-
mike
I've always provided that data on the basis that it costs very little effort, so why not? Never attempted to track how much it's used though. Web clients would definitely benefit the most.
-
Arne
I See. I will try it later. Thanks!
-
bastoon
0156 is only declarative. Same "security" level than adding SRV. Thought, you should use "standard" endpoint naming (/http-bind, /xmpp-websocket). So, that would make no impact at all.✎ -
Link Mauve
bastoon, any reason for that? I’ve been using a bosh and a ws subdomains with pretty much no issue.
-
bastoon
Link Mauve: It actually depends on your use cases but few clients don't support XEP-0156 and only propose default URIs to ignorent users. ✏
-
bastoon
(precious message, I used "message correction" instead of "new message", but I believe it is seen as a new message anyway on this MUC)
-
mathieui
I saw it as a correction.
-
bastoon
oh so, I just erased and mixed up messages, sorry for that!
-
Link Mauve
bastoon, better fix these clients. :)
-
MattJ
+1
-
bastoon
Yes but I offer users the choice to use whatever client they want
-
alpha_dead
hello guys, I set up an ejabberd server with a domain name but when I'm on the very same LAN network as the server my xmpp clients all fail to connect. I see in ejabberd logs that the connection is accepted but there seems to be no authentication going on. I don't understand... I enabled all the IP pools and the external public IP address of the server in the access rules (in the loopback section). Is there anything you notice I'm doing wrong?
-
alpha_dead
if I explicitely set the local IP address of the server inside the host option of my clients, they do log in just fine✎ -
alpha_dead
if I explicitly set the local IP address of the server inside the host option of my clients, they do log in just fine ✏
-
alpha_dead
I had the same problem using prosody in another environment, with a different router, some time ago. So, there may be something I just ignore
-
Licaon_Kter
alpha_dead: as said elswhere, fix your router, "hairpin NAT" or thereabout
-
alpha_dead
Licaon_Kter, thank you. That's a good starting point I was missing. I am looking into it
-
alpha_dead
Licaon_Kter, the only thing I don't understand is why does ejabberd receives a connection, I can see it in the log, if the router is the problem? Isn't it enough to get to connect to the machine? That is happening, it's just no authentication happens
-
Licaon_Kter
alpha_dead: the router sends the connection but with what ip? set hide_ip to false and check
-
alpha_dead
Licaon_Kter, with the external public IP on the internet, which resolves to the local IP machine, I see that in ejabberd log
-
alpha_dead
I enabled both IP in the loopback section of the access rules of ejabberd, but still I locally I can only connect by declaring the LAN IP in the client (tried with Conversations and Gajim, works in both cases)✎ -
alpha_dead
I enabled both IP addresses in the loopback section of the access rules of ejabberd, but still I locally I can only connect by declaring the LAN IP in the client (tried with Conversations and Gajim, works in both cases)✎ ✏ -
alpha_dead
I enabled both IP addresses in the loopback section of the access rules of ejabberd, but still locally I can only connect by declaring the LAN IP in the client (tried with Conversations and Gajim, works in both cases) ✏
-
Licaon_Kter
How did you setup your router? (Don't mess with ejabberd defaults for access rules) Only setting up port forwarding is not enough...
-
Licaon_Kter
What kind of router?
-
alpha_dead
Licaon_Kter, it's a consumer router, Huawei, provided by the ISP. I indeed set up port-forwarding and open the additional firewall to make sure it was not in the way
-
alpha_dead
I have a few advanced options, but it's clearly not as advanced as a Mikrotik or similar
-
alpha_dead
I hope I didn't miss something
-
mss_cyclist
I guess it is something with NAT and ip resolution. The server probably needs the client to have an external ip. However in this case it connects with an internal.
-
bastoon
alpha_dead: is there a difference between : $ telnet <public_ip> 5222 $ telnet <private_ip> 5222 ?
-
Licaon_Kter
I'm more concerned that the ejabberd answer is lost by the router, which needs to be smart and track it back....locally or through the internet.
-
jonas’
alpha_dead, on the ejabberd machine, start a tcpdump on port 5222 before you connect to ejabberd via the external IP from a LAN client
-
jonas’
if you see the *LAN* IP of the client in there, you are doomed
-
jonas’
(that means your router doesn’t do hairpin NAT properly)
-
jonas’
then the SYN packet will arrive in ejabberd (and it’ll accept the connection), but no data can flow from ejabberd back to the client
-
jonas’
then the only way you could fix this is by solving that one layer up, for example with additional SRV records or split-horizon DNS
-
jonas’
this really stinks like a broken hairpin NAT thing.
-
alpha_dead
jonas’, thanks a lot! That's an amazing tip
-
bastoon
Just to add some blur: are you using same kind of network ? Buggy IPv6 conf for firewall / server ?
-
alpha_dead
bastoon, I'm not sure if I understood your question, I'd answer that the router generates the network of the server so they are on the same network, and it works as the firewall and port-forwards too.. that router generates two subnets, one for guests and one for the server. I've been using the server network to connect to ejabberd
-
Licaon_Kter
alpha_dead, do you serve a static route on your local lan DNS for domain.tld -> LANIP so DNS clients pick that?
-
alpha_dead
I didn't set a local DNS server, I thought a lot of clients would ignore it
-
Licaon_Kter
yeah they might, true, but you can test if it helps.
-
alpha_dead
that could be a good idea, for sure. I want to go back to the machine and try what jonas' suggested
-
alpha_dead
and would try the bastoon telnet test too
-
bastoon
I would said :
-
bastoon
from external : maybe ipv4 is used, from internal ipv6
-
bastoon
check telnet from inside : public + private ; and from outside (public). And pay attention to address resolution and connection opening or not