What to do when your ISP doesn't allow you to use ports 80 and 443

SYSTEM INFORMATION
OS type and version: Debian Linux 10
Virtualmin version: 7.1-1

Darn…

I have a small server at home and I upgraded my internet to Fiber and I had to change ISP.
I set port forwarding according to the new IP on the new fibre router (sagem).

I can see the default site using the local IP (192.168.xx.xx)
I can see the sites from a computer connected to my local network (IE: https://bernardsfez.com) <= I don’t understand how this is possible :exploding_head:
I can access Virtualmin and SSH from outside my network (ports 10000 and 22).
If I disable the router port forwarding for those 2 ports I can’t reach them. (so the port forwarding is doing something)

However, I can’t reach the sites (ports 80 and 443) from a computer outside my network.
I tested using my IP or any hostname and it ends with “not reachable”.

I see that port 80 and 443 are closed using https://www.yougetsignal.com
If I test using https://www.grc.com/ I see a slightly different picture. (what the hell is “stealth”?)

GRC Port Authority Report created on UTC: 2022-07-05 at 14:52:20

Results from scan of ports: 22, 80, 443, 8043, 8080, 10000, 
                            58555

    3 Ports Open
    2 Ports Closed
    2 Ports Stealth
---------------------
    7 Ports Tested

Ports found to be CLOSED were: 8043, 8080

Ports found to be STEALTH were: 80, 443

I have contacted my ISP several times and they pretend everything is open but frankly I’m not sure the different guys I talk to know exactly what they are doing… After 48h I think I hit a wall.

What is it possible to do in such a situation? (other than to go back to DSL :woozy_face:)
Is there any way to re-route traffic within Virtualmin so different ports are used?

Deleted due to change in situation.

OK. Something is up.

I just checked again and I can get to the default Apache page on your server. I think you have a bad configuration in Virtualmin that has it set to the wrong directory.

Oh thank you but I already set back my previous ADSL just for the server.

So now the server is available because I have the DSL modem set for the server and the optical modem for the house.

But I won’t pay 2 ISPs. :joy:
My question still stands: is there a workaround for such a problem?

Many consumer routers do not handle routing for public IPs on the internal network (i.e., you cannot connect from your internal local network to your public network IP). I don’t know how being able to connect to port 10000 or ssh fits with that theory, though.

The solution to that problem (if that is the problem you have, I don’t know if it is) is to not do that. i.e. use the local IP instead when connecting locally. If you only have a couple/few local machines that need to connect, just add them to the hosts file. If you have a lot, you’ll probably need to use BIND views to provide different IPs depending on where the client is.

My original message was that some ISPs intentionally block those ports to prevent you from doing web service from home. Typically, when that’s the case, if you look at your ISP’s website they’ll have a package that has a static IP and boasts “web service” or something like that for more money.

ISPs have gotten wise to the fact that many people are doing it now and they’re taking steps to make money on it, especially given that they’re all almost always involved in doing web hosting themselves. They don’t want you doing it for free.

Do you know the external IP that your ISP is giving you?
Is that dynamic or static?

Is it a shared IPv4?
For often an IPv4 is with CGNAT if the ISP is giving you only an IPv6 range.

So you need to know those before doing things such as connecting from the outside.

Then your ISP router/modem, if you must use that one with their settings/config (and it is not possible to handle those ports yourself), should if possible be in bridge mode, with your own other router behind it to handle the port forwarding to your internal network.

For dynamic IPv4 there are some services on the web, but if it is shared and CGNAT, then you need on the external part the HOSTS and DNS settings as @Joe told you.

But then it is not a webserver/site open for public use and visitors.

So take care, if needed for visitors from outside, that you get a unique IP, static please; IPv6 should also be OK there these days.

And take care of the DNS, or use a good DNS service provider to take care of it.

Oh yeah, if you changed your ISP from DSL to fiber, you got other IPs (external IPs) and therefore needed other DNS settings for that server (URL). You need to set those and wait for the TTL time to be updated! At this moment it is:

Technical details:

| Web server | IPv6 address | IPv4 address |
| --- | --- | --- |
| bernardsfez.com | None | 141.226.25.153 |

So if changing to another ISP you need to set your DNS for that domain to that other IP(s) and wait for the TTL time to resolve. You need to do that at your domain registrar, this one I guess.

dns1.registrar-servers.com. 2610:a1:1024::200 156.154.132.200
dns2.registrar-servers.com. 2610:a1:1025::200 156.154.133.200

Stealth is only hiding ports from port scanners, to explain it in a very simple way. But also read the warning in the link here: if you open those ports, you need a good router firewall of your own; mostly the ones from the ISP are not that! And put your ISP fibre modem into bridge mode if possible (you mostly lose their support then for many problems!).

As you can guess, I’m not a real IT Admin so thank you for your time… and patience. :wink:

I have one server and when I connect locally I use the local IP. (no problem)
My problem is to have my existing VPSs accessible from my external IP using a browser.

> If you only have a couple/few local machines that need to connect, just add them to the hosts file. If you have a lot, you’ll probably need to use BIND views

I went to Servers => BIND DNS Server. There is not a lot I understand; still, on Check BIND Config I see:

**The following errors were found in the BIND configuration file /etc/bind/named.conf or referenced zone files ..**

* zone bsfez.com/IN: NS 'server001.bsfez.com' has no address records (A or AAAA)
* zone bsfez.com/IN: not loaded due to errors.
* _default/bsfez.com/IN: bad zone

Something I can improve there ?

I asked the ISP’s staff several times about such a package; they don’t have one and keep telling me the ports are open.

Don’t go off into the weeds with BIND yet.

You still don’t know what your network problem is.

Thanks for helping.

> unique IP, static please, IPv6 should also be OK

Understood that static is better, I’ll ask them to set it back (tomorrow).

> Is it a shared IPv4?
> For often an IPv4 is with CGNAT if the ISP is giving you only an IPv6 range.

This I don’t know. I’ll ask them tomorrow now, but I fear they won’t understand what this is about (level is quite low :frowning:).

I got your point about using the ISP router as a modem only (bridge mode) and connect my own router.
I’m a bit frozen with this as I’m worried about wasting more and more time and money.

> if you changed your ISP from DSL to fiber, you got other IPs (external IPs) and therefore needed other DNS settings for that server (URL). You need to set those and wait for the TTL time to be updated!

I’m aware of this. Each time I plug my server from the DSL router to the fiber one (different ISP) I change the IP at my registrar to point to the server, update Virtualmin (error, your IP has changed) and restart the server so the local IP is also reset. But again thanks for your advice.

By the way if I can hire someone to solve the issue I’m ok but so far I understand this is not about fixing configuration.

Then don’t waste time and money. Test the damned thing. Can you reach those ports from some other network (not your local one?). Use your phone network, it doesn’t matter. If it’s the router, you’ll be able to reach port 80 from any other network except the local one.

Stop making this complicated. It is an either/or question that determines everything else you do. Answer it first, and don’t worry about all this other crap. It is not mysterious. Either you have open ports from your provider or you do not.

As suggested, I asked my ISP for a static IP and IPv6 if possible.
They don’t yet offer static IPv6 so I have a dynamic IPv6 and a static IPv4.
I have reset to my fixed IP at my registrar.


Now this I don’t understand.
My main domain bernardsfez.com is set to reach my server at my registrar.

host bernardsfez.com
bernardsfez.com has address 82.80.136.139

When I try to reach it from outside my network using “https://bernardsfez.com” it fails.

When I try to reach it from inside my network it works (I see the website).
I tested on 2 internal computers (one has never seen this website).

I don’t understand how this happens. :thinking:

Dear Joe, I retested this morning;

From a previous screenshot you can see the port forwarding screen from my router. (port 80, 443 and 10000 are redirected to my server IP)

From 2 different mobiles not connected to Wifi I tried the following;

  1. Tested using Open Port Check Tool - Test Port Forwarding on Your Router => 80 and 443 are closed, 10000 is open.
  2. In a browser http://82.80.136.139 => error: could not be opened/reached
  3. In a browser https://82.80.136.139 => error: could not be opened/reached
  4. In a browser https://82.80.136.139:10000 => I reach Webmin login

From my terminal I connected to a distant server (AWS) and tested using telnet (and curl);

telnet 82.80.136.139 80
Trying 82.80.136.139...
telnet: connect to address 82.80.136.139: Connection timed out

telnet 82.80.136.139 443
Trying 82.80.136.139...
telnet: connect to address 82.80.136.139: Connection timed out

telnet 82.80.136.139 10000
Trying 82.80.136.139...
Connected to 82.80.136.139.

So I believe ports 80 and 443 are not open. (Do you want me to test something specific?)
I can’t say if they are blocked by the ISP or by the Sagemcom Modem.
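
The three results seen in this thread (GRC's open / closed / stealth, and telnet's "Connected" versus "Connection timed out") correspond directly to what a TCP connect attempt returns. The following Python script is an added example, not part of any post in the thread; its function names are illustrative, and it assumes it is run from a machine outside the home network against your own public IP.

```python
import errno
import socket
import sys

PORTS = (22, 80, 443, 10000)  # the ports tested in the thread


def classify_error(exc):
    """Map a failed connect() to the port-scanner terms used in the thread."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"    # a TCP RST came back: reachable, nothing listening
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "stealth"   # no reply at all: the SYN was silently dropped
    if getattr(exc, "errno", None) in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"


def probe(host, port, timeout=3.0):
    """Attempt one full TCP handshake, like `telnet host port`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_error(exc)


def report(host, ports=PORTS, timeout=3.0):
    return {port: probe(host, port, timeout) for port in ports}


def dropped_ports(results):
    """Ports that timed out while at least one other port connected.

    That pattern (80/443 versus 22/10000 in the thread) shows forwarding works
    in general and the silent drop is specific to those ports, on the router
    or at the ISP; a probe from outside cannot tell which of the two.
    """
    if "open" not in results.values():
        return []
    return sorted(p for p, s in results.items() if s == "stealth")


if __name__ == "__main__":
    # Usage: python3 portcheck.py <your-public-IP>  (from an outside network)
    results = report(sys.argv[1])
    for port, state in results.items():
        print(f"{port:>5}  {state}")
    print("silently dropped:", dropped_ports(results))
```
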

So you have to find out yourself; this is the point you have to solve before any other thing.

As mentioned, if possible ask your ISP to set the modem in bridge mode and then use a good router/firewall combination of your own where you can handle and configure this.

(If the ISP is saying that they don’t block/close ports 80 and 443 incoming in their network to you)
and they have the possibility to set their modem in bridge mode, then that is the way to go, is what I advise you.

But if such a modem of the ISP is changed to bridge mode, they have other configurations for that and those take time, so you should be sure bridge mode is set and working!

If you have full access to your ISP modem/router and can configure everything, and that modem supports the config you want, you can go for that, but keep in mind those ISP modems are often not the best… :wink:

(I myself don’t like workarounds with binding to other ports (if closed) and so on, so my advice here is based on that.)

Uh, there is very much info on the web for Sagemcom modems and ports 80 and 443; try that first! In DuckDuckGo :star:

Not able to forward ports 80 and 443 on Sagemcom Fast 5670 router.
Sagemcom Fast 5260 Router Port Forwarding Guide
Simple Instructions to Help Setup a Port Forward on the Sagemcom Fast 5350GV Router

and much more
only one example:

A tool and some guides that could help but ask them before there https://portforward.com/
https://portforward.com/router.htm
How to Get an Open Port on Sagemcom Routers

Thank you for helping. Really appreciate.

> Uh, there is very much info on the web for Sagemcom modems and ports 80 and 443

I have already searched for that and I couldn’t find a solution among the few related answers I could find (no firewall or not the same model). Seems bridging the modem is coming back most of the time.

I wrote to the Sagemcom company and explained my issue. Maybe they will answer…

> If you have full access to your ISP modem/router

(I think) I have and I can configure the modem to work in Bridge mode.
But to do that I need a second device. Forgive my ignorance (and if this is not really Virtualmin stuff) but I’m not sure what I can use for the second device.

I have my previous DSL modem/router (TP link ArcherVR600), but it doesn’t have a “Wan” or “Internet” socket and I understood I need something like this;

[Image: Screen Shot 2022-07-06 at 12.04.39]

No, you normally can’t put an ISP modem/router in bridge mode yourself; your ISP has to know and agree and mostly has to set things for that. So it is in Germany and Holland.

“I wrote to Sagemcom company and explained my issue. May be they will answer”
A lot tried that here but with no result, while some modems/routers and support and all are sold to other companies!

So first look in the links I gave you, read the portforward.com router guides for your modem, there are a lot of Sagemcom models there, then look at what you can access from those settings yourself, and if not, contact your ISP for the bridge mode.

FYI Sagemcom is cheap “rubbish” in my …

> So first look in the links I gave you, read the portforward.com router guides for your modem, there are a lot of Sagemcom models there,

I have, my model is not there so I went to check other models; images are not displayed… seems the information is outdated.

> No, you normally can’t put an ISP modem/router in bridge mode yourself; your ISP has to know and agree and mostly has to set things for that. So it is in Germany and Holland.

Oh ok, thanks !
I will check with my ISP

> FYI Sagemcom is cheap “rubbish” in my …

Ok but is there an alternative ?
I can’t find a router with optical socket.
Can a converter to RJ-45 work, or is this adding another piece of garbage in the middle? (https://www.tp-link.com/us/business-networking/accessory/mc220l/)

No, if you’re no good in networking then don’t, but go for the bridge mode if you can’t configure the Sagemcom.
Your ISP mostly lacks support if you use a fibre access router/modem (media converter and router, whatever) of your own.

With bridge mode it is easier to get a little support when the base connection to that (with only a laptop connected directly to test) fails or has problems.

In bridge mode the Sagemcom can’t hurt much. :wink:

Oh yeah, important advice: go to a fibre forum about ISPs in your own country; they know much more to help you with this.

Germany for example https://www.glasfaserforum.de