Problems with port forwarding to IIS behind a router

Bigwill99

Sorry, this is long, but I wanted to include all of the details.
Basically, I was able to use an http and ftp server with IIS, but now I
can't since I started using a router. Here are all of the fine details.

I have an http and ftp server set up on my personal computer and have
been using it successfully for a few years. I just got a router. (a
TRENDnet TEW-432BRP)

I've successfully set up the router (address 192.168.1.1) and connected
my PC (192.168.1.100).
I'm also able to connect my laptop (192.138.1.101) to the internet
using the wireless connection. So, all of that is working fine. I can
surf websites, IM, send email etc, no problem.

However, I have an HTTP and FTP server on the 192.168.1.100 box, and I
can't get it to work when I enter my external IP. Here's what I've
tried so far:

- Enabled port forwarding on port 80 for http and port 21 for ftp to
192.168.1.100. I've checked IIS and these are the ports that I was
using successfully before.
- Cloned the MAC address of my network card on my router so now the
router and network card appear to have the same MAC address.
- I've checked the firewall rules in my router settings and they were
automatically set up by my router when I enabled FTP and HTTP port
forwarding to allow traffic on those ports.

But, when I type in my external IP address, I'm getting Cannot find
server or DNS Error

- IIS is still working fine, because if I type 192.168.1.100 in for the
web site address on the local machine, I'm able to access my website
internally.
- I've even tried changing the port forwarding settings to forward port
80 to 192.168.1.1 (my router) and when I type in my external IP address
in the address, it successfully displays my Router's administration
page. So, this tells me that my port forwarding is not at fault.
- I know my ISP doesn't block port 80 and 21 because I was using these
successfully before the router.
- The only other "clue" I have is that I'm not able to ping
192.168.1.100 from 192.168.1.101 or view the web site internally by
typing the local LAN IP in the address. (I'm not great on networking,
so I'm not sure if this is even expected) However, there is a ping test
in the router settings, and I'm able to successfully ping 192.168.1.100
from the router.
- Any ideas on what else I might be able to check? Any help would be
greatly appreciated.
 
Daniel Crichton

Bigwill99 wrote on 30 Nov 2006 07:51:33 -0800:
> But, when I type in my external IP address, I'm getting Cannot find
> server or DNS Error

This is your mistake. It won't work from inside your router - it'll only
work from outside the router. It's a feature of most routers - packets
received on an interface will not be sent back to the same interface, even
if there are forwarding rules in place.

To test your configuration you will need to get someone else outside your
router to test it for you, or find a proxy server outside of your router
that you can use to make the requests through.

Dan
 
Daniel Crichton

In addition to my other reply, see notes inline below.

Bigwill99 wrote on 30 Nov 2006 07:51:33 -0800:
> Sorry, this is long, but I wanted to include all of the details.
> Basically, I was able to use an http and ftp server with IIS, but now I
> can't since I started using a router. Here are all of the fine details.
>
> I have an http and ftp server set up on my personal computer and have
> been using it successfully for a few years. I just got a router. (a
> TRENDnet TEW-432BRP)
>
> I've successfully set up the router (address 192.168.1.1) and connected
> my PC (192.168.1.100).
> I'm also able to connect my laptop (192.138.1.101) to the internet
> using the wireless connection. So, all of that is working fine. I can
> surf websites, IM, send email etc, no problem.

How is your laptop configured? Are you using a netmask of 255.0.0.0 ? Is
your router and other machines all using the same netmask?

> However, I have an HTTP and FTP server on the 192.168.1.100 box, and I
> can't get it to work when I enter my external IP. Here's what I've
> tried so far:
>
> - Enabled port forwarding on port 80 for http and port 21 for ftp to
> 192.168.1.100. I've checked IIS and these are the ports that I was
> using successfully before.

This should work.

> - Cloned the MAC address of my network card on my router so now the
> router and network card appear to have the same MAC address.

Why did you do that?

> - I've checked the firewall rules in my router settings and they were
> automatically set up by my router when I enabled FTP and HTTP port
> forwarding to allow traffic on those ports.
>
> But, when I type in my external IP address, I'm getting Cannot find
> server or DNS Error

As in my other reply, this is expected.

> - IIS is still working fine, because if I type 192.168.1.100 in for the
> web site address on the local machine, I'm able to access my website
> internally.
> - I've even tried changing the port forwarding settings to forward port
> 80 to 192.168.1.1 (my router) and when I type in my external IP address
> in the address, it successfully displays my Router's administration
> page. So, this tells me that my port forwarding is not at fault.

All this does is show that the forwarding works when pointed at the router
(and so there is no interface to same interface traffic attempts).

> - I know my ISP doesn't block port 80 and 21 because I was using these
> successfully before the router.
> - The only other "clue" I have is that I'm not able to ping
> 192.168.1.100 from 192.168.1.101 or view the web site internally by
> typing the local LAN IP in the address. (I'm not great on networking,
> so I'm not sure if this is even expected) However, there is a ping test
> in the router settings, and I'm able to successfully ping 192.168.1.100
> from the router.

If you can't ping 192.168.1.100 from 192.168.1.101 then that's a problem.
Are you running any sort of firewall software on the PC at 192.168.1.101
that could be blocking packets from 192.168.1.100?

> - Any ideas on what else I might be able to check? Any help would be
> greatly appreciated.

Dan
 
Bigwill99

Thanks Dan
Unfortunately, I had someone outside the network attempt to visit my
external address as well, with the same results. I read that this could
be the problem in another post.
 
Bigwill99

My replies are inline below following ***>>***

Daniel said:
> In addition to my other reply, see notes inline below.
>
> Bigwill99 wrote on 30 Nov 2006 07:51:33 -0800:
>
> How is your laptop configured? Are you using a netmask of 255.0.0.0 ? Is
> your router and other machines all using the same netmask?

***>>*** All pieces use netmask 255.255.255.0 - Incidentally, I have no
idea what a network mask does. I just see that it is very often
255.255.255.0. They were all set to this by default, so I didn't change
that setting.

> This should work.
>
> Why did you do that?

***>>*** I read in a post that this could be a potential solution. I
later found that it relates more to the DHCP and assigning the IP
address. On the bright side, I can switch my internet connection from
my router directly to my network card now without having to
release/renew.

> As in my other reply, this is expected.

***>>*** I get this error when attempting to access externally as well.

> All this does is show that the forwarding works when pointed at the router
> (and so there is no interface to same interface traffic attempts).

***>>*** I had my external user attempt to hit my IP address when I had
forwarding directed to my router's IP. He was able to successfully hit
my router's "home page". But, when I switched the forwarding back to
192.168.1.100, he received the error noted above.

> If you can't ping 192.168.1.100 from 192.168.1.101 then that's a problem.
> Are you running any sort of firewall software on the PC at 192.168.1.101
> that could be blocking packets from 192.168.1.100?

***>>*** There is no firewall on the laptop (192.168.1.101). It is my
work machine, so they have a network firewall there. On that note, I'm
able to log in through the wireless connection, connect to my work's
VPN, and use my work applications ok. So I don't think I'm having any
communication problems on that machine.

***>>*** Thanks for your help with this.

Fred.
 
Daniel Crichton

Bigwill99 wrote on 30 Nov 2006 09:39:57 -0800:
> My replies are inline below following ***>>***
>
> ***>>*** All pieces use netmask 255.255.255.0 - Incidentally, I have no
> idea what a network mask does. I just see that it is very often
> 255.255.255.0. They were all set to this by default, so I didn't change
> that setting.

I'm amazed that the laptop works - with a netmask of 255.255.255.0 it should
not be able to talk to the router IP of 192.168.1.1, as they are effectively
on different networks - the netmask defines the network portion of the IP
address, and to successfully pass packets back and forth without any other
proxy or router between the hardware they both need to use the same network,
your router network is 192.168.1 and your laptop is 192.138.1, so it should
not work. I'm guessing that the address you typed for the laptop is
incorrect and is actually 192.168.1.101.

> ***>>*** I read in a post that this could be a potential solution. I
> later found that it relates more to the DHCP and assigning the IP
> address. On the bright side, I can switch my internet connection from
> my router directly to my network card now without having to
> release/renew.

So long as your router only clones the MAC on its external interface it
shouldn't cause a problem, but if it clones on the internal interface then
it could well be intercepting packets destined for the server machine
itself, hence causing problems. I'd never suggest cloning a MAC unless you
had only a single machine and the ISP locks itself to a single MAC (such as
Blueyonder/Telewest in the UK used to require) and so adding a router would
not work if the modem was already locked to the PC NIC MAC.

> ***>>*** I get this error when attempting to access externally as well.

This indicates that the forwarding is not working, or the response packets
are not coming back.

> ***>>*** I had my external user attempt to hit my IP address when I had
> forwarding directed to my router's IP. He was able to successfully hit
> my router's "home page". But, when I switched the forwarding back to
> 192.168.1.100, he received the error noted above.

Is your router management page being served from port 80? Personally I'd
dump that router - allowing forwarding of an external connection to its
own internal management interface is a security risk, and obviously an easy
one to set up.

> ***>>*** There is no firewall on the laptop (192.168.1.101). It is my
> work machine, so they have a network firewall there. On that note, I'm
> able to log in through the wireless connection, connect to my work's
> VPN, and use my work applications ok. So I don't think I'm having any
> communication problems on that machine.

OK, so the netmask problem from above is answered - you mistyped the laptop
IP address. Still, the fact that the ping is failing is bad. Are you sure
that there is no firewall on the machine on 192.168.1.100? If there is that
would explain everything, as it would block all ping and connection attempts
from any other IP, and so explain why nothing appears to work except locally
on that machine.

> ***>>*** Thanks for your help with this.

I'll do my best to keep helping. I've been running servers since 1994 in a
wide variety of setups, so hopefully I'll find something that works :)

Dan
 
Bigwill99

Daniel said:
> Bigwill99 wrote on 30 Nov 2006 09:39:57 -0800:
>
> I'm amazed that the laptop works - with a netmask of 255.255.255.0 it should
> not be able to talk to the router IP of 192.168.1.1, as they are effectively
> on different networks - the netmask defines the network portion of the IP
> address, and to successfully pass packets back and forth without any other
> proxy or router between the hardware they both need to use the same network,
> your router network is 192.168.1 and your laptop is 192.138.1, so it should
> not work. I'm guessing that the address you typed for the laptop is
> incorrect and is actually 192.168.1.101.
>
> So long as your router only clones the MAC on its external interface it
> shouldn't cause a problem, but if it clones on the internal interface then
> it could well be intercepting packets destined for the server machine
> itself, hence causing problems. I'd never suggest cloning a MAC unless you
> had only a single machine and the ISP locks itself to a single MAC (such as
> Blueyonder/Telewest in the UK used to require) and so adding a router would
> not work if the modem was already locked to the PC NIC MAC.
>
> This indicates that the forwarding is not working, or the response packets
> are not coming back.
>
> Is your router management page being served from port 80? Personally I'd
> dump that router - allowing forwarding of an external connection to its
> own internal management interface is a security risk, and obviously an easy
> one to set up.
>
> OK, so the netmask problem from above is answered - you mistyped the laptop
> IP address. Still, the fact that the ping is failing is bad. Are you sure
> that there is no firewall on the machine on 192.168.1.100? If there is that
> would explain everything, as it would block all ping and connection attempts
> from any other IP, and so explain why nothing appears to work except locally
> on that machine.
>
> I'll do my best to keep helping. I've been running servers since 1994 in a
> wide variety of setups, so hopefully I'll find something that works :)
>
> Dan

Yes, sorry, that was just a typo on the 192.138.1.101.

I'll double check that there is definitely no firewall issue happening
on the server machine, but I'm 99% certain of it. However, the
microsoft security centre keeps on trying to force its way in, so maybe
it has turned something on that I'm not aware of. If that was the issue
though, I'd think it should have been causing the same issues before I
introduced the router. But, it was working fine before.

I'll also check the logs and see if I can find any incoming requests to
my server to help narrow down whether it's the incoming request not
getting received, or if it just can't send back a response.

The Router's internal MAC is still unique. I can see it on the
diagnostic settings. I'll change it back to the original setting in the
cloning so that the cloned MAC and the internal MAC are the same so I
know that this isn't causing an issue.
 
Daniel Crichton

Bigwill99 wrote on 1 Dec 2006 07:31:50 -0800:
> I'll double check that there is definitely no firewall issue happening
> on the server machine, but I'm 99% certain of it. However, the
> microsoft security centre keeps on trying to force its way in, so maybe
> it has turned something on that I'm not aware of. If that was the issue
> though, I'd think it should have been causing the same issues before I
> introduced the router. But, it was working fine before.

Could be a coincidental change.

> I'll also check the logs and see if I can find any incoming requests to
> my server to help narrow down whether it's the incoming request not
> getting received, or if it just can't send back a response.
>
> The Router's internal MAC is still unique. I can see it on the
> diagnostic settings. I'll change it back to the original setting in the
> cloning so that the cloned MAC and the internal MAC are the same so I
> know that this isn't causing an issue.

If the internal MAC is not the same as the other machine then you could just
leave it as is for now as it shouldn't cause a problem. When the laptop or
the other PC attempts to ping or connect to it the router is "out of the
loop" anyway unless it has some sort of proxy server that they are both
connecting through, so I'm pretty sure you'll find that the XP firewall has
become enabled on the server machine. Also check the TCP/IP settings on that
machine in case something is messed up in the netmask or gateway settings,
but if this had happened then I'd expect the server machine to not be able
to connect to anything other than itself.

Dan
 
Bigwill99

Daniel said:
> Bigwill99 wrote on 1 Dec 2006 07:31:50 -0800:
>
> Could be a coincidental change.
>
> If the internal MAC is not the same as the other machine then you could just
> leave it as is for now as it shouldn't cause a problem. When the laptop or
> the other PC attempts to ping or connect to it the router is "out of the
> loop" anyway unless it has some sort of proxy server that they are both
> connecting through, so I'm pretty sure you'll find that the XP firewall has
> become enabled on the server machine. Also check the TCP/IP settings on that
> machine in case something is messed up in the netmask or gateway settings,
> but if this had happened then I'd expect the server machine to not be able
> to connect to anything other than itself.
>
> Dan

You were exactly right, Windows Firewall was turned on. Must have
happened as a coincidence the same time I installed the router. Perhaps
windows updates ran and turned it on or something.
In any case, it's working great now. Thanks a lot for all of your
advice. Although the final solution shouldn't have required all the
trouble, I learned a couple of things along the way just the same.
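
The elimination used in this thread (the site answers on the server itself, fails from another LAN host on the same subnet, so the router cannot be the cause) written out as a small check. This is an added example, not part of any poster's message; the names `same_subnet`, `probe` and `localize` and the result labels are assumptions made for illustration.

```python
import ipaddress
import socket


def same_subnet(a, b, netmask):
    """True when b lies in the network that a/netmask belongs to."""
    net = ipaddress.ip_network(f"{a}/{netmask}", strict=False)
    return ipaddress.ip_address(b) in net


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # a reset came back: host reachable, nothing listening
    except OSError:
        return "filtered"  # timeout or unreachable: dropped by a firewall or en route


def localize(server, peer, netmask, local, lan, wan):
    """Name the most likely fault from probe results at three vantage points.

    local: probed on the server itself; lan: from `peer` to the server's LAN
    address; wan: from outside to the router's external address.
    """
    if local != "open":
        return "service is not listening on the server"
    if not same_subnet(server, peer, netmask):
        return "peer is on another subnet, LAN result says nothing"
    if lan == "filtered":
        return "host firewall on the server"  # LAN traffic does not cross the router
    if lan == "refused":
        return "service not bound to the LAN address"
    if wan != "open":
        return "router forwarding or upstream filtering"
    return "working"


if __name__ == "__main__":
    # Constructed observations matching the thread: works locally, times out
    # from the laptop and from outside.
    print(localize("192.168.1.100", "192.168.1.101", "255.255.255.0",
                   "open", "filtered", "filtered"))
    # Probe form, to be run from each vantage point (port 80 as in the thread):
    # print(probe("192.168.1.100", 80))
```

A timeout and a refusal point at different layers: a refusal means the packet reached the host's TCP stack, a timeout means something dropped it before that.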
 
