Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[rec head]

I have been having trouble accessing MC from outside my LAN for a while now. I don't think it is related to the setting on my PC but I went to the Taming Windows Defender Wiki to make sure. I'm using a Windows 10 PC and the Windows Defender Firewall application is much different now. There is no longer a setting tab like the one shown. I tried searching the Control Panel for "Excluded Files and Locations" but didn't get results.

Ultimately I turned off the Windows Defender to test if that was my problem but I still couldn't connect. That is what I expected but I think it would be useful if the wiki was updated.

[glynor]

Trouble accessing JRemote/Panel/Media Network from outside your LAN is almost certainly Firewall.

You need to make sure you do two things:

1. Port Forward the TCP port MC uses through your NAT Router to the machine you use to run MC (or configure Full-NAT for the Port if you have that option on your firewall, but you probably don't). This will be simpler if your MC-running-machine has a static IP address (so that it doesn't change if you have it offline for a while and then breaks your port-forwarding rules).

You have to do this because when outside your LAN, the attempts to access your server come into the ROUTER, not directly to your computer. A NAT Router doesn't know how to deal with those connections, and has to be told where to send them. If you don't tell it where to send them, it "drops" (ignores) them.

It isn't really possible to write instructions for this, because all Routers implement this in their own way. But, this is kind of a decent general guide: https://www.lifewire.com/how-to-port-forward-4163829

If you want instructions specific to your model, Google search: port forward BRAND MODEL

2. Open the same TCP port on the Windows Defender Firewall as described here: https://www.windowscentral.com/how-open-port-windows-firewall

This is a bit simpler than Port Forwarding because you don't need to tell Windows where to send the packets, but is otherwise the same idea. If your computer receives a packet from an external subnet (outside of your LAN) it will, by default, drop (again, ignore) the packet. So, you need to make a rule in the firewall that specifically says "except for these packets, when they come in on this specific port, let them through."

This isn't needed for communication inside your LAN because the Defender Firewall's automatic application-based exceptions will automatically allow these connections from your computer's subnet (any other connection on the same LAN). But they don't trust external IPs without a manually added rule.

Notes:
* MC does not use UDP, so you don't need to open/forward UDP packets.
* You can skip #2 if you turn off the Windows Defender Firewall (which is a decent way to test if that side is blocking the connection) but you shouldn't do that, and should just open the port.
* Many routers have a system of UPnP based automatic port forwarding. MC does not work with these systems because they're based on constant use and the internal application "asking" for the connection. These systems are also WILDLY insecure, and you should find the settings for the system in your Router (while you're in there setting up the Port Forward rule) and just turn the whole thing off.

[JimH]

* Many routers have a system of UPnP based automatic port forwarding. MC does not work correctly with these systems because they're based on constant use and the internal application "asking" for the connection. These systems are also WILDLY insecure ...

Which is why we don't do it automatically.

[glynor]

For sure! I didn’t intend to make it seem like you should. Those things are awful (and fundamentally counter to the security goals of the Firewall).

I removed the word “correctly” from my original note, because that made it seem like MC was broken and not that it was an intentional choice.

[greynolds]

While I am currently using port forwarding myself, that’s widely considered a huge security risk these days.  The recommended solution is to setup a VPN connection to your home network and then setup the appropriate VPN client software or app on the devices you want to connect to your home network.  Some routers have built in support for running a VPN server, but this is another case where there’s no reasonable way to support every router here and setting up a VPN is often it not trivial.

[rec head]

Thanks for the reply. Because I'm only a novice but not afraid to try a few things does this process make sense:
1) Plug MC Server directly into the modem/router and get it working
2) The plug back into the router and work on the router settings if needed

My setup is modem (with 4 LAN ports and built in Wifi) -> Eero router (and some switches) -> MC server.

If I can't get it working plugged into the modem I plan on calling the ISP for tech support.

[DJLegba]

Thanks for the reply. Because I'm only a novice but not afraid to try a few things does this process make sense:
1) Plug MC Server directly into the modem/router and get it working
2) The plug back into the router and work on the router settings if needed

My setup is modem (with 4 LAN ports and built in Wifi) -> Eero router (and some switches) -> MC server.

If I can't get it working plugged into the modem I plan on calling the ISP for tech support.

The minute you plug your server directly into the modem it will be hit with all kinds of malicious scans and attacks. I strongly advise against doing this.

[rec head]

My modem is the one provided by AT&T and has 4 LAN ports and dual band Wifi. Is it really that insecure?

[zybex]

That's a Router with embedded modem. As long as you don't have it in "bridge mode", you're fine. There's no need for a 2nd router at all, unless you need some extra features/control.

[greynolds]

Yeah, what's the intended purpose of the 2nd router?  Unless you really know what you're doing, that's likely to add a lot more trouble than it solves.  It might help if you post the specific brand and model of the 2 routers and switches as we might be able to give you some more specific advice.

[glynor]

The purpose of the second router is, I'd assume, that it is what AT&T provides with the account (this is very common in the US, where the companies all provide them unless you specifically go out of your way to buy your own modem). It used to be that they wanted the extra rental money for the routers, though many of the providers raised their prices and "built in" the rental fee (like mine did, so I'm now paying to "rent" their modem/router even though I don't use it).

To the OP, that's likely the cause of your overall issue. Unfortunately, because you have TWO routers (this is known as double-NAT) you have to do Step #1 in my guide above TWICE. Once to pass the traffic from your AT&T Modem/Router to your "home network router", and then again in your "home network router" to your MC-running computer.

Moving the computer to the AT&T Router might help to teach you how to do it, but it won't help to keep you set up because the port forwarding rules you create need to point to the specific device where you want the traffic forwarded. So, once you put your home router back in, you'd have to change the rule so that it forwards to the home router instead of directly to the MC Server.

[zybex]

The ISP provides either a Modem device (single LAN output) AND a Router device (3 or 4 LAN outputs), OR a single device with Modem+Router combined. It usually won't provide a second router if the modem already includes a router. Are they really providing two routers to customers over there? That's asking for problems.

[greynolds]

The purpose of the second router is, I'd assume, that it is what AT&T provides with the account (this is very common in the US, where the companies all provide them unless you specifically go out of your way to buy your own modem). It used to be that they wanted the extra rental money for the routers, though many of the providers raised their prices and "built in" the rental fee (like mine did, so I'm now paying to "rent" their modem/router even though I don't use it).

That isn't the purpose of the second router - that 2nd router is almost 100% guaranteed to be a user supplied device.  If the ISP is providing a separate modem and router, that router should be used OR replaced with a user supplied router.  If the ISP is providing a combined modem/router (which is becoming more and more common these days), the router functionality should either be used OR set to bridge mode so a user supplied router can be used.  But stacking routers generally isn't a good idea, especially for someone who isn't really well versed in setting up networks.

[greynolds]

The ISP provides either a Modem device (single LAN output) AND a Router device (3 or 4 LAN outputs), OR a single device with Modem+Router combined. It usually won't provide a second router if the modem already includes a router. Are they really providing two routers to customers over there? That's asking for problems.

No, ISP's don't provide customers with 2 routers in the USA.  All it would do is cost them more money and generate more support headaches.  As you said in your first sentence, they either supply a separate modem and router (2 boxes) or a combined modem + router (1 box).

[rec head]

I have a combination router+modem from AT&T. There is no choice in what equipment they provide. I have Wifi disabled on it. From here on I will refer to it as the modem. I have an Eero mesh router for all my wifi needs. All of the LAN traffic goes through it as well. The Eero is nice and having a mesh setup has made my life so much easier. The switches are Asus "dumb" switches that are plug and play. I have never needed to modify their setup.

I have had MC working with this setup in the past. I don't know what has changed. My MC server is now on a different PC but the old one wasn't working either. Previously all I had to do in the modem's firewall is to allow the Eero to pass traffic. Then setup the port forwarding in the Eero. I had done a little research and I don't think the modem allows true bridge mode.

FWIW all devices I use regularly I have DNS reservations so their address stays the same.

I apologize if I don't use all terminology correctly.

[TheShoe]

Are you using a VPN?

Recently started using NordVPN on both my iOS devices and on my HTPC server.  JRemote stopped connecting from my iPhone outside my home network.  I reconfigured Nord on the HTPC server to do split tunneling and added Media Center to its configuration to bypass the VPN.  Started working again after that.

NordVPN (and I suspect other providers) block most ports except the most common.  So while JRemote had the correct VPN-assigned IP, the port I am using for MC is blocked at the VPN server

[greynolds]

I have a combination router+modem from AT&T. There is no choice in what equipment they provide. I have Wifi disabled on it. From here on I will refer to it as the modem. I have an Eero mesh router for all my wifi needs. All of the LAN traffic goes through it as well. The Eero is nice and having a mesh setup has made my life so much easier. The switches are Asus "dumb" switches that are plug and play. I have never needed to modify their setup.

I have had MC working with this setup in the past. I don't know what has changed. My MC server is now on a different PC but the old one wasn't working either. Previously all I had to do in the modem's firewall is to allow the Eero to pass traffic. Then setup the port forwarding in the Eero. I had done a little research and I don't think the modem allows true bridge mode.

FWIW all devices I use regularly I have DNS reservations so their address stays the same.

I apologize if I don't use all terminology correctly.

If the AT&T router can't be put into a true bridge mode, that is most likely the issue you're running into, if you didn't set port forwarding up on it as well.  That's kind of a problem with those combined modem / routers that the ISP's are forcing on people.

The other potential sticking point is if your WAN IP address isn't static (which is likely the case) - you need to either setup a dynamic DNS service (and ensure you have the appropriate app running to update your WAN IP address) or manually reconfigure your outside devices with the new IP address every time it changes.  The stacked router might make it difficult to keep the WAN address updated correctly.  Even if you have the port forwarding configured correctly, if you're trying to connect to the wrong IP address, you won't be connecting to your house.

[rec head]

I use Google Fi on my phone which has its own type of VPN https://blog.google/products/google-fi/google-fi-vpn-updates-help-you-connect-safely/ I think the main point of it is for Google to keep customer data to themselves because they are an MVNO. I have tried disabling it but I still can't connect to MC.

I don't use a typical VPN into my home network.

[glynor]

That isn't the purpose of the second router - that 2nd router is almost 100% guaranteed to be a user supplied device.

I was referring to the "second" one as the "inside" one. You read my comment backwards.

[rec head]

If the AT&T router can't be put into a true bridge mode, that is most likely the issue you're running into, if you didn't set port forwarding up on it as well.  That's kind of a problem with those combined modem / routers that the ISP's are forcing on people.

The other potential sticking point is if your WAN IP address isn't static (which is likely the case) - you need to either setup a dynamic DNS service (and ensure you have the appropriate app running to update your WAN IP address) or manually reconfigure your outside devices with the new IP address every time it changes.  The stacked router might make it difficult to keep the WAN address updated correctly.  Even if you have the port forwarding configured correctly, if you're trying to connect to the wrong IP address, you won't be connecting to your house.

When it was working it worked for a long time but I'm guessing that the ISP could change my WAN IP at any time right?

Would MC generate a new network access code if that was the case?

[glynor]

I have a combination router+modem from AT&T. There is no choice in what equipment they provide. I have Wifi disabled on it. From here on I will refer to it as the modem. I have an Eero mesh router for all my wifi needs.

Cool. I figured it was something like that. I've helped my brother-in-law set up MC Networking with nearly an identical setup.

The thing you need to understand is that, even though you have wifi disabled on it, your AT&T "modem" IS actually a ROUTER/FIREWALL and behaves as such, even though you have wifi disabled and don't use it as such.

Therefore, you have "two layers" of firewalls, like an onion: The internal "shell" is your Eero. The external "shell" is the AT&T "modem". All traffic coming in from the internet first needs to "pass" the AT&T Modem's firewall, and then it needs to pass the Eero's Firewall. So, to get it working, you need to forward through both of these, and ensure the port MC uses (52199 by default) is forwarded along this chain:

Internet > AT&T Modem > Eero > MC Computer

To do so, you need to:

1. Do Step #1 in my original list ON the AT&T Modem's interface, and forward TCP port 52199 (or whatever MC is set to use) to whatever IP address the Eero has.

2. Then, you need to login to the Eero interface/app, and forward TCP port 52199 to whatever IP address the MC Server computer has.

Both of these things will be easiest to keep working permanently if both the Eero AND the MC Server computer are set to Static IPs in their respective IP address ranges.

Then, lastly, do Step #2 in my setup above (or you can do that now, it needs to be done in any case).

[glynor]

I'll note: The SIMPLEST setup for you would be to buy your own modem (a real one, with only one ethernet port) for AT&T and give them their router back. This may generally make your network more reliable, and it will ensure that YOU control your settings on the modem.

But, obviously, that'll cost money. You can't just take the one they give you with the service because they don't offer "modems only" (which is common). You'd have to figure out what one you can buy that will work with their service and buy it and then call them to activate it as a "customer-owned device" (and then mail them theirs back).

You CAN forward the port through your "double-NAT" setup. It is fine. Just a little more elbow grease and a LITTLE more prone to breakage (if the AT&T Modem is crappy, as they often are from the providers). But it'll work just fine. I don't know what specific modem/router you have, or what AT&T does to "lock them down", though so you'll have to look that up or figure it out yourself.

[rec head]

1. Do Step #1 in my original list ON the AT&T Modem's interface, and forward TCP port 52199 (or whatever MC is set to use) to whatever IP address the Eero has.

2. Then, you need to login to the Eero interface/app, and forward TCP port 52199 to whatever IP address the MC Server computer has.

Thanks. I'll try it right now but to be clear I need to

1. In the Modem -- Forward TCP port 52199 to 192.168.x.x (the eero)

2. In the eero -- Forward TPC port to 192.168.x.x (the PC with MC)

[greynolds]

I was referring to the "second" one as the "inside" one. You read my comment backwards.

Yes, I know you were referring to the second one as the "inside", user supplied router.

[greynolds]

When it was working it worked for a long time but I'm guessing that the ISP could change my WAN IP at any time right?

Would MC generate a new network access code if that was the case?

Yes, the WAN IP can change any time the lease expires on it OR the modem/router devices reboots.  DHCP uses the concept of a lease so that if a device goes away and doesn't come back, that IP address can be reused.  And yes, you may need to have MC generate a new network access code, but I'm not exactly sure how MC handles that situation.

[TheShoe]

Thanks. I'll try it right now but to be clear I need to

1. In the Modem -- Forward TCP port 52199 to 192.168.x.x (the eero)

2. In the eero -- Forward TPC port to 192.168.x.x (the PC with MC)

This tool might also help some:

https://www.yougetsignal.com/tools/open-ports/

It will at least tell you if an IP:Port combination can be reached externally (and also - you can scan your open ports - the results might surprise and scare you by the way....  properly hardening your network is not an easy task)

If possible, try plugging the MC PC into the ATT provided modem/router, let it assign an IP, then do your port forwarding to that IP in the modem/router.  Use the tool I posted and verify - outside of JRemote - that the port is open.  If you get that far, try JRemote next (put the phone on cellular network); I know the iOS version shows connection error messages and you can see what IP:Port it's attempting to use.  If you receive an error, verify the correct IP:Port for the access key you are using...

Basically - remove as many devices as you can and break it down to as simply a config as possible to troubleshoot the problem and add back one at a time until you find the device/config causing the issue.

[zybex]

Just a couple triplet of notes:
(I'll refer to the external router/modem as "Modem")

1. The modem should be connected to the WAN port of the Eero. Nothing else should be connected to the modem (except the external fiber/cable of course. And power

2. The IP subnet configured on each router needs to be different. i.e., 192.168.0.1 for the modem, 192.168.1.1 for the Eero. The 3 first numbers cannot be the same.

3. If you cannot enable Bridge mode on the Modem, you'll need to open ports on both routers as described above. OR, you can enable the DMZ option on the Modem, pointing to the Eero - this basically tells the modem to forward ALL connections to the Eero. This is only safe to do if you follow points 1 and 2 above!

[rec head]

OK, so a few things to try. Thanks for all the help.

3. If you cannot enable Bridge mode on the Modem, you'll need to open ports on both routers as described above. OR, you can enable the DMZ option on the Modem, pointing to the Eero - this basically tells the modem to forward ALL connections to the Eero. This is only safe to do if you follow points 1 and 2 above!

This is how it worked in the past.

[greynolds]

OK, so a few things to try. Thanks for all the help.

This is how it worked in the past.

If it worked previously and you haven't change the configuration on either router, then most likely either the IP address of the PC you're forwarding to changed or your WAN IP address changed.

You can ensure your PC has the same address by using a static IP in the network settings or by using DHCP and changing the setup in your router to always assign the same IP address to that PC.  The router setup for this goes by various names, such as "static mapping".  My preference is to use static mapping on the router for devices in my home that need to have static IPs as it allows the router to manage all of the IP addresses and avoids conflicts (2 devices trying to use the same IP).

[CHaun]

Also, make sure that neither of your computer's network connections changed to "public". I've seen that happen in the past with windows updates.

[rec head]

Thanks for all the help and replies. Getting this figured out yesterday was secondary to trying to get HDR working properly again on the PC but that is a different topic. I still have not had a chance to try everything and I'm afraid to make changes to the network while people are on it working today.