Server behind OpenWrt router visible on LAN but not WAN despite port forwarding

From what I can tell by running tcpdump on the client, the client sends a SYN to the server and then I can't see what the server does. Some of the checksums are reported as incorrect.
I am grateful to you and others who have commented for your help.

Yes, it seems that no packets are returned.
Did you try to do it on an alternative port with port NAT on your router?
e.g. 8080 -> 80

This is what the nmap scan looks like, so there is a possibility your ISP filters port 80 (even if they say no, and clearly they seem not to on incoming).

nmap 70.178.xxx.xxx
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-27 13:02 HKT
Nmap scan report for ip70-178-xxx-xxx.ks.ks.cox.net (70.178.xxx.xxx)
Host is up (0.21s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
80/tcp   filtered http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3372/tcp filtered msdtc

We saw earlier that OpenWrt is capturing the return SYN-ACK leaving the wan, so if the client doesn't see it, then it is dropped in transit. This is an unusual block; most of the time they block the SYN.
The incorrect checksums are not to blame here.
As suggested, try another port.

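The two pieces of advice above (faser's 8080 -> 80 port NAT and trendy's "the SYN-ACK leaves the wan but never reaches the client" reading of the captures) can be put into one script. This is an added example, not code posted by anyone in the thread: the first function prints the OpenWrt firewall redirect as a `uci batch` so it can be reviewed before it is committed, and the second and third functions read tcpdump text output and say at which hop the handshake dies. The LAN host 192.168.1.10, the ports, and the two captures are constructed assumptions (documentation addresses are used instead of the poster's real public IP).

```shell
#!/bin/sh
# Added example for the thread above; not from the original posts.
# Part 1: OpenWrt redirect mapping WAN tcp/8080 to LAN host port 80.
# Part 2: classify tcpdump output from the router's wan side and from the
#         outside client to see where a SYN/SYN-ACK exchange is lost.

LAN_HOST="${LAN_HOST:-192.168.1.10}"   # assumed address of the web server
WAN_PORT="${WAN_PORT:-8080}"           # port exposed on the public side
LAN_PORT="${LAN_PORT:-80}"             # port the server actually listens on

# Print the redirect as a uci batch. Nothing on the router changes until you
# run:  redirect_batch | uci batch && uci commit firewall && /etc/init.d/firewall reload
redirect_batch() {
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='web-${WAN_PORT}-to-${LAN_PORT}'
set firewall.@redirect[-1].src='wan'
set firewall.@redirect[-1].src_dport='${WAN_PORT}'
set firewall.@redirect[-1].dest='lan'
set firewall.@redirect[-1].dest_ip='${LAN_HOST}'
set firewall.@redirect[-1].dest_port='${LAN_PORT}'
set firewall.@redirect[-1].proto='tcp'
set firewall.@redirect[-1].target='DNAT'
EOF
}

# Classify one vantage point. $1 = tcpdump -n text, $2 = server port as seen there.
# Prints: no-syn | syn-only | syn-ack-seen. Bad-checksum warnings in the
# tcpdump lines are ignored on purpose; they come from checksum offload on the
# capturing host and do not mean the packet was corrupt on the wire.
classify_capture() {
    capture="$1"; port="$2"
    syn=$(printf '%s\n' "$capture" | grep -c "\.${port}: Flags \[S]" || true)
    synack=$(printf '%s\n' "$capture" | grep -c "\.${port} > .*Flags \[S\.]" || true)
    if [ "$syn" -eq 0 ]; then echo no-syn
    elif [ "$synack" -eq 0 ]; then echo syn-only
    else echo syn-ack-seen
    fi
}

# Combine both vantage points. $1 = router wan capture, $2 = client capture, $3 = port.
diagnose() {
    router="$(classify_capture "$1" "$3")"
    client="$(classify_capture "$2" "$3")"
    case "$router:$client" in
        no-syn:*)                  echo "SYN never reached the router: blocked upstream or forward not hit" ;;
        syn-only:*)                echo "router saw SYN, no SYN-ACK: check dest_ip/dest_port and the server" ;;
        syn-ack-seen:syn-only)     echo "SYN-ACK left the WAN but never reached the client: dropped in transit, try another port" ;;
        syn-ack-seen:syn-ack-seen) echo "handshake completes end to end" ;;
        *)                         echo "inconsistent captures: router=$router client=$client" ;;
    esac
}

# Constructed sample captures (not real traffic). On the router this is what
# `tcpdump -ni <wan device> tcp port 80` shows (find the device with `ifstatus wan`);
# on the outside client, `tcpdump -ni <iface> host 198.51.100.7`.
ROUTER_WAN_CAPTURE='14:02:11.100 IP 203.0.113.5.51234 > 198.51.100.7.80: Flags [S], seq 100, win 64240, length 0
14:02:11.101 IP 198.51.100.7.80 > 203.0.113.5.51234: Flags [S.], seq 200, ack 101, win 65160, length 0'
CLIENT_CAPTURE='14:02:11.000 IP 203.0.113.5.51234 > 198.51.100.7.80: Flags [S], seq 100, win 64240, length 0
14:02:12.000 IP 203.0.113.5.51234 > 198.51.100.7.80: Flags [S], seq 100, win 64240, length 0'

redirect_batch
diagnose "$ROUTER_WAN_CAPTURE" "$CLIENT_CAPTURE" 80
```

Run the two captures at the same moment and compare them: the router seeing `[S.]` while the client only ever sees its own retransmitted `[S]` is exactly the pattern trendy describes, and it points at the ISP path rather than at the OpenWrt rule. Once the alternative port works, the same redirect with `src_dport` set back to 80 is the quickest way to re-confirm that only that port is being dropped.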

Thanks, @faser, @trendy, and psherman (as well as d687r02j8g for other suggestions). While the ISP insisted that port 80 is not blocked, clearly something is going on with it. A few days ago I tried a combination of a port-forwarding rule for 8080 on the router and a redirect with my DDNS provider and it didn't work. This time I was more persistent in experimenting with an alternative port, since several of you have now suggested that the ISP likely is filtering port 80 after all, and I got it to work through the right combination of router, server, and DDNS settings. Again, thank you for helping me!

Thanks, @faser. I'm going to try to mark this, as well as the comments by @trendy and psherman, as the solution. Would you be so kind as to edit your post to redact my public IP since it is no longer needed for testing? I'll do the same for my post that included it.

Done, but once again that doesn't make a difference. There are systems that are scanning 24x7 for open ports, so redacting the IP from here doesn't make your system safer. You need to use solutions like banIP and a reverse proxy to protect yourself (besides using https instead of http).

Understood. Thank you. I plan to switch it to https now that I know that each part of the infrastructure is working.
