remote port mapping question

[justinrh 260]

Looking at the network admin page, I have:

    Local http port number: 8096
    Public http port number: 8097

The question is, if I configure my router to map external 8097 to server (internal) 8097, should I then be able to connect to Emby from the WAN?

I'm able to connect only if I map 8097 to 8096, which would match the strict interpretation of the remote port helper text "The public port number that should be mapped to the local http port".  Then the question becomes, what is the purpose of configuring a public port?  (Even the Emby documentation says to map the local port # to the local port #.)

Edited September 21, 2021 by justinrh

[Bingie 99]

Mine is 8096 for lan and 8920 for wan.

You want 2 different ones.  The local one is not encrypted, really easy to setup by default, for local management.

If you do want to access your Emby server over the Internet, then it takes a bit more work to setup.  You definitely want it on a secure port, which is why you need a separate port # running on the Emby server.

If you are remotely connecting to the unencrypted port over the WAN, then everybody between remote you and your server can see, record and log your every keystroke, including all of your passwords.  You do NOT want to access the local port over the WAN.  Huge security no no.

[Luke 42080]

Quote

The question is, if I configure my router to map external 8097 to server (internal) 8097, should I then be able to connect to Emby from the WAN?

Actually no, because it looks like your local port is 8096, so you should forward 8097 to 8096.

[Luke 42080]

Quote

(Even the Emby documentation says to map the local port # to the local port #.)

Where does it say this? 

@cayars

[Luke 42080]

Quote

Then the question becomes, what is the purpose of configuring a public port?

To make Emby Server aware of it so that it knows what your remote connection url should be.

[Carlo 4561]

Let's see if I can try to make this simpler to understand at a high level.

Keep in mind Emby listens on 2 ports.  One is the non-SSL port and one is the SSL port (http vs https).
There are no different ports for local vs remote.

Emby will always listen to the ports defined as local.  The ports setup as remote are used to modify the URL handed back to the remote client (based on IP).

So when you setup port forwarding on the router of 8097 to Emby 8096 it's functional because Emby is listening on 8096.

If the IP is local the URL returned will use 8096 but if the IP is remote the URL will be returned with a port of 8097.  This of course is the port the router is listening to but forwards it to Emby on port 8096.

It's just a little trick to allow you to run Emby with default ports (8096 & 8920) on multiple computers on your network while being able to setup multiple port forwards all with different WAN ports.

Does that help?

[justinrh 260]

12 hours ago, Luke said:

Where does it say this? 

@cayars

@Luke Remote Setup : Emby

"You will need to forward TCP Port 8096 on your router to port 8096 on the Emby Server machine. Do the same for port 8920 as well (if using SSL)."

[justinrh 260]

9 hours ago, cayars said:

Does that help?

@cayars Yes, it helps much.  You confirmed that Emby does not listen on the public ports.  But I'm still not clear on the advantage of having public ports - I can port forward the local port #s and both WAN and LAN connections work.  I don't even have to turn on "Allow remote connections to this Emby Server" and it works, right?

Since I can port forward <any port # I want> to the local port Emby listens to, why does Emby have this 'remote connection' configuration?  Luke says it modifies the URL, but why is that needed if it works w/o any remote configuration?

[Carlo 4561]

Yes, setup for remote is optional.

If you have a single Emby Server installed in your network you just do port forwarding of 8096->8096 and/or 8920->8920.  You only need to change the WAN side if you're forwarding to multiple Emby Servers or have some other reason you need to use a different port.

When Emby sends a message back out to the client it MUST send the remote port (if different than local). This way the client or browser knows to send back using that port.  Otherwise it would send back to 8096 as an example when you have the router set to forward from 8097.

This "mix-match" of IP is a more advanced topic that won't apply to 99% of users. But someone like me with a production and test Emby System needs this to allow people to test against my test server.  Hope that makes sense.

[justinrh 260]

Well, as far as I can see, the only reason to ever need to use the remote config is so you can have a publicly recognized TLS cert.  I can forward port 4444 (just made that up) to 8096 (or 8920) and it still works.  The initiating device (browser in my case) already has the ext port built in to the URL, so the packets and router tracks the two devices and ports, right?.

Cayars, couldn't you do the same thing with your two servers w/o remote config by something like:
ext port 8000 -> int port 8090 to 192.168.1.100 (prod server)
ext port 8001 -> int port 8091 to 192.168.1.101 (test server)

Maybe I'm dunce about this, but I'd like to know the use case(s) were remote config are actually required.

[Carlo 4561]

Not unless I wanted to change the local ports to 8090 and 8091 which I would not want to do as I'm used to always using 8096 locally.

I'd have to use these settings in Emby: 8090 local and 8000 remote on machine 1
I'd have to use these settings in Emby: 8091 local and 8001 remote on machine 2

I don't see much use in that but it could be done on some platforms.

On some OS the ports are part of the install/package like on Synology so you can't easily change the local port 8096 to something else.  The web UI in Network settings won't even show you those fields.