BBB only accessible from outside, but not from within the network where the server runs


Dirk Feeken

Feb 7, 2021, 12:06:28 PM
to BigBlueButton-Setup
I have a running BBB (audio, video, everything works) but I can access it only from outside of my network. The HTTP/HTTPS ports are accessible from the outside only after the BBB installation. Why?

I've installed a fresh Ubuntu 16.04 server
FQDN is available, something like: bbb.dirksdomain.de
Its "A record" is pointing to the ext IP of my Router(NAT), e.g.: 84.85.86.87
Internal IP is something like: 192.168.10.10 
Firewall of the router allows port forwarding for 80,443, 22 and the needed UDP ports

*Before* I installed BBB I checked with netcat that the server gets the requests on all open ports from within my home network and from the outside. When calling from the outside the netcat test works with the external IP and the FQDN (but not with the internal IP, of course), when tested from within my network it works with external, internal IP and the FQDN as expected.

But after the installation of BBB with the installer script, it is not possible to reach the server from *within* my network with the FQDN or external IP (of my router) anymore. Even when BBB and nginx are not running and ufw is disabled, a test with netcat still works from outside of my network (so firewall and port forwarding still work) but not from within. Even nmap does not show the ports 80 and 443 from within, only from outside my network.

I started on the BBB server:
> netcat -l 443

Check with Mac from outside my network:
ping bbb.dirksdomain.de -> ok
netcat bbb.dirksdomain.de 443 -> ok
netcat  84.85.86.87 443 -> ok
netcat 192.168.10.10 443 -> fails as expected

nmap -PN bbb.dirksdomain.de
PORT     STATE    SERVICE
80/tcp   filtered http
443/tcp  filtered https
5060/tcp open     sip
...

Check with Mac from inside my network:
netcat bbb.dirksdomain.de 443 -> fails
netcat  84.85.86.87 443 -> fails
netcat 192.168.10.10 443 -> ok

nmap -PN bbb.dirksdomain.de
PORT     STATE    SERVICE
5060/tcp open     sip



Therefore if BBB runs, users from outside can work, including screen sharing, video and audio, but I can't even reach the server (time out in chrome) from within the network where the server runs. Is this intended? And how can I enable it?
I can still reach the server with the internal IP address, so an entry in /etc/hosts on every client Mac at home is a work around, but a rather dirty one. Which setting forbids the access from within my network over the FQDN? (It's not the router. Another machine I've set up for tests with apache works with the same FQDN over the same router).

regards,
Dirk







Philipp Memmel

Feb 7, 2021, 12:38:23 PM
to bigbluebu...@googlegroups.com
It looks like your router isn't doing NAT reflection, which makes it
impossible to access your bbb server via its public IP from inside your
local network.

Possible solutions:
- enable NAT reflection on your router
- set up a local DNS server and hardcode your bbb hostname to your local IP
- use hosts files in your local network

The first option requires your router to support NAT reflection. For the
second option: whether you can set up your own DNS server on your router and
add manual entries depends on your router firmware. Have a look at your
router manual to find out what it supports.

The third option is the fallback way. Not great, but the only possible solution IMO.

Regards

Pypo

Dirk Feeken

Feb 7, 2021, 2:11:16 PM
to BigBlueButton-Setup
Thanks for the response, but the router is doing NAT reflection correctly. The other server (the corresponding moodle server for BBB), which runs behind the same router, just with HTTPS on port 8443 instead of 443, is accessible from the outside and inside with the same FQDN without problems. Same settings in the router, just another port. NAT reflection also worked without problems to the "naked" BBB server before I installed BBB.

best regards,
Dirk

Fred Dixon

Feb 7, 2021, 6:29:38 PM
to BigBlueButton-.
Hi Dirk,

If you ping bbb.dirksdomain.de from within your network, do you get the external address of your server?

Regards,... Fred



Dirk Feeken

Feb 8, 2021, 3:02:48 AM
to BigBlueButton-Setup
Yes, ping bbb.dirksdomain.de (btw, that's not the real name) returns the correct ext IP of my router on all internal clients.
It's also possible to reach the moodle server (on a raspi pi) behind the same router with https://bbb.dirksdomain.de:8443 from all clients.
It was also possible to check with netcat <ext server IP> 443 the connection to my bbb server from within the network before the installation of bbb. After the bbb installation this didn't work anymore. Somehow the bbb installation "cut off" the visibility of ports 80 and 443 from within my network over the router.
So it indeed looks like NAT reflection doesn't work anymore. But only for this server and only after bbb installation.

best regards,
Dirk

Dirk Feeken

Feb 14, 2021, 12:01:50 PM
to BigBlueButton-Setup
I've found the reason: It's the dummy NIC for freeSWITCH which blocks the access to the BBB server from within my network.

If I delete the loopback entry with 
ip addr del 84.85.86.87/32 dev lo 
I can immediately reach the BBB start page bbb.dirksdomain.de from within my network, but then freeswitch doesn't work anymore and I get the 1002 WebRTC error after the echo test. If I add it again with 
ip addr add 84.85.86.87/32 dev lo 
BBB and freeSWITCH work again flawlessly from the outside but the server is not accessible anymore from within my network.

Am I the only one with this issue? And isn't there a better way to define the loopback?

best regards,
Dirk

Mario Menezes

Feb 23, 2021, 6:48:39 AM
to BigBlueButton-Setup
Hi Dirk,

 Have you found a solution to your issue? I'm facing exactly the same problem: BBB server is accessible from outside but not from within internal network (static NAT).
 I also have tried this dummy NIC trick without success for both access.

 Regards,
 Mário M.

Dirk Feeken

Feb 23, 2021, 9:28:51 AM
to BigBlueButton-Setup
Hi Mário,
unfortunately not. I checked it with a completely new Linux machine without BBB or any webserver installed. When I listen with netcat -l on a port, forwarded by the firewall, I can reach it from outside and inside the firewall/NAT without any problems. If I add the external IP address to the loopback interface (ip addr add <ext IP> dev lo)  the whole server is not reachable anymore from within the network but still from the outside. So this has nothing to do with BBB or nginx configuration, but seems to be a general (intended?) behaviour of this kind of dummy NIC setting. I haven't understood why, but I'm not a network specialist. (The Linux/network specialists I asked couldn't explain it either)

best regards,
Dirk

schartiie

Feb 24, 2021, 7:08:16 AM
to BigBlueButton-Setup
Hi,
I'm having the same issues with my setup behind a NAT Firewall.

In my test environment I got it working to connect from the internal network to the BBB server (without Error 1007) under the following conditions:
- configuring a host entry pointing to the local IP address of the BBB server
- opening the host firewall to accept all incoming udp connections
- no DMZ firewall in place. If so it would have been required to configure it too

Before my tests I also figured out that the absence of the (in a NAT setup unfortunately required) loopback adapter enables the internal clients to successfully connect.

In another post here in the forum I read earlier that a TURN server would be required?!

Regards

Schartiie

Dirk Feeken

Feb 24, 2021, 12:49:42 PM
to BigBlueButton-Setup
Hi Schartiie,
afaik, a TURN server is only required if your clients are sitting behind their own firewall which blocks their outgoing UDP connections, so that this has to be tunnelled over HTTPS. 
best,
Dirk

Chris Halliwell

Feb 25, 2021, 6:31:21 AM
to BigBlueButton-Setup
"Its "A record" is pointing to the ext IP of my Router(NAT), e.g.: 84.85.86.87"

Apologies if I've missed this in the thread, but is that A record on an external server, or an internal DNS server?

If it's the former, you'll need an A record on the internal DNS server as well, pointing to the bbb server external IP.

I'm probably suggesting something way too basic. Nonetheless, if you don't completely host your own domain, and the A record isn't there on both sides of the gateway, it would cause this issue.

All the best,

Chris

Dirk Feeken

Feb 27, 2021, 6:13:07 AM
to BigBlueButton-Setup
The A record bbb.dirksdomain.de is defined on the external server of my internet provider and points to 84.85.86.87. I don't have a local DNS server installed, but since I can ping my router from within my home network with bbb.dirksdomain.de and get a response from 84.85.86.87 I don't see why I need an additional A record within the network which points to 84.85.86.87? The DNS resolution seems to work, I just can't reach my BBB server from within my network with the external IP.
Maybe I'm missing something fundamental, I'm by no means a network expert.

best,
Dirk

City & Guilds of London Art School Admin

Mar 1, 2021, 4:54:25 AM
to bigbluebu...@googlegroups.com
Hi Dirk,

If there's no local DNS server then afaik there's nowhere to put another A record. One other thought, do you refer to the external IP in the /etc/hosts file? E.g., the first three lines would be:

127.0.0.1 localhost
127.0.1.1 internal_name_for_your_bbb_server
84.85.86.87 bbb.dirksdomain.de

All the best,

Chris


Dirk Feeken

Mar 2, 2021, 4:10:53 AM
to BigBlueButton-Setup
Yes, I've tried this /etc/hosts entry also, but it doesn't make any difference.
I've now installed a local DNS server in addition which points dirksdomain.de to the internal IP address of the server and with this it is accessible from within the network.

best,
Dirk

Mario Menezes

Mar 10, 2021, 8:39:36 PM
to BigBlueButton-Setup
Hi Dirk,

 So in the end, both your external users as well as the internal ones are able to connect to your BBB server using this local DNS server? This is interesting - I had this since the beginning ... maybe I've messed so much with my config that this didn't work for me.
 Would you mind to make a summary of your config options?
- Changes in config files (Freeswitch, Nginx, etc)
- Tweaks in server config (DNS, dev lo address, etc).
Sorry if this sounds too lazy, but it's not; I'm really lost after so many tries on changing configs without success.
 
Regards,
Mário M.

Dirk Feeken

Mar 15, 2021, 4:25:17 PM
to BigBlueButton-Setup
Yes, it can now be used externally and internally at the same time. The final setup was the simplest: After configuring the router (port forwarding for ssh, http, https and the udp ports) I just ran the bbb-install.sh script on a fresh Ubuntu 16.04 without any modifications (no demo but with Greenlight, stun server from google). The script automatically installed the dummy NIC (although the stun server seems to be accessible also without it, but freeswitch seems to need it anyway).
I did no changes to any freeswitch or nginx files after the installation at all, also no entry in the /etc/hosts file of the bbb server (doesn't seem to make a difference).

Then I installed an additional local DNS server (dnsmasq on a raspberrypi) pointing the external domain name of my router to the *internal* ip address of the bbb server and entered it as local DNS server in my router. That's all.

best,
Dirk
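
Added example, not part of any post in this thread: a small shell check that combines the two observations above (the public IP sitting on the server's lo interface, and the address a LAN client resolves for the FQDN) and prints the dnsmasq override for the split-DNS fix. The names, addresses and sample `ip` output are the thread's placeholders or constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Values below are the placeholder ones used in the thread.
FQDN="bbb.dirksdomain.de"
PUBLIC_IP="84.85.86.87"
INTERNAL_IP="192.168.10.10"

# Constructed sample of `ip -o -4 addr show dev lo` on the BBB server after
# the installer added the public address to the loopback interface.
SAMPLE_LO='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 84.85.86.87/32 scope global lo\       valid_lft forever preferred_lft forever'

# lo_has_ip IP: reads `ip -o -4 addr show dev lo` output on stdin and
# succeeds if IP is configured on lo (field 4 is "address/prefix").
lo_has_ip() {
    awk -v ip="$1" '{ split($4, a, "/"); if (a[1] == ip) found = 1 }
                    END { exit !found }'
}

# classify_answer IP: which address did the LAN client's resolver return?
classify_answer() {
    case "$1" in
        "$INTERNAL_IP") echo internal ;;
        "$PUBLIC_IP")   echo public ;;
        *)              echo unexpected ;;
    esac
}

# advise RESOLVED_IP: verdict for a LAN client; server lo output on stdin.
advise() {
    view=$(classify_answer "$1")
    if [ "$view" = internal ]; then
        echo "ok-direct"                 # client talks to the server directly
    elif [ "$view" = public ] && lo_has_ip "$PUBLIC_IP"; then
        echo "split-dns-needed"          # the case reported in this thread
    elif [ "$view" = public ]; then
        echo "relies-on-nat-reflection"  # works only if the router hairpins
    else
        echo "unexpected-answer"
    fi
}

# dnsmasq_line: the override for the local resolver (also matches subdomains).
dnsmasq_line() { printf 'address=/%s/%s\n' "$FQDN" "$INTERNAL_IP"; }

# Demo on the constructed sample; live, pipe in `ip -o -4 addr show dev lo`
# from the server and pass the address a LAN client gets for $FQDN.
printf '%s\n' "$SAMPLE_LO" | advise "$PUBLIC_IP"
dnsmasq_line
```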