Carneth 12 Posted March 29, 2015

Hi all, just wondering if anyone can help me! I've got media browser working over the internet, just fine, with a previous wifi router... but not my current one... Or rather, it does work with my current one when the firewall is turned off, but not when the firewall is turned on. The set-up is as follows:

* DNS - via no-ip.org, DUC running to update the IP assigned to my no-ip sub-domain - this works fine/perfectly
* IPv4 network within the house
* WiFi router & firewall: TP-Link TD-W8980
* Router WAN port showing the correct public IP address
* Port forwarding configured as: Service Port: 8096; IP Address: mediabrowser server host IP address; Internal port: 8096; Protocol: TCP; Status: Enabled; Interface: pppoa_0_38_0d (this is the correct interface, there is only 1)
* IPv4 Firewall configured as:
  - Deny unless explicitly enabled
  - A set of outbound allow rules which definitely work fine (e.g. FaceTime has been tested, and works, with the firewall on - wow, that needs a lot of ports!)

  (now the non-functioning rules)

  - Rule #1 (MediaServer1)
    LAN Host: MediaServer (see below)
    WAN Host: Any host
    Time: Any time
    Action: Allow
    Direction: IN
    Status: Enabled
    Protocol: TCP
    MediaServer is defined as: IP Address: mediabrowser server IP address; Port: 8096
  - Rule #2 (MediaServer2) <-- this rule shouldn't have been needed, and besides it doesn't work. But I put it in, in case the firewalling happened prior to the NATing
    LAN Host: Ext.MediaServ (see below)
    WAN Host: Any host
    Time: Any time
    Action: Allow
    Direction: IN
    Status: Enabled
    Protocol: TCP
    Ext.MediaServ is defined as: IP Address: gateway/firewall (internal) IP address; Port: 8096

So, with the firewall disabled the service works end-to-end, accessing via my public (sub-)domain... As soon as I enable it, it doesn't work... And I can't figure it out. Even a basic www.portchecktool.com check follows the same pattern - it can connect to 8096 with the firewall off, but can't with it on. But I cannot see anything else that I can do to make it work/open the port on the firewall. Please can anyone help!!!!
Beardyname 197 Posted March 29, 2015

You should not have to play with the firewall this much. What happens if you only leave the port forwarding on and remove those 2 firewall rules?
Carneth 12 Posted March 29, 2015 (Author)

Hi, thanks for replying... If I don't have the rules, it's the same symptoms. Obviously. With the firewall completely off, it works. With the firewall on and with these rules, it doesn't work. With the firewall on without these rules it doesn't work - in the same way. I've also tried creating a LAN host of just the port - still doesn't work. I got this working in the past. With a DLink router. And also a Draytek. But this TP-Link is killing me!!!!!!
Carneth 12 Posted March 29, 2015 (Author)

I was expecting to set port forwarding and one rule on the firewall. I've tried so many different combinations of different types of rules now. Nothing seems to work except turning my firewall off - which I'd rather not do!
Beardyname 197 Posted March 29, 2015 (edited)

"I was expecting to set port forwarding and one rule on the firewall. I've tried so many different combinations of different types of rules now. Nothing seems to work except turning my firewall off - which I'd rather not do!"

I can only guesstimate since I'm not familiar with the router you are using. But for me, playing with the firewall is not necessary, only the port forwarding (internet --> router --> server), since that should make sure the packets can reach their destination. I do need to allow Emby on the server, but I'm guessing you are already aware of that.

Edited March 29, 2015 by Beardyname
Carneth 12 Posted March 30, 2015 (Author)

It's driving me crazy. I want the firewall enabled because I have actually been hacked before! I'm asking people on forums dedicated to this router, and no one can figure it out. The rules I've written - well, I only need one of them - should work.
Beardyname 197 Posted March 30, 2015

"It's driving me crazy. I want the firewall enabled because I have actually been hacked before! I'm asking people on forums dedicated to this router, and no one can figure it out. The rules I've written - well, I only need one of them - should work."

Yep, I get that you want the firewall and I would not recommend turning it off. Have you looked at http://portforward.com/ to see if your router is listed and if they could provide any tips? If I were you I would remove all of the config settings, just to start fresh.
Carneth 12 Posted March 30, 2015 (Author)

I've tried that, still doesn't work. I'm gonna contact the proper support people for the router. I tried the following:

* I wiped all firewall and port forwarding settings.
* Disabled firewall.
* www.portchecktool.com (pct) was able to connect. This is to be expected, and of course the actual service wouldn't work at this time. Also to be expected. But. The port works.
* Enabled firewall.
* Tested pct - unable to connect. This is to be expected.
* Added port forwarding rule.
* Tested pct - unable to connect. This is probably to be expected, unless this firewall's port forwarding overrides its rules.
* Added a rule to allow 8096 inbound from anywhere to the target server.
* Tested pct - unable to connect. I would have expected this to work. But it didn't.
* Added a rule to allow 8096 inbound from anywhere to the gateway (in case it applies firewall rules before NAT or port forward).
* Tested pct - unable to connect. Probably didn't expect this to make a difference.
* Added a rule to allow 8096 on any LAN IP.
* Tested pct - still unable to connect. This should have worked.

Arrrrggghhh. Gonna email proper support. And if they can't help, buy a new router and use this guy as my guest network.
M_L 0 Posted March 30, 2015

You need to allow TCP traffic from port 8096 to port 8096 to a specific computer/IP inside your network. And normally the mediabrowser server installation should have created the needed Windows firewall profiles.
pir8radio 1302 Posted March 31, 2015

You say "added a rule to allow 8096 inbound from anywhere to the target server". Within your router settings page does it ask for an IP of the target server or a server name, or just a checkbox/radio button next to a server name? If it's just a server name I would disable IPv6 on your server PC network card, reboot and try again.
Carneth 12 Posted March 31, 2015 (Author)

Normally, with networking the client port number is a random port number; the target port is the consistent one, i.e. 8096... If you run a Wireshark capture, you'll see that clients send requests from random port numbers... So restricting source IPs to 8096 shouldn't work. Either way, the rules are set up as:

Rule #1:
  LAN Host:
    - IP Address: Media server IP address
    - Port: 8096
  WAN Host: Any Host (therefore any WAN IP and on any port)
  Direction: IN (WAN to LAN)
  Action: Allow
  Time: Any time
  Status: Enabled
  Protocol: TCP

Rule #2: this was done in case the firewall performs NATing after applying the firewall rules. Which I doubt. But am getting desperate.
  LAN Host:
    - IP Address: Firewall/Gateway address
    - Port: 8096
  WAN Host: Any Host (therefore any WAN IP and on any port)
  Direction: IN (WAN to LAN)
  Action: Allow
  Time: Any time
  Status: Enabled
  Protocol: TCP

Rule #3:
  LAN Host:
    - IP Address: Blank (empty, which is supposed to be any LAN host)
    - Port: 8096
  WAN Host: Any Host
  Direction: IN
  Time: Any time
  Action: Allow
  Status: Enabled
  Protocol: TCP

IPv6 is disabled, already, on all hosts and the router has IPv6 disabled. All addresses are IPv4, both in terms of static assignment and firewall rules. The rules are based on IP address or MAC address. I've used IP address. For some reason when using MAC addresses you cannot specify port numbers. I'm only allowing TCP; I've tried to use all protocols. However, the system is HTTP which runs over TCP. However, we know that it works if I only allow TCP because the whole system works when I disable the firewall, and the port forwarding only forwards TCP packets, not UDP packets.
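The two points argued in the post above (clients connect from a random source port, and whether port forwarding is applied before or after the IN rules decides which LAN host a rule has to name) can be made concrete with a small model of a home router's packet path. This is an added example, not code from the thread or from TP-Link; the public IP 203.0.113.10 and client IP 198.51.100.7 are constructed, and 192.168.1.103 is the Emby host address given later in the thread.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

@dataclass(frozen=True)
class Rule:
    """One Direction=IN rule in the style of the TD-W8980 UI described above."""
    lan_host: Optional[str] = None   # None = any LAN host (like rule #3)
    lan_port: Optional[int] = None   # None = any port
    wan_port: Optional[int] = None   # None = any WAN host port (the sensible choice)
    proto: str = "TCP"
    action: str = "ALLOW"

def dnat(pkt: Packet, forwards: Dict[Tuple[str, int, str], Tuple[str, int]]) -> Packet:
    """Port forwarding: rewrite public_ip:ext_port -> lan_ip:int_port, else pass through."""
    hit = forwards.get((pkt.dst_ip, pkt.dst_port, pkt.proto))
    return replace(pkt, dst_ip=hit[0], dst_port=hit[1]) if hit else pkt

def filter_in(pkt: Packet, rules: List[Rule], default: str = "DENY") -> str:
    """First matching IN rule wins; default-deny, as in the thread's configuration."""
    for r in rules:
        if r.proto not in ("ALL", pkt.proto):
            continue
        if r.lan_host not in (None, pkt.dst_ip) or r.lan_port not in (None, pkt.dst_port):
            continue
        if r.wan_port not in (None, pkt.src_port):   # source-port match, if the rule insists
            continue
        return r.action
    return default

def router(pkt: Packet, forwards, rules: List[Rule], nat_before_filter: bool = True):
    """Return (verdict, packet as it would leave the router) for either ordering."""
    if nat_before_filter:                 # the usual order: DNAT, then filter on the LAN address
        pkt = dnat(pkt, forwards)
        return filter_in(pkt, rules), pkt
    verdict = filter_in(pkt, rules)       # filter sees the still-public destination address
    return verdict, dnat(pkt, forwards)

# Constructed sample values (see lead-in).
WAN_IP = "203.0.113.10"
FORWARDS = {(WAN_IP, 8096, "TCP"): ("192.168.1.103", 8096)}
RULE1 = Rule(lan_host="192.168.1.103", lan_port=8096)                   # the thread's rule #1
RULE_SRC_8096 = Rule(lan_host="192.168.1.103", lan_port=8096, wan_port=8096)  # "8096 to 8096"
CLIENT = Packet("198.51.100.7", 51234, WAN_IP, 8096)                    # random client port
```

With NAT applied first, rule #1 allows the forwarded packet; with filtering first, the same rule never matches because the destination is still the public address, and a rule that insists on source port 8096 matches nothing either way.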
pir8radio 1302 Posted March 31, 2015

Is your router restricting outbound connections? Most residential units do not care what gets out of the router... (What kind of router do you have?) I assume you can ping an Emby server that is not on port 80, right? Just asking; questions seem dumb but they will eventually lead to the problem, or make you think "AH HA!". I don't understand why you have rule 3 in there if 1 covers this already; it seems to conflict. I think you're right, 2 doesn't seem like it needs to be there either... I don't see any outbound rules... for the responses from your MB server.
Carneth 12 Posted March 31, 2015 (Author)

I have a TP-LINK TD-W8980 router... 'Dumb questions' are good, they do often lead to an answer! I can ping within the LAN (to any host), but I've disabled (responses to) external pings. So, yes, the firewall does support egress rules, which I have configured to allow outbound HTTP, HTTPS, and FTP. So, it isn't allowing outbound 8096; however, the way a browser works is that it opens a TCP socket on the IP/port combination, submits an HTTP request over that connection, keeps it open and waits for a response on that specific connection - which it then may terminate and re-establish for a later request, or it may keep open to save opening/closing repeatedly. Put it this way: the Windows 8 advanced firewall on the Emby server does not allow 8096 out, but does allow 8096 in. When the TP-LINK firewall is disabled, the Emby web application works perfectly despite no outbound 8096 allowed. Of course, if the server independently tries to establish outbound connections, then this would cause an issue. But that would still be a future issue... I can't even open a basic inbound connection on 8096, despite having allowed it... I'm no longer even using a web browser to browse to Emby; I'm going to www.portchecktool.com and getting it to try and open the port, and it can't. You're right, rule #2 shouldn't be needed, and rules #1 & #3 make each other redundant; rule #1 should suffice... I'm just getting desperate... To the point where I'm trying illogical things and things I know to be incorrect, just out of desperation...
ginjaninja 570 Posted March 31, 2015

Have you tried disabling the port forwarding and firewall rules and enabling UPnP in the router & MB3... it / UPnP might get lucky / know better than you?
Carneth 12 Posted March 31, 2015 (Author)

UPnP is enabled. It's even identified media browser - quite how I don't know! But it has!
pir8radio 1302 Posted March 31, 2015

Explain your setup... what kind of cable modem (DSL, whatever) into what kind of router... I'm just curious... This doesn't make sense; we are missing something dumb...
Carneth 12 Posted April 1, 2015 (Author)

I agree. We gotta be missing something dumb. Internet comes straight into the TP-Link TD-W8980 ADSL router with (this slightly problematic) firewall. At the moment I have a flat network; once I have this stage working, I'm building a more complex back end set of networks. So right now, it's a single LAN: 192.168.1.1-255.

* IPv6 is DISABLED on the router itself and on all hosts.
* All hosts are assigned static IP addresses.
* The media server / Emby (plus one client) is on 192.168.1.103.
* The media server also has a host based firewall allowing 8096 in and web browsing out. (This works.)
* I can use various Emby thick clients (iOS, WMC) around the LAN. They all successfully connect to Emby.
* I have set up a DNS service with no-ip.org. I've tested this and it works. Though, at the moment, to take things out of the equation for testing, I'm just using my public IP when performing tests.
* Port forwarding rules are described above and definitely 100% work when the IPv4 firewall is disabled. I've had people externally test it as well as performing a basic check via www.portchecktool.com. The whole set-up works perfectly for inbound Internet access with the firewall disabled. (Therefore we can assume that the port forwarding and the host based firewall work.)
* I want the firewall on my router on because not every host in my network is able to run a host based firewall. So keeping it off isn't really an option.
* My router does do something clever. If it detects internally (LAN) sourced requests to my public IP it bypasses the firewall - it doesn't send the request out of the LAN. So at one point I thought it was working when it wasn't. I couldn't figure out why I could connect seemingly over the net, whilst friends couldn't. Turns out my requests were never going over the net.

Thing is, the rules on this firewall are the same as rules on a previous one which worked and basically the same as the host based firewall which works. TP-Link support have suggested that this should work and have got screenshots of all my config pages. But they have gone quiet... I'm beginning to wonder if I have a faulty unit.

* There are other rules on the firewall...
* It's configured to deny anything unless explicitly allowed.
* The first rule in the firewall denies outbound (LAN to WAN/Internet) HTTP(S) to a set of URLs (the firewall allows me to specify a list of URLs as a WAN Host). Tested this and it works.
* The next set of rules allow HTTP(S) outbound from all LAN hosts. This also works. Half the posts here from me have been posted through this rule.
* Then there's a set of FaceTime rules. My wife was complaining that I broke FaceTime. So I added these rules, and it now works.
* Finally we come to the media browser rules as described above. And this is where I'm stuck. The first media server or third media server rule should work. I would prefer the more restricted rule 1... But I will settle for rule number three, given that port forwarding effectively restricts anyway.
ginjaninja 570 Posted April 1, 2015

I would not have UPnP enabled in MB3 config and have a mediabrowser ruleset on firewall/port forward... one or t'other...
Carneth 12 Posted April 1, 2015 (Author)

Sorry. I was referring to my firewall; it has UPnP allowed on my network. I've disabled this now. The UPnP on media browser works within the network perfectly. The firewall that's causing problems sits on the edge of the network controlling the WAN/LAN connection. Regardless of what's happening on that firewall, everything is working perfectly within my LAN. All clients work: smart TVs, iOS and multiple dedicated HTPCs. All the interconnectivity works. I'll double check that UPnP is disabled on MB, but the host based firewall is blocking it anyway. Most things are statically defined.
dragon2611 29 Posted April 1, 2015

The rules you have posted should work, unless it's expecting the external IP in the NAT rule (in the case of multiple IPs).
Carneth 12 Posted April 1, 2015 (Author)

Hi there, thanks. Yup, I tried entering the external IP - in case that's what it was expecting (was then planning to work out a way to script an auto update of that rule!!). But it will only accept LAN IP addresses for the LAN IP - fair enough. But maybe this is a bug in the firmware. The TP-Link forum experts are stuck and the official support team asked for screenshots yesterday and have now gone quiet - I think they're stuck too! They replied very fast to my initial (and somewhat epic) description in the original support ticket. And are now taking a while since I responded to their request. I'll be posting how to get this working, should I get a response from them. It may well be some silly setting somewhere. Or one check box that I've not checked. Or something. Who knows. But I'm leaning increasingly towards there being a bug. I doubt that many users actually want to expose ports!! I'm going to get a new router if I haven't got this working by the end of the week though.
bertbert72 14 Posted April 1, 2015

Like everyone else, I don't see why this wouldn't work. I've had a quick scan through the manual for this router and what you've done (bar the extra rules) looks OK. I did notice that there seems to be a setting on the firewall page to allow packets to pass through the device even if not satisfying a particular rule. Might be worth a shot. The only other thing I can think of would be to do a factory reset on it and then manually reapply your settings - hold down the reset button for 8 to 10 seconds. There is also an option to backup/restore the config if you wanted to do that first.
pir8radio 1302 Posted April 2, 2015 (edited)

What happens when you create a rule that allows everything through the firewall, like:

Firewall -> LAN Host
  LAN host: any host
  WAN host: any host
  Schedule: any time
  Status: enabled
  Direction: in
  Protocol: all

If that still doesn't work it may be a firewall bug.

Edited April 2, 2015 by pir8radio
Carneth 12 Posted April 17, 2015 (Author)

Hey there, sorry - middle of a house move... Got sidetracked!! I tried creating a rule as above, didn't work... Getting some odd questions from TP-Link technical support... Who knows, maybe I'll get there in the end!
timothyaw 0 Posted December 24, 2015

Hello. I've run into this issue on CentOS 7.2 with firewalld. The port forwarding is working fine. I'm using port 8092 for external. I have that port listed in firewalld but it's a no go. If I turn off firewalld, it works. Unfortunately firewalld doesn't have the capability yet to log rejected packets. So I can't see what port(s) are being rejected to add them. Any ideas on what other ports Emby is using, or any other ideas? Thank you for your help in advance.