[SOLVED] Ports open on one end, closed on other

Blingbo

Distinguished
May 21, 2015
90
0
18,540
Since changing to fiber optic internet, I've lost access to the main router settings. I had to call the ISP to open ports and make the IP static for a few game servers I wanted to host. Everything was dandy up until last night when no one could connect and the ports were deemed closed by portchecker and other sites. I called the ISP, they said everything was as it was on their end, only I couldn't access my server through the external IP. I talked with IT for 30 min until one port opened on my end while directly connecting my PC to the main router. Note, my config is Main router>cable>access point router>cable>PC. Why would it stop working all of a sudden if I'm to believe the ISP's words that it's on my end? I haven't touched anything on the internet end since they installed the fiber cable. My "ipconfig" shows my PC is assigned an internal IP along with DHCP enabled for some reason, I'm bad at networking, but I think DHCP should be disabled for a static IP to work. I'd like to host a Minecraft (or any game really) server again, thanks

I've also tried to manually assign the external IP to my PC, but I don't understand subnet masks and gateways enough. Also the 2nd router is a TP-LINK used in "access point" mode, which hasn't caused any issues even before the fiber cable came along.
 
@Blingbo
The idea is that every device in the world gets its own IP address. That way, if you want to access any device in the world, you just put in its IP address and bam. The problem is that there are not enough IP (IPv4) addresses in the world for all the devices in the world. So we developed a workaround and as usual, workarounds make things more complicated.

So here is the idea behind NAT (Network Address Translation, the workaround). We give a public IP address to 1 device (main router usually ... call it "ONE"). All of the other devices (which have private IP addresses) connect to "ONE". Now, all our other devices ask "ONE" to go get some information for them. "ONE", using its public IP address, gets the information (like a web page) and transfers it back to our device. And the system works great for all outgoing internet traffic.

Here is the issue ... what if you want to run a server? Your buddy contacts "ONE" and says I want to connect to the server. "ONE" does not know anything about a server, so it drops the request or sends back a deny message (port closed). So we have to tell "ONE" about our server. We do this via port forwarding. We say, hey "ONE", if you get a request on port 100, then forward that request to my server on this address (which is a private IP address). And it works great .... unless

So, you have a couple of issues with your setup.
  1. You have 2 routers ... The main router and the access point router. If they are both doing NAT, then you have to do your port forwarding twice. Maybe an issue, maybe not, since you have the router in access point mode.
  2. DHCP is fine for assigning private IP addresses to your devices, but you have to make sure your server always gets the same address, otherwise "ONE" can't find it anymore. You can do this with an IP binding or by using a static IP address that is outside the range of the DHCP pool.
Great ... tons of theory, but how do I fix it?
I would make an easy change to your AP router. The cable from the main router probably goes into the WAN port of your AP router. Move it to a LAN port. Your AP router is now a switch and WiFi AP and your main router is the only one that does NAT, firewall, DHCP, etc ... everything is set up on it (and you will probably be able to access it more easily without the AP router). Now you did say your router is in access point mode, so it should not be messing things up, but I would still make this change.

You need to make sure the IP address of your server is not changing, so whichever router is doing NAT can find it when it port forwards.

That's a lot of info ... ask any questions you may have.

* EDIT * The one thing I always forget ... when you make changes to your network, you often have to update the IP address of your devices to make things work. You can do this by restarting the device (or on a cell phone turning WiFi on and off) or by opening a command prompt on a computer and typing "ipconfig /release" and then "ipconfig /renew".
 

Blingbo

@anotherdrew
That solution would've been too easy, since I've changed nothing to the connection prior to the closed port fiasco I mark it as retroactively completed. Routers have always been connected through the LAN ports and I haven't touched any setting beyond renaming wifi signals/passwords to match each other. Thanks for the reply, but I'm afraid that does not help in my situation.
 
@Blingbo
I'm glad the 2nd router is not the issue ... that is a common problem.
What about the IP address of the computer you are running your server on ... is the IP address static or is it changing? If it changes from time to time, then the port forwarding will never work. Same goes for your public IP address ... if your ISP changes that from time to time, then you will have issues. You did infer that you are paying for a static public IP address, so I hope that is not the issue, but it is worth checking.

Also, I'm very surprised that you can't gain access to your ISP provided router to make changes. Calling your ISP each time is a real pain. Can you share the make and model and we would be happy to do some research.
 

Blingbo

@anotherdrew
ISP says I'm not allowed to touch these settings for some undisclosed reason. Maybe because the fiber runs the TV channels and internet. Both IPs are static, I've confirmed with them last night. Make of the GPON terminal/router is HUAWEI EchoLife HG8245H and the AP router is a TP-LINK Archer A6. Hope it helps both of us. I'm still convinced the problem is on the ISP's end
 
@Blingbo
If your ISP insists on controlling everything, then yes, it's on them to set up your configuration and ensure it works.

I did find one thing ... the default address for that router is 192.168.100.1 ... Does that match the gateway address when you do "ipconfig" from a command prompt? What happens when you put the address into a browser?

Things you can do ...
  1. Make note of your server's current IP address. It sounded like your ISP got things working again, so if/when it stops working, then look at your IP address again ... did it change? If it did, that is an issue.
  2. Make note of your current public IP address. Typing "what is my IP address" into Google normally works for finding this. There are also websites that will tell you. Again, if/when it stops working, verify your public address again ... did it change? If it did, that is an issue.

If neither of those is an issue, then it is most likely a configuration issue with the Huawei router and since you have no control of it, it's on them to fix it for you. Personally, I think that sucks.
 

Blingbo

@anotherdrew
Public IP is static, local also. Trying to enter the gateway gets me connection refused. Only time my server port (1 of 3 ports) was open, was when I directly connected my PC to the Huawei router that night. By the morning it was closed again. And they insist it's on my end, I'll have a chat with them again soon.
 
The part about it only working when directly connected to the Huawei bugs me. The TP-Link should not be interfering in its current configuration, but it sounds like it is.

Questions ...
  1. What is the IP address of your server (this should be a private IP address (starting with 10, 172, or 192) and thus it is safe to enter it here ... if it's a public address never post it)?
  2. I assume you can still access your TP-Link to make configuration changes ... what is that IP address (should be private)?
  3. What is your gateway address (should be private)?

My concern is that Huawei and the TP-Link might have the same IP address and this is causing issues.

Also, a test ...
With your server connected to the TP-Link, open a command prompt and do "tracert google.com".
From a command prompt do "ipconfig".
Now connect your server directly to the Huawei.
From a command prompt do "ipconfig /release" and "ipconfig /renew"
From a command prompt do "tracert google.com".
From a command prompt do "ipconfig"

Looking at the first 3 lines of the "tracert" ... does the first trace route match the second?
Looking at the ipconfig info ... does the first match the second?

All of this is just to confirm that your TP-Link is not the issue, because if the issue is not your gear, then it is clearly an issue with your ISP.
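The tracert comparison described in the post above can be done mechanically. The following is an added example, not part of the original thread: the function names and all sample addresses are constructed, and the sample text imitates Windows tracert output.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_LINE = re.compile(r"^\s*\d+\s+(.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed Windows tracert output; all addresses are made-up samples.
DIRECT = """Tracing route to example.test [198.51.100.10]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.100.1
  2     3 ms     2 ms     3 ms  203.0.113.1
  3     *        *        *     Request timed out.
"""
VIA_AP_BRIDGED = DIRECT  # AP acting as a switch: the path is unchanged
VIA_AP_ROUTING = """Tracing route to example.test [198.51.100.10]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     1 ms     1 ms     1 ms  192.168.100.1
  3     4 ms     3 ms     3 ms  203.0.113.1
"""

def hops(text):
    """Responding address per hop line; None where the hop timed out."""
    result = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if m:
            found = IPV4.findall(m.group(1))
            result.append(found[-1] if found else None)
    return result

def private_prefix(hop_list):
    """Count hops from the start that answer from RFC 1918 space."""
    count = 0
    for addr in hop_list:
        if addr is None or not any(
                ipaddress.ip_address(addr) in net for net in RFC1918):
            break
        count += 1
    return count

def compare(via_ap, direct, first=3):
    a, b = hops(via_ap)[:first], hops(direct)[:first]
    # An extra private hop that appears only behind the AP means it is routing.
    return {"same_path": a == b,
            "extra_private_hops": private_prefix(a) - private_prefix(b)}
```

An `extra_private_hops` value above zero means the second router is doing its own routing and NAT, so a port forward would be needed on both devices.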
 

Blingbo

@anotherdrew
  1. It is public, so friends outside my house can join. I wouldn't need to forward ports to play LAN games
  2. I cannot, since it is in AP mode. I can only rename, toggle Wi-Fi and switch modes. That is all more or less
  3. Gateway is the factory specified one
Test results are identical
 
My "ipconfig" shows my PC is assigned an internal IP along with DHCP enabled for some reason, I'm bad at networking, but I think DHCP should be disabled for a static IP to work.

I'm sorry ... by internal IP I thought you meant a private address. If you have a public address on your computer (server) then your ISP must have set up something special on the main router. It is possible that the TP-Link is interfering with that special setup. So, yes, your network might be interfering with the ISP setup. I would suggest getting a long cable and keeping your PC (server) connected directly to the main router at all times.
 

Blingbo

@anotherdrew
That would limit the Wi-Fi range which is why the 2nd router is in place. And running a 2nd super long cable is not fun. Now it doesn't matter how I connect the PC, the ports are still closed. Seems that every port (80,20,25,etc) I check is closed. I'm sure there are ports that you have open by default, right?
 
@Blingbo
No ports have to be open by default. I personally block all incoming traffic.

For a port to be detected as "open" (let's assume you are using a port checking website), a message generated by the checker first travels the internet to your ISP's network. It travels through your ISP's network and maybe passes through a firewall somewhere (depends on your ISP's setup). Your ISP can stop traffic here if they want (you get a result of port closed), but they probably don't. The message reaches your house and enters the Huawei router. The Huawei also has a firewall. Depending on the firewall rules the message will be forwarded. Most ISP firewalls default to blocking all incoming traffic. Since your PC (server) was set up with a public IP address, I would expect they set it up to allow all traffic sent to that IP address to be passed on, whereas all traffic sent to your router's public IP address will be blocked. So, it is very important that you are checking your PC's (server) public IP address. Once the message reaches your PC (Windows, I assume) it will reach another firewall (unless you disabled it). This firewall will check to see if the message matches any rules that allow the message, otherwise the message is denied or dropped (depends on the rules) and you get a result of port closed. Finally, the OS passes the message on to the server that is listening to that port. For example, a message sent to port 80 will normally be forwarded to your web server (software, not hardware) and your web server will respond and you get a port open result. If your web server is not running, then your web server can't respond and you get a port closed message.

I hope this clears things up a bit. There are lots of opportunities to get a port closed message and only one way to get a port open message.

As far as the wiring ... Your TP-Link really shouldn't prevent your servers from working since you are using it as a switch and not a router, but you inferred that it was, so I would bypass it at least until you have things working.
 
Solution
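The last step of the path described in the answer above (no listening service means a "closed" result, whatever the firewalls allow) can be reproduced on one machine. This is an added example, not code from the thread: `probe` and `demo` are hypothetical names, loopback stands in for the server PC, and the probe goes slightly beyond the post by separating a refused connection from a silently dropped one.

```python
import socket

def probe(host, port, timeout=1.0):
    """Classify one TCP connect attempt the way a port checker would."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"         # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"       # reset received: host reached, nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"     # no reply at all: a firewall dropped the request
    except OSError:
        return "unreachable"  # routing or address problem before the host
    finally:
        s.close()

def demo():
    """Probe a loopback port before, during and after a listener exists."""
    # Ask the OS for a free port, then release it so nothing is listening.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()

    before = probe("127.0.0.1", port)

    # Stand-in for starting the game server: bind and listen on the port.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    during = probe("127.0.0.1", port)

    srv.close()               # stand-in for stopping the server
    after = probe("127.0.0.1", port)
    return before, during, after

if __name__ == "__main__":
    print(demo())
```

A web-based checker usually reports both "closed" and "filtered" as closed, which is why a stopped server and a blocking firewall look the same from outside.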

Blingbo

@anotherdrew
Ok, so now I launched a Minecraft server and sure enough the port opens as soon as the server sends a signal. That is great news, but it doesn't explain how the first time around it didn't open (before talking to the ISP). I'll call this mission success for now. If anything pops up I'll refer to your replies, thanks!
 
