Jump to content

MediaBrowser/Emby over the internet


Carneth

Recommended Posts

Carneth

Hi all,

 

just wondering if anyone can help me! I've got media browser working over the internet, just fine, with a previous wifi router... but not my current one...Or rather, it does work with my current one when the firewall is turned off.. but not when the firewall is turned on..

 

The set-up is as follows:

 

* DNS - via no-ip.org, DUC running to update the IP assigned to my no-ip sub-domain - this works fine/perfectly 

* IPv4 network within the house

* WiFi router & firewall: TP-Link TD-W8980

* Router WAN port showing the correct public IP address

* Port forwarding configured as:

 

Service Port: 8096; IP Address: mediabrowser server host IP address; Internal port: 8096; Protocol: TCP; Status: Enabled; Interface: pppoa_0_38_0d (this is the correct interface, there is only 1)

 

* IPv4 Firewall configured as:

-Deny unless explicitly enabled

 

-A set of outbound allow rules which definitely work fine (e.g. facetime has been tested, and works, with the firewall on - wow, that needs a lot of ports!)

 

(now the non-functioning rules)

 

- Rule#1 (MediaServer1)

LAN Host: MediaServer (see below)

WAN Host: Any host

Time: Any time

Action: Allow

Direction: IN

Status: Enabled

Protocol: TCP

 

MediaServer is defined as: IP Address: mediabrowser server IP address; Port; 8096

 

 

- Rule#2 (MediaServer2) <-- this rule shouldn't have been needed, and besides it doesn't work. But I put it in, in case the firewalling happened prior to the NATing

LAN Host: Ext.MediaServ (see below)

WAN Host: Any host

Time: Any time

Action: Allow

Direction: IN

Status: Enabled

Protocol: TCP

 
Ext.MediaServ is defined as: IP Address: gateway/firewall (internal) IP address; Port: 8096
 
 
So, with the firewall disabled the service works end-to-end, accessing via my public (sub-)domain... As soon as I enable it, it doesn't work... And I can't figure it out :( Even a basic www.portchecktool.com check follows the same pattern - it can connect to 8096 with the firewall off, but can't with it on..But I cannot see anything else that I can do to make it work/open the port on the firewall 
 
Please can any one help!!!!
Link to comment
Share on other sites

Beardyname

You should not have to play with the firewall this much, what happens if you only let the port forwarding on and remove those 2 firewall rules?

Link to comment
Share on other sites

Carneth

Hi, thanks for replying...

 

If I don't have the rules, it's the same symptoms. Obviously. With the firewall completely off, it works.

 

With the firewall on and with these rules, it doesn't work. With the firewall on without these rules it doesn't work - in the same way. I've also tried creating s LAN host of just the port - still doesn't work.

 

I got this working in the past. With a DLink router. And also a draytek. But this tplink is killing me!!!!!!

Link to comment
Share on other sites

Carneth

I was expecting to set port forwarding and one rule on the firewall.

 

I've tried so many different combinations of different types of rules now. Nothing seems to work except turning my firewall off -which id rather not do!

Link to comment
Share on other sites

Beardyname

I was expecting to set port forwarding and one rule on the firewall.

 

I've tried so many different combinations of different types of rules now. Nothing seems to work except turning my firewall off -which id rather not do!

 

I can only guesstimate since i I'm not familiar with the router you are using :)

 

But for me, playing with the firewall is not necessary, only the portforwarding (internet --> router --> server) since that should make sure the packets can reach their destination. I do need to allow emby on the server, but I'm guessing you are already aware of that.

Edited by Beardyname
Link to comment
Share on other sites

Carneth

It's driving me crazy.

 

I want the firewall enabled because I have actually been hacked before !

 

I'm asking people on forums dedicated to this router, and no one can figure it out.

 

The rules I've written - well, I only need one of them - should work.

Link to comment
Share on other sites

Beardyname

It's driving me crazy.

 

I want the firewall enabled because I have actually been hacked before !

 

I'm asking people on forums dedicated to this router, and no one can figure it out.

 

The rules I've written - well, I only need one of them - should work.

 

Yep i get that you want the firewall and i would not recommend turning it off, have you looked at: http://portforward.com/ and see if your router is listed and if they could provide any tips?

 

If i were you i would remove all of the config settings, just to start fresh :)

Link to comment
Share on other sites

Carneth

I've tried that :( still doesn't work. I'm gonna contact the proper support people for the router.

 

I tried the following:

 

* I wiped or firewall and port forwarding settings.

* Disabled firewall.

* www.portchecktool.con (pct) was able to connect. :) this is to be expected and of course the actual service wouldn't work at this time. Also to be expected. But. The port works.

* Enabled firewall

* tested pct - unable to connect. This is to be expected.

* added port forwarding rule.

* tested pct - unable to connect. This is probably to be expected, unless this firewall's port forwarding overrides its rules.

* added a rule to allow 8096 inbound from anywhere to the target server.

* tested pct - unable to connect. I would have expected this to work. But it didn't.

* added a rule to allow 8096 inbound from anywhere to the gateway (In case it applies firewall rules before NAT or port forward).

* tested pct - Unable to connect. Probably didn't expext this to make a difference.

* added a rule to allow 8096 on any LAN IP.

* tested pct - still unable to connect. This should have worked.

 

Arrrrggghhh

 

Gonna email proper support. And if they can't help. Buy a new router and use this guy as my guest network.

Link to comment
Share on other sites

You need to allow TCP traffic from port 8096 to port 8096 to a specific computer/ip inside your network. 
And normally the mediabrowser server installation should have created the needed windows firewall profiles.

Link to comment
Share on other sites

pir8radio

you say "added a rule to allow 8096 inbound from anywhere to the target server".  Within your router settings page does it ask for an IP of the target server or a server name, or just a checkbox/radio button next to a server name?    If its just a server name i would disable IPv6 on your server PC network card reboot and try again.

Link to comment
Share on other sites

Carneth

Normally, with networking the client Port number is a random port number, the target port is the consistent one, I.e. 8096... If you run a wire shark capture, you'll see that clients send requests from random port numbers... So restricting source IPs to 8096 shouldn't work.

 

Either way, the rules are set up as :

 

Rule #1:

 

LAN Host:

- IP Address: Media server IP address

- Port: 8096

WAN Host: Any Host (therefore any WAN IP and on any port)

Direction: IN (WAN to LAN)

Action: Allow

Time: Any time

Status: Enabled

Protocol: TCP

 

Rule #2: this was done in case the firewall performs NATing after applying the firewall rules. Which I doubt. But am getting desperate.

 

LAN Host

-IP Address: Firewall/Gateway address

-Port: 8096

WAN Host: Any Host (therefore any WAN IP and on any port)

Direction: IN (WAN to LAN)

Action: Allow

Time: Any time

Status: Enabled

Protocol: TCP

 

Rule #3

LAN Host:

- IP Address: Blank (empty, which is supposed to be any LAN host)

- Port: 8096

WAN Host: Any Host

Direction: IN

Time: Any time

Action: Allow

Status: Enabled

Protocol: TCP

 

IPv6 is disabled, already, on all hosts and the router has IPv6 disabled. All addresses are IPv4, both in terms of static assignment and firewall rules.

 

The rules are based on IP address or MAC address. I've used IP address. For some reason when using MAC addresses you cannot specify port numbers.

 

I'm only allowing TCP, I've tried to use all protocols. However, the system is HTTP which runs over TCP. However, we know that it works if I only allow TCP because the whole system works when I disable the firewall, the port forwarding only forwards TCP packets not UDP packets.

Link to comment
Share on other sites

pir8radio

Is your router restricting outbound connections?   Most residential units do not care what gets out of the router...  (what kind of router do you have?)  i assume you can ping an emby server that is not on port 80 right?  Just asking, questions seem dumb but they will eventually lead to the problem, or make you think "AH HA!".

 

I dont understand why you have rule 3 in there if 1 covers this already seems to conflict, i think your right 2 doesn't seem like it needs to be there either..  I don't see any outbound rules... for the responses from your MB server.

Link to comment
Share on other sites

Carneth

I have a TP-LINK TD-W8980 router... 

 

'dumb questions' are good, they do often lead to an answer!

 

I can ping within the LAN (to any host), but I've disabled (responses to) external pings.

 

So, yes, the firewall does support egress rules, which I have configured to allow outbound HTTP, HTTPS, and FTP .. So, it isn't allowing outbound 8096, however, the way a browser works is that it opens a TCP Socket on the ip/port combination, submits a HTTP request over that connection, keeps it open and waits for a response on that specific connection - which it then may terminate and re-establish for a later request, or it may keep open to save opening/closing repeatedly. Put it this way, the windows 8 advanced firewall on the Emby server does not allow 8096 out, but does allow 8096 in. When the TP-LINK firewall is disabled, the Emby web application works perfectly despite no out-bound 8096 allowed.

 

Of course, if the server independently tries to establish outbound connections, then, this would cause an issue. But that would still be a future issue.. I can't even open a basic inbound connection on 8096, despite having allowed it.. I'm no longer even using a web browser to browse to Emby, i'm going to www.portchecktool.com and getting it to try and open the port, and it cant.

 

You're right, rule #2 shouldn't be needed, and rules #1 & #3 make each other redundant, rule #1 should suffice.. I'm just getting desperate.. To the point where I'm trying illogical things and things I know to be incorrect, just out of desperation..

Link to comment
Share on other sites

ginjaninja

have you tried, disabling the port forwarding and firewalll rules and  enabling upnp in router & mb3......it / upnp might get lucky / know better than you?

Link to comment
Share on other sites

pir8radio

Explain your setup...    what kind of cable modem (dsl whatever) into what kind of router...  i'm just curious...  this doesnt make sense we are missing something dumb.. 

Link to comment
Share on other sites

Carneth

I agree. We gotta be missing something dumb

 

Internet comes straight into the TP-Link TD-W8980 ADSL Router with (this slightly problematic) firewall.

 

At the moment I have a flat network, once I have this stage working, I'm building a more complex back end set of networks.

 

So right now, it's a single LAN: 192.168.1.1-255.

 

* IPv6 is DISABLED on the router itself and on all hosts.

 

* All hosts are assigned static IP addresses.

 

* The media sever / Emby (plus one client) is on 192.168.1.103

 

* the media server also has a host based firewall allowing 8096 in and web browsing out. (This works)

 

* I can use various emby thick clients (iOS, WMC) around the LAN. They all successfully connect to Emby.

 

* I have set up a DNS service with no-ip.org. I've tested this and it works. Though, at the moment, to take things out of the equation for testing. I'm just using my public IP when performing tests.

 

* port forwarding rules are described above and definitely 100% work when the IPv4 firewall is disabled. I've had people externally test it as well as performing a basic check via www.portchecktool.com. The whole set-up works perfectly for inbound Internet access with the firewall disabled. (Therefore we can assume that the port forwarding and the host based firewall work)

 

* I want the firewall on my router on because not every host in my network is able to run a host based firewall. So keeping it off isn't really an option.

 

* my router does do something clever. If it detects internally (LAN) sourced requests to my public IP it bypasses the firewall - it doesn't send the request out of the LAN. So at one point I thought it was working when it wasnt. I couldn't figure out why I could connect seemingly over the net, whilst friends couldn't. Turns out my requests were never going over the net.

 

Thing is. The rules on this firewall are the same as rules on a previous one which worked and basically the same as the host based firewall which works. TP Link support have suggested that this should work and have got screen shots of all my config pages. But they have gone quiet ... I'm beginning to wonder if I have a faulty unit.

 

* there are other rules on the firewall....

 

* it's configured to deny anything unless explicitly allowed.

 

* first rule in the firewall denies outbound (LAN to WAN/Internet) HTTP(s) to a set of URLs (the firewall allows me to specify a list of URLs as a WAN Host). Tested this and it works.

 

* the next set of rules allow HTTP(s) outbound from all LAN hosts. This also works. Half the posts here from me have been posted through this rule

 

* then there's a set of FaceTime rules. My wife was complaining that I broke FaceTime. So I added these rules, and it now works.

 

* finally we come to the media browser rules as described above.

 

And this is where I'm stuck. The first media server or third media server rule should work. I would prefer the more restricted rule 1 ... But I will settle for rule number three, given that port forwarding effectively restricts anyway.

Link to comment
Share on other sites

ginjaninja

I would not have upnp enabled in mb3 config..and have a mediabrowser ruleset on firewall/port forward...one or tother...

Link to comment
Share on other sites

Carneth

Sorry. I was referring to my firewall, it has UPnP allowed on my network. I've disabled this now.

 

the UPnP on media browser works within the network perfectly. The firewall that's causing problems sits on the edge of the network controlling the WAN/LAN connection.

 

Regardless of what's happening on that firewall, everything is working perfectly within my LAN. All clients work, smart tvs, iOS and multiple dedicated HTPCs. All the inter connectivity works.

 

I'll double check that UPnP is disabled on MB, but the host based firewall is blocking it anyway. Most things are statically defined.

Link to comment
Share on other sites

dragon2611

The rules you have posted should work, unless it's expecting the external IP in the NAT rule (In the case of multiple IP's)

Link to comment
Share on other sites

Carneth

Hi there,

 

Thanks

 

Yup. I tried entering the external IP - in case that's what it was expecting (was then planning to work out a way to script an auto update of that rule!!)

 

But it will only accept LAN IP addresses for the LAN IP - fair enough. But maybe this is a bug in the firmware.

 

The TP Link forum experts are stuck and the official support team asked for screenshots yesterday and have now gone quiet - I think they're stuck too! They replied very fast to my initial (and somewhat epic) description in the original support ticket. And are now taking a while since I responded to their request.

 

I'll be posting how to get this working, should I get a response from them.

 

It may well be some silly setting somewhere. Or one check box that I've not checked. Or something. Who knows.

 

But I'm leaning increasingly towards there being a bug. I doubt that many users actually want to expose ports!! I'm going to get a new router if I haven't got this working by the end of the week though.

Link to comment
Share on other sites

bertbert72

Like everyone else, I don't see why this wouldn't work.  I've had a quick scan through the manual for this router and what you've done (bar the extra rules) looks ok.  I did notice that there seems to be a setting on the firewall page to allow packets to pass through the device even if not satisfying a particular rule.  Might be worth a shot.

 

The only other thing I can think of would be to do a factory reset on it and then manually reapply your settings - hold down the reset button for 8 to 10 seconds.  There is also an option to backup/restore the config if you wanted to do that first.

Link to comment
Share on other sites

pir8radio

what happens when you create a rule that allows everything through the firewall  like:

 

firewall -> Lan Host

lan host: any host

wan host: any host

schedule: any time

status: enabled

direction: in

protocol: all

 

If that still doesn't work it may be a firewall bug.

Edited by pir8radio
Link to comment
Share on other sites

  • 3 weeks later...
Carneth

Hey there,

 

sorry - middle of a house move.. Got sidetracked!!

 

I tried creating a rule as above, didn't work.. Getting some odd questions from TP-Link technical support... 

 

Who knows, maybe I'll get there in the end!

Link to comment
Share on other sites

  • 8 months later...
timothyaw

Hello.  I've ran into this issue on CentOS 7.2 with firewalld.  The port fowarding is working fine.  I'm using port 8092 for external.  I have that port listed in firewalld but it's a no go.  If I turn off firewalld, it works.  Unfortunately firewalld doesn't have the capability yet to log rejected packets.  So I can't see what port(s) are being rejected to add them.  And ideas on what other ports emby is using or any ideas? Thank you for your help in advance.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...