Portforwarding issue – cannot access from outside router

port-forwarding

I'm running a server on my local PC on port 8080. I can go to a browser and do http://localhost:8080 and it works.

I'll refer to my public IP as PUBLIC_IP and private/internal as PRIVATE_IP.

In the browser (running on server PC), I can also do http://PUBLIC_IP:8080 and http://PRIVATE_IP:8080 and both work.

I set up port forwarding in the router software as:

TCP external port 8080 >> internal port 8080 to my PRIVATE_IP device.

When I go to canyouseeme.org and enter my PUBLIC_IP and 8080 – I get:

"Error: I could not see your service on PUBLIC_IP on port (8080)"

I looked at the router logs and see:

[LAN access from remote] from 52.202.215.126:55574 to INTERNAL_IP:8080

I assume 52.202.215.126 is the ip address of canyouseeme.org server.

But it seems to be using port 55574 – instead of 8080. And it also changes on each request.

That's the external port that the router sees right?

But looks like the request is getting to the router – just not to my server – getting blocked?

I've turned firewalls off.

Any help appreciated.

Here's the tcldump logs – running on the server PC – so traffic is getting to the server PC.

Fulls-Mac-mini:conf mini$ sudo tcpdump 'tcp port 8080'
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:08:26.451497 IP ec2-52-202-215-126.compute-1.amazonaws.com.48092 > 192.168.1.12.http-alt: Flags [S], seq 3119124296, win 26883, options [mss 1460,sackOK,TS val 298290090 ecr 0,nop,wscale 7], length 0
16:08:26.451570 IP 192.168.1.12.http-alt > ec2-52-202-215-126.compute-1.amazonaws.com.48092: Flags [S.], seq 449444859, ack 3119124297, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 683632630 ecr 298290090,sackOK,eol], length 0
16:08:27.449719 IP ec2-52-202-215-126.compute-1.amazonaws.com.48092 > 192.168.1.12.http-alt: Flags [S], seq 3119124296, win 26883, options [mss 1460,sackOK,TS val 298290340 ecr 0,nop,wscale 7], length 0
16:08:27.449751 IP 192.168.1.12.http-alt > ec2-52-202-215-126.compute-1.amazonaws.com.48092: Flags [S.], seq 449444859, ack 3119124297, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 683633624 ecr 298290340,sackOK,eol], length 0
16:08:28.453107 IP 192.168.1.12.http-alt > ec2-52-202-215-126.compute-1.amazonaws.com.48092: Flags [S.], seq 449444859, ack 3119124297, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 683634624 ecr 298290340,sackOK,eol], length 0
16:08:29.453652 IP ec2-52-202-215-126.compute-1.amazonaws.com.48092 > 192.168.1.12.http-alt: Flags [S], seq 3119124296, win 26883, options [mss 1460,sackOK,TS val 298290841 ecr 0,nop,wscale 7], length 0
16:08:29.453700 IP 192.168.1.12.http-alt > ec2-52-202-215-126.compute-1.amazonaws.com.48092: Flags [S.], seq 449444859, ack 3119124297, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 683635624 ecr 298290841,sackOK,eol], length 0

My internal IP address is 192.168.1.12

The log is a result of https://www.canyouseeme.org/ using my public ip address + 8080.

When I look at Tomcat logs access file – there's no entry. So either it's refusing connection (and not listing it in the logfile) or it's not getting to Tomcat.

Best Answer

No, the connection attempt is correct.

Each TCP packet has two ports: source and destination, which can also be called local and remote. (So the connections don't go "through" a port; instead they go from one port at the sender, to a possibly different port at the recipient.)

The 'source' port is almost always chosen at random (to ensure that each connection has a unique port pair).

The port you see specified in URLs, port-forwarding rules, etc. is almost always the 'destination' port. (This applies to both the "external" and "internal" ports when doing NAT..) You've forwarded port 8080, and CanYouSeeMe is also making a connection to port 8080 on your side – so that's perfectly fine.

Related Solutions

Networking – Access Web Server Behind Router with Same Address

As suggested in the comments to your question, you have several options:

See if you router supports NAT Hairpinning (also referred to as NAT Loopback or NAT Reflection per @DavidPostill) and whether it might need to be enabled (per @AFH).
If your router does not support hairpinning, buy a new one that does. This feature is semi-common in modern day consumer-grade routers but you will still likely want to do a bit of research before making any new purchase.
It may be possible to upgrade the router with Linux-based firmware such Tomato, DD-WRT or OpenWRT which can allow hairpinning (but this is likely a very technical endeavor).
As suggested by @SpiderPig, you can set up your own private DNS server on your internal network. This route is a bit more technical (and unnecessary if hairpinning can be enabled) but is probably the safer of the two technical solutions.

Private DNS Requirements

While there are obviously different steps for different network configurations, the principles for working around a lack of hairpinning with the last solution are the same:

Configure the external version of your domain with a DNS server that does not otherwise directly provide services for your internal version of that domain (likely DNS provided by your Registrar or 3rd-party services such as Namecheap FreeDNS).
Configure a separate DNS server (such as ISC BIND) for your internal network which handles your domain locally. That is, create an entry for your domain on that server and point it towards the correct internal web server IP. You can then have your internal computers use this local DNS server for domain resolution.

The reason this setup works is because non-internal queries are going through one (external) DNS provider (which has your public IP) while internal queries go through a second (i.e. the local DNS server with your private IP).

It is probably worth mentioning that besides "regular" domains, this option will also likely work for many "Dynamic DNS" providers as well (where the provider automatically satisfies the first requirement).

Note that both Namecheap FreeDNS and BIND are currently free and thus very cost-effective.

Basics With BIND

I going to assume that you have your domain configured with your Registrar to use DNS servers you do not control. In this instance, you likely do not need to take additional steps to meet the first requirement listed above.

Regarding the second requirement (your local network setup), I wrote a pretty thorough explanation on the basics of getting BIND working on Windows with a local domain a while back.

As for the choice of which computer to use as a local DNS server, the only real requirement is that it be ON consistently (as it will be needed for domain resolution). Outside of that stipulation, you can pretty much pick whichever computer on the network you like (even the web server itself).

Answer Notes

In my answer linked above, there are definitely a few spots you can ignore (mostly the WAMP stuff). Otherwise, the setup detailed there is the basic setup you need locally for your domain. For your situation, the few things that need to be altered are:

Substitute your own (external) domain for the "free.goodies" example domain.
Make sure any other miscellaneous items match your set up (e.g. installation paths, IP addresses, file names, rndc secret, etc.)
Make sure to uncomment the line for "forwarders" in "named.conf" (i.e. remove the hash #):
```
      forwarders { 8.8.8.8; 8.8.4.4; };
```

Note that the last item is absolutely necessary so your local network can contact non-local domains (i.e. the rest of the internet other than your domain). The specific IPs listed are functional as-is (they are Google's Public DNS servers) but you can substitute any others you like as well (including those of your ISP).

You still need to make sure to configure your local computers and router to use your local DNS server (as detailed near the end of the linked answer).

Linux Notes

If you are using Linux, you can of course choose to install files from the ISC BIND website. However, as an alternative, many distributions of Linux come with BIND already installed or available through their respective repositories.

As far as a local DNS server is concerned, there are a number of good net tutorials for different distributions. But the principle is the same -- set up a local DNS server to access your domain entirely from the local network (without needing the internet).

Caveats

Successfully accessing your domain locally will not always mean it will be accessible externally. You will always need to test external access with a network that doesn't use your router (e.g. your phone connected through its data plan).
There are some potential risks involved in running a DNS server and specifically in emulating domains with TLDs such as .com or .net. While it is possible to do so (as outlined here), you may want to consider researching any potential pitfalls.

Best Answer

Related Solutions

Networking – Access Web Server Behind Router with Same Address

Related Question