Broken remote access configuration


notla49285
Posted

I'm at my absolute wits' end with my Emby server atm.

Something (probably me) has broken my remote access to my Emby server. I'm able to access it internally using the local IP and port, but no response to the outside world.

My setup uses a reverse proxy on a Synology DS918+ NAS, full setup is:

  • Emby Server running on Windows on the default port 8096 (Windows firewall allows connections in, this is configured by Emby itself on startup anyway), Emby settings:
    • Local HTTP port number: 8096
    • Local HTTPS port number: 8920
    • Allow remote connections: Yes
    • Public HTTP port number: 8096
    • Public HTTPS port number: 443
    • External domain: emby.mydomain.net
    • Certificate path: [Blank]
    • Secure connection mode: Handled by reverse proxy
  • Synology NAS has:
    • A reverse proxy built in which is configured to route incoming traffic on https://emby.mydomain.net:443 to http://192.168.1.21:8096 (Emby server's internal IP)
    • Valid SSL certificate for emby.mydomain.net
    • DDNS configured to update MyNasAlias.synology.me with my public IP address (which is correct)
  • Synology RT2600ac router has:
    • Port forwarding on TCP/UDP connections on port 443 through to 192.168.1.22:443 (NAS internal IP)
    • Automatic firewall rule allowing inbound connections on 443 because of the above port forwarding (this is showing hits coming in on the router dashboard)
  • Custom domain mydomain.net is with Namecheap and has:

I've tried:

  • Rebooting the router, the NAS and the Emby server
  • Changing the DNS settings in Namecheap to have an A record going direct to my public IP instead of CNAME
  • Changing the router to route traffic directly from public 443 port to internal 8096 port on Emby server's IP
  • Changing the NAS reverse proxy to look for incoming traffic on MyNasAlias.synology.me instead of emby.mydomain.net

I've also attached some screenshots from the router, NAS and Namecheap dashboard. This setup definitely used to work, but clearly one of the parts somewhere has gone wrong.

DDNS.png

PortForwarding.png

Certificates.png

ReverseProxy.png

DNS.png

Lessaj
Posted

What about the port forwarding on your ISP gateway? You would forward the port to your router from there, which would in turn forward to the reverse proxy.

notla49285
Posted

Why is port forwarding needed at ISP level if it's port 443? I've never had to configure anything with the ISP and it's been working for years?

Lessaj
Posted

Your ISP gateway is generally an all-in-one device - modem, firewall, router offering DHCP and DNS services, wifi - and is the first point of ingress for your network. If you're using it in bridge mode then that might not apply, but it's not a detail you included so I'm not sure.

notla49285
Posted

Yes the router is configured to port forward any inbound connections on port 443 through to the internal NAS IP address also on port 443. That's where the NAS's reverse proxy comes in, taking the traffic coming in from the router's port forwarding and, where it comes into the NAS on 443, forwards it to the Emby server on port 8096.

Lessaj
Posted

Yes I'm aware of your router forwarding details from the OP, and that seems fine to me, I'm asking about your ISP gateway. Is it in bridge mode? I don't have the ability to put my ISP gateway into bridge mode so I have to forward from there to my pfSense first (similar to your router in the network path), then I have rules on pfSense to forward to my reverse proxy. It's essentially a double NAT. Have you reviewed the details on this page and checked each of the troubleshooting steps?

https://emby.media/support/articles/Connectivity.html#troubleshooting-external-connections

notla49285
Posted

After looking at that page:

VPN - There is no VPN in use on my network

Anti-Malware and Firewalls - There is an automatic allow rule on the router's firewall to allow incoming connections on 443 through to the NAS on 443, because the port forwarding has been set up. I'm actually not able to stop this allow rule because it's required for the port forwarding to work

Local IP Address change - Both the NAS and the Emby server have reserved internal IP addresses at router level. Even if they are set as DHCP on the devices themselves, the router allocates them the same IP and is still doing so

Double NAT - There is no double NAT in use

External Public IP Address change - This is automatically updated by the DDNS as shown in my configuration above

Multiple Routers Double NAT - There is only one router in my house

Multiple Servers - There is only one Emby server in my house

ISP Blocking - None of the lines shown in tracert to 8.8.8.8 show the lines which indicate ISP blocking shown in the linked article, and the ISP has never blocked this before

Lessaj
Posted

Okay if you don't have an ISP gateway then it sounds like you have an ONT that connects to the WAN port on your router with an ethernet cable, so your router would handle the firewalling.

2 hours ago, notla49285 said:

Something (probably me) has broken my remote access to my Emby server. I'm able to access it internally using the local IP and port, but no response to the outside world.

Sorry I'm not really familiar with the reverse proxy setup on Synology and it's a little unclear to me from your post but did you confirm the reverse proxy is working internally? If the setup requires hostname matching to properly forward you can create a host file entry on your device so that it resolves the internal IP instead of the external IP for that hostname.

Does a site like canyouseeme show the port as open? Even if hostname matching is needed for the reverse proxy to function properly the port itself would still have to show as open.

notla49285
Posted

I tried changing the reverse proxy and the port forwarding on the router to use 44333 instead of 443 (i.e. just any other port that wasn't being used). This seems to have partially fixed it in that I can sign in via Emby Connect on the web and see my media, dashboard, etc but can't sign in using any kind of Emby app (tried Android and a Firestick). Keeps saying server unavailable on the apps.

Q-Droid
Posted
2 hours ago, notla49285 said:

Which URL are you using to connect in the apps? Apps don't like or follow HTTP redirects so your entry above could be a problem. 

 

notla49285
Posted
5 minutes ago, Q-Droid said:

Which URL are you using to connect in the apps? Apps don't like or follow HTTP redirects so your entry above could be a problem. 

 

I have now removed that as that did seem to be causing issues but I still have the same problem with the apps. I'm signing in with Emby Connect, it's picking up my server's address as https://emby.mydomain.net:443 and can't connect to it at all.

Posted
1 hour ago, notla49285 said:

I have now removed that as that did seem to be causing issues but I still have the same problem with the apps. I'm signing in with Emby Connect, it's picking up my server's address as https://emby.mydomain.net:443 and can't connect to it at all.

Hi, does your Emby server dashboard show the correct local and remote addresses that you wish to use?

notla49285
Posted

This is now fixed, I don't know if there needed to be some propagation in Emby Connect somewhere but both the apps and the web access are now working. 

Two changes made: 

  • Remove the URL redirect in Namecheap DNS settings which was redirecting "emby"(.mydomain.net) to "https://emby.mydomain.net"
  • Changed the port that the NAS is listening for inbound calls on from 443 to something else (in my case 44333) - so that the router port forwards from 443 inbound through to 44333 on the NAS, and the NAS's reverse proxy takes anything incoming from 44333 and routes it through to 8096 on the Emby server. I'm guessing that maybe something was contending for 443 on the NAS? It's worked that way before though, but meh not bothered now it's ok.

@Luke just FYI yes these were correct and haven't changed throughout, attached are the settings (not on the laptop atm so mobile screenshots sorry)

 

Screenshot_20260208_102503_Emby.jpg

Screenshot_20260208_102556_Emby.jpg

Q-Droid
Posted (edited)
2 hours ago, notla49285 said:

Changed the port that the NAS is listening for inbound calls on from 443 to something else (in my case 44333) - so that the router port forwards from 443 inbound through to 44333 on the NAS, and the NAS's reverse proxy takes anything incoming from 44333 and routes it through to 8096 on the Emby server. I'm guessing that maybe something was contending for 443 on the NAS? It's worked that way before though, but meh not bothered now it's ok.

This is a good approach in general. There's always a chance that turnkey products like Synology can have services running on well-known ports like 80, 443, etc. that would cause a conflict or unexpected results. The other reason is that going to a higher port range above 1024 doesn't need elevated privileges (root) and a standard or service account can be used to run the process. This reduces exposure if a vulnerability were exploited.

 

Edited by Q-Droid
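
Added example, not part of the thread and not code from any poster or from Emby or Synology: a Python probe for the checks discussed above (is the port open, does the reverse proxy answer for the hostname without a hosts-file entry, is a redirect in the way). The function `probe` and its result keys are hypothetical; the addresses and hostname are the ones given in the original post.

```python
import http.client
import socket
import ssl


def probe(connect_ip, port, hostname, use_tls=True, path="/", timeout=5):
    """Dial connect_ip:port, present hostname as TLS SNI and HTTP Host,
    and report the first stage that fails. Redirects are not followed,
    which matches how the apps are described as behaving in this thread."""
    try:
        sock = socket.create_connection((connect_ip, port), timeout=timeout)
    except OSError as exc:
        # Nothing listening or filtered: port forward, firewall or listener.
        return {"stage": "tcp", "error": str(exc)}
    try:
        if use_tls:
            ctx = ssl.create_default_context()  # verifies chain and hostname
            try:
                sock = ctx.wrap_socket(sock, server_hostname=hostname)
            except (ssl.SSLError, OSError) as exc:
                # Wrong certificate served, or a non-TLS service on the port.
                return {"stage": "tls", "error": str(exc)}
        conn = http.client.HTTPConnection(connect_ip, port, timeout=timeout)
        conn.sock = sock  # reuse the socket opened (and wrapped) above
        try:
            conn.request("GET", path, headers={"Host": hostname})
            resp = conn.getresponse()
        except (http.client.HTTPException, OSError) as exc:
            return {"stage": "http", "error": str(exc)}
        if 300 <= resp.status < 400:
            return {"stage": "redirect", "status": resp.status,
                    "location": resp.getheader("Location")}
        return {"stage": "ok", "status": resp.status}
    finally:
        sock.close()


if __name__ == "__main__":
    # Addresses from the original post; run from a machine on the LAN.
    print("NAS proxy :", probe("192.168.1.22", 443, "emby.mydomain.net"))
    print("Emby direct:", probe("192.168.1.21", 8096, "emby.mydomain.net",
                                use_tls=False))
```

A `tcp` result against the NAS but `ok` against the Emby server points at the proxy listener or port forward; `redirect` shows the kind of hop the apps will not follow.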