Port forwarding not working on 80 or 443

jonrotter
Grasshopper

Some other ports appear to forward properly but port 80 and 443 do not work.

They did in the past but not anymore.

What gives? How do I fix this?

Swiftb3
Grasshopper

Same for me. As of a few days ago (or even yesterday?), port 80 forwarded just fine.  Now it fails no matter what I do, even though all the other random port forwards work fine.

wm8
Grasshopper

Just had the same issue. Spent a while debugging nginx configs only to find out that I was getting no traffic on ports 80 or 443 over the internet with correctly configured port forwards. The same ports work over the local network and random ports work over the internet, so I have to conclude that Shaw is filtering packets on 80 and 443.

mdk
Legendary Grand Master

@wm8 -- Shaw is filtering packets on 80 and 443

That is not what I am seeing. 

When I try to connect to 70/TCP (this port is usually used by the very-old "Goper" protocol), I get:

$ telnet 70.166.49.172 70
Connecting ...

Could not open connection to the host, on port 70:
Connect failed

So, my cable-modem (I have changed the IP-address from the actual IP-address of my Hitron), the cable-modem received the connection-request, but refused to connect.

When I tried telnet 70.166.49.172 70    a connection opened, but when I typed "G" (as in the start of the "GET" HTTP-command), the connection closed.  This shows that the Hitron received some packets, sent some packets -- to fully "open" the session -- and was waiting for a valid command.

Please  try the same connection-attempts, using your "public" IP-address, and post your results.

 

wm8
Grasshopper

I don't quite understand what you're trying to get at with this, as my issue is specifically related to not receiving traffic on ports 80 and 443 on a server with the gateway configured to forward packets on these ports. Connecting via telnet to a modem which is not even the same model as mine (Hitron vs Bluecurve gateway) would give us no information about the problem. The issue observed is there is no inbound traffic (including connection attempts) on ports 80 or 443 on a device which my Bluecurve Gateway is configured to forward packets on these ports to. With my public IP address omitted for obvious reasons, here is the chain of commands I can run to show that Shaw is blocking the packets. The configuration is as follows:

- Shaw bluecurve gateway with the port range 1-65535 forwarded to server$

- server$ a fresh Arch Linux install with no firewall installed connected to the gateway through ethernet running nothing but netcat servers

- client$ an internet connected linux install with netcat to create connection requests over TCP

The tests I ran were the following:

1. start netcat servers waiting for incoming TCP requests on the port range 444-79 on server$

2. on client$ create a TCP connection request with `netcat $PUBLIC_IP $PORT` for $PUBLIC_IP of server$ and each $PORT in the range 444-79

3. for each connection request, send the string 'test'. Manually observe which netcat processes have returned the test string

 

Running the above testing procedure shows that successful connection attempts are made on every port in the range 444-79, except for ports 443 and 80. For the processes running to listen on ports 443 and 80, no connection attempt is ever received.

Since there is no filtering being done in my setup for these packets and my client$ is able to receive and send connection requests on port 80 to other servers (the browser works), the filtering must be upstream from my Bluecurve Gateway for incoming packets on ports 80 and 443.

graphius
Grasshopper

I thought it might have been an issue with my old router, so I bought a replacement. Same issue. I tried forwarding to my backup server in case my NAS was somehow configured wrong (although it used to work). No difference.

For some reason Shaw has started blocking ports, especially 80 and 443. Not sure when, or why they started that.

 

mdk
Legendary Grand Master

@wm8 -- I don't quite understand what you're trying to get at with this

Sigh. There were two typos in my reply:

  1. "Goper" should have been "Gopher" -- a protocol from the U. of Minnesota that preceded the HTTP protocol. Gopher provided ASCII text -- no graphics.
  2. The second occurrence of "70" should have been "80".

I was trying to show that the Shaw cable-modem (Hitron, and maybe BlueCurve) did two things:

  1. received the packet to connect to port "70", and responded with "unable to connect";
  2. received the packet to connect to port "80", and responded by opening an HTTP session.

So, in my case, traffic to 80/TCP _is_ reaching my cable-modem. 

I encourage you to try TELNET aa.bb.cc.dd 80 [substitute your "public" IP-address] to see if you get either "time-out" (if there is "upstream" filtering) or "connected" (a response from your NETCAT app).

If Shaw is filtering, do you think that the filtering rules would be different for different Shaw routers -- Hitron versus BlueCurve, i.e., filtering on one device, but not the other?

 

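An added example (not code from any poster in this thread): a small Python probe that makes the outcomes discussed in the netcat test and the telnet replies explicit, separating a completed connection, an active refusal and a silent timeout, and listing the ports that time out while other forwarded ports connect. The function names and the 203.0.113.10 address are assumptions for illustration; run it from a host outside the LAN against your own public IP, with listeners already started on the forwarded ports.

```python
import socket


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt, as the telnet/netcat tests do by hand.

    'open'     -> handshake completed: a listener (or the gateway itself) answered
    'refused'  -> a RST came back: the packet reached a device, nothing listening
    'filtered' -> no answer before the timeout: the SYN or its reply was dropped
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"  # e.g. no route to host; not evidence either way
    finally:
        sock.close()


def sweep(host, ports, timeout=3.0, probe_fn=probe):
    """Probe each port once and return {port: status}."""
    return {port: probe_fn(host, port, timeout) for port in ports}


def silent_exceptions(results):
    """Ports that timed out while at least one other probed port connected.

    A timeout alone does not say where on the path the packet was dropped
    (ISP, gateway or host firewall); it only shows that nothing answered.
    """
    if "open" not in results.values():
        return []  # nothing connected: check forwarding and listeners first
    return sorted(p for p, s in results.items() if s == "filtered")


if __name__ == "__main__":
    # 203.0.113.10 is a documentation placeholder, not a real gateway.
    results = sweep("203.0.113.10", [79, 80, 81, 442, 443, 444])
    for port, status in sorted(results.items()):
        print(f"{port:>5}/tcp  {status}")
    print("timed out while others connected:", silent_exceptions(results))
```

Running a packet capture on the server side during the sweep shows whether the SYN for a "filtered" port ever arrived at the LAN interface.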

mdk
Legendary Grand Master

@wm8 --  my client$ is able to receive and send connection requests on port 80 to other servers (the browser works)

Yes, unless you have your own firewall rules, any app on your computer should be able to try to initiate a connection to any port on any public IP-address, e.g., connect to 80/TCP on host www.google.ca

Once the Shaw router has noticed your attempt to send packets to that port, then "SPI" ("Stateful Packet Inspection") becomes active within the router -- response packets from the IP-address that you specified to your computer will be allowed to "pass-through" the router, but only to the "private" IP-address of your computer -- not to any other "private" IP-address within your Local Area Network. You can let your cat, named "Net", out of your front door. When "Net" scratches at your front door, wanting to enter, and if you recognize that it is the return of "Net-the-cat", not some other cat, you may open your door, to let "Net" into your home, but maybe "Net" is trained to not enter any room with a carpet, to avoid Net's wet-and-muddy-feet from messing-up your carpets. If you know that Net is inside, and some other cat scratches at your door, you would automatically "deny" that other cat -- not opening the door at all.

 

RickBeec
Grasshopper

I have the same issue. My modem is bridged and any other ports are fine (after creating port forwards on the firewall), but I cannot get 443 to go through. Support says that they don't block anything. Sounds sketch. 

msilvoli
Grasshopper

Hello, 

I'm having problems in the last 4 days and discovered Shaw is blocking 80 and 443 for all incoming requests. Nothing you can do about it, especially if you need 80 to install SSL like certbot. I did various tests with other port numbers together with my DNS (for my website) and all ports for testing purposes were forwarded correctly.

 
