External Connection Issue

Guys,

I just finished setting up Openfire 3.8.1 on Ubuntu Server 12.10 using Spark 2.6.3. I configured the server name as the internal IP. I configured WAN access using one of our static IPs on our Astaro ASG 220 (have DNAT and Full NAT). All is working well on LAN using the internal IP and the external IP. The external IP does not work on WAN. I am logging in with account ‘username’, port 5222 and server = external IP. My first guess is that the firewall is blocking, but the configuration looks right.

Please help.

Simple test is to use telnet to connect to the port - If the telnet connection just hangs, or times out, you’ve got a firewall problem.

When you added the DNAT rule did you check the ‘automatic fw rule’ option? I’m not sure what ‘Full NAT’ means, but you’ll want to double-check that your DNAT is for tcp/5222 with a pre-NAT destination of your outside IP and a post-NAT destination of your inside IP.

You could also log into the Astaro (as loginuser), then su - to root and run ‘tcpdump -ni eth0 port 5222’, where eth0 is your outside NIC to see if you see inbound tcp packets for XMPP.

When you say WAN I’m assuming you mean Internet? Or are you talking about XMPP traffic coming from tunnels?
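The telnet test above only tells you "hangs" versus "connects". As an added example (not code from this thread or from Openfire), the probe below does the same TCP connect to port 5222 and then classifies what happened: a connect timeout (no SYN/ACK, the signature of a firewall or NAT rule that drops or does not forward), a TCP RST (the packet reached something, but nothing listens there), a routing error, or a successful connect followed by the standard RFC 6120 stream-open so you can tell a real XMPP listener from some other open port. Host, port, timeout and the server name sent in the stream header are assumptions; the FakeXmppServer is a constructed stand-in for a reachable Openfire, used only so the script runs offline.

```python
"""Probe an XMPP client port and classify the outcome.
Added example, not from the thread or Openfire. Host/port/timeout are assumptions."""
import socket
import sys
import threading

# Standard XMPP (RFC 6120) stream-open; the 'to' is the server name the client expects.
STREAM_OPEN = (
    "<?xml version='1.0'?>"
    "<stream:stream to='{host}' xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
)


def probe_xmpp(host, port=5222, timeout=5.0, server_name=None):
    """Return (status, detail) where status is one of:
      'timeout'      - no SYN/ACK: firewall/NAT dropping or not forwarding (telnet would hang)
      'refused'      - TCP RST came back: forwarding works, but nothing listens on that port
      'unreachable'  - no route / network error before the handshake
      'open-no-xmpp' - TCP connected but the peer sent no XMPP stream header
      'xmpp'         - TCP connected and the peer answered with a stream header
    """
    server_name = server_name or host
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout", "no SYN/ACK within %.1fs" % timeout
    except ConnectionRefusedError:
        return "refused", "TCP RST received"
    except OSError as exc:
        return "unreachable", str(exc)
    data = b""
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(STREAM_OPEN.format(host=server_name).encode())
            # Read until the server's own <stream:stream ...> header shows up (or it closes).
            while b"<stream:stream" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            return "open-no-xmpp", "connected but no stream header within timeout"
        except OSError as exc:
            return "open-no-xmpp", str(exc)
    if b"<stream:stream" in data:
        return "xmpp", data.decode(errors="replace")
    return "open-no-xmpp", data.decode(errors="replace")


class FakeXmppServer(threading.Thread):
    """Constructed stand-in for a reachable Openfire: answers one client with a stream header."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # loopback, ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.settimeout(2)
            try:
                conn.recv(4096)  # the client's stream-open
            except OSError:
                pass
            conn.sendall(b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
                         b"xmlns:stream='http://etherx.jabber.org/streams' "
                         b"from='example.test' id='constructed' version='1.0'>")
        self.sock.close()


def closed_port():
    """Pick a loopback port that is (almost certainly) not listening, to demonstrate 'refused'."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    if len(sys.argv) >= 2:  # usage: probe.py <external-ip> [port] [server-name]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 5222
        name = sys.argv[3] if len(sys.argv) > 3 else None
        print(probe_xmpp(sys.argv[1], port, server_name=name))
    else:  # offline demo against the constructed server and a closed port
        srv = FakeXmppServer()
        srv.start()
        print("fake server:", probe_xmpp("127.0.0.1", srv.port, timeout=2)[0])
        print("closed port:", probe_xmpp("127.0.0.1", closed_port(), timeout=2)[0])
```

Run it from outside (`probe.py <external-ip> 5222 <server-name>`) while the tcpdump suggested above is running on the Astaro's outside NIC: 'timeout' with no packets on eth0 means the traffic never reaches the firewall; packets on eth0 but nothing arriving at the Openfire host means the DNAT or its firewall rule; 'refused' or 'open-no-xmpp' means the forward works and the problem is on the server.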

I wasn’t able to telnet, so it must be a fw issue. When I say WAN I mean anything outside of the internal network. I have the following for my DNAT:

Traffic Source: Internal IP of OpenFire Server

Traffic Service: Any

Traffic Destination: External IP Address

NAT Mode: DNAT (Destination)

Destination: Internal IP of OpenFire Server

Automatic firewall rule is checked.

This is the same configuration layout that I have for my Media, Security Cam and Remote Server and they all work fine.

Change your ‘Traffic Source’ from what it is to ‘Any’.

Unfortunately that did not work.

Did you try tcpdump? There is also an option to log the initial packet; see if that helps. You could also try to connect from the outside and do:

grep =5222 /proc/net/ip_conntrack

and see if it shows anything. Perhaps also try to tcpdump on your internal system to see if it sees the connection attempts from the outside. Hard to guess what the problem is when I don’t know your environment.