How to port forward to my Jellyfin server?

apoorv569 · March 17, 2021, 3:51pm

I have installed Jellyfin server on a old laptop, I want to access it from outside my home network, I tried forwarding port 8096 to the old laptop that I installed Jellyfin on, which is the default port for Jellyfin, but I cannot seem open that port. If I add the configuration to forward that port in LuCI, and do a nmap scan from my PC, of my public IP, port 8096 does not appear. What am I missing here?

eduperez · March 17, 2021, 4:01pm

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Also, port scans from inside your network (even if you use the external IP address), are not reliable. Better use an external scan service, or some app on your phone.

apoorv569 · March 17, 2021, 4:43pm

Where I am putting ---- it means sensitive information or stuff that I'm unsure if I should share or not..

Output for cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '----'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr '----'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option password '----'
	option ipv6 'auto'
	option username '----'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

Output for cat /etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config redirect
	option dest_port '8096'
	option src 'wan'
	option name 'Jellyfin-Server'
	option src_dport '8096'
	option target 'DNAT'
	option dest_ip '192.168.1.240'
	option dest 'lan'
	list proto 'tcp'

trendy · March 17, 2021, 4:59pm

Have you restarted firewall? Post also iptables-save -c -t nat

apoorv569 · March 17, 2021, 5:07pm

Output of iptables-save -c -t nat

# Generated by iptables-save v1.8.3 on Wed Mar 17 17:04:38 2021
*nat
:PREROUTING ACCEPT [2860:167017]
:INPUT ACCEPT [411:31851]
:OUTPUT ACCEPT [342:23638]
:POSTROUTING ACCEPT [2:236]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[2860:167017] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1029:109625] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[1831:57392] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[820:74181] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[818:73945] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.240/32 -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin-Server (reflection)" -j SNAT --to-source 192.168.1.1
[1029:109625] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d ----/32 -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin-Server (reflection)" -j DNAT --to-destination 192.168.1.240:8096
[818:73945] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[818:73945] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[818:73945] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1831:57392] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin-Server" -j DNAT --to-destination 192.168.1.240:8096
[1831:57392] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Wed Mar 17 17:04:38 2021

iplaywithtoys · March 17, 2021, 5:11pm

Try using an external scanning service instead. Two useful ones which I use regularly are grc.com's ShieldsUP! - https://www.grc.com/x/ne.dll?bh0bkyd2 - and pentest-tools.com's Online Port Scanner - https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

Be aware that grc.com takes a particularly histrionic approach with its reporting; it will scream an "OMG THE SKY IS FALLING!" failure report if it detects an open port. Of course, if you want that port to be open, then it's not a failure.

apoorv569 · March 17, 2021, 5:18pm

https://www.grc.com/x/ne.dll?bh0bkyd2 reports

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

and https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap reports only one port open which is not for Jellyfin. When I do a nmap scan it shows 4-5 ports open.

iplaywithtoys · March 17, 2021, 5:21pm

By default, GRC scans the first 1024 ports. If you want to scan a higher port number, you need to specify the port manually.

As for pentest-tools, my apologies. I'd forgotten that the custom port number probe requires an account; it's not part of the free scan. Sorry about that.

apoorv569 · March 17, 2021, 5:29pm

iplaywithtoys · March 17, 2021, 5:33pm

Hmm. That's pretty conclusive.

By any chance, is there another router/firewall in the way? Maybe one which you don't have control over?

Does the IP address shown by ifconfig.co match the IP address shown on OpenWRT's status page?

pavelgl · March 17, 2021, 5:39pm

Please check the firewall of host 192.168.1.240. If there is a firewall rule rejecting/dropping incoming traffic outside the lan, the port scanner should not show port 8096 as open.

apoorv569 · March 17, 2021, 5:44pm

The laptop that I'm hosting the server on had already installed UFW but I have allowed port 8096/tcp on it. Do I need to make some other changes as well?

trendy · March 17, 2021, 5:45pm

There are no hits, nothing reached the firewall. Check your internet provider that they don't block something.

iplaywithtoys · March 17, 2021, 5:51pm

OpenWRT has an optional tcpdump package which may help here.

If you set tcpdump to listen to the WAN interface on port 8096, it should produce some output if you do another external port scan.

If it does, then you know the incoming traffic is reaching your router, and you can then direct your troubleshooting at your router and your internal network.

If it doesn't, then you know that the incoming traffic isn't reaching your router. Depending on the reason why not, it may be something you can correct, or it may be out of your control.

apoorv569 · March 17, 2021, 6:11pm

I have installed tcpdump, how to set it to listen to port 8096?

iplaywithtoys · March 17, 2021, 6:49pm

Identify which interface is your WAN interface. On my test installation here it's eth1 - yours may be different.

Then issue the command tcpdump -ni <interface> port 8096

Replace <interface> with the name of your WAN interface. For example, on mine it would be tcpdump -ni eth1 port 8096.

apoorv569 · March 17, 2021, 7:42pm

I ran this command, and tried connecting to my public IP with port 8096 in Jellyfin app from my phone over LTE, and it did not throw any output.

iplaywithtoys · March 17, 2021, 7:47pm

In which case, I can only refer you back to this post: How to port forward to my Jellyfin server? - #10 by iplaywithtoys

Also this post: How to port forward to my Jellyfin server? - #13 by trendy

If nothing's hitting your WAN interface, then there's a good chance that something else might be blocking the incoming traffic.

eduperez · March 17, 2021, 9:43pm

Do you have a public IP address on your WAN interface?

apoorv569 · March 18, 2021, 5:06am

How to check that?