
Port Forwarding for 443 and OWA

  • 29-11-2016 9:54pm
    #1
    Registered Users Posts: 386 ✭✭


    Hi All,

    So my setup is:

    ISP router with Static IP
    Connects to my own router
    Where I provide static IP to my internal equipment including an HP microserver running Exchange 2016

    My problem:
    ISP uses port 443 to login to their router
    OWA uses port 443
    --> when I try access OWA outside the network - I end up at the ISP router login page
    Internally I can log in with no issues

    My Solution:
    Got ISP to forward random port (e.g. 999 to my router) and have forwarded that port internally to port 443 on the microserver

    Result:
    Page displays "connection refused".
    I have checked with canyouseeme.org - port 999 is open

    Am I missing something - forwarding 999 to 443 inside my own network should work....I think?

    If anyone can offer insight/ assistance it is much appreciated.

    thanks in advance,

    SH


Comments

  • Closed Accounts Posts: 5,756 ✭✭✭demanufactured


    Can you use a different port for OWA?


  • Registered Users Posts: 386 ✭✭SparrowHawk


    Having done an amount of research online, the general consensus is to leave OWA at 443 otherwise there may be issues. Honestly this had been my first avenue of investigation, and now trying the port forwarding route.


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    Why is your router presenting its GUI to WAN? Shut that **** off, it's an unnecessary expansion of the attack surface.


  • Closed Accounts Posts: 129 ✭✭trompele


    SparrowHawk wrote: »
    Having done an amount of research online, the general consensus is to leave OWA at 443 otherwise there may be issues. Honestly this had been my first avenue of investigation, and now trying the port forwarding route.

    This is true, leave OWA on 443, otherwise expect a lot of problems with this application.


  • Registered Users Posts: 3,441 ✭✭✭jamesd


    Ran into this a few times, I changed the port for the remote admin of the router from 443 to another port and then disabled it.


  • Closed Accounts Posts: 3,683 ✭✭✭Kensington


    I am guessing the ISP is Eir and the router is an F2000...

    The port forward is hard coded (as is port 80), even if you switch it off or disable it, it's still forwarded to enable access from Eir's management system.

    Can you bridge the F2000 and have your own router establish the PPPoE session for you?


  • Registered Users Posts: 386 ✭✭SparrowHawk


    Thanks for the responses all. So my ISP is Imagine (LTE) and router is WVRTM-127ACN which from Google is Gemtek made.
    The ISP router is locked down - so changes can only be made when I phone tech support.

    The bridging option might be feasible - may give them a ring tomorrow.

    Keep the suggestions coming...

    Am I right in my first assumption re the port forwarding should be open?

    thanks again


  • Registered Users Posts: 386 ✭✭SparrowHawk


    OK - have been doing some troubleshooting on and off over the last while. It would appear that I have an issue with my internal network, as I have come across a few problems... let me clarify.

    OWA -

    Using my static IP, it can be accessed outside my network (tested with mobile data) using the port forwarding. Once I go onto my internal network - I get connection refused, using the static IP. I can access using the localhost/ internal IP address with no issues. I can also send receive email on internal and external networks.

    Webcams
    I have two webcams which have a similar scenario. Cannot be accessed with the static IP using my local network - connection refused. Once I go onto mobile data - I can access with no issues.

    My setup - Imagine LTE router --> Linksys EA9500 Router-->multiple devices

    Troubleshooting done:
    Tried with both Linksys router and server firewalls turned off
    Flushed DNS

    Anyone got some suggestions?


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    You need hairpin NAT. Stolen from elsewhere:
    NAT Loopback (A.K.A. NAT Hairpinning) is generally used when you have an internal server on your LAN that hosts services on the WAN but you need to have client access via its public IP or DNS name. An example for this would be a web or email server that is on your LAN which has the required ports forwarded directly to the gateway router, and in order to be able to access it both internally and externally you need to use a domain name or public IP.

    This assumes you are running the most recent version of the stock Linksys Smart Wi-Fi firmware.

    Login to the Linksys SmartWifi router page (Default IP: 192.168.1.1)
    On the left-hand side of the page under the category "Router Settings" click on the "Security" tab.
    On the "Firewall" tab under the category "internet Filters" there is a radio button labelled "Filter Internet NAT Redirection"
    Uncheck this setting and click "Apply"
    One thing to mention for this setting is that it NATs the client device IP to the router's internal IP as the source and does not NAT the client as the public IP (Client LAN IP>Router LAN IP>Server LAN IP). This is a more secure way as older routers NAT the client to the public IP which essentially passes the traffic from LAN>WAN>LAN, which creates a security hole that could allow traffic to be intercepted on the WAN side.

    Therefore if the router LAN IP is 192.168.1.1, the client LAN IP is 192.168.1.100, and the server LAN IP is 192.168.1.200, the flow will be as follows:
    192.168.1.100 (Client) NAT > 192.168.1.1 (Router) > 192.168.0.200 (Server)
    There are two issues with this scenario to note:
    All devices on the internal LAN will be logged as 192.168.0.1 at the server when using the public IP/DNS address, and not their correct LAN IP.
    Any server services that have different access permissions on a trusted subnet (LAN) from an untrusted network (WAN) may need to have security permissions modifications to allow authentication. This is especially true in the Linux environment where email and web systems may have authentication exceptions (SASL) for trusted subnets, which will break client-side applications' ability to negotiate an authentication mechanism when on the LAN but does not affect devices on the WAN.
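    An added illustration, not part of the thread or any router's firmware: a toy Python model of a single router with the 999 -> 443 forward from this thread, showing why a LAN client hitting the public IP gets refused without loopback, and what the hairpin rewrite ED E describes does to the source address. The public IP is a constructed documentation-range address.

```python
from dataclasses import dataclass, replace

# Constructed addresses: public IP from the documentation range, LAN side as in the post
ROUTER_WAN = "203.0.113.10"
ROUTER_LAN = "192.168.1.1"
SERVER_LAN = "192.168.1.200"
PORT_FORWARDS = {999: (SERVER_LAN, 443)}   # external 999 -> OWA on 443 (the thread's setup)
ROUTER_LISTENS = {443}                      # the router's own HTTPS admin GUI


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_lan(ip: str) -> bool:
    return ip.startswith("192.168.1.")


def route(pkt: Packet, hairpin: bool):
    """Model what a home router does with a packet addressed to its public IP.

    Returns ("deliver", translated_packet), ("local", pkt) when the router's own
    service answers, or ("rst", None) when nothing listens (browser: "connection refused").
    """
    if pkt.dst != ROUTER_WAN:
        return ("deliver", pkt)          # plain LAN-to-LAN traffic is not translated
    rule = PORT_FORWARDS.get(pkt.dport)
    if rule is None:
        # No forward for this port: the router itself is the endpoint.
        # On 443 that is the admin GUI, which is the OP's original symptom.
        return ("local", pkt) if pkt.dport in ROUTER_LISTENS else ("rst", None)
    server_ip, server_port = rule
    if not is_lan(pkt.src):
        # Client on the WAN: DNAT only, so the server logs the real client IP
        return ("deliver", replace(pkt, dst=server_ip, dport=server_port))
    if not hairpin:
        # LAN client hitting the public IP: forward rules apply to WAN-side
        # arrivals only, so the router answers itself and nothing listens on 999
        return ("rst", None)
    # Hairpin NAT: DNAT to the server and SNAT to the router's LAN IP, so the
    # reply returns via the router; the server logs ROUTER_LAN, as the post notes
    return ("deliver", replace(pkt, src=ROUTER_LAN, dst=server_ip, dport=server_port))
```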


  • Registered Users Posts: 386 ✭✭SparrowHawk


    Thanks for that ED E, unfortunately the Filter NAT option is not selected, firmware is stock and updated.
    There is another option to enable NAT (default selected) or something referred to as Dynamic routing (RIP). I have to admit that my knowledge of networking is limited, so your help is greatly appreciated.


  • Registered Users Posts: 121 ✭✭Rgb.ie


    Are you using https:// to access the owa on 999?


  • Registered Users Posts: 1,467 ✭✭✭Lucifer


    From previous experience it seems that the Eir F2000 router does not support NAT Loopback. Have not come up with a solution to this but was considering using a different router to solve this but haven't got around to trying it.


  • Registered Users Posts: 386 ✭✭SparrowHawk


    Rgb.ie wrote: »
    Are you using https:// to access the owa on 999?

    Yes - using https - though have also tried http - same result


  • Registered Users Posts: 386 ✭✭SparrowHawk


    Lucifer wrote: »
    From previous experience it seems that the Eir F2000 router does not support NAT Loopback. Have not come up with a solution to this but was considering using a different router to solve this but haven't got around to trying it.

    My ISP is Imagine (LTE) and router is WVRTM-127ACN which from Google is Gemtek made.

    Haven't reached out to Imagine as of yet, as I assumed that as the browser page is saying "connection refused" it indicates that the request is coming through the ISP router ok - and is being blocked by my Linksys router - or am I wrong?


  • Closed Accounts Posts: 4,456 ✭✭✭The high horse brigade


    SparrowHawk wrote: »
    My ISP is Imagine (LTE) and router is WVRTM-127ACN which from Google is Gemtek made.

    Haven't reached out to Imagine as of yet, as I assumed that as the browser page is saying "connection refused" it indicates that the request is coming through the ISP router ok - and is being blocked by my Linksys router - or am I wrong?

    Could be either but it's most likely the Imagine one. Having double NAT makes it impossible to troubleshoot without removing your own Linksys or changing it to AP mode so your Imagine router is handling all traffic. Then ask Imagine to open ports.


  • Registered Users Posts: 386 ✭✭SparrowHawk


    Phoned Imagine this evening. Been told that there is only one setting for NAT on their router - essentially an on/ off situation, and it was already set to on.

    Is there any other avenue that I can investigate?


  • Registered Users Posts: 1,467 ✭✭✭Lucifer


    One option is to access things from local addresses when on the local network and then just access on the WAN address when off the local network. Not really ideal but will at least work.

    For IP cams you could have 2 sets of cameras, one local and one wan. If you are using android, Tinycam IP camera app allows you to set the camera with the WAN address and set a home wifi network that uses a different local address when connected to that wifi network.


  • Registered Users Posts: 1,467 ✭✭✭Lucifer


    Can you bridge the imagine router and then use a router that supports NAT Loopback?

    I have a Vodafone router and NAT Loopback works fine. I have everything set to WAN for IP cameras and all works perfectly. A friend has an Eir F2000 and has to access via either local or WAN.


  • Registered Users Posts: 386 ✭✭SparrowHawk


    Thanks Lucifer,

    I could (& currently do) use internal / external IPs when needed - but it just "bugs" me as it doesn't work as it "should"....

    For the bridging - so just get Imagine to set their router to bridging mode? And see if that works? I can always go back to the current setup if it falls over....


  • Closed Accounts Posts: 4,456 ✭✭✭The high horse brigade


    SparrowHawk wrote: »
    Thanks Lucifer,

    I could (& currently do) use internal / external IPs when needed - but it just "bugs" me as it doesn't work as it "should"....

    For the bridging - so just get Imagine to set their router to bridging mode? And see if that works? I can always go back to the current setup if it falls over....

    Imagine won't do bridging, it's very nasty to refuse to let customers take care of their own equipment.

