable the port 80 forward on the router.

 

Thanks! I'm no expert (or even beginner really) when it comes to networking. I updated the external secure port to 443 and external http to 80 (setting reverse proxy as you mentioned) and it works great. Thanks you very much!

[Q-Droid 652]

Now that you have it working you might also want to clean up the other ports forwarded on your router. You don't need the Emby ports 8097 and 8930 exposed on the WAN and in your current config port 8930 is not active.

[nweishar 9]

1 hour ago, Q-Droid said:

Now that you have it working you might also want to clean up the other ports forwarded on your router. You don't need the Emby ports 8097 and 8930 exposed on the WAN and in your current config port 8930 is not active.

Completely concur. Thank you very much!