Skinny broadband and inbound TCP connection blocking?

Forums › Spark New Zealand (including Skinny and BigPipe) › Skinny broadband and inbound TCP connection blocking?

yahnz

37 posts

Geek

#289631 18-Sep-2021 16:00

On Skinny fiber.

Would like to test a little project that exposes HTTP interface on a high port (8000+).

Set up a port forwarding rule on my AP (Asus if that matters, not the stock one).

Everything works fine from inside the home network, but cannot get a connection from the outside (using my external IP address). Tried different ports, etc. There are no entries in the port forwarding log on the GW, so it seems like maybe it's not even getting that far.

Has anyone had luck running something externally accessible over TCP on Skinny bb?

1 | 2

4962 posts

Uber Geek
Inactive user

#2780289 18-Sep-2021 16:09

Why would you set up the port forward on an AP?

The port forward needs to be on whatever terminates your public IP from Skinny. So whatever device is plugged in to the ONT is your router, and that's what needs the port forward set.

Edit: wondering now if you have a double NAT situation? In which case, fix that first and you'll have a much better time.

Also, just checking, Skinny don't do CG-NAT right? I'd assume not being the Spark network. So just checking you do actually have a public IP assigned to the WAN of your router?

RunningMan

8953 posts

Uber Geek

#2780296 18-Sep-2021 16:26

Skinny & Bigpipe both using public IPv4, so won't be that. As @chevrolux says, you need the port forward on your router, not the AP.

Ge0rge

2052 posts

Uber Geek

Trusted

Lifetime subscriber

#2780311 18-Sep-2021 17:00

Where/how are you testing using your external IP address? If you are inside your network but trying to use the external address, it could be that you don't have a hairpin / loop back enabled.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2780320 18-Sep-2021 17:03

yahnz:

On Skinny fiber.

Would like to test a little project that exposes HTTP interface on a high port (8000+).

Set up a port forwarding rule on my AP (Asus if that matters, not the stock one).

Everything works fine from inside the home network, but cannot get a connection from the outside (using my external IP address). Tried different ports, etc. There are no entries in the port forwarding log on the GW, so it seems like maybe it's not even getting that far.

Has anyone had luck running something externally accessible over TCP on Skinny bb?

What kind of server is this and what kind of firewall you have on this device?

It could be that you setup the port forward correctly on your router (are you calling AP what should really be called the router?) and your device might have a firewall blocking it.

For example, Windows has network profiles - Domain, Private and Public. Some rules are set for Private only, which means they wouldn't allow Public requests - so check your firewall on the server side as well as the port forward setup.

yahnz

37 posts

Geek

#2780354 18-Sep-2021 17:20

Sorry, should have explained, the AP is the router.

Testing external access from a mobile device disconnected from the local network.

The code is currently running on a Big Sur Mac with the app being granted network permissions - I can access it from other machines on the same network. Good point though, I wonder if there is another level of permissions needed, though I expect that these requests would just come from the router IP - which should be like any other IP on the network? Maybe?

Interestingly enough the router is not seeing any inbound traffic - there is a separate port router log which remains empty. Hence my initial question about Skinny blocking inbound connections.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2780371 18-Sep-2021 17:45

No Spark and therefore skinny do not block the port you mention, nor most ports, 25 and a handful of others are by default.

Cyril

I assume we are talking a fibre/xdsl connection here not wireless.

yahnz

37 posts

Geek

#2780571 19-Sep-2021 11:23

Do you know this because you're running a service behind a port forwarder?

Skinny doesn't do static IP's, hence I'm wondering what else might be happening.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

RunningMan

8953 posts

Uber Geek

#2780573 19-Sep-2021 11:29

Blocked ports on Spark

SMTP (Port 25)
NetBIOS (135-139)
SMB (445)
DNS Server (53) (DNS client is unblocked of course)

https://www.geekzone.co.nz/forums.asp?forumid=39&topicid=250712&page_no=1#2243183

michaelmurfy

meow
13240 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#2780583 19-Sep-2021 12:09

Use https://www.canyouseeme.org/ to check if the port is live from the internet.

But - if this is only for testing then is port forwarding the right thing to do? Is your app secure? Would something like ngrok work better? https://ngrok.com/

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

zespri

412 posts

Ultimate Geek

Lifetime subscriber

#2780597 19-Sep-2021 13:05

michaelmurfy:

Use https://www.canyouseeme.org/ to check if the port is live from the internet.

I find it ironic, that port 80 is on the list but port 443 is not ;) (Of course I know that you can enter any, it's just a sign how the world is changing around us)

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2780687 19-Sep-2021 15:55

Use nmap it will check all ports rather than the limited set on that site.

Cyril

yahnz

37 posts

Geek

#2784118 25-Sep-2021 12:43

Just following up on this. Much tinkering later, no inbound activity whatsoever appears on ports according to the router logs.

There are other posts here suggesting strongly that Skinny uses CG-NAT, which is consistent with the above - and also suggests that unless they port-forward, there is no way to achieve this on Skinny.

Spyware

3761 posts

Uber Geek

Lifetime subscriber

#2784119 25-Sep-2021 12:48

Skinny do NOT use CG-NAT on fibre connections. And if you were connecting via the public IP address as visible in router's interface you would obviously know that they don't.

@Talkiet

Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#2784218 25-Sep-2021 16:30

Very much sounds like a configuration issue with the OP's setup.

dauckland

290 posts

Ultimate Geek

Trusted

Lifetime subscriber

#2784248 25-Sep-2021 18:45

Hi
Why not use https://ngrok.com/
Very simple way to add inbound bridge without any router hassle and also works if you can't update the routing.

Hope this helps

1 | 2