Jump to content

Double Router Port Forwarding Not Working


JulesC

Recommended Posts

Q-Droid

So, to check:

Port 8096 is forwarded on the Zyxel to port 8096 for the Emby server IP.

Emby server is running and the LAN IP and port on the dashboard matches the destination LAN IP and port forwarded on the Zyxel.

The Emby remote WAN access on the dashboard matches the WAN IP of the Zyxel and CanYouSeeMe.

You can connect to Emby locally.

 

If the above check then you might have a local firewall, Windows or security software, blocking the access. The ISP is always a possibility but less likely.

Link to comment
Share on other sites

pwhodges

Does the Zyxel have a separate firewall section in it?  In my Draytek router, I have to allow stuff through the firewall in addition to defining the port forwarding.

 

Paul

Link to comment
Share on other sites

muzicman0

I read through this in a hurry, so I might have missed something.  I believe you should have it set up like this (as has been suggested - I just wanted it all to be in 1 place):

 

ISP modem/router should be connected from a LAN port to your switch.  DHCP server should be turned on for this router.  I will make the assumption that there is no WAN port on this device, as it is probably an internal connection.

 

The Linksys router (in this scenario, actually an AP), should be connected from a LAN port to your switch (you could also connect it to a LAN port on the modem/router).  ALL router functions should be turned off.  This is typically just DHCP on consumer grade routers.  It is important that it is LAN to switch, and not WAN to switch...double check.

 

Now, you should port forward FROM your ISP modem/router directly to your Emby server.  

 

Technically, in this topology, you can have the DHCP server on either router turned on, but not both.  The above assumes you only have 1 subnet, and either 1, or no VLAN's configured.  Also, it is important to note that canyouseeme requires that the emby server be running to see it.  If it is not, you will get the error message like it's not forwarded.  So be sure that the Emby server is running when you try.

 

Hope this helps...if it muddies the waters, feel free to ignore!

 

EDIT: you also may want to configure the Linksys IP address to be in the same subnet as your main network, but be sure to set the IP address outside the DHCP range, and (obviously) don't set it to the same as the ISP modem/router device.

Edited by muzicman0
Link to comment
Share on other sites

JulesC

I read through this in a hurry, so I might have missed something.  I believe you should have it set up like this (as has been suggested - I just wanted it all to be in 1 place):

 

ISP modem/router should be connected from a LAN port to your switch.  DHCP server should be turned on for this router.  I will make the assumption that there is no WAN port on this device, as it is probably an internal connection.

 

The Linksys router (in this scenario, actually an AP), should be connected from a LAN port to your switch (you could also connect it to a LAN port on the modem/router).  ALL router functions should be turned off.  This is typically just DHCP on consumer grade routers.  It is important that it is LAN to switch, and not WAN to switch...double check.

 

Now, you should port forward FROM your ISP modem/router directly to your Emby server.  

 

Technically, in this topology, you can have the DHCP server on either router turned on, but not both.  The above assumes you only have 1 subnet, and either 1, or no VLAN's configured.  Also, it is important to note that canyouseeme requires that the emby server be running to see it.  If it is not, you will get the error message like it's not forwarded.  So be sure that the Emby server is running when you try.

 

Hope this helps...if it muddies the waters, feel free to ignore!

 

EDIT: you also may want to configure the Linksys IP address to be in the same subnet as your main network, but be sure to set the IP address outside the DHCP range, and (obviously) don't set it to the same as the ISP modem/router device.

@@muzicman0 thank you for your input. All of your assumptions are accurate.

Link to comment
Share on other sites

JulesC

So, to check:

Port 8096 is forwarded on the Zyxel to port 8096 for the Emby server IP.

Emby server is running and the LAN IP and port on the dashboard matches the destination LAN IP and port forwarded on the Zyxel.

The Emby remote WAN access on the dashboard matches the WAN IP of the Zyxel and CanYouSeeMe.

You can connect to Emby locally.

 

If the above check then you might have a local firewall, Windows or security software, blocking the access. The ISP is always a possibility but less likely.

@@Q-Droid All of your assumptions are accurate. As for Firewalls, I opened up Emby on my Windows Firewall, but it didn’t help. My Zyxel ISP Router has a Firewall. The security level is set to “Medium” (Recommended). LAN to WAN is enabled, however, WAN to LAN is NOT enabled. Just wanted to share in case it was related. Here are the details for each security level:

 

(1) LAN to WAN: Allow access to all internet services

(2) WAN to LAN: Allow access from other computers on the internet

(3) When the security level is set to "High", access to the following services is allowed: Telnet, FTP, HTTP, HTTPS, DNS, IMAP, POP3 and SMTP

 

@@pwhodges This responds to your post also. Please let me know if you have any suggestions.

 

@

Edited by JulesC
Link to comment
Share on other sites

Q-Droid

@@Q-Droid All of your assumptions are accurate. As for Firewalls, I opened up Emby on my Windows Firewall, but it didn’t help. My Zyxel ISP Router has a Firewall. The security level is set to “Medium” (Recommended). LAN to WAN is enabled, however, WAN to LAN is NOT enabled. Just wanted to share in case it was related. Here are the details for each security level:

 

(1) LAN to WAN: Allow access to all internet services

(2) WAN to LAN: Allow access from other computers on the internet

(3) When the security level is set to "High", access to the following services is allowed: Telnet, FTP, HTTP, HTTPS, DNS, IMAP, POP3 and SMTP

 

@@pwhodges This responds to your post also. Please let me know if you have any suggestions.

 

@

 

I'm not familiar with your router and the manuals available aren't very helpful. I think traffic is not getting through from WAN to LAN.

 

Take a look at this video for the same router, maybe you're doing something differently: 

Edited by Q-Droid
Link to comment
Share on other sites

pwhodges

The video describes a situation in which the port forwarding is actually working, but the site he uses for checking it fails.  I don't see how that happens.  His solution is to run a program that does the setup in a way that works - but this program is not free.  As far as I can see from the manual, the port forwarding opens a way through the firewall, so no extra configuration of the firewall is required; but you could try setting it to easy or off just to see if that makes a difference.

 

But if the port is actually open and working for your Emby clients, then why worry?  That's the check you really want to do first.

 

But if it is actually not working for you, then there is the possibility that you are behind CGN (Carrier Grade NAT, as I mentioned above), or that your ISP is blocking the port.  You could try instead of forwarding port 8096 unchanged forward 80 to 8096 and run the test on port 80.  If this works then use port 80 for external connections.

 

Paul

Link to comment
Share on other sites

Q-Droid

The video describes a situation in which the port forwarding is actually working, but the site he uses for checking it fails.  I don't see how that happens.  His solution is to run a program that does the setup in a way that works - but this program is not free.  As far as I can see from the manual, the port forwarding opens a way through the firewall, so no extra configuration of the firewall is required; but you could try setting it to easy or off just to see if that makes a difference.

 

But if the port is actually open and working for your Emby clients, then why worry?  That's the check you really want to do first.

 

But if it is actually not working for you, then there is the possibility that you are behind CGN (Carrier Grade NAT, as I mentioned above), or that your ISP is blocking the port.  You could try instead of forwarding port 8096 unchanged forward 80 to 8096 and run the test on port 80.  If this works then use port 80 for external connections.

 

Paul

 

Not quite. I posted the video so the OP could see the options for their own router. In the video the guy picks a random port to forward and without a process bound and listening on that port all tests will fail. The software is not needed but I believe it binds to the port to make sure something is listening and then runs the remote test. I completely ignored the router configuration options in the software, again not needed.

 

Good point on using other methods to test besides CanYouSeeMe. Maybe attempt a mobile connection.

 

If the OP had a CG-NAT issue then the public IP would not match the WAN IP on the router. It still doesn't rule out other blocking.

Link to comment
Share on other sites

JulesC

@@Q-Droid thanks for the video. I've seen this and supporting docs from my ISP on Port Forwarding, but still not working. I thought I had an epiphany. I realized that with the network changes I made (i.e. changing 2nd Router - Router/Wi-Fi to Bridge Mode; Access Point) the static IP address for my home server/emby server might be messed up. So I re-established the static IP address thinking this would fix it - NOT - so frustrating. 

 

I tested my Port 8096 again using: https://www.ipfingerprints.com/portscan.php and here were the results:

 

PORT               STATE               SERVICE

8096/tcp            filtered              unknown

 

Their definition for "filtered": A port is marked as "filtered" when the packets are sent to that port, however packet filtering (e.g., firewall) prevents the packets from reaching that port.

Step 1: I've changed the router firewall to "easy" first, no help. Step 2: I added 8096 to my Windows Firewall. Neither of these changes helped.

 

Sorry for this naive question, but you mentioned testing a mobile connection. How exactly would I do that - please?

 

I've sent a message to my ISP support hoping they can help. I don't believe the CGN is blocking me, but I agree that something is blocking this from working.

 

Please let me know if anyone has any other suggestions. Thanks to ALL

Edited by JulesC
Link to comment
Share on other sites

Q-Droid

The idea behind the mobile test is to access your server remotely from cellular data service, not WiFi. From a browser on the phone and navigate to http://<your public IP>:8096 to see if Emby responds. It's a longshot but no harm in trying.

Link to comment
Share on other sites

Q-Droid

I don't run Emby on Windows but can you check your firewall rule for Emby, under the Advanced tab for the Edge Traversal setting.  Others can chime in if they've had to allow Edge Traversal for Emby.

Link to comment
Share on other sites

JulesC

@@Q-Droid the mobile testing was unsuccessful. As for the Windows firewall, I’ve tried every possible configuration and rule set that I could find. Thanks for your assistance

Link to comment
Share on other sites

pwhodges

Can you confirm that Emby is actually working within your network, and that you are using port 8096 to access it there?

 

Paul

Link to comment
Share on other sites

Q-Droid

@@Q-Droid the mobile testing was unsuccessful. As for the Windows firewall, I’ve tried every possible configuration and rule set that I could find. Thanks for your assistance

 

Do the router logs show attempts to access that IP:port? The scans from ipfingerprints should have been logged.

Link to comment
Share on other sites

Happy2Play

Not the best practice, but you could drop the server in the DMZ and see if it is accessible, then remove it.  That would point to a configuration issue.

Link to comment
Share on other sites

JulesC

UPDATE: After several failed attempts (even with all the appreciated support from this group), I finally decided to try the "Port Forward Network Utilities" - https://portforward.com/store/pfconfig.cgi  (cost: $40 US dollars) and I finally got this working!!!  I'm in no way advocating for this software, but just wanted to share my results in hopes that it helps others. 

 

I have a couple more questions I was hoping you could help me with:

  1. Now that I have it working, I would like to share my movies and TV shows with my sister who is recovering from a major surgery and cancer so she has a bunch of stuff that she can watch. What are my options for providing her with access? Note: She has an Amazon Fire Stick and I'm Emby Premiere status (if that helps). 
    Is "Fire TV" app her only option? 
     
  2. From a security standpoint, does it make sense to add SSL to my Emby Server now that I've opened a port on my server? If so, what is the best approach.

Thanks again for everyone's willingness to help me.

Edited by JulesC
Link to comment
Share on other sites

JulesC

Not the best practice, but you could drop the server in the DMZ and see if it is accessible, then remove it.  That would point to a configuration issue.

 

Thanks @@Happy2Play I did try this, but still had issues.  I then removed the configuration...just in case ;)

Link to comment
Share on other sites

pwhodges

UPDATE: After several failed attempts (even with all the appreciated support from this group), I finally decided to try the "Port Forward Network Utilities" - https://portforward.com/store/pfconfig.cgi  (cost: $40 US dollars) and I finally got this working!!!  I'm in no way advocating for this software, but just wanted to share my results in hopes that it helps others. 

 

Could you see any changes in the config which showed what the program had done differently?

 

Paul

Link to comment
Share on other sites

JulesC

Could you see any changes in the config which showed what the program had done differently?

 

Paul

 

@@pwhodges The only difference that I have come across so far is that the "WAN Interface" it used was "VDSL" and I kept using "Ethernet" - since everything in my network is hardwired. Silly me that I never thought to try these other options. From the documentation I read, you would use these if you were connecting via wireless and that wasn't the case on my end.  Live and learn :(

Link to comment
Share on other sites

Q-Droid

UPDATE: After several failed attempts (even with all the appreciated support from this group), I finally decided to try the "Port Forward Network Utilities" - https://portforward.com/store/pfconfig.cgi  (cost: $40 US dollars) and I finally got this working!!!  I'm in no way advocating for this software, but just wanted to share my results in hopes that it helps others. 

 

I have a couple more questions I was hoping you could help me with:

  1. Now that I have it working, I would like to share my movies and TV shows with my sister who is recovering from a major surgery and cancer so she has a bunch of stuff that she can watch. What are my options for providing her with access? Note: She has an Amazon Fire Stick and I'm Emby Premiere status (if that helps). 

    Is "Fire TV" app her only option? 

     

  2. From a security standpoint, does it make sense to add SSL to my Emby Server now that I've opened a port on my server? If so, what is the best approach.

Thanks again for everyone's willingness to help me.

 

Fire TV and things most people have like Android/iOS phone and tablet, PC browser, etc. With Premiere on your server you users don't have to pay or unlock their apps.

 

Re: SSL/TLS - Yes! Definitely yes!  Brace yourself because you're going to get a bigger variety in recommendations for getting that setup than you did for just getting the port open.

 

 

Could you see any changes in the config which showed what the program had done differently?

 

Paul

 

I'm curious about this too.

Edited by Q-Droid
Link to comment
Share on other sites

Q-Droid

@@Q-Droid, not surprised about your SSL comment. If you have it running can you please share your approach?

 

I like to keep things simple but simple isn't always the easiest. I run Emby on Linux and I'm comfortable with OpenSSL so it's not a fit for everyone.

 

There's a pinned thread about SSL from a beginner perspective along with a some discussion about options: https://emby.media/community/index.php?/topic/81404-ssl-made-easy/?p=830347

 

My approach is:

- Register with a DDNS provider.

- Install their preferred IP updater client.

- Install an ACME client for LetsEncrypt. I use Certbot and don't know what's best and/or easiest for Windows.

- Get the certs and create the PKCS12 container for Emby.

 

I spend around 10 minutes every 3 months to update my cert so I'm not all that motivated to automate any of it or make it any more complicated.

 

There are other steps specific to getting Emby up and running with SSL. Those are covered in the linked thread and here: https://support.emby.media/support/solutions/articles/44001159601-network-hosting-settings and here: https://support.emby.media/support/solutions/articles/44001160086-secure-your-server.

 

I was guessing that you're on DSL based on your router model. What is your upload rate? Hopefully not too low or you might have been doing this for naught.

Link to comment
Share on other sites

pwhodges

@@pwhodges The only difference that I have come across so far is that the "WAN Interface" it used was "VDSL" and I kept using "Ethernet" - since everything in my network is hardwired. Silly me that I never thought to try these other options. From the documentation I read, you would use these if you were connecting via wireless and that wasn't the case on my end.  Live and learn :(

 

Ah, that was crucial - sorry I didn't think to ask you to check that.  Although your internal network is wired Ethernet, the WAN is not your network - it's the other side of the router, the connection to the outside, which is what you are configuring to let the desired connection in.

 

Paul

  • Like 1
Link to comment
Share on other sites

JulesC

@@Q-Droid thank you for the SSL resources...very helpful.

 

@@pwhodges no worries, I should have known better. In all my years in IT, that's troubleshooting 101. I've been retired too long I guess. Thanks for your help.

Edited by JulesC
  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...