
New EE Smart Hub port forwarding not working

DavidFrankland
Contributor

I've just upgraded from ADSL to fibre, and received my EE Smart Hub today.

 

However, port forwarding is not working. When I try to access my home server using the external IP address (obtained from https://www.whatsmyip.org/), the connection times out.

 

I've disabled the firewall in Home > Advanced Settings > Firewall, and I'm forwarding ports 80 and 443 to a server with a fixed IP address inside my network.

 

Running the GRC Shields UP! tool shows that all ports are Stealth, except 80 and 443 which are Open.

 

I've also (temporarily) tried enabling DMZ, and setting it to the same internal IP address. Shields UP! now shows lots of Closed ports, but several Open ports, which correspond to services running on my NAS. The connection still times out when trying to access my web server using its external IP address.

 

The hub firmware is v0.05.02.04290-EE

9 REPLIES
XRaySpeX
EE Community Star

You should not need to disable the Firewall or enable DMZ to use port forwarding. Shields UP! is showing the expected state of these ports.

 

Can you correctly access these ports of your server using its internal private IP from within your LAN?

If you think I helped please feel free to hit the "Thumbs Up" button below.

To phone EE CS: Dial Freephone +44 800 079 8586 - Option 1 for Mobile Phone & Mobile Broadband or Option 2 for Home Broadband & Home Phone

ISPs: 1999: Freeserve 48K Dial-Up > 2005: Wanadoo 1 Meg BB > 2007: Orange 2 Meg BB > 2008: Orange 8 Meg LLU > 2010: Orange 16 Meg LLU > 2011: Orange 20 Meg WBC > 2014: EE 20 Meg WBC > 2020: EE 40 Meg FTTC > 2022: EE 80 Meg FTTC SoGEA > 2025: EE 150 Meg FTTP

Yes, http://10.1.0.100/ or http://openmediavault/ show my NAS login page.

Hi @DavidFrankland ,

 

Please may you check in your router GUI what IP address is assigned to the WAN interface (this is an IP address assigned to you by the service provider)? It's possible this is different from your exit address out to the internet (as shown by the whatismyip services). It's likely you'll need a DDNS service in place to keep these in sync (unless you have a fixed IP address and are not assigned a dynamic IP address which changes from time to time).

 

Presumably 10.1.0.100 is the IP address of your NAS and not the internal LAN IP address of your router?

 

The fact you see open ports tested externally suggests you have a hope of getting this to work. Please may you attempt a connection from outside the network. For example, you can set up a WiFi hotspot, connect a laptop so that it goes out via a different IP address and then comes back in from the internet via your router.

 

In terms of the port-forwarding, usually you would have more luck with the firewall enabled and the port-forwards in place as it is usually the firewall which performs the port-forwarding. I would have expected the port-forwarding options to be greyed out if you disable the firewall on most routers.

 

I came across a similar situation in setting up a VPN where a successful connection could not be made in the internal LAN network when targeting the WAN IP address as presumably the router does not expect to route from LAN to WAN and back to LAN (aka "hairpin NAT" https://fixyacloud.wordpress.com/2020/01/27/loopback-to-forwarded-public-ip-address-from-local-netwo... or hairpinning https://en.wikipedia.org/wiki/Hairpinning). My solution for connecting internally was to have a hostname which resolved to the internal LAN IP when my client was inside my network, and have the hostname resolve to the WAN, externally facing IP when my client was outside on the internet.

-- 
Contract SIM: Plan | Data | Usage | Check Status | Abroad | Chat | SMS | APN | PM
Wired: Check Speed | Test Socket | Faults | fast.com | speedtest.net
XRaySpeX
EE Community Star

@mikeliuk wrote:

Please may you check in your router GUI what IP address is assigned to the WAN interface (this is an IP address assigned to you by the service provider)? It's possible this is different from your exit address out to the internet (as shown by the whatismyip services).

Not possible! There is no CGNAT in operation with fixed BB.

 


@mikeliuk wrote:

a successful connection could not be made in the internal LAN network when targeting the WAN IP address as presumably the router does not expect to route from LAN to WAN and back to LAN.

That's called "Loopback" & is not usually supported. For testing purposes it's not worth doing.


The external IP address is the same in the router status page and whatsmyip.

 

10.1.0.100 is a NAS in my home network, 10.1.0.1 is the router IP address.

 

I just called a friend and asked him to try my external IP address, and it connected to my server! Then, I enabled NordVPN at home and tried the IP address and it also works!

 

It seems that if I'm coming in from "the internet", it works OK, but if I'm coming in via EE's network it times out. Strange, but I can live with that.

Sounds good, if you've not done so already, I would highly recommend you get that firewall back up. 😂


I've set it back to "Default" and everything still works.

 

Thanks!

So it's working all along 🙂.

 

@DavidFrankland wrote:

if I'm coming in via EE's network it times out. Strange, but I can live with that.

You'll have to! As I said earlier you can't use the public external IP from within your LAN. That's Loopback & not supported. You can only use the internal private IP from within the LAN.



Hi @DavidFrankland ,

 

Just occurred to me that I think it would be wise to double check the latest online security advice for the service you wish to expose to the internet to avoid compromise and data loss.

 

Any service exposed to the internet will either immediately or very soon be attacked (and likely frequently from that point onwards) and you should turn on and monitor the access attempts periodically (ideally setting up email alerts).

 

You should ensure the server/NAS software is up to date, and if the software is too old, it should simply not be exposed on the internet.

 

If you name the service you plan to expose to the internet, others may have relevant advice.

 

Alternatives to directly exposing services include arranging access into your private network via VPN (SOCKS5 proxy and SSH would also work, also SSH tunnels).

 

Another measure is to have a firewall capable of whitelisting public IP addresses for accessing your service port. Good luck, don't get hacked/owned! 🤓

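An added example, not part of the original thread: one way to act on the advice above to monitor access attempts and to know which public sources are off an allowlist, run over the access log of the web server behind the port forward. The LAN range, the allowlist entry, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the LAN is 10.1.0.0/24 (the thread mentions 10.1.0.1 and 10.1.0.100).
LAN = ipaddress.ip_network("10.1.0.0/24")
# Hypothetical allowlist of trusted public sources (documentation-range address).
ALLOWLIST = [ipaddress.ip_network("198.51.100.7/32")]
FAIL_STATUSES = {401, 403}  # authentication / authorisation failures
THRESHOLD = 3               # failures from one source before it is reported

# Common/combined log format: ip ident user [time] "request" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = """\
10.1.0.23 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.50 - - [01/Jan/2024:10:02:00 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.50 - - [01/Jan/2024:10:02:01 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.50 - - [01/Jan/2024:10:02:02 +0000] "POST /login HTTP/1.1" 401 128
192.0.2.14 - - [01/Jan/2024:10:03:00 +0000] "GET /admin HTTP/1.1" 403 64
192.0.2.14 - - [01/Jan/2024:10:03:05 +0000] "GET / HTTP/1.1" 200 512
truncated or corrupt line
"""

def summarise(log_text):
    """Return (alerts, unlisted): sources at/over THRESHOLD failures, and
    external sources that are not on the allowlist."""
    failures, unlisted = Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field was a hostname or garbage
        if src in LAN:
            continue  # internal traffic is not an exposure signal
        if not any(src in net for net in ALLOWLIST):
            unlisted.add(str(src))
        if int(m.group(2)) in FAIL_STATUSES:
            failures[str(src)] += 1
    alerts = {ip: n for ip, n in failures.items() if n >= THRESHOLD}
    return alerts, sorted(unlisted)

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

The `alerts` dictionary is what would feed an email notification; the `unlisted` list shows which sources an IP allowlist on the forwarded port would have blocked.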