How to port forward to my Jellyfin server?

Output of iptables-save -c -t nat

# Generated by iptables-save v1.8.3 on Wed Mar 17 17:04:38 2021
*nat
:PREROUTING ACCEPT [2860:167017]
:INPUT ACCEPT [411:31851]
:OUTPUT ACCEPT [342:23638]
:POSTROUTING ACCEPT [2:236]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[2860:167017] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1029:109625] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[1831:57392] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[820:74181] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[818:73945] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.240/32 -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin-Server (reflection)" -j SNAT --to-source 192.168.1.1
[1029:109625] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d ----/32 -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin-Server (reflection)" -j DNAT --to-destination 192.168.1.240:8096
[818:73945] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[818:73945] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[818:73945] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1831:57392] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin-Server" -j DNAT --to-destination 192.168.1.240:8096
[1831:57392] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Wed Mar 17 17:04:38 2021

Try using an external scanning service instead. Two useful ones which I use regularly are grc.com's ShieldsUP! - https://www.grc.com/x/ne.dll?bh0bkyd2 - and pentest-tools.com's Online Port Scanner - https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

Be aware that grc.com takes a particularly histrionic approach with its reporting; it will scream an "OMG THE SKY IS FALLING!" failure report if it detects an open port. Of course, if you want that port to be open, then it's not a failure.

1 Like

https://www.grc.com/x/ne.dll?bh0bkyd2 reports

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

and https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap reports only one port open, which is not for Jellyfin. When I do an nmap scan it shows 4-5 ports open.

By default, GRC scans the first 1024 ports. If you want to scan a higher port number, you need to specify the port manually.

As for pentest-tools, my apologies. I'd forgotten that the custom port number probe requires an account; it's not part of the free scan. Sorry about that.

1 Like

Hmm. That's pretty conclusive.

By any chance, is there another router/firewall in the way? Maybe one which you don't have control over?

Does the IP address shown by ifconfig.co match the IP address shown on OpenWRT's status page?

2 Likes

Please check the firewall of host 192.168.1.240. If there is a firewall rule rejecting/dropping incoming traffic outside the lan, the port scanner should not show port 8096 as open.

2 Likes

The laptop that I'm hosting the server on had already installed UFW but I have allowed port 8096/tcp on it. Do I need to make some other changes as well?

There are no hits, nothing reached the firewall. Check with your internet provider that they don't block something.

2 Likes
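
The "no hits" reading comes from the [packets:bytes] counter in front of each rule in the iptables-save -c dump. The script below is an added example, not code from any poster in this thread; it pulls that counter out for every DNAT rule on a given port. The function names and the port 8920 sample rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the packet counter of every
# DNAT rule for one destination port in `iptables-save -c -t nat` output.

# Sample input. The first three rules are copied from the dump on this page;
# the port 8920 rule and its counters are constructed for contrast.
sample_nat_dump() {
    cat <<'EOF'
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.240/32 -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin-Server (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d ----/32 -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin-Server (reflection)" -j DNAT --to-destination 192.168.1.240:8096
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin-Server" -j DNAT --to-destination 192.168.1.240:8096
[12:720] -A zone_wan_prerouting -p tcp -m tcp --dport 8920 -m comment --comment "constructed" -j DNAT --to-destination 192.168.1.240:8920
EOF
}

# Usage: iptables-save -c -t nat | dnat_hits <port>
# Prints one line per matching rule: <chain> <to-destination> <packets> <HIT|NO-HITS>
dnat_hits() {
    awk -v port="$1" '
        # Counter lines look like: [pkts:bytes] -A <chain> ... -j DNAT ...
        /^\[[0-9]+:[0-9]+\] -A / && / -j DNAT / {
            dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            if (dport != port) next
            # $1 is "[pkts:bytes]"; strip the brackets and split on ":"
            split(substr($1, 2, length($1) - 2), c, ":")
            state = (c[1] + 0 == 0) ? "NO-HITS" : "HIT"
            print $3, dest, c[1] + 0, state
        }'
}

# Demo on the embedded sample; on the router, pipe the live dump in instead.
sample_nat_dump | dnat_hits 8096
```

A zone_wan_prerouting rule that still shows NO-HITS after an external connection attempt means the packets never arrived on the WAN interface, so the forward itself is not what is dropping them.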

OpenWRT has an optional tcpdump package which may help here.

If you set tcpdump to listen to the WAN interface on port 8096, it should produce some output if you do another external port scan.

If it does, then you know the incoming traffic is reaching your router, and you can then direct your troubleshooting at your router and your internal network.

If it doesn't, then you know that the incoming traffic isn't reaching your router. Depending on the reason why not, it may be something you can correct, or it may be out of your control.

4 Likes

I have installed tcpdump, how to set it to listen to port 8096?

Identify which interface is your WAN interface. On my test installation here it's eth1 - yours may be different.

Then issue the command tcpdump -ni <interface> port 8096

Replace <interface> with the name of your WAN interface. For example, on mine it would be tcpdump -ni eth1 port 8096.

I ran this command, and tried connecting to my public IP with port 8096 in Jellyfin app from my phone over LTE, and it did not throw any output.

In which case, I can only refer you back to this post: How to port forward to my Jellyfin server? - #10 by iplaywithtoys

Also this post: How to port forward to my Jellyfin server? - #13 by trendy

If nothing's hitting your WAN interface, then there's a good chance that something else might be blocking the incoming traffic.

1 Like

Do you have a public IP address on your WAN interface?

3 Likes

How to check that?

To preserve your privacy, show us the first two octets of your WAN address.

1 Like

Look at the status page which is shown when you first sign into the router. There's a section called "Network". Inside that section there's an entry called "IPv4 Upstream". Here's a (redacted) screenshot of what mine looks like.


I'm not sure what I can show, but here is what it looks like on my side:

Which field am I looking for here?

You're looking for the Address and Gateway fields... without the complete redaction.

Do you have a private IP address or a public IP address shown there? Does it match what you can see from any of the myriad "what is my IP address" websites out there?
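
The two checks asked for in this thread (is the WAN address private or public, and does it match what an external "what is my IP" site reports) can be scripted as below. This is an added example, not code from any poster; it goes slightly beyond the thread by also recognising the 100.64.0.0/10 carrier-grade NAT range, and the function names and sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify the router's WAN IPv4 address
# and compare it with the address an external service sees.

# Prints one of: private | cgnat | special | public | invalid
classify_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { print "invalid"; exit }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) { print "invalid"; exit }
            a = $1 + 0; b = $2 + 0
            if (a == 10)                               print "private"  # 10.0.0.0/8
            else if (a == 172 && b >= 16 && b <= 31)   print "private"  # 172.16.0.0/12
            else if (a == 192 && b == 168)             print "private"  # 192.168.0.0/16
            else if (a == 100 && b >= 64 && b <= 127)  print "cgnat"    # 100.64.0.0/10
            else if (a == 0 || a == 127 || a >= 224 || (a == 169 && b == 254))
                                                       print "special"
            else                                       print "public"
        }'
}

# $1 = address on the router status page (IPv4 Upstream)
# $2 = address reported by an external "what is my IP" service
diagnose_wan() {
    case "$(classify_ipv4 "$1")" in
        invalid)        echo "invalid-input" ;;
        private|cgnat)  echo "behind-upstream-nat" ;;   # another NAT sits in front
        special)        echo "not-routable" ;;
        public)
            if [ "$1" = "$2" ]; then
                echo "directly-reachable"
            else
                echo "address-mismatch"                 # something rewrites traffic upstream
            fi ;;
    esac
}

# Constructed sample values (documentation and private ranges).
diagnose_wan 192.168.0.2 203.0.113.7
diagnose_wan 203.0.113.7 203.0.113.7
```

A result of behind-upstream-nat or address-mismatch means a port forward on this router alone cannot expose port 8096; the upstream device or the provider also has to pass the traffic.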