Edgerouter X port forwarding issues

I recently purchased a domain name and am trying to get my Edgerouter X to allow me to remotely access my Zoneminder server, but port forwarding does not seem to be working at all. I have finally been able to get into my router remotely and have the ddns working properly, however I cannot seem to get any deeper into my network.

- I am currently running 1.9.7+hotfix.4

- I have switched modems a few times recently, but believe I currently am using an ARRIS SURFboard SBG6580

- Port forwarding does not seem to be creating the correct rulesets in the firewall. Unless I manually edit the rules (as I have done in the Wan_Local) the ports remain closed. Once I apply the rules to the ports, I can then view them remotely. This is the only way that I have been successful getting into the router

- I have tried manually setting the forwarding using DNat and have had no luck there either.

- Zoneminder can be accessed from inside my network using the specified ip address that I have pointed the ER-X to.

- A Netstat on Zoneminder shows it to be listening on 80 & 22.

This shouldn't be so hard to get functioning, but I have read hours of forum postings, and spent a lot of time troubleshooting this set-up. At this point I am very frustrated with this Ubiquiti product and am hoping some fresh eyes may see something I have not.

Configuration:

Spoiler
removed

Accepted Solutions
Re: Edgerouter X port forwarding issues

Could you try, on the edgerouter

sudo tcpdump -ni eth0 port 1006

Then connect from outside, http://yourddns:1006. If you see packets hitting your wan interface, try

sudo tcpdump -ni switch0 host xxx.xxx.x.6 and port 80

Where xxx.xxx.x.6 is the actual ip address of the ZoneMinder, then connect again from outside http://yourddns:1006.

Do you see packets forwarded out by switch0? If yes, on the ZoneMinder, is the default-gateway the correct one? Does the ZoneMinder respond to connections from remote networks?


All Replies

Re: Edgerouter X port forwarding issues

The port forward wizard is only for configuring ports to be forwarded to devices on your LAN, not the router itself.

 

To remotely access the router via the Internet, modify the WAN_LOCAL firewall.

 

I see you're trying to access the router GUI via the internet. Forget the http port and just use the https port. The router will try to redirect you to https if you connect via http.

 

I strongly advise against making the router accessible on the internet like this unless you either configure a restriction on the IPs allowed to connect or configure a long username and complex password. Best approach is to only allow something like ssh or vpn, and, if you choose ssh, disable password authentication and use keypairs.

 

You are still unable to access ZoneMinder at http://your-DDNS:10006? What about using your IP directly? Are you sure your DDNS name is configured correctly?

 

Also there's no need to expose port 53 to the internet...that's your router's DNS server. And DNSmasq is not configured to listen on that interface anyway.

Re: Edgerouter X port forwarding issues

Your switch0 has address xxx.xxx.x.2 as its ip address, and your port-forward rules forward to address xxx.xxx.x.2 ... is that the ER-X itself, or is there something hidden?
In the first case, you have to add firewall rules in WAN_LOCAL, nothing to do with port-forward.

Cheers,

jonatha

Re: Edgerouter X port forwarding issues

@redfive wrote:

Your switch0 has address xxx.xxx.x.2 as its ip address, and your port-forward rules forward to address xxx.xxx.x.2 ... is that the ER-X itself, or is there something hidden?
In the first case, you have to add firewall rules in WAN_LOCAL, nothing to do with port-forward.

Cheers,

jonatha



Shouldn't Rule 4 open up correct port & IP combo though:

 

rule 4 {
    description "Zoneminder GUI"
    forward-to {
        address xxx.xxx.x.6
        port 80
    }
    original-port 10006
    protocol tcp_udp
}

Re: Edgerouter X port forwarding issues

The port forward wizard is only for configuring ports to be forwarded to devices on your LAN, not the router itself.

 

To remotely access the router via the Internet, modify the WAN_LOCAL firewall.

 

That does explain a little. That helps with why modifying the Wan_Local rule set allows me access.

 

I see you're trying to access the router GUI via the internet. Forget the http port and just use the https port. The router will try to redirect you to https if you connect via http.

 

I strongly advise against making the router accessible on the internet like this unless you either configure a restriction on the IPs allowed to connect or configure a long username and complex password. Best approach is to only allow something like ssh or vpn, and, if you choose ssh, disable password authentication and use keypairs.

 

I plan to eventually move to a VPN, but want to get things working first.

 

You are still unable to access ZoneMinder at http://your-DDNS:10006? What about using your IP directly? Are you sure your DDNS name is configured correctly?

 

Yes, no access through 10006 with DDNS or with my public:10006. DDNS will allow me into the router GUI with my current settings, just cannot get further into network, so I believe everything is set up correctly there.

 

Also there's no need to expose port 53 to the internet...that's your router's DNS server. And DNSmasq is not configured to listen on that interface anyway.

 

Thanks, I will disable that as I had previously noticed no change with it open or closed.


Re: Edgerouter X port forwarding issues


@nmk_61802 wrote:

I plan to eventually move to a VPN, but want to get things working first.

You are still unable to access ZoneMinder at http://your-DDNS:10006? What about using your IP directly? Are you sure your DDNS name is configured correctly?

Yes, no access through 10006 with DDNS or with my public:10006. DDNS will allow me into the router GUI with my current settings, just cannot get further into network, so I believe everything is set up correctly there.


I mean, exposing the router's GUI to the internet is totally separate from VPN and won't get you any closer to it.

 

As for the port forwarding, see if the router is generating the firewall rules:

 

sudo iptables -L UBNT_PFOR_FW_RULES

Should show you a couple of forwarding rules - post the output if you're uncertain.

 

Else, are you sure ZoneMinder is set to allow connections from outside the LAN?

Re: Edgerouter X port forwarding issues

@redfive wrote:

Could you try, on the edgerouter

sudo tcpdump -ni eth0 port 1006

Then connect from outside, http://yourddns:1006. If you see packets hitting your wan interface, try

sudo tcpdump -ni switch0 host xxx.xxx.x.6 and port 80

Where xxx.xxx.x.6 is the actual ip address of the ZoneMinder, then connect again from outside http://yourddns:1006.

Do you see packets forwarded out by switch0? If yes, on the ZoneMinder, is the default-gateway the correct one? Does the ZoneMinder respond to connections from remote networks?


Was not home last night to test, but ended up ssh'ing into zoneminder through the router's CLI. Packets were being received by the Zoneminder server. The default-gateway was set to my old address prior to reconfiguring the system a year ago. Thanks for the suggestion, can now access the server from the outside.

Figured it had to be something simple, but sure caused a lot of frustration
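
The two-capture check that solved this thread can be turned into a repeatable test. The script below is an added example, not something posted by any participant: it reads saved text output of the LAN-side tcpdump (switch0 in the thread) and reports whether SYNs were forwarded to the server and whether the server answered back through the router. The function name, the verdict strings and the sample addresses are made up for illustration, and it assumes IPv4 and tcpdump's usual numeric `-n` line format.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a saved `tcpdump -n` text
# capture taken on the router's LAN side for one forwarded service.
# usage: diagnose_capture SERVER_IP PORT < capture.txt
diagnose_capture() {
    awk -v srv="$1.$2" '
        # tcpdump -n line: TIME IP SRC.PORT > DST.PORT: Flags [..], ...
        $2 == "IP" && $4 == ">" {
            dst = $5;   sub(/:$/, "", dst)
            flags = $7; sub(/,$/, "", flags)
            if (dst == srv && flags == "[S]")  syn++     # SYN forwarded to the server
            if ($3 == srv && flags == "[S.]") synack++   # server replied via the router
        }
        END {
            if (!syn)         print "not-forwarded"      # look at the port-forward rule
            else if (!synack) print "forwarded-no-reply" # look at server gateway or host firewall
            else              print "ok"
        }'
}

# Constructed sample (placeholder addresses): the SYN is retransmitted and no
# SYN-ACK comes back through the router, as with a stale default gateway.
sample_no_reply() {
    printf '%s\n' \
      '12:00:01.000001 IP 203.0.113.7.51514 > 192.168.1.6.80: Flags [S], seq 1, win 64240, length 0' \
      '12:00:02.000001 IP 203.0.113.7.51514 > 192.168.1.6.80: Flags [S], seq 1, win 64240, length 0'
}

# Constructed sample: the server answers the forwarded SYN through the router.
sample_ok() {
    printf '%s\n' \
      '12:00:01.000001 IP 203.0.113.7.51514 > 192.168.1.6.80: Flags [S], seq 1, win 64240, length 0' \
      '12:00:01.000301 IP 192.168.1.6.80 > 203.0.113.7.51514: Flags [S.], seq 9, ack 2, win 65160, length 0'
}

sample_no_reply | diagnose_capture 192.168.1.6 80
sample_ok | diagnose_capture 192.168.1.6 80
```

To use it on a real capture, redirect the tcpdump output to a file (for example with `-c` to stop after a fixed number of packets) and feed that file to the function.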