Port opening conundrum...

[tinpanalley]

For what it's worth this is in Canada with Videotron's Helix 2 modem/router.

 

I have the Helix set up in Bridge mode to give all routing to my tplink Deco M4 mesh network. 

I'm trying to run a program/app called BubbleUPnP which essentially gives me secure access from outside my home to our home music and video server (Foobar). 

I have set my router to open the appropriate ports but BubbleUPnP (and its dev) insists that if the ports are open, and Windows has those ports open on the firewall, that I should be getting access to my server. But something is stil blocking my access.

 

Can ANYone help me figure out what could be wrong? Things I can try? Questions I can answer to help me solve the problem?

(One tiny request: can we please not clog this with the comments about how this kind of access to my computer from outside leaves me exposed. Let's just park that debate to the side.)

Thank you!

[Eigenvektor]

Might be your ISP blocking access. Some close ports to protect their customers who don't know what they're doing (or to prevent people from hosting things on a non-commercial plan). Alternatively you might be sharing a public IP with multiple people (CGNAT). Check your router's external IP. Is it a public IP, or is it in a private range? (192.168.x.x, 172.16-31.x.x, 10.x.x.x)

[tinpanalley]

12 minutes ago, Eigenvektor said:

Alternatively you might be sharing a public IP with multiple people (CGNAT).

No, I'm fairly certain it's in the private range. I see 173.178...

[Eigenvektor]

2 minutes ago, tinpanalley said:

No, I'm fairly certain it's in the private range. I see 173.178...

You mean public range. It would be in a private range if it was 192.168.x.x, 172.16-31.x.x or 10.x.x.x, which would make it unreachable from the outside world.

 

Having a public IPv4 address is good, but it could still be that your ISP is blocking ports 58050/58051. How exactly have you set up port forwarding on the router?

 

It should be 173.178.x.x:5805x -> <ip-of-machine-with-bubble>:5805x. You could use something like https://www.whatismyip.com/port-scanner/ to check if the port is detected as open, while BubbleUPnP is running.

[tinpanalley]

12 minutes ago, Eigenvektor said:

You mean public range. It would be in a private range if it was 192.168.x.x, 172.16-31.x.x or 10.x.x.x, which would make it unreachable from the outside world.

 

Having a public IPv4 address is good, but it could still be that your ISP is blocking ports 58050/58051. How exactly have you set up port forwarding on the router?

 

It should be 173.178.x.x:5805x -> <ip-of-machine-with-bubble>:5805x. You could use something like https://www.whatismyip.com/port-scanner/ to check if the port is detected as open, while BubbleUPnP is running.

My router asks for this in the port forwarding...

[Eigenvektor]

3 minutes ago, tinpanalley said:

My router asks for this in the port forwarding...

Looks pretty standard. The question is, which values did you provide?

 

The internal IP should be the IP of the machine on which BubbleUPnP is running. The internal and external port should be one of the ports used by it (e.g. 58050 or 58051). I would assume you can add two rules, one for each port (click the ? next to "Need to forward multiple ports", it probably explains how). Though for security reasons it would likely make sense to only allow 58051, which should be the one providing HTTPS.

[tinpanalley]

8 minutes ago, Eigenvektor said:

The question is, which values did you provide?

For internal I was using my 192.168... 
Ports, the 58050 port, I was going to do asecond rule for 58051.

But Bubble still says, 

[Eigenvektor]

9 minutes ago, tinpanalley said:

For internal I was using my 192.168... 
Ports, the 58050 port, I was going to do asecond rule for 58051.

But Bubble still says, 

As I said initially, it's possible your ISP is blocking these ports.

 

If you have a second computer, I'd first double check that these ports are reachable from the other machine using the internal IP address of the machine running Bubble. If that isn't working, it's likely an issue with the Windows firewall that would need to be resolved first. If that is working, you know that Bubble is running and reachable, at least inside your home.

 

Double check that Bubble shows the correct public IP address (from what I can see, that should be shown above the connectivity test button). That IP should match the router's external IP.

[tinpanalley]

9 hours ago, Eigenvektor said:

the correct public IP address

Where do I get confirmation of that public ip address. Where can I find it to see if Bubble has it right? 

 

[BM813]

@tinpanalley When visiting the website whatismyipaddress.com, is the address that the website displays the same address that your router displays as its WAN IP address?

[tinpanalley]

3 hours ago, BM813 said:

@tinpanalley When visiting the website whatismyipaddress.com, is the address that the website displays the same address that your router displays as its WAN IP address?

Yes. whatismyip is the same as what Bubble calls my "Public IP address"

[tinpanalley]

7 hours ago, Eigenvektor said:

As I said initially, it's possible your ISP is blocking these ports.

 

Spoke to them today. They said, if we're putting the modem/router in Bridge mode they aren't doing anything to it at all other than handing off all control to our router. They said they dont block ports, but naturally they also can't offer help configuring our router.

[BM813]

44 minutes ago, tinpanalley said:

Yes. whatismyip is the same as what Bubble calls my "Public IP address"

Nope... Not Bubble.... I asked for router, not Bubble. 

 

First thing is to assurdley eliminate the possibility that you are not on a CGNAT from your ISP. This is easily done by comparing the two addresses:

From a laptop/desktop on your home network connected by wifi or ethernet (doesn't matter), and assuming you don't have a VPN running on the computer, compare the IP address from whatsmyipaddress to....

 

.... the WAN address your TPlink Deco says it is receiving, you'll have to log in to the router (the TPlink Deco) and look for a WAN address (not to be confused with WLAN). 

 

If they are the same you are not on CGNAT, if they are different you are on a CGNAT (pretty sure I got that right).

 

It's very possible you are not on a CGNAT, but we need to be sure before we go down a rabbit hole of troubleshooting. 

[BM813]

@tinpanalley Additionally: this link  offers some instruction from TPlink on how to check the WAN address on the Deco, see tip 1

[tinpanalley]

18 minutes ago, BM813 said:

Nope... Not Bubble.... I asked for router, not Bubble. 

 

My bad, i misspoke. And yes, the WAN from the router is the same as whatismyip.

[BM813]

Awesome! Thank you!

 

Did you install 'BubbleUPnP Server' on the machine that is hosting your media files? (emphasis on the server part)

 

And what Operating System is that machine running, windows ?

[tinpanalley]

3 minutes ago, BM813 said:

Did you install 'BubbleUPnP Server' on the machine that is hosting your media files? (emphasis on the server part)

 

And what Operating System is that machine running, windows ?

Yes, same machine.
Win 10.

Should be said, before this modem/router from my ISP I was on one of their "legacy" technicolor modems, but using the same tplink Deco mesh router. And when I would install the softwarefor BubbleUPnP, everything worked fine. Never needed to do a thing other than point the app at the program on my desktop.

[BM813]

9 hours ago, tinpanalley said:

Because if it's what shows up at whatismyip then Bubble has it wrong.

 

Can you elaborate on this?

Your following post after that, you mention that they are the same

[tinpanalley]

1 minute ago, BM813 said:

Can you elaborate on this?

Your following post after that, you mention that they are the same

Irrelevant. Ignore it.

[BM813]

@tinpanalley Well... if the only thing that has physically changed is the new modem, and the Public IP (WAN address) has been updated (if necessary) to the apps/devices to be used remotely, and no firewall rules changes have occured, and everything was working before

 

Did you try checking with the port scanner from whatsmyip , results?

[tinpanalley]

22 minutes ago, BM813 said:

and no firewall rules changes have occured.....

 

Did you try checking with the port scanner from whatsmyip , results?

I don't know that because I hadn't looked at the firewall rule before to know exactly what it was doing.

Port scanner says 58050 is closed.

I don't understand at all why this has worked for years and now it's completely not doable. I also dont get what I'm physically doing. I'm opening up ports on my Internal IP? Then what is the Public IP for? How do I open those ports?

What other program can I use to get the same access to my home desktop for music?

[BM813]

If the port scanner says it is closed then either the port forwarding is not configured correctly or something else with your setup is not allowing the configuration to run properly. I recommend following TPlink's guide on port forwarding that I linked to earlier, at least to check everything is configured as it should.

 

In simplistic terms: a firewall is like the walls of a castle, you live inside the castle and you have a gate to let traffic in and out of your castle. Imagine then the for every port there is a gate (some 65,535 gates) and at every gate/port a set of rules can be established to determine what can be let in or out. When we port forward, we are defining a rule when traffic approaches the wall from the outside (or inside) at gate 58050 (in this example) to allow traffic to be directed from outside the castle go straight to the machine hosting bubble/foobar (hence why we use the internal IP of that machine). If we didn't tell our firewall to allow the traffic through and where to direct it, the traffic would be denied entry. 

 

For the device running the bubble app outside the 'castle', that app needs to know what address to send its request to (the WAN address of your 'castle') and then your router needs to know where to direct that request inside your 'castle's' network.

 

This is a pretty simplistic take on firewalls that I hope helps some understanding of what is going on.

 

Lastly, YES absolutely there are other solutions to the issue you're having. Most notably VPN's such as wireguard, zerotier or tailscale. I personally am behind a CGNAT, so I utilize tailscale.

[tinpanalley]

6 hours ago, BM813 said:

For the device running the bubble app outside the 'castle', that app needs to know what address to send its request to (the WAN address of your 'castle') and then your router needs to know where to direct that request inside your 'castle's' network.

 

[BM813]

YES!!!

I'm so glad it's working, enjoy!

[tinpanalley]

2 hours ago, BM813 said:

YES!!!

I'm so glad it's working, enjoy!

Firstly... I need to thank you for your thorough explanation and castle analogy. That really helped me get my head around how this whole system works. In truth, I need to really spend time understanding Windows networking more. I would love to have more control over my use of my home network, my internet settings, and more and I am so good with understanding other computer elements but I'm severely lacking in networking comprehension. When internet, home network, related issues come up I'm always at a loss. I'd love to understand DNS more, how to really utilise every part of my home network, the connection settings of my Rpi Kodi install, etc and other examples so that I know exactly what home networking can do. Nevertheless, despite still wishing I could understand all the different settings in the router options, your analogy and your help went a long way towards giving me a relatable way to approach all this. So thank you for that. 

 

Understanding things better after your post, I went through the few elements that were controlling my ability to connect. Namely: the router options via the tplink app, the BubbleUPnP setup which is pretty automated and self explanatory, and the Windows Firewall settings. And you wouldn't believe what finally worked. In the Server Properties for the Inbound rule created for BubbleUPnP, you can choose which profile to apply the rule to. The only option selected was Private. I also checked Default and Public, and instantly the BubbleUPnP server page connectivity test worked. I'm not sure I get entirely why but what I gather is that only the Private profile was permitting access and that isn't the profile Bubble uses. Is that it or is it more complicated than that?