I have a working SSL server implementation, but the problem is that the server is visible only for devices in my local network, and can't be accessed from outside.
Is this a common problem for servers, or have I done something wrong? Could it be my Linux distribution limiting the visibility?
Best regards,
Rat
If you are behind a NAT firewall which most modem/router/switch all-in-one boxes use, then you will need to set up port forwarding on the router.
Port forwarding allows an incoming connection on a port on the WAN side of the modem/router to get forwarded to a LAN computer.
See http://portforward.com/ for help setting up port forwarding.
Related
I have set up a mosquitto-broker on my raspberry pi which I have running on my local network. I've tested this locally using the paho-mqtt package in python which is working, however I want to access this broker remotely (outside my local network).
From what I understand, the safest way to do this is to use TLS-authentication and configure mosquitto to listen on port 8883, rather than opening the un-encrypted 1883 port, where login credentials can be sniffed. This is where my problems start, as I suspect my ISP doesn't allow forwarding port 8883 to the (static) IP-address of my RPi. (Port wont open no matter what I try, and I've tried googling this specific issue.)
So my question is:
Is it possible to use another port than the default 1883 or 8883 (which my ISP hopefully allows to be opened) for accessing my locally hosted mosquitto-broker? For example one of the higher-valued ports, which I understand is not reserved for anything.
I'm imagining connecting to the broker by using my external IP-address with this port (xxx.xxx.xxx.xxx:yyyyy) and either tunneling this data to the 8883-port on the local network, or configuring mosquitto to listen on the selected port. Any tips on how I can solve this issue?
EDIT
Thanks for your answers! I just got off the phone with my ISP, and unfortunately they don't allow opening ANY ports because I live in a university dorm, so opening a different port won't work either. I guess using a cloud broker is the only option.
You can use any ports you want (or that your operating system will permit). MQTT uses certain ports by convention but is not restricted to using those ports. You're even welcome to encrypt on port 1883 if you want.
You'll need to do four things:
write the listener configuration directive correctly to use the port you want to use and make sure that you're listening on 0.0.0.0 in order to listen on all network interfaces, or the IP address of a specific network interface to listen on.
correctly configure encryption after the listener directive
ensure that the port you chose is accessible through any firewall your server may be running
properly configure any clients to use the port you configured and work with the encryption you configured
If you want to make it accessible over the Internet you'll need to open a port on your router as well.
If you do make it accessible over the Internet, please require authentication. Encryption won't stop strangers from connecting to your broker, it will just stop eavesdropping on them. Turn off allow_anonymous and set up some Mosquitto accounts.
Hi I am trying to make my router(TPlink router) to forward port by configuring it and by creating NAT virtual server or port triggering. Firstly the port doesn't open which I have checked via an online website, the port is closed. Secondly if the port does open, would I be able to access my computer or computer server or a website hosted on my wamp server externally via another network from some other place externally? I am not sure what are the things on my computer that I would be able to access from outside? How exactly am I going to do it? I am aware that I am going to use my router external ip address which I know and the port that I have associated with the ip address of the computer I am trying to access. I am just a beginner but I am really into networking. Can somebody explain the entire process please?
Your local host can be accessed from anywhere in the world.
Just use put the ip of the pc/wamp server installed pc in the DMZ Box under Forward Menu of your tp-link router & enable DMZ option.
I've been investigating networking for use in a two-player game I'm writing, and I'm still not clear on when a device must have a port forwarded in order to communicate with the outside world.
From what I've seen in other games, port forwarding is always required in order to host a server, but is not required on the client. In addition, there are other situations, such as skype (which, to my understanding is ultimately client to client), where neither end must forward a port.
So my question is, in over-the-Internet communication, when is and isn't port forwarding necessary, and what steps can i take as a developer to make it so my users don't have to worry about it? Thanks in advance!
Port forwarding is needed when a machine on the Internet needs to initiate a connection to a machine that's behind a firewall or NAT router. If the connection is initiated by the machine behind the firewall, the firewall/router automatically recognizes the reply traffic and sends it to the machine that opened the connection.
But if a packet arrives on the external interface, and it's not a part of such a connection, the router needs to know what to do with it. By default, it will reject it. But if forwarding is configured for the port, that tells it what internal machine to send it to.
Put another way: you need port forwarding if you want to run a server behind the NAT firewall/router, you don't need it if you're just running a client.
There is reason why Skype don't (not always) need manual setting of port forwarding:
When you install Skype, a port above 1024 is chosen at random as the
port for incoming connections. You can configure Skype to use a
different port for incoming connections if you wish, but if you do,
you must open the alternative port manually.
If the port chosen for incoming connections becomes unavailable, by
default ports 80 and 443 will be used as alternatives. If another
application (such as Apache HTTP server or IIS) uses these ports, you
can either configure the application to use other ports, or you can
configure Skype to not use these ports.
Port forwarding is must if you host a server.
You can use same technique as Skype...
I am not sure if there is any other option...
Port forwarding (occurs) when a NAT, firewall or some other device blocks communication on all or some ports.
To answer your question as an example, most commercial routers use NAT to allow multiple people to use the same IP(As view from the outside world) provided by ISPs. Most ISP's use NAT to allow multiple customers to use the same IP(As viewed from the outside world). To get this to work, the NAT changes the internal IP and the port number of a communication to THE(there is only one for the entire sub network) external IP and a new port number. By doing this, the router/isp/ect can tell which internal IP and port each external communication goes to.
Anytime one of the computers communicating over the internet are behind a NAT, port forwarding is required. I'm sure there are way more situations than this, and the solution to each can be quite complicated. But this covers the vast majority.
I did a test of NFS service over Cisco ASA 5505 firewall.
With normal interface default ACL, which is "permit ip any any" on inside interface (Level 100), "deny ip any any" on outside interface (level 0). NFS server is connected to outside interface. Everything works great. By look at the the packets go through, I can see inside PC call NFS server's 111 port, negotiate a port using portmap. Finished this TCP connection. Then NFS server (outside PC) use the negotiated port to connect to inside PC and transfers data. Cisco ASA firewall keep TCP states very well and "remembered" the negotiated port, thus let outside PC using this port to talk to inside PC even the outside ACL is "deny ip any any". The firewall is fully stateful, every thing is great so far.
However, as long as I connected the NFS server (outside PC) to Cisco ASA firewall using VPN. Everything changed. By look at the packets, NFS can still go through firewall and negotiate a port by portmap. While after this TCP session is over. Firewall FORGET the negotiated port and block the outside PC using negotiated port to talk back to inside PC.
With or without VPN is the only change. There is just one ACL, on inside interface, permit ip any any. The NFS server is set to can be access from any subnet. There is no NAT and no service-policies setup on this firewall.
Can anyone please explain why Cisco Firewall rules is not "stateful" anymore over VPN? Is it designed to be? What is the best way to let NFS working over VPN without open a range of dynamical ports on outside interface?
One of the strong sides on NFSv4.0 is firewall friendly. No port map required. You need only single TCP port 2049 to be opened. All operations which have have a state on the server require client to send a heard bit, which is typically ~ 90 seconds. We you is in your firewalled setup and quite happy with it.
In our network a proxy server is used to give all the clients, which are all Windows XP computers, access to the internet. Now, we want setup a Wireless LAN to allow people to connect their own mobile phones, computers, etc. to the internet. However if we simply connect a wireless access point to our network everyone has to configure the proxy server on their devices.
What can I do, that the WLAN router can act as a gateway to the internet using the proxy server?
You can NAT all the traffic destined to port 80 to a proxy machine. This is a so called forced or intercepting proxy.
For example, if you have a RouterOS router, you would simply add a rule
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=<proxy IP address>
If you proxy other protocols apart from HTTP, you would do the same for them changing the port.
Many proxy solutions can run in intercepting mode (such that you have a machine with two network interfaces that filter all the traffic that is coming through). See this tutorial for setting it up with Squid.
Otherwise, if you already have a proxy server you can use the solution above by placing a router or a server running the routing software between the access point and your network, for example Vyatta or Mikrotik RouterOS (commercial but pretty powerful), some open-source/freeware router/firewall distribution (pfSense, Openwall, m0n0wall, ...) or even a vanilla OpenBSD (with pf firewall) / Linux (with iptables) to achieve the desired effect.
Once you get the straight through routing in place it should be pretty straightforward to setup proxy NAT asnoted above.
You should consider applying this setting on the router that your access-point connects to for it may save you the trouble of setting up a new machine.