Port Forwarding 80 and 6036

[Otto Pylot]

I have a security camera setup for my home. When I originally set it
up, I needed to set port forwarding to public ports 80 and 6036 so I
could access the camera DVR remotely. I checked ports 80 and 6036 with
canyouseeme.org and both ports were open. Setup was easy and it worked
perfectly. Accessing the camera DVR on my LAN also works as designed.

Recently I switched out the power strip that the Apple Extreme Base
Station and my DSL gateway is connected to for an APC battery backup so
I turned everything off and made the switch. Reconnecting was flawless
and internet et al was up and running in minutes.

About a week after the switch I tried to access the camera DVR from
work and "Connection timed out". I checked all settings when I got home
and everything was fine including accessing the camera DVR from my LAN
(wirelessly). I checked with my ISP and they are not blocking ports 80
and 6036. Canyouseeme.org now said that there was no connection to
ports 80 and 6036. I called Apple Support and they couldn't help me.
Apple had me power cycle (again) by disconnecting the cables from the
AEBS and DSL gateway, waiting at least 15 seconds and then
reconnecting. They did suggest that I downgrade to Apple Airport
Utility 5.6 from 6.1 (which worked just fine before) because Apple said
that 5.6 seems to work better for port forwarding than 6.1. That didn't
work. Apple then suggested that I needed to set the public UDP ports to
80 and 6036 as well as the private UDP ports 80 and 6036. That was not
how I had them originally setup per the mfrs instructions and it worked
fine with just the public UDP ports set. The only other wired device
that I have connected to the AEBS is my AT&T MicroCell tower which also
requires port forwarding and that hasn't shown any issues at all with
either Airport Utility, but it doesn't use ports 80 and 6036.

MacBook Air, OS 10.7.4, Airport Extreme Base Station (4th Generation)
version 7.6.1.

So, why can't I all of a sudden not connect to public UDP ports 80 and
6036?

--
Deja Moo: I've seen this bullshit before. Please respond to: sca...@invalid.net
replacing invalid with sonic.

[Otto Pylot]

In article <vilain-2E53C2....@news.individual.net>, Michael
Vilain <vil...@NOspamcop.net> wrote:

> In article <170720122116536215%ot...@bogus.address.com>,

> is there something else you can setup to prove the external network
> connects to your internal one? Like setup a web server page on the
> macbook air that's wired through a cable connect to the Microcell. See
> if you can connect from a site on the internet like your web host's via
> a shell script to an IP address and port on the Mac. Can you connect
> externally? Most things like this require a static IP address. How you
> got this to work without such things seems happenstance to me. Somehow
> the IP address on the "outside" needs a way to tunnel back to your local
> LAN. If the Microcell allows this without a static IP, then you can
> start adding other things into the equation.

The MicroCell is not the issue. It communicates just fine with AT&T via
it's own designated ports (which are different from the camera
system's). I have a static IP address for my DSL connection (I had my
ISP give me one today). However, canyouseeme.org still says that there
is no connection to ports 80 and 6036. I even disconnected the AEBS and
took it out of the chain and connected directly via ethernet to the DSL
gateway. Still no connection to 80 and 6036 via canyouseeme.org. What
is baffling is that it worked perfectly before , when canyouseeme.org
said the ports were open. Now, even with a static IP, with or without
the router, no connection to 80/6036 so no remote connection to the
camera system. My ISP confirmed that they are not blocking 80 and 6036.

[Barry Margolin]

In article <190720122049561629%ot...@bogus.address.com>,

If you connected the camera directly to the DSL modem, and still can't
connect, it sounds like the problem is with the camera.

If you can connect to the camera locally on the LAN, I think the problem
is with the camera's routing table -- it's not picking up the default
gateway from the router.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***

[Otto Pylot]

In article <barmar-3235E5....@news.eternal-september.org>,

The camera system's DVR allows for the IP address to be obtained
automatically (which happened to be the IP address that I assigned to
it based on the DVRs MAC address). Once obtained, that function is
disabled from further use and the subnet and gateway is automatically
configured which matches what is in the router. The only other
configuration to do is to put in the preferred and alternate DNS server
and that's it. Very straightforward. When the DVR is shutdown and
rebooted, the information is still in place. The DVR is always left on.

My ip address is static and Public/Private UDP Ports 80 and 6036 are
reserved for the DVR's assigned ip address. Typing in my static address
to connect remotely results in an HTTP error, which never happened
before. Again, connncting wirelessly locally is not a problem.

I really appreciate the help that you and Michael have given me. And
yes Michael, I could go and try to find someone else to help me but
I've always been able to get the help I need here in areas that are
obviously over my head and out of my area of expertise. This security
camera system was fairly easy to setup and worked as designed until
recently, but following the same steps as before, it now doesn't allow
remote access which is most confusing. It has to be something simple
but I can't seem to find it. My ISP insists that they do not block
those ports and Apple can't find anything wrong with the AEBS as far as
setup goes. And of course, port forwarding to the AT&T MicroCell works
because we have a constant and reliable connection (which btw, is
unusual for the MicroCell).

[JF Mezei]

I haven't read all the messages in this thread.

However, most consumer ISPs tend to block ports 25 and 80. If port 80 is
blocked by your ISP, you can't do anything to reach your device from the
internet.

Port 6036 should work though.

Your fixed IP address is only between your ISP and your router. DHCP
between your router and your LAN devices is not "fixed", although
devices tend to keep their DHCP leases for a very long time.

For incoming IP calls, you need to configure your router to route calls
to 6036 to the LAN IP address of the camera.

Because of NAT, the router needs to be told to what LAN side IP address
to route incoming connections to for every port. There is also a
default IP address to route the rest if you want. But if your default
points to your computer, you need to specify that calls to port 6036 go
to the IP address of your camera.

[Barry Margolin]

In article <500b006a$0$57779$c3e8da3$c8b7...@news.astraweb.com>,

JF Mezei <jfmezei...@vaxination.ca> wrote:

> I haven't read all the messages in this thread.
>
> However, most consumer ISPs tend to block ports 25 and 80. If port 80 is
> blocked by your ISP, you can't do anything to reach your device from the
> internet.
>
> Port 6036 should work though.

He didn't say what ISP he's using, but Comcast doesn't block port 80.
The only ports they routinely block are the ones used for NetBIOS, to
prevent accidentally sharing your files and printer with the Internet.
They block port 25 if you're suspected of spamming.

To check whether this is the case, the OP could enable a web server on
his PC, and change the router's port forwarding to send port 80 there
instead of the camera, and see if it can connect.

Another thing: does the AEBS have a log of connections that have been
forwarded? Check this to see if the attempts to connect to the camera
are being forwarded.

[Otto Pylot]

In article <barmar-350928....@news.eternal-september.org>,

Barry Margolin <bar...@alum.mit.edu> wrote:

> In article <500b006a$0$57779$c3e8da3$c8b7...@news.astraweb.com>,
> JF Mezei <jfmezei...@vaxination.ca> wrote:
>
> > I haven't read all the messages in this thread.
> >
> > However, most consumer ISPs tend to block ports 25 and 80. If port 80 is
> > blocked by your ISP, you can't do anything to reach your device from the
> > internet.
> >
> > Port 6036 should work though.
>
> He didn't say what ISP he's using, but Comcast doesn't block port 80.
> The only ports they routinely block are the ones used for NetBIOS, to
> prevent accidentally sharing your files and printer with the Internet.
> They block port 25 if you're suspected of spamming.
>
> To check whether this is the case, the OP could enable a web server on
> his PC, and change the router's port forwarding to send port 80 there
> instead of the camera, and see if it can connect.
>
> Another thing: does the AEBS have a log of connections that have been
> forwarded? Check this to see if the attempts to connect to the camera
> are being forwarded.

My ISP is Sonic and they insist that the only port they block is 25.
But as I indicated, it worked as designed before with the setup process
I detailed in my last post. The AEBS lists the ip addresses via the MAC
address that have been allowed access to my network (which is just our
laptops, iTouches, ATV2, MicroCell, camera DVR, etc). Both the
MicroCell and the camera DVR are port forwarded based on their
static-assigned ip address but I'm not sure if that's what you mean. I
just don't understand why canyouseeme.org indicated that 80 and 6036
were open before I set it up initially ( a couple of months ago) and
now it says they are closed. Even if I disconnect the AEBS from the
Comtrend modem and connect my laptop directly to the Comtrend via enet
I still can't see an open 80 or 6036 so to me, that would indicate that
Sonic, or maybe the Comtrend is blocking access.

[JF Mezei]

Otto Pylot wrote:

> My ISP is Sonic and they insist that the only port they block is 25.
> But as I indicated, it worked as designed before with the setup process
> I detailed in my last post. The AEBS lists the ip addresses via the MAC
> address that have been allowed access to my network

Not sure what "AEBS" is. But there is no MAC address involved in
allowing inbound calls from the internet, through your modem/router and
to a specified IP address on you LAN. The router routes packets to/from
internet and does the NAT based on IP addresses, not MAC addresses.

You need to know what device on your premises acts as router. There are
many modems that do both the modem and the router, and there are routers
that are standalone and expect the modem to just be a modem (a bridge in
ethernet architecture).

If you have a router and a modem, you need to make sure your modem is
set to be a modem only (sometimes called "bridge mode") and doesn't
block or route ANY packets, and doesn't do any DHCP or PPPoE etc.

Then you know that your modem won't interfere with your router.

It is perhaps best if you tell your router to direct inbound calls for
port 80 to your computer and then run a web server on it. This way, you
can verify more easily the connecrivity from internet and debug it. Once
you get that working, then you can change your router config to point
calls destined for port 80 to your camera's IP address.

[Barry Margolin]

In article <500b6eec$0$1772$c3e8da3$fdf4...@news.astraweb.com>,

JF Mezei <jfmezei...@vaxination.ca> wrote:

> Not sure what "AEBS" is.

Airport Extreme Base Station, which is the router he's using.

[Otto Pylot]

In article <barmar-8B93B5....@news.eternal-september.org>,

Barry Margolin <bar...@alum.mit.edu> wrote:

> In article <500b6eec$0$1772$c3e8da3$fdf4...@news.astraweb.com>,
> JF Mezei <jfmezei...@vaxination.ca> wrote:
>
> > Not sure what "AEBS" is.
>
> Airport Extreme Base Station, which is the router he's using.

Yes. Thank you. I should have been more specific. The DSL gateway is
not set to do anything but pass traffic to the Apple Extreme Base
Station which handles the NAT and DHCP chores. As I stated, the only
two DHCP addresses that I've assigned as static are to the camera DVR
and the AT&T MicroCell. My IP address is static and shouldn't change
even with a power cycle, either on purpose or because of an outage.
Unfortunately, setting up a server to check is a bit beyond my skill
set so I'll have to talk my bro-in-law to check that out for me (he
works for MacAfee so this should be right up his alley). BTW, could
DHCP leasing have anything to do with anything? I have it set at its
default setting which is one day which has always worked (as far as I
can tell) but I don't really know what it's for in my simple home
setup.

[JF Mezei]

Otto Pylot wrote:

>> Airport Extreme Base Station, which is the router he's using.
>
> Yes. Thank you. I should have been more specific. The DSL gateway is
> not set to do anything but pass traffic to the Apple Extreme Base
> Station which handles the NAT and DHCP chores.

Have you verified this to be the case ?

You base station is a DHCP client to the internet. Verify that the IP
address it gets from your ISP is indeed an internet IP address.

Consider that if your modem is NOT set to be in bridge mode, it will be
the DHCP client to the ISP and it will be the one getting the internet
IP address from the ISP. When your base stations does the DHCP request
to the internet, it is actually the modem that will respond to it and
offer a non routable private IP address (10.*.*.* , 192.168.*.* are the
most common)

While this will appear to work for outbound access, it will fail for
inbound because the modem is the one doing the filtering and first later
of NAT and won't know where to direct calls destined to port 80. Your
base station will do a second NAT but packets won't get to it.