Posted: Fri Aug 30, 2019 14:14 Post subject: Port 80/443 help from external access
Hey there,
I happened upon a Netgear running DD-WRT v24-sp2 (04/18/14) std (SVN revision 23919).
Loving it, but I'm running into an issue port forwarding via 80/443. I have a domain pointing at my public IP.
When inside my LAN, using the domain routes through to my webserver fine, even SSL works, same with the public IP, but when I try from outside the LAN I am left with a timeout.
I tried running iptables -L to see any obvious dropping or filtering of TCP 80/443 but I could not see anything, though I'm not a huge expert at IP firewall rules.
I stumbled across this https://wiki.dd-wrt.com/wiki/index.php/Port_Forwarding_Troubleshooting so I decided to try nmap. When inside the LAN I get both TCP and UDP as open for my public IP, but when I try from outside I get TCP as filtered and UDP as open/filtered. Searching around, this suggests there is some sort of hardware firewall or ISP interception?
I got my ISP to confirm twice that they had indeed unblocked these ports, as they do block them by default, and I don't run any hardware firewall other than, I suppose, whatever is on this DD-WRT?
Is there anything else obvious I have missed here?
I know this has been asked a bunch, but I feel like it still might be the ISP, so I thought I'd get some advice.
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Fri Aug 30, 2019 14:41 Post subject:
I think perhaps the best way to set up a publicly-accessible web host of any sort is to place it in your DMZ, and configure a separate firewall on said host. DMZ bypasses the firewall filtering in DD-WRT.
Posted: Sat Aug 31, 2019 14:02 Post subject:
phyzical wrote:
Thanks! DMZ mode allowed access through from the outside.
So does that mean there's probably something on the router dropping the requests?
Most likely, as those ports are reserved for remote administration of the router. The firewall will allow packets out to those ports for web surfing, but it won't allow you to connect to them on the WAN interface usually, as best I understand it.
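Added example, not part of the thread: `iptables -L` lists only the filter table, while port-forward (DNAT) rules live in the nat table, so this sketch checks both from `iptables-save` output. The rule set, the addresses 192.0.2.10 and 192.168.1.50, and the function name check_forward are constructed for illustration and are not taken from the poster's router.

```sh
#!/bin/sh
# Constructed iptables-save sample: 192.0.2.10 = public IP, 192.168.1.50 = web server.
SAMPLE_RULES='*nat
-A PREROUTING -d 192.0.2.10 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.50:443
-A PREROUTING -d 192.0.2.10 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:80
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -d 192.168.1.50 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# check_forward RULES PORT prints: ok | no-dnat | no-forward
# Limitation: rule order is ignored, so an earlier DROP in FORWARD is not detected.
check_forward() {
    rules=$1; port=$2
    # Step 1: find the DNAT target for this port in nat/PREROUTING.
    dest=$(printf '%s\n' "$rules" | awk -v p="$port" '
        /^\*/ { table = $1; next }
        table == "*nat" && $1 == "-A" && $2 == "PREROUTING" {
            hit = 0; dnat = 0; to = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" && $(i+1) == p) hit = 1
                if ($i == "-j" && $(i+1) == "DNAT") dnat = 1
                if ($i == "--to-destination") to = $(i+1)
            }
            if (hit && dnat && to != "") { print to; exit }
        }')
    if [ -z "$dest" ]; then echo no-dnat; return 0; fi
    ip=${dest%%:*}; dport=${dest##*:}
    # A --to-destination without ":port" keeps the original port.
    if [ "$dport" = "$dest" ]; then dport=$port; fi
    # Step 2: forwarded packets traverse filter/FORWARD (not INPUT) after DNAT.
    printf '%s\n' "$rules" | awk -v ip="$ip" -v p="$dport" '
        /^\*/ { table = $1; next }
        table == "*filter" && $1 == "-A" && $2 == "FORWARD" {
            d = 0; dp = 0; acc = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-d" && ($(i+1) == ip || $(i+1) == (ip "/32"))) d = 1
                if ($i == "--dport" && $(i+1) == p) dp = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") acc = 1
            }
            if (d && dp && acc) { found = 1; exit }
        }
        END { print (found ? "ok" : "no-forward") }'
}

for port in 80 443; do
    echo "tcp/$port: $(check_forward "$SAMPLE_RULES" "$port")"
done
```

On a real router, pass the output of `iptables-save` in place of the sample; a `no-forward` result means the port is translated but nothing in the filter table accepts the forwarded packet.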