Perry Lund's picture
Perry Lund - Thu, 2015/12/31 - 07:00

We have a virtualized instance of Turnkey Moodle is working great under HyperV. Access to the Moodle server is fine on the internal network at our school. However, people trying to hit the server outside of our network from home can not get to the server. We tested routing to another server to test our firewall rules and that narrowed down our problem to the Turnkey Moodle server itself. The server does not appear to route NAT traffic back to the requesting web browser from external sources. Can anyone assist me in configuring our Turnkey Linux Moodle server to accept and return NAT requests? Thanks.

 

Perry Lund

Evergreen Lutheran High School

Forum: 
Support
Tags: 
access
moodle
nat
Jeremy Davis's picture

Jeremy Davis - Tue, 2016/01/05 - 01:17
When testing this did you reroute the existing port forward (that was originally pointing to your Moodle server) to the test server? Or did you just create a new entry? If you didn't reroute your existing port forward then your test may not be adequate. Also double check that you had the IP right. Also did you port forward 443? Or were you using a non-standard port? IIRC Moodle will auto redirect to 443 so if it can't be accessed outside your NAT via port 443 the redirect will fail.

Bottom line is though that this should just work OOTB. The only thing to keep in mind that you will need to forward port 443 (https).

Perry Lund's picture

Perry Lund - Thu, 2016/01/07 - 02:35

With our Sonicwall, I simply changed the service name (Moodle) to the test IP. Once that worked, I reverted the Moodle service to the Moodle IP. I did not create a new entry. We used IPs of 80 and 443 and 65118. These exist on the Moodle server as well.

The odd thing is that all those port work internally on the LAN with the Moodle Server. But coming in from the outside does NOT work. Port forwarding seems to work fine, but the server does not seem to be able to response with the traffic going back through the firewall to the outside world where the request came from in the first place.

 

 

 

=======

Perry Lund

 

 

Jeremy Davis's picture

Jeremy Davis - Thu, 2016/01/14 - 05:43
That seems really weird.

I haven't explicitly tried this recently; but I have done similar stuff ewith TurnKey on my (consumer grade) router (i.e. local install; prot forwarded through NAT) and it has worked fine! I'm just downloading now so I can try specifically with Moodle v14.0

Still TBH I'd be somewhat surprised if it didn't work. But I'm already surprised that it doesn't work for you!?

Out of interest have you checked the Apache access logs (/var/www/apache2/access.log) to ensure that the request is actually getting through to the TurnKey Server? Other than that how can you be sure that the initial request is getting through?

In the past similar issues have been caused by IP conflict; but that doesn't make sense here as you can work with it locally. Also one other things that occurs to me is that if you are using a domain name; perhaps there is some funky redirection going on somewhere?

Perry Lund's picture

Perry Lund - Thu, 2016/01/14 - 07:26

I found a little time to test with network utility. 

Port scanning port 80 and 443 does not complete. However, the 65112 port that is setup does complete.

However I can not connect to the server from my web browser windows.

I can not find the apache www access log inside the webmin interface for Turnkey yet.

 

 

 

=======

Perry Lund

 

 

Jeremy Davis's picture

Jeremy Davis - Thu, 2016/01/14 - 07:37
I must have missed that before... That's not a standard port (obviously). What is that for?

As for finding the Apache log I suggest that you just use the commandline. It's much quicker and easier IMO. Either use Webshell (https on port 12320) or if on Windows use PuTTY (google will find it); if using Mac just open a terminal and type 

ssh root@ip-address
Then to get the last 20 lines of the access log: 
tail /var/log/apache2/access.log
You'll ideally want someone to try it externally and then check straight away. If they are connecting then it should show their IP in the log. If it does you could also try checking the error log to see if that shows anything (/var/log/apaches2/error.log) - use the same command (tail) to showthe last 20 lines.
Jeremy Davis's picture

Jeremy Davis - Thu, 2016/01/14 - 07:37
I must have missed that before... That's not a standard port (obviously). What is that for?

As for finding the Apache log I suggest that you just use the commandline. It's much quicker and easier IMO. Either use Webshell (https on port 12320) or if on Windows use PuTTY (google will find it); if using Mac just open a terminal and type 

ssh root@ip-address
Then to get the last 20 lines of the access log: 
tail /var/log/apache2/access.log
You'll ideally want someone to try it externally and then check straight away. If they are connecting then it should show their IP in the log. If it does you could also try checking the error log to see if that shows anything (/var/log/apaches2/error.log) - use the same command (tail) to showthe last 20 lines.
Perry Lund's picture

Perry Lund - Thu, 2016/01/14 - 11:46

Port 65118 was created as an external firewall port setup to pass through from external network to our internal network. Perhaps that is the issue. No port 65118 is needed.

 

=======

Perry Lund

 

 

Jeremy Davis's picture

Jeremy Davis - Fri, 2016/01/15 - 07:38
So to clarify you have your port forward configured to connect to 65118; and not 80 and/or 443? And you only use 80/443 for local connections?

Is there are reason not to just use 80 & 443? IMO there is no real value in using an additional extra port for external connections. You should be able to use the same ports for local and remote access (so long as you set up your NAT port forwarding correctly).

If you do think that there is a reason, then you'll need to actually enable the port in Apache too. Just creating a virtual host for that port isn't enough. You need to tell Apache to listen to that port too. I'm not sure how you do it in Webmin; but from the commandline do something this: 

echo "Listen 65118" >> /etc/apache2/ports.conf
service apache2 restart
Perry Lund's picture

Perry Lund - Sat, 2016/01/16 - 21:42

The creation of a virtual host for that port automatically added the listen port. I check the configuration file and port 65118 was there and being listened too. 

At this point, I may need to just use a physical PC as a host for the Moodle server in place of our HyperV virtual machine solution on our Windows 2012 server. Another box to put up and another day. 

Prior to my entrance to this work place, someone tried an Asterisk box for VoIP in a virtual machine and it failed too in NAT configuration. Asterisk is a physical box and works fine.

 

=======

Perry Lund

 

 

Jeremy Davis's picture

Jeremy Davis - Sun, 2016/01/17 - 05:43
I don't use Webmin much myself (I find that commandline is generally quicker, easier and more reliable). My comments regarding specifically adding the port relates to someone else who had issues with an Apache virtual host on a non-standard port (that they had added via Webmin like you showed) not working. They had to explicitly add the port as well to make it work (they ended up using Webmin to do that too; but it was on a separate page; just adding the virtual host wasn't enough). So either things have changed since then; or you did that separately. Regardless, I would be inclined to start with a known good working config (i.e just using ports 80 & 443).

So thinking this through some more, I'd like to summarise where we are up to. Please correct me if I'm wrong:

  • VM is accessible and works fine within the LAN (via ports 80 & 443). Are you using a domain name or the LAN IP?
  • there is no external firewall of any type between the VM and the external internet (with the exception of the NATing router)
  • You are port forwarding ports 80 & 443 from external internet to the VM (i.e. using the same IP and ports as internally). Are you trying to connect via the external IP address or a domain name? If domain name; have you double checked that it properly configured and sending you to the right IP? (although I guess tests rule that out...)
  • You have tested the port forwarding rule by forwarding the ports to an alternate IP which worked successfully. You used the same config, just changed the IP that the rule forwarded to. Was this another VM on the same Hyper-V host?

    I wonder if there is something weird going on with your Hyper-V host? From a router perspective it should not matter whether it is redirecting to a physical machine or a virtual one. Maybe that is why the Asterix VM failed too? Although TBH Asterisk routing is much more complicated than a simple webserver. Another factor for Asterisk too, is that it is quite resource heavy and from my reading Hyper-V isn't super resource efficient (although TBH I've never used it so can't really comment). FWIW I started using ProxmoxVE as a hypervisor about 5 years ago and haven't looked back...

    Anyway, assuming that I have it all right, it doesn't make any sense to me. By it's nature a NAT router only stops incoming traffic (not outgoing). So I'm almost certain that the traffic isn't making it to your VM from outside your LAN. My first guess would be the router (i.e. port forwarding rules) but by your accounts you have ruled that out. My next guess would be something to do with your Hyper-V host (like a firewall or something) but that doesn't make sense as it works fine on the LAN.

    IMO there's definitely something funky going on with your network. I urge you to use a packet sniffing tool like WireShark to see what is really going on with the incoming packets. Although it looks like a TurnKey issue on the surface; I'm 99.9% sure that it's not!

    • Add new comment