Can only access on the LAN (Ports forwarded+DMZ, ISP says not blocked)


ENGLISH VERSION (the French version is below):

Hey there,
My Yunohost has been running very nicely, until recently, when I moved from a reseller of our local ISP to our local ISP directly. When I did, they replaced our modem. Now I’m having the classic issue where machines on the LAN can access the site and others can’t. Here’s the twist, though.

The ISP says that they don’t block any ports and this portscan utility says the ports are open and can even report the version of Nginx and Wordpress I’m running.

When I try to open the site up with my browser though, on a device outside the LAN, it just times out and Yunoports shows the ports as being closed (contradicting the other port scan).

My modem has the Yunohost VM on a static LAN IP address, and in the DMZ. For good measure I also have ports 80 and 443 set to redirect there. The only thing that I’m not sure about is that the modem doesn’t just have a section for which ports to forward; it has both an “internal” port range and an “external” port range.

Still, the portscan shows the ports as open, but… I’m still not seeing the site unless I’m on the LAN.

Any ideas?

FRENCH VERSION (the English version is above):

Apologies for the French errors. This translation is by Google Translate:

My Yunohost has been working very well, until recently, when I switched from a reseller of our local ISP to our local ISP directly. When I did, they replaced our modem. Now I have the classic problem where machines on the LAN can access the site and others can’t. Here’s the twist, though.

The ISP says they don’t block any ports, and an online portscan utility says the ports are open and can even report the version of Nginx and Wordpress I’m running.

When I try to open the site with my browser, on a device outside the local network, it times out and Yunoports shows the ports as closed (contradicting the other port scan).

My modem has the Yunohost VM on a static LAN IP address, and in the DMZ. For good measure, I also have ports 80 and 443 set to redirect there. The only thing I’m not sure about is that the modem doesn’t just have a section for the ports to forward, but also an “internal” port range and an “external” port range.

Still, the portscan shows the ports as open, but… I still don’t see the site unless I’m on the LAN.

Any ideas?

I think your problem is hairpinning.

So, I think the easiest way is to have a local DNS that maps your domain name to the private address of your Yunohost.

Maybe you can first test by entering this mapping in the hosts file of your machine.

For Windows, the file is: C:\Windows\System32\drivers\etc\hosts

and for Linux it is /etc/hosts.

It must be modified as an administrator.

You can see this subject for example.

There are others, but they are only in French…

Thanks for your response @gannonwoto. Now, I know very little about hairpinning, but the description in the Yunohost docs says:

“If the server is accessible from outside your local network, but unreachable with its domain name on the local network, then your router probably lacks hairpinning.”

My problem is the reverse. I can’t access the server from outside the LAN, but I can access it from within the LAN. (Although the internal LAN access works because I already pointed /etc/hosts to the correct internal IP address).

My router also has a section in Port Forwarding for both internal ports and external ports, so wouldn’t this imply that it does have hairpinning?

Hello, did you try to access from outside:
1: using your public IP address? You have a problem with your ISP or your router.
2: using your domain name? You have a DNS problem.
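The replies above describe three checks (reach the server by public IP, by domain name, and by private LAN IP) and one workaround (a hosts-file entry pointing the domain at the LAN address). The following helper, added here and not code from the thread or from YunoHost, turns those checks into a decision function and builds/validates the hosts-file line. Every address and hostname in it is a constructed placeholder; `diagnose`, `Probe`, `hosts_entry` and `hosts_lookup` are names chosen for this example.

```python
"""Decision helper for the LAN-vs-WAN reachability puzzle in this thread.

Added example, not code from the thread or from YunoHost. It classifies
the outcome of the three checks the replies suggest (reach the server by
public IP, by domain name, by private LAN IP) and generates/validates the
hosts-file entry used for the local-DNS workaround. All addresses and
names below are constructed placeholders.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Probe:
    """Whether a TCP connect to the service port succeeded via each address."""
    via_public_ip: bool
    via_domain: bool
    via_lan_ip: bool


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP connect; a timeout or refusal counts as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(on_lan: bool, domain_ip: str, public_ip: str, probe: Probe) -> str:
    """Map probe results to the most likely cause.

    on_lan: the probing device sits behind the same router as the server.
    domain_ip: what the domain name resolved to from the probing device.
    public_ip: the router's WAN address.
    """
    if domain_ip != public_ip:
        # A LAN resolver or hosts entry may legitimately hand out the private IP.
        if on_lan and ipaddress.ip_address(domain_ip).is_private:
            return "ok: LAN resolver already points the domain at the private IP"
        return "dns: the domain does not resolve to the public IP"
    if on_lan:
        if probe.via_lan_ip and not probe.via_domain:
            return "hairpinning: router does not loop WAN-address traffic back to the LAN"
        if not probe.via_lan_ip:
            return "server: nothing listening on the port, or the host firewall blocks it"
        return "ok: reachable from the LAN"
    if not probe.via_public_ip:
        return "upstream: ISP filtering or router forwarding/DMZ misconfiguration"
    if not probe.via_domain:
        return "dns: public IP works but the name does not (stale or cached record?)"
    return "ok: reachable from outside"


def hosts_entry(lan_ip: str, *names: str) -> str:
    """Build the line to append to /etc/hosts (or the Windows hosts file)."""
    ipaddress.ip_address(lan_ip)  # raises ValueError on a malformed address
    if not names:
        raise ValueError("at least one hostname is required")
    return f"{lan_ip}\t{' '.join(names)}"


def hosts_lookup(hosts_text: str, name: str) -> Optional[str]:
    """Return the address a hosts file maps `name` to, or None.

    Comments (#) and blank lines are skipped; the first match wins.
    """
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


# Constructed sample hosts file (not from any real machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
192.168.1.50  example.test www.example.test   # YunoHost VM (constructed)
"""


if __name__ == "__main__":
    # The thread's final situation: from the LAN, the private IP works but the
    # domain (which resolves to the WAN address) times out.
    lan_probe = Probe(via_public_ip=False, via_domain=False, via_lan_ip=True)
    print(diagnose(True, "203.0.113.10", "203.0.113.10", lan_probe))
    print(hosts_entry("192.168.1.50", "example.test", "www.example.test"))
    print(hosts_lookup(SAMPLE_HOSTS, "www.example.test"))
```

To use it against a live setup, fill the `Probe` fields with `tcp_reachable(...)` results for port 443 from a device on the LAN and again from a device on mobile data (with Wi-Fi off, which is exactly the trap described later in this thread), and pass the IP the domain resolved to from each vantage point.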

Excuse me, I had misread your message.

Your Yunohost VM is in the DMZ, right?
So for me, you do not need to redirect ports 80 and 443, since by default all the traffic is redirected to the machine that is in the DMZ.
At least it is the case with the “boxes” that we have in France; for the real routers I never asked myself this question (I did not need it), but I think this is the case for all routers.

We must find out whether one of your network devices has claimed ports 80 and 443 via UPnP (if your router supports it).

Ah! I just realized that I made a silly mistake. I tried accessing the site on my phone to test if it was available outside the LAN, but I was tired and forgot to disconnect my phone from the WiFi. I found that when I actually did this, the site is accessible outside the LAN, just not inside it.

So I guess that narrows it down to a hairpinning issue on the router?

EDIT: Yep. Looks like it was a hairpinning issue, which I solved by editing /etc/hosts on all the local machines, and by turning off wifi on my phone.