[BlueOnyx:23161] Re: Redirection and forwarding, needing to redirect to a different server to a different port, can this be done easily?

Roy Urick rurick at usa.net
Fri Aug 23 21:42:32 -05 2019


Sorry for the direct reply, not sure why my mail client decided to reply 
to you and not the list. But I digress.

A quick test to verify the carrier would be to plug in a web server, 
even if it's just a simple IIS or 3rd party server on a laptop directly 
to the WAN in place of the firewall (and set to the WAN address of the 
firewall) and see if you can hit it while directly connected to the WAN. 
That will rule out your firewall if you can hit the directly connected 
test server.

And I feel your pain. The company I work for does CCTV and until the 
vendor developed their mobile app, we had to bypass residential blocks 
on port 80 by setting the NVR to talk on 81 and teach the customer how 
to hit it by adding :81 to the end of the DDNS address to bypass the ISP 
block.

On 8/23/2019 10:21 PM, Fungal Style wrote:
>
> Roy,
>
> Thanks for the reply…
>
> I agree, I do not believe DNS can do it (although I know there are 
> some funky things that can be done).
>
> Port 80 would be open on the carrier for outbound traffic, but this 
> particular carrier has blocked unsolicited inbound traffic of specific 
> ports like port 25 and port 80 in the past (to block phishing sites, 
> spam, etc).
>
> Although when I enquired they advised that it was open, although they 
> were not specific and <rant> this is what I hate about technical roles 
> outsourced to developing countries </rant> (ironically I personally 
> know people who work for some of the BPOs who handle contact for this 
> particular carrier, so I am VERY sceptical they really know).
>
> I have reviewed their firewall and to me with enough knowledge to be 
> dangerous, copied the same rules which worked for port 443 and applied 
> them to port 80, changed order and various other ways to place a 
> priority, but to null effect, hence my suspicion for the provider 
> blocking, regardless of their claims.
>
> I am led to believe the service is a "business grade" service, which 
> is more about SLAs than anything else. (It is a fixed wireless 
> connection on the nbn in Australia.)
>
> I did find references to others having the port blocked and others not 
> with the same provider for port 80, however no one ever raised any 
> issues over port 443 or other obscure ports (mainly seen 25 and 80 
> being reported as blocked).
>
> I have got another reply from Michael which I need to look at closely 
> and test, so I will post here again once I have looked at it also.
>
> But as for iptables, unless I wanted to pass ALL traffic to the 
> external server, from what I am finding/reading it will not do it.
>
> Regards
>
> Brian
>
> *From: *Roy Urick <rurick at usa.net>
> *Date: *Saturday, 24 August 2019 at 1:09 am
> *To: *Brian Carter <wayin at hotmail.com>
> *Subject: *Re: [BlueOnyx:23157] Redirection and forwarding, needing to 
> redirect to a different server to a different port, can this be done 
> easily?
>
> Pretty sure DNS cannot add a port number to a query response, or even 
> know what port the subsequent traffic is going to use. It just is 
> asked "what is the IP of this host" and the DNS server responds.
>
> I'd guess that if 443 is open, 80 is also open at the carrier level. I 
> don't know of any non-business service providers that block inbound 80 
> that don't also block inbound 443 as well.
>
> My gut says the firewall is misconfigured. You can always call the ISP 
> and ask if they are blocking any inbound ports. In my experience they 
> will all tell you whether they are or not. If it's not business class 
> service they are probably blocking it. But I can't imagine them not 
> blocking both.
>
> On 8/23/2019 10:02 AM, Fungal Style wrote:
>
>     Hi all,
>
>     Here is the situation, a website is hosted with an on-premise
>     server (I know, stupid idea, but these guys are raised on
>     *stoopid*, as in I bet their parents took a double helping thing
>     more is better), they have port 80 blocked and port 443 open, so
>     if you access their site via HTTPS, it works fine, but drop the
>     HTTPS and use just HTTP, it fails, as port 80 is blocked.
>
>     Simple solution would be to change their firewall right? Well I am
>     not certain the issue is with the firewall but the provider of the
>     link to their server, and the firewall is part of a fairly high
>     end router that you may need some additional training to
>     understand all of the features (I think it is one of the Vanguards
>     from memory, been a little bit since I last looked at the configs).
>
>     So here is what I am thinking, having a BO server handle the DNS
>     requests, change the port to port 443 and then forward the traffic
>     to the IP address of their on prem server, but I cannot think of a
>     good way to do this as I am thinking iptables but surely there
>     must be a better (read as "easier") way to do this that I am just
>     not seeing, as even with iptables I am not sure I would be able to
>     (could be a skills shortage on my side if it is possible).
>
>     Anyway, any thoughts or ideas on how to do this are warmly received.
>
>     Regards
>
>     Brian
>
>
>
>
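As an added example, not code from anyone in this thread: the "easier way" than NATing port 80 to port 443 with iptables is a small listener on port 80 (on whichever box the A record points at) that answers each plain-HTTP request with a 301 to the https:// copy of the same URL on the on-prem server, since iptables can forward packets but cannot turn cleartext HTTP into TLS. The hostnames and listen port are assumptions; the Host allow-list is there so an arbitrary Host header cannot turn the box into an open redirector.

```python
# Added example, not from the thread. Answers plain HTTP on port 80 with a
# 301 to the same path on https://<host>/, where <host> comes from the Host
# header but only if it is one of the sites we actually serve.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

KNOWN_HOSTS = {"www.example.com", "example.com"}   # assumed, not from the thread
LISTEN_PORT = 80                                   # assumed; needs root or CAP_NET_BIND_SERVICE


def redirect_target(host_header, raw_path):
    """Return the https:// URL to send the client to, or None if Host is not ours."""
    if not host_header:
        return None
    host = host_header.split(":", 1)[0].strip().lower()   # drop any ":port"
    if host not in KNOWN_HOSTS:
        return None
    parts = urlsplit(raw_path)
    # Keep only path and query; any scheme/netloc in the request-line
    # (absolute-form or "//evil/...") is ignored so we never redirect off-site.
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    if parts.query:
        path += "?" + parts.query
    return "https://" + host + path


class RedirectHandler(BaseHTTPRequestHandler):
    server_version = "http-to-https-redirector/0.1"

    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(404, "Unknown host")   # not ours: do not redirect
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET   # same headers, body is empty anyway


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", LISTEN_PORT), RedirectHandler).serve_forever()
```

A quick check from outside the carrier (curl -I http://www.example.com/) should show the 301 and a Location starting with https://; if nothing answers on 80 while 443 does, that points at the carrier rather than the redirector.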