CorpusColossus 10 Posted October 9, 2017

This is a noob question, so I appreciate your patience in hearing me out on this! I'm a recent Plexile and am pretty new to Emby and its inner workings. I've searched the forums and have found bits and pieces of conversations that I think relate to what I'm trying to do. But honestly, I'm relatively new to networking and very new to web hosting and so I am struggling to even find the right keywords to search on DuckDuckGo.... Any advice or links to resources are appreciated!

I have my Emby server set up on a box on my local network. I have https://www.mydomain.com pointing to my home IP via a Dynamic DNS service. I have a cron job that updates the DDNS service via an HTTP GET call every morning at 2am and on every reboot. I have my router forwarding port 443 to the local IP and port of my Emby box. SSL Certificate works and handshakes happen.

My problem is that I want to use https://www.mydomain.com on all of my devices--devices on my local network, devices outside the network, and devices that may be on either (e.g., my phone when I'm out of the house). I can do this, but I am noticing that even if I am on my local network with a device connected to https://www.mydomain.com, it is treated as if it is not on the local network. This triggers any applicable upload rate limiting and other external network-related things. This is very easy to check in my case because I can download a file while connected to 192.168.1.x:8096 and get gigabit speeds, but if I download the same file while still on the local network but connected to https://www.mydomain.com I get download speeds of ~1mbps.

I feel like there's got to be a way to create a "shortcut" to my Emby server if I am on the local network, rather than sort of looping out to the Internet and then back into my house (which I think is what's happening). What is this called?

I've read some threads on reverse proxies, but my understanding is that these do something else. Is there a way to basically tell my router that anytime a device connected to it tries to connect to https://www.mydomain.com to instead go to 192.168.1.x:8096?
randomevents 38 Posted October 10, 2017

Depending on the complexity of your network setup, you should see if you can set up a hairpin NAT in your router. It used to just be that you could set up local DNS on your network, but the mobile providers (or at least Google) changed their setups so that it was always external DNS preferred. Man, that was an annoying weekend when that happened to me.
mastrmind11 722 Posted October 10, 2017

I thought most modern routers handled loopback out of the box.
randomevents 38 Posted October 10, 2017

> I thought most modern routers handled loopback out of the box.

The OP's might be set up and it's not handling it in a fantastic way, or it's not set up at all. It's worth checking. It'd be great if they had a DNS server on their LAN, but it sounds like they'll have to resort to modified HOSTS entries.
CorpusColossus 10 (Author) Posted October 10, 2017

Thanks folks, I'll look into a hairpin NAT. I have a Netgear Nighthawk AC1900 but have never come across anything related to "loopback" in the router settings. With my old Plex installation this did seem to "just work".

@randomevents what makes you think a local DNS wouldn't work? I hadn't thought of this before and am curious what you think. What would that look like? Router uses local machine for DNS, that machine redirects to an external DNS with the exception of mydomain.com?

Do most people not have this problem? Or are they satisfied with using two different addresses depending on where they are?
randomevents 38 Posted October 10, 2017

I just assumed you didn't have a DNS server because you hadn't used it already. Loopback/hairpin and DNS server is my setup.
mastrmind11 722 Posted October 10, 2017

> Do most people not have this problem? Or are they satisfied with using two different addresses depending on where they are?

Personally all my local stuff is set to use the internal IP, external stuff all point to my domain w/ SSL. The devices all remember their settings, so it's not like you have to keep entering the connection info each time you want to watch something.
CorpusColossus 10 (Author) Posted October 10, 2017

> Personally all my local stuff is set to use the internal IP, external stuff all point to my domain w/ SSL. The devices all remember their settings, so it's not like you have to keep entering the connection info each time you want to watch something.

Makes sense. In my case it's for the phones and laptops that cross the network boundary fairly often. I'll look into a local DNS--hopefully the arrangement I described above isn't insane.

Edited October 10, 2017 by CorpusColossus
mastrmind11 722 Posted October 10, 2017

> Makes sense. In my case it's for the phones and laptops that cross the network boundary fairly often. I'll look into a local DNS--hopefully the arrangement I described above isn't insane.

For that use case, I'm fairly certain that the Emby client will try local address first and fall back to the external domain name you specify on the admin page if the local address is unreachable. @Luke @ebr correct me if I'm wrong.
CorpusColossus 10 (Author) Posted October 19, 2017

Still having this issue. Below is some additional information, maybe something will stand out for those who are more knowledgeable. Also happy to provide logs after a particular series of events if that is helpful.

Server:Dashboard
In-Home (LAN) access: http://192.168.1.2:8096
Remote (WAN) access: https://www.mydomain.com:443

Expert:Advanced
Local http port number: 8096
Local https port number: 8920
Public http port number: 8096
Public https port number: 443 (router is forwarding port 443 to 192.168.1.2:8920)
External domain: www.mydomain.com
Custom ssl certificate path: /opt/www_mydomain_com.pfx
Require https for external connections [checked]
Enable automatic port mapping [checked]

Edited October 19, 2017 by CorpusColossus
Luke 42077 Posted October 19, 2017

@CorpusColossus what issue are you having?
Swynol 375 Posted October 19, 2017

You need to use something called static-hostname mapping. Some routers support it; I would imagine pfsense, sophosUTM etc. do. I use unifi and that definitely works.

So with me, if I go to my domain name internally on my LAN, emby.mydomain.com, then my rule for static hostname forwards it to my local IP address of my Emby server.

If your router doesn't support it, the only other way I can think to do it on a Windows device is to add the entry in the hosts file.

> Still having this issue. Below is some additional information, maybe something will stand out for those who are more knowledgeable. Also happy to provide logs after a particular series of events if that is helpful.
>
> Server:Dashboard
> In-Home (LAN) access: http://192.168.1.2:8096
> Remote (WAN) access: https://www.mydomain.com:443
>
> Expert:Advanced
> Local http port number: 8096
> Local https port number: 8920
> Public http port number: 8096
> Public https port number: 443 (router is forwarding port 443 to 192.168.1.2:8920)
> External domain: www.mydomain.com
> Custom ssl certificate path: /opt/www_mydomain_com.pfx
> Require https for external connections [checked]
> Enable automatic port mapping [checked]

If your public HTTPS port is bound to 443, you don't need to forward 8920 to your Emby server. All requests to your router will come on 443, so you need to forward 443 to your Emby box.
Swynol 375 Posted October 19, 2017

> Thanks folks, I'll look into a hairpin NAT. I have a Netgear Nighthawk AC1900 but have never come across anything related to "loopback" in the router settings. With my old Plex installation this did seem to "just work".
>
> @randomevents what makes you think a local DNS wouldn't work? I hadn't thought of this before and am curious what you think. What would that look like? Router uses local machine for DNS, that machine redirects to an external DNS with the exception of mydomain.com?
>
> Do most people not have this problem? Or are they satisfied with using two different addresses depending on where they are?

When you browsed to Plex did you use plex.tv or your own domain name? I run both Plex and Emby side by side. If I have no static host mapping for Plex and I use my domain name it goes external to come back in. If I use a static host map then it stays internal. If I use plex.tv then it initially goes external to find your local address and then only uses local. It's similar to Emby Connect: even though you go to an external address it then knows to use your local IP internally.

Some routers support you adding your own DNS entry, which should do what you want also, as long as your devices are set to use your router as a DNS server.

Edited October 19, 2017 by Swynol
CorpusColossus 10 (Author) Posted October 20, 2017

> When you browsed to plex did you use plex.tv or your own domainname? i run both plex and emby side by side.

When I ran Plex, authentication happened through plex.tv, and I had not set up my own domain yet. But like you said, it would initially go external to find the local address, then it would use the local address successfully.

> If your public HTTPS port is bound to 443, you dont need to forward 8920 to your emby server. all requests to your router will come on 443, so you need to forward 443 to your emby box.

My public HTTPS port is 443, while the internal Emby HTTPS port is 8920. The router is forwarding activity on port 443 to the Emby box at 192.168.1.2:8920. I think this is what I want. It's the only configuration that actually works, so I took that as a good sign.

> you need to use something called static-hostname mapping

I'm looking into this, but the only thing I see in my router settings are "Static Routes", but after some reading I don't think this is what I need. Thoughts @Swynol?

The more I read the more I think NAT loopback/hairpinning is what I need. I'm kind of surprised it's not working on the Netgear Nighthawk router.
Swynol 375 Posted October 20, 2017

Ye, so with Plex, because you used plex.tv it kind of configured everything for you. It's similar if you use Emby Connect.

With the ports, either way is fine. It's down to personal preference and dependent on what other services you run on your Emby box. So yes, if it's working then that's good. Just as an example, with mine I forward 443 on my router to 443 on my server. NGINX reverse proxy sees the traffic on 443 and then translates it to http://127.0.0.1:8096.

You normally only get static hostname mapping on enterprise routers. I've rarely seen it elsewhere. (I think the custom firmware for the Nighthawk might have it, Merlin firmware.) Static routes is something different and not what you need.

NAT loopback, hairpinning and DNAT are all the same thing. I've personally not used this for this purpose. Normally using loopback means that if you are sending data from say 192.168.0.10 to 192.168.0.20 on port 443 then the data goes from 192.168.0.10 to the router. The router has a DNAT rule on port 443 which then sends the data back to 192.168.0.20 but coming from your external WAN address, e.g. 109.10.10.10. So then 192.168.0.20 sees the data coming from 109.10.10.10. So I've never used loopback with a domain name, only IP address. Also, in theory if you have a switch then its ARP tables probably already have an entry for both 192.168.0.10 and 192.168.0.20 in it; this means that any data going between the 2 IPs doesn't go through the router, therefore it doesn't see the DNAT rule. Again this is generally on enterprise equipment.

So I googled the router and came across Netgear's own support page that states a few times that there is an option for NAT loopback, however people have had issues getting it to work. Looks like you need to configure the external port and internal port to be the same, otherwise it doesn't work. So you're probably better off changing your Emby server to use port 443 instead of 8920.

You will need to change it in Emby under advanced: change both local HTTPS port and Public HTTPS to 443, restart the server, then create a loopback for port 443 and change your port forward to forward external 443 to internal (embyserver IP):443.

What OS are you using for Emby server? If it's Windows 10 you can check which port Emby is using in Resource Manager > Network Tab > Listening Ports. Emby should be in the list on port 443.

Hope I haven't confused you even more. Here are the pages I looked at:

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/NightHawk-X8-R-D-8500-Does-it-support-NAT-loopback-Hairpin/td-p/1283560
https://community.netgear.com/t5/Wireless-N-Routers/NAT-Loopback/td-p/398768

Edited October 20, 2017 by Swynol
CorpusColossus 10 (Author) Posted October 21, 2017

Wow, thanks for all the info @Swynol! This makes a lot of sense to me. It's strange that the NAT loopback would only work if the ports matched up, but it's worth a shot.

Unfortunately, the moment I set the local and public HTTPS ports on Emby to 443 (and restart the service), I am unable to access Emby in any way! Not externally, not internally via https://192.168.1.2:443, not even internally on the HTTP port (192.168.1.2:8096)! This was really surprising, and the only way I can recover from this is by manually setting the <HttpsPortNumber> field back to 8920 in the /var/lib/emby-server/config/system.xml configuration file and restarting the service.

I can set the HTTPS port to other ports besides the default 8920 and it works just fine. There's just something about port 443 that seems to brick Emby. Am I backing into another problem here that needs to be solved first?

> what OS are you using for Emby server?

My Emby server is running on Ubuntu 16.04.
Swynol 375 Posted October 21, 2017

Do you have any other web services running on your server? Reverse proxy or website etc.? Something else must be using port 443.

Another test might be to port forward 8920 to 8920 on your router, set up the NAT loop back on port 8920. Then try your domain name again, https://emby.domain.com:8920, just to see if the loop back would work.
CorpusColossus 10 (Author) Posted October 25, 2017

Finally got around to trying this. When forwarding port 8920 to 8920, the NAT loop back doesn't work either. I'm tracking TCP connections on the Emby server with tcptrack. Connections from an Emby client on the LAN appear to the server as coming from the WAN.

I have a feeling that NAT loop back just isn't supported on my router (Netgear Nighthawk AC1900). It seems like a lot of consumer-grade routers don't support this. I'll try my luck with Netgear support and maybe start looking into purchasing a new router that does support NAT loop back.

So, it sounds like with Emby Connect, when an Emby client logs in it receives the local address and external address of the Emby server. It will then try to connect via local address and if that fails, connect via the external address. That seems to be how local streaming happens in that case.

Is it possible for this check to happen without Emby Connect? For example, an Emby client connects via the external server address directly, receives the local address, tries to connect via the local address, and if it is successful, continue on that connection? Would this be a new feature? If NAT loop back really is rarely supported on consumer routers, this could be a very useful feature.
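
Added example (not part of any post in this thread): a small Python model of the NAT loopback behaviour Swynol describes and of the tcptrack observation above, showing which source address the server sees on each path and whether the client accepts the reply. The client address, the router LAN address, the public address 203.0.113.10 and the rule that the server classifies LAN vs WAN by source subnet are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed values: server IP/port and the 443 forward follow the thread;
# everything else (client, router LAN IP, public IP) is a placeholder.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN = "192.168.1.1"
WAN_IP = "203.0.113.10"
SERVER = ("192.168.1.2", 8920)
CLIENT = ("192.168.1.50", 50000)

@dataclass(frozen=True)
class Packet:
    src: tuple
    dst: tuple

def hairpin(pkt, snat_to):
    """Apply the router's 443 port forward to a packet that came from the LAN."""
    if pkt.dst != (WAN_IP, 443):
        return pkt                      # not addressed to the public IP: untouched
    out = replace(pkt, dst=SERVER)      # DNAT: public IP:443 -> server:8920
    if snat_to:                         # optional SNAT so replies return via router
        out = replace(out, src=(snat_to, pkt.src[1]))
    return out

def zone(ip):
    """Assumed server-side rule: source inside the LAN subnet means local."""
    return "LAN" if ipaddress.ip_address(ip) in LAN else "WAN"

def reply_accepted(request, seen, snat_to):
    """The client only accepts a reply whose source is the address it dialled."""
    reply_src = seen.dst                # server answers from its own address
    if snat_to:
        reply_src = request.dst         # router reverses the translation on return
    return reply_src == request.dst

def scenario(name):
    snat = {"dnat_only": None, "snat_wan": WAN_IP,
            "snat_lan": ROUTER_LAN, "split_dns": None}[name]
    # split_dns: a local DNS/hosts entry hands out the server's LAN address,
    # so the router never rewrites anything (the port must still be reachable).
    dialled = SERVER if name == "split_dns" else (WAN_IP, 443)
    request = Packet(CLIENT, dialled)
    seen = hairpin(request, snat)
    return {"server_sees": seen.src[0], "zone": zone(seen.src[0]),
            "works": reply_accepted(request, seen, snat)}

if __name__ == "__main__":
    for name in ("dnat_only", "snat_wan", "snat_lan", "split_dns"):
        print(f"{name:10} {scenario(name)}")
```

The `snat_wan` row has the shape of the tcptrack observation: the connection completes, but the source is the public address, so a source-subnet check treats the client as remote.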
Swynol 375 Posted October 25, 2017

Ye, from what I read on the forums a lot of people seem to have issues with NAT loopback. Might be worth getting in touch with Netgear support.

If you decide to replace the router then I highly recommend unifi USG or build your own pfsense/sophosUTM box. However, with both options you will still need a DSL modem as the former are both routers only.

Sorry we haven't managed to get this working. I know how frustrating this is, as I use this method at home for all my connections and it would be a pain without it.
CorpusColossus 10 (Author) Posted October 25, 2017

> We already do that, yes.

Hmm, well now I'm wondering why it isn't working in my case... so if the Emby client (upon login) receives https://www.mydomain.com:443 as the external address, will it receive https://192.168.1.2:8920 as the internal address? If it tries to use https://192.168.1.2:8920, will it fail since my SSL cert is tied to mydomain.com? I get the ol' "Your connection is not secure" message with this address in my browser. Perhaps this is what is happening?

> ye from what i read on the forums alot of people seem to have issues with Nat loopback. might be worth getting in touch with Netgear support. if you decided to replace the router then i highly recommend unifi USG or build your own pfsense/sophosUTM box. however with both options you will still need a DSL modem as the former are both routers only. sorry we havent managed to get this working. I know how frustrating this is as i use this method at home for all my connections and would be a pain without it.

No worries, thanks for all the info--it has been very enlightening. We'll see what Luke says about the above.
Luke 42077 Posted October 26, 2017

> Hmm, well now I'm wondering why it isn't working in my case... so if the Emby client (upon login) receives https://www.mydomain.com:443 as the external address, will it receive https://192.168.1.2:8920 as the internal address? If it tries to use https://192.168.1.2:8920, will it fail since my SSL cert is tied to mydomain.com? I get the ol' "Your connection is not secure" message with this address in my browser. Perhaps this is what is happening?
>
> No worries, thanks for all the info--it has been very enlightening. We'll see what Luke says about the above.

Not exactly. If the user connects to your server by putting your external address in the browser address bar, then it will always use that address. However, if they use the online web app at http://app.emby.media, or any installed Emby app, then it will work.
Swynol 375 Posted October 26, 2017

It should receive http://192.168.1.2:8096 as internal address. Well, in my case it does. On your server dashboard, what is the internal and external address displayed?
CorpusColossus 10 (Author) Posted October 26, 2017

Yes, the In-Home (LAN) address shows as http://192.168.1.2:8096 in the dashboard. But given Luke's comment, it sounds like this local redirect is not possible unless users go through Emby Connect.

@Swynol are you saying you get the local redirect even when you log in directly via your domain address (i.e. https://www.mydomain.com)?