We have installed a COURN server referring to the https://docs.bigbluebutton.org/2.2/setup-turn-server.html#Configure_TURN_. But even with this, we are not able to access the BBB service within the University LAN protected with a restrictive firewall.
Please find the following diagram to illustrate the environment. Looking for your suggestions to solve this issue. We are banging our heads against this wall for some time now.
From your university network, can you open https://test.bigbluebutton.org/ in a Google Chrome browser, and check whether you can access audio/video without any 1007/1020 errors?
If yes, then check your Turn server config again and ensure your BBB server can use it.
Otherwise, check whether your university firewall allows connections on TCP ports 80 and 443 and UDP ports 16384 - 32768.
Related
this might sound a bit amateur-ish but I'm in a bit of a situation here.
So I created myself a website and managed to get it working on localhost, I tried port forwarding ports 80,443 but nothing helped, So next thing I'm googling around and I read about ngrok and it actually worked. Got it working on a long randomly generated domain but the problem is that I want to use the one that I have from no-ip.com. How can I do that please? I'm very lost here.
Software being used: Xampp (Apache,MySQL)
I've reserved a DHCP ip-address for my PC in my router's settings, hopefully that helps? I don't know. Help me internet.
There are a whole bunch of possible reasons that this might not work. Here are a few of them.
Your ISP
Even if you have port forwarding set up properly on your router, it is still possible that you cannot do what you want.
First, many ISPs block serving websites from residential internet connections. Connections to port 80/443 will never even reach your router. You might try experimenting by forwarding a different port number (such as 8000 instead of 80) to see if the traffic can get through on that port. (However, that will not work as a practical solution since your users will not know to use an alternate port and your ISP can choose to terminate your service if you are violating the terms of your agreement.)
Second, due to the exhaustion of public IPv4 addresses, some ISPs are implementing Carrier-Grade NAT (CGNAT, a.k.a. Large-Scale NAT - LSN). Instead of giving your router a public IP address, they give your router a private IP address inside their network. Once again, connections to port 80/443 (or any other port for that matter) will never reach you. You can check if you are behind CGNAT by going to your router's setting and finding the public IP address, then going to https://whatsmyip.com/ and seeing if it is the same or different. (In theory, you should be able to tell that you have CGNAT if your router's IP address is between 100.64.0.0 - 100.127.255.255, but in practice some ISPs use other private network ranges too, such as 10.0.0.0 - 10.255.255.255.)
The reason Ngrok works for you is because Ngrok opens a tunnel from your computer to their cloud servers and sends the traffic through that tunnel.
DNS
You mentioned in the comments that you have the DNS set to resolve the private IP of your computer. That certainly will not allow users on the public internet to get to your site, because they cannot connect to your address.
However, you also mentioned in the comments that if you change the DNS to point to your public IP, it doesn't work from either inside or outside. This could mean your problem is one of the ISP issues described above. It could also mean that your router does not support Hairpin-NAT (a.k.a. NAT Reflection), which is how the router would be able to redirect local traffic back to the local server instead of trying to send it out over the internet.
Firewall
Your computer's firewall can look at the source IP address of the incoming traffic, and it might be set not to allow external access to your web server. DO NOT DISABLE YOUR FIREWALL to try to get around this. Instead, you need to add a specific exception to the firewall rules to allow the incoming traffic. How you do this will depend on your operating system.
I have a webcam chat room application (so it's many-to-many video sharing) using WebRTC and a mediasoup server.
I am having problems with SOME of my users not being able to get an incoming video feeds to work. It's a difficult problem because I can't reproduce it at all, and I can't easily "remote-debug" the problem since most of my users are very non-technical. So far the only thing I can tell for certain is that it seems to be network-related, not browser-related, as I have had bug reports from people using Firefox, Chrome, Safari, and Edge. I'm running my server (mediasoup v2) on port 443 with no firewall on the server box, so that should make the door as wide as possible. I just don't know what the exact problem is yet so I'm feeling around in the dark.
So, I'm trying solutions. I don't think(?) I have a TURN server set up but from what I have read, it seems like adding one certainly can't hurt, and could help with my situation.
I don't fully understand the entire WebRTC protocol or RFC 7118 (this stuff is really complicated!) or exactly what/where/how a TURN server fits into the bigger picture. It would help, right? A lot of Googling has led to no clear answers. Would love some help! Thank you!
WebRTC tries everything it can do to make a p2p connection, but there are times that it will fail. The turn server acts as a last resort so that the peers can both connect through the turn server. Obviously this is not a p2p connection, so there will be extra latency, and you will have to make sure that your turn server has enough bandwidth to cover all of the connections you expect.
TL;DR, If you need 100% connection rates, you should have a turn server.
I believe AWS has a ready made instance you can spin up, or if you could use this open source coturn server https://github.com/coturn/coturn
On a debugging note... Check your ice candidates type. You should see host and srflx if you only have a STUN server, but if you have a TURN server you will also see relay. You can replicate this issue by discarding the ice candidates that have host and srflx types.
I'm running my server (mediasoup v2) on port 443 with no firewall on the server box, so that should make the door as wide as possible
That is websocket. The media traffic runs over UDP typically and mediasoup uses random ports. A TURN server which is configured on udp port 443 may help in some cases.
The other problem is UDP being blocked which is easy to reproduce with a local firewall.. Mediasoup supports something called ice-tcp which will allow media to run over a TCP connection. You should check if your mediasoup installation uses ice-tcp. If it does not, a TURN server with TURN/TCP will help.
I have developed a WebRTC based application along with Kurento-Media-Server.
Problems with this application is:
It works but only on open network (i.e. if run on a network without firewall).
When in firewall it runs sometimes (once out of 10 attempts).
I have tried several things with the firewall, I have disabled all kind of incoming/outgoing traffic. I have created a port-forwarding for my application as well as Kurento-media server.
I am not sure how much useful this information might be but I am deploying my
application on the same physical box along with Kurento-Media-Server. I have configured google's STUN server on my client.js, I have also configured same STUN servers on kurento using code. I haven't configured TURN server.
Just confirming this, signaling server can be behind firewall along with rest of the application, correct?
I am not sure what to look for now, any help in this area would be great.
EDIT-1
From this link I learned that my current network on which my isn't working it has issues with plain websocket connection, it doesn't allow it, it only allows secure Websocket connections.
EDIT-2
Image of netscan:
In my phone network where my app works fine I see all greens in Websocket's "plain" column.
EDIT-3 Solved
Finally found the problem, We were using a router for testing and development and I found that the router had issues, I used LAN cable on the same router and everything worked fine. Calls from application were working just fine. Firewall related details help in configuring the firewall later on.
Based on your problem description it seems all the UDP traffic is not open in your firewall. WebRTC media run on UDP ports.As you mentioned it works one out of 10 times whch means only few UDP ports are open in your firewall.You are lucky when traffic comes via tose ports.You can open port-range in your firewall and configure the same in kurento-media-server config.Your job should be done.
Even if you configure TURN server you need to open certain ports for outgoing and incoming UDP traffic.For TURN server default port is 3478 or 8443 for sending data towards it but for incoming traffic you need to configure port-range on your TURN server and open those ports in your firewall. Always remember TURN server is assured way to connect but it's always costly.
Apologies if this is a dumb question, I've limited network knowledge.
If I sent a string to port 80 on UDP, would the server / receiving IP log it? I'm pretty sure it wouldn't in access logs, but what about firewall logs?
This is far too general question, thus I'll give a general answer.
In general that would be up to the particular server in use. That is your UDP "Listener" might or might not log incoming traffic as per configuration/settings.
Same applies for your firewall.
It really depends on what kind of organization you're trying to portscan for your "art project". If you're targeting a government entity, or Fortune 500 (in which case assume you're going to be prosecuted theft of resources in a court with no understanding of technology) you should assume there will be an intrusion detection system sniffing the network and logging all traffic out of the ordinary.
However if you set up a Windows desktop out of the box, it's not going to log UDP access to closed ports.
I created a vb .net app and basically it connects to the server (my brother's computer at his house) and sends messages. The problem I'm having is, we both have routers. The only way I'v gotten all of this to work, is by both of us connecting ppeo broadband and then our ips work, otherwise the "real ip" is used for all the pcs in my house. How can I connect tcp to him wothout him having to connect broadband. Because to connect broadband he needs to be connected to an ethernet port, so then he cannot be wireless.
Thanks
I don't know what you mean by "connect broadband", but if the computers are not on the same local network, and you have a NAT router in between, you will either have to connect them via a VPN (like Hamachi for example) or configure port forwarding on both sides on the routers.
See: How do you get Java sockets working with public IPs?
Some routers also have "Dynamic Port Forwarding", where if you are using, say port 8084 for your traffic, both your and your brother set your routers to dynamic port forward port 8084.
The router then listens for client computers connecting across port 8084, and when it sees that traffic, it will route traffic across that port to the client computer that first requested it.
Another popular "NAT-traversal" technology is UPnP. See this SO question and associated article for more information on how to use .NET to control UPnP. Again, router hardware must support it and be configured to use UPnP.
Edit: Untested, but you could try also to use and IPv6 tunneling software such as the one from go6 to create a public IP. This is like VPN, but one-sided, and less private.
Rather than router configuration, you could use a VPN. Hamachi is free and easy.