XMPP Service Operators - 2020-11-24

I've always provided that data on the basis that it costs very little effort, so why not? Never attempted to track how much it's used though. Web clients would definitely benefit the most.

I See. I will try it later. Thanks!

bastoon, any reason for that? I’ve been using a bosh and a ws subdomains with pretty much no issue.

Link Mauve: It actually depends on your use cases but few clients don't support XEP-0156 and only propose default URIs to ignorent users. ✏

(precious message, I used "message correction" instead of "new message", but I believe it is seen as a new message anyway on this MUC)

I saw it as a correction.

oh so, I just erased and mixed up messages, sorry for that!

bastoon, better fix these clients. :)

+1

Yes but I offer users the choice to use whatever client they want

hello guys, I set up an ejabberd server with a domain name but when I'm on the very same LAN network as the server my xmpp clients all fail to connect. I see in ejabberd logs that the connection is accepted but there seems to be no authentication going on. I don't understand... I enabled all the IP pools and the external public IP address of the server in the access rules (in the loopback section). Is there anything you notice I'm doing wrong?

if I explicitly set the local IP address of the server inside the host option of my clients, they do log in just fine ✏

I had the same problem using prosody in another environment, with a different router, some time ago. So, there may be something I just ignore

alpha_dead: as said elswhere, fix your router, "hairpin NAT" or thereabout

Licaon_Kter, thank you. That's a good starting point I was missing. I am looking into it

Licaon_Kter, the only thing I don't understand is why does ejabberd receives a connection, I can see it in the log, if the router is the problem? Isn't it enough to get to connect to the machine? That is happening, it's just no authentication happens

alpha_dead: the router sends the connection but with what ip? set hide_ip to false and check

Licaon_Kter, with the external public IP on the internet, which resolves to the local IP machine, I see that in ejabberd log

I enabled both IP addresses in the loopback section of the access rules of ejabberd, but still locally I can only connect by declaring the LAN IP in the client (tried with Conversations and Gajim, works in both cases) ✏

How did you setup your router? (Don't mess with ejabberd defaults for access rules) Only setting up port forwarding is not enough...

What kind of router?

Licaon_Kter, it's a consumer router, Huawei, provided by the ISP. I indeed set up port-forwarding and open the additional firewall to make sure it was not in the way

I have a few advanced options, but it's clearly not as advanced as a Mikrotik or similar

I hope I didn't miss something

I guess it is something with NAT and ip resolution. The server probably needs the client to have an external ip. However in this case it connects with an internal.

alpha_dead: is there a difference between : $ telnet <public_ip> 5222 $ telnet <private_ip> 5222 ?

I'm more concerned that the ejabberd answer is lost by the router, which needs to be smart and track it back....locally or through the internet.

alpha_dead, on the ejabberd machine, start a tcpdump on port 5222 before you connect to ejabberd via the external IP from a LAN client

if you see the *LAN* IP of the client in there, you are doomed

(that means your router doesn’t do hairpin NAT properly)

then the SYN packet will arrive in ejabberd (and it’ll accept the connection), but no data can flow from ejabberd back to the client

then the only way you could fix this is by solving that one layer up, for example with additional SRV records or split-horizon DNS

this really stinks like a broken hairpin NAT thing.

jonas’, thanks a lot! That's an amazing tip

Just to add some blur: are you using same kind of network ? Buggy IPv6 conf for firewall / server ?

bastoon, I'm not sure if I understood your question, I'd answer that the router generates the network of the server so they are on the same network, and it works as the firewall and port-forwards too.. that router generates two subnets, one for guests and one for the server. I've been using the server network to connect to ejabberd

alpha_dead, do you serve a static route on your local lan DNS for domain.tld -> LANIP so DNS clients pick that?

I didn't set a local DNS server, I thought a lot of clients would ignore it

yeah they might, true, but you can test if it helps.

that could be a good idea, for sure. I want to go back to the machine and try what jonas' suggested

and would try the bastoon telnet test too

I would said :

from external : maybe ipv4 is used, from internal ipv6

check telnet from inside : public + private ; and from outside (public). And pay attention to address resolution and connection opening or not