Outbound Port opening?

AH6LE
Outbound Port opening?
I inadvertently deleted my previous thread about this, so let's try again.

I need to open up several outbound ports (LAN to WAN) for IRLP to run on the mesh (hAP Lite). Incoming ports (WAN to LAN) are obviously easy to do via the web interface. Outgoing, apparently not so much.

At first I thought using the DMZ server feature would do what I want but I have more than one computer attached to the LAN ports of my hAP Lite and from what I can determine, doing that will kill the rest of the LAN.

Do I need to directly edit iptables?


 
nc8q

I need to open up several outbound ports (LAN to WAN) for IRLP to run on the mesh (hAP Lite).

Not usually. All outbound ports LAN -> WAN are already open.

Inbound ports need to know where to be directed if not intended for the device on your ISP client IP address (your home router's WAN).
This is often called a 'port forward' or 'pinhole'.

Inbound ports will need to be forwarded twice;
once in your home router and once in your hAP.

I assume that your IRLP node is connected to a LAN port of the hAP.
Your IRLP node gets an IP address from the hAP.
I assume that the WAN port of the hAP is connected to a LAN port on your home router.
The hAP gets an IP address from your home router.
Your home router gets an IP address from your ISP.

At first I thought using the DMZ server feature
Sorry, I am ignorant of a DMZ feature on AREDN firmware.

I hope this helps,
Chuck
 

AH6LE
I would have assumed that all outbound ports were open by default myself but, according to the IRLP troubleshooting script, it doesn't believe they are.

I need to poke into this a bit more, methinks....
N2MH
Location of IRLP Machine

In addition to the outbound ports, which should just work, I believe that IRLP needs some ports opened for inbound access on your Internet router (IRLP uses special ports both ways - in and out). Once these are opened up, you now have to do the same thing in your Internet-facing node and tell the node what the mesh IP address of your IRLP box is to send those ports to.

One other thing that needs to be known is where, in terms of the mesh network, the IRLP machine is located. Is it connected directly to the mesh node which connects to the Internet? Or is it downstream of the Internet-connected node (e.g., at a repeater site)? If it is downstream, then a few custom entries need to be made in the Internet-connected node's firewall. A suggested format for these entries is included in the node, but you must telnet/ssh into the node and enable them by hand by editing them manually. If the IRLP machine is local, you should be good to go and will not need to edit the firewall.

In essence, for inbound access from the Internet, you have to manually tell each piece of equipment how to route the special ports used by IRLP:
a) Internet to home network address of local Mesh node (configured in your Internet router)
b) local Mesh node to ip address of local IRLP machine (configured in local Node GUI)
c) local Mesh node to distant mesh node (if IRLP machine is not local) (configured through custom firewall statements)

73, Mark, N2MH
 

AH6LE
Hi Mark

Yes, I have inbound ports opened as needed (and on the internet router, they point to the assigned IP of the hAP Lite router). In the hAP Lite, I also have the appropriate inbound ports opened and pointing to the Pi on which IRLP is running. And the Pi is indeed connected to a LAN port on the hAP Lite.

This is why I am so frustrated. I see no reason this should not be working.
 
