Ok. so I have tried and tried to host a webserver behind my router, to provide webpages externally,but cannot get this to work.
I have added the following rule in NAT
when someone tries to access my webserver externally I see the packets increasing, but always comes back with no response.
My webserver is on the general hotspot port and uses dhcp from the same pool, but the specific server is set to bypass the hotspot so has full access to the internet.
I have also tried to connect my webserver to my internet facing router via VPN and changing the nat rule to re-direct to the new assigned IP address.
everytime no connection can be made. can anyone spot any obvisous mistakes.
my server notes requests but cant provide web-pages externally. I have checked my web server and everything is fine.
This would be significantly easier if you moved the server outside of the Hotspot. If you can’t do that, post more of your configuration (hotspot and firewall at least).
Its going to be difficult to move the webserver off the phisical hotspot port as it’s remotely connected to the router and the access point its connected to is shared by hotspot users.
this is why i tried using a vpn to connect to the router, but maybe there was further config i missed.
Thanks for the code, and thanks for editing the code for me, but can u explain the above two lines? as i’m not quite sure what they mean and if there ok as they are?
will this improve my webserver issue?
whats the primary difference in the mangle edit?
Sorry I forgot to annotate those lines. Replace the dst-address in those with the networks on Telefonica1 and Telefonica2 respectively.
The mangle rules I posted account for incoming connections that are dst-nat’d and make sure that the PCC rules in prerouting don’t send replies to the requests out the wrong WAN interface, which would account for the rules counting packets and the web server seeing the request but the client being unable to load the page.
Example: You’d have a request from an external client coming in Telefonica2. The rules count packets and the web server replies. But the reply from the webserver gets assigned Telefonica1 in the prerouting PCC rules and goes out the wrong WAN interface, and is now carrying the public IP of Telefonica1 due to NAT. The client gets the reply but discards it because it never asked that IP for the web page.
would it matter if both telefonica connections have the same gateway and dynamacally assigned addresses?
he Network/Gateway for the telefonica connections is always 192.168.153.1 and the ip address are two external addresses.
ok. so I adjusted the mangle to the new suggested version, upgraded my router to 4.2 and still no success.
I’ve tried completly removing the mangle and only enabling one interface, still as soon as I enable to dst-nat to redirect to my internal IP where the webserver is hosted I get an error from internet-side clients saying unable to connect.
So does this mean it’s an issue with hosting my webserver on the same port as my hotspot? can this be bypassed and corrected? or is the only way to shift my http server off the hotspot and assign it to a new port?
Shouldn’t be, but try moving the webserver to port 81 and forwarding that port instead.
Have you also ruled out that your provider is simply blocking port 80 inbound? If you move the web server directly onto a provider circuit, can you reach it then?
Thanks THG, i’ll give that a try in the morning. Can you explain the reason behind leaving the ports as 0-65535 and not specifing 80?
Its just so I understand a little more, and hopefully others might learn, rather than just correcting it. thanks
Most of the connections made in TCP/IP follow a standard form. The client machine picks a random port between 1024 and 65535 (known as an “ephemeral” port), the packets are then sent to the server with a fixed known port that is below 1024. The client then send a port command to inform the server to use the ephemeral port as the destination to send data.
In your case the inbound packet will be directed to the Web server and have a destination to TCP port 80. The client source port will be some random port between 1024 and 65535.
I hope that will clarify why the reply destination port cannot be fixed to port 80.