NAT port trouble

bgstack15 · April 8, 2020, 12:59pm

In a Devuan ceres (basically Debian unstable, just no systemd) environment running with the stable apt repo packages, I have installed Jitsi Meet.
I want to run Meet with my own certificate available on the Internet, so I am setting up NAT but I cannot seem to get it working. Meet works on the LAN already.
I have read thoroughly this thread:

My external port 443 is in use by another application, which is probably the cause of my problem with Meet. Otherwise, I don’t care what ports are used. I have full control of the router. Could I get some help to figure out what I’m missing from the instructions and above thread?

My goal is to use port 4443 externally, so https://mydomain.ddns.example.com:4443/

What I currently get when visting my above link (obviously the domain name has been changed): I see the lobby and I can choose a meeting name. The meeting shows up, but the video does not work. This sounds identical to the linked thread, but my port 10000 is not conflicted like that thread.

My configuration files sections:
/etc/jitsi/meet/jitsi1.ipa.example.com-config.js

    bosh: '//jitsi1.ipa.example.com:4444/http-bind',

/etc/nginx/sites-enabled/jitsi1.ipa.example.com

server {
    listen 4443 ssl http2;
    listen [::]:4443 ssl http2;
    server_name jitsi1.ipa.example.com;

/etc/jitsi/videobridge/sip-communicator.properties

#org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.1.81
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=335.331.252.23
org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=4444
org.jitsi.videobridge.rest.jetty.port=4444
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true

The stun mapping harvester addresses have been commented out per /github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md.
(link broken on purpose because of new-user link posting limit)

EDIT: additional info
Current port forwarding:
Protocol: both (tcp and udp) from 4443 to 192.168.1.81 4443
Protocol: both from 4444 to 192.168.1.81 4444

damencho · April 8, 2020, 10:34pm

If your site is litening on 4443, change and bosh to be the same port, 4443.

bgstack15 · April 8, 2020, 11:17pm

I have set that setting and then restarted jicofo and jitsi-videobridge2 services. It still does not work from outside the LAN.
My host firewall is wide open.
So I am listening on these ports. I have excluded other things like ssh, nfs clients, etc.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:4443            0.0.0.0:*               LISTEN      5556/nginx: master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5556/nginx: master
tcp        0      0 192.168.1.81:4445       0.0.0.0:*               LISTEN      1293/turnserver
tcp        0      0 192.168.1.81:4445       0.0.0.0:*               LISTEN      1293/turnserver
tcp        0      0 0.0.0.0:57949           0.0.0.0:*               LISTEN      1037/rpc.statd
tcp        0      0 0.0.0.0:43903           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5280            0.0.0.0:*               LISTEN      1449/lua5.2
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      1449/lua5.2
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1028/rpcbind
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5556/nginx: master
tcp        0      0 0.0.0.0:5269            0.0.0.0:*               LISTEN      1449/lua5.2
udp        0      0 0.0.0.0:40671           0.0.0.0:*                           1037/rpc.statd
udp        0      0 0.0.0.0:5000            0.0.0.0:*                           5460/java
udp        0      0 192.168.1.81:4445       0.0.0.0:*                           1293/turnserver
udp        0      0 192.168.1.81:4445       0.0.0.0:*                           1293/turnserver
udp        0      0 192.168.1.81:443        0.0.0.0:*                           1293/turnserver
udp        0      0 192.168.1.81:443        0.0.0.0:*                           1293/turnserver

Should I be forwarding the 4445 or any other of these ports, thruogh my NAT?

damencho · April 8, 2020, 11:31pm

Have you forwarded port 10000 udp to the bridge?

bgstack15 · April 9, 2020, 12:28pm

I have added that port forward rule. Would that still apply? I don’t see that port being listened to by the Meet server! I had tried changing it to 4443 so my “Both” would catch the tcp and udp.