# Need help with Tivoweb networking issue



## itm (Aug 12, 2001)

I've got a routing problem which is preventing me from accessing Tivoweb from the internet, and was wondering whether there were any networking gurus here who could help?

My router setup is:
O2 ADSL Router - LAN-side address 10.0.0.138
->
Dual WAN Router - WAN-side address 10.0.0.3, LAN-side 192.168.1.1
(this is the DHCP server and gateway on the LAN)
->
Local network and Tivo (subnet 192.168.1.x)

My Tivo is 192.168.1.200, and my web server PC 192.168.1.4. I also have a Sky ADSL broadband router (LAN-side address 192.168.0.1), but I use the O2 IP address to connect from the outside.

I have Tivoweb running on port 8082, and can access it fine on this port from other PCs on the LAN. I have port 8082 forwarded from the O2 ADSL router to the Dual WAN router, and from the Dual WAN router to the Tivo (192.168.1.200). The problem is that no internet traffic appears to be reaching the Tivo. I have other ports forwarding fine to the web server PC (8080 and 8084 for example), and they are routing fine.

The ARP table from the dual WAN router is below - for some reason it doesn't contain an entry for the Tivo on 192.168.1.200:
```
40) 0013B6-048DC5 0 N 0x00 192.168.1.237 59213 59228
43) 00120E-6FB420 0 N 0x00 192.168.1.14 62431 62474
44) 00508D-959207 0 N 0x00 192.168.1.4 54771 62187
45) 001302-BBEC3A 0 N 0x00 192.168.1.7 50881 62513
46) 001F9F-D2A2E6 1 N 0x00 10.0.0.138 62364 62517
47) 001C25-A94284 0 N 0x00 192.168.1.10 53293 62520
48) 00146C-B5C730 2 N 0x00 192.168.0.1 61681 62523
49) 0019E0-75E774 0 N 0x00 192.168.1.8 53295 62526
```

I can ping the Dual WAN router and other PCs on the LAN from the Tivo. I also have full connectivity to the Tivo from other PCs on the LAN. I cannot ping internet IP addresses from the Tivo however.

Does anyone know why my port forwarding does not appear to be working from the O2 to the Dual WAN router to the Tivo?


----------



## dieselnutjob (Apr 6, 2005)

Personally I wouldn't put a tivo on the internet anyway.
How often are you going to see security patches for the tivo?
For me it's too critical to expose it to the internet
I configure a reverse proxy on my web server and access it that way.
Something like this if it's apache

```
ProxyRequests off
ProxyPass /tivo http://10.0.1.201
ProxyPass /tivo/ http://10.0.1.201/
ProxyHTMLURLMap http://10.0.1.201 /tivo
<Location /tivo>
	ProxyPassReverse /
	SetOutputFilter proxy-html
	ProxyHTMLURLMap / /tivo/
	ProxyHTMLURLMap /tivo /tivo/
	RequestHeader unset Accept-Encoding
	AuthType Basic
	AuthName username
	AuthUserFile /web/apache/passwd
	Require user username
</Location>
```

also I needed some modules in /etc/httpd.conf

```
LoadFile /usr/pkg/lib/libxml2.so
LoadModule proxy_html_module lib/httpd/mod_proxy_html.so
```


----------



## itm (Aug 12, 2001)

Thanks for the reply.

Unfortunately I run IIS and I have no idea how to set up a reverse proxy with IIS, and I don't really want to invest in Wingate or equivalent.

It seems that there is a basic internet connectivity problem with the Tivo (in and out), and I'd like to crack that if possible.


----------



## Milhouse (Sep 15, 2001)

Have you confirmed that your TiVo is not accessible from the internet *from a PC on the internet*, or only from a PC on your LAN?

If only the latter, chances are everything is set up correctly but your router is not allowing internal LAN requests to your WAN address to be redirected back into your LAN - check to see if you can enable "Loopback" (sometimes called NAT Redirection) on your O2 router.

With loopback disabled, the router will basically not allow internal machines to access the public IP address of the router, which may be leading you to believe there is a problem further down the line.

The reason for disabling loopback is to prevent internal machines from accessing other internal machines (ie. servers) on the same LAN via the internet. Which in this case is exactly what you want to do, at least while testing.


----------



## itm (Aug 12, 2001)

Yes I've been using a Logmein account to connect from my desktop at work, so it's a proper internet connection. Using this same connection I have no problem connecting to a webcam on my web server at home which is running on port 8080. 
If I route port 8082 to the same server I can also connect without problems, so there's no problem with the firewall at work blocking port 8082.
So there's no basic internet connectivity problem into servers on my LAN - it's just the Tivo which doesn't seem to be accessible. Could it be anything to do with the fact that it's the only Linux machine on my LAN??

I also tried accessing my internal network via the Sky ADSL router (the other one connected to the Dual WAN router), port forwarding 8082 in the same way. I couldn't connect that way either. 

I can't work out why the Tivo can ping the gateway router on 192.168.1.1, and also every other device on the 192.168.1.* subnet, but not get any internet connectivity (I've also checked that the Tivo gateway is set to 192.168.1.1 using nic_config_tivo)

???


----------



## dieselnutjob (Apr 6, 2005)

itm said:


> The ARP table from the dual WAN router is below - for some reason it doesn't contain an entry for the Tivo on 192.168.1.200


if the router can't arp for the tivo, then it won't send it any packets either
ping the router from the tivo, then look again at the arp table

the only other thing you can do is unplug the tivo and put a laptop there instead with same IP address, see if you can send packets to the laptop. if they don't arrive at the laptop then it's nothing to do with the tivo


----------



## Pete77 (Aug 1, 2006)

dieselnutjob said:


> Personally I wouldn't put a tivo on the internet anyway.


Well you seem to be heavily in the minority there as numerous forum members (including the renowned TCM2007) have put their Tivos on the internet via their router with only a username and password as protection and no one ever seems to have had their Tivo attacked or destroyed from the web. The Tivo operating system just isn't of interest to the average trojan program looking for a Microsoft operating system or a web browser or well known email package to take over.

Setting a port number other than 80 is probably the only other wise precaution that needs to be taken.

Coming back to the OP these O2 Thomson routers do seem to have particularly nasty issues with allowing port redirects. For instance the port redirects I set up on my Mum's Be Box Thomson Router were forgotten whenever the router was power cycled and there seemed to be no way to force the Thomson router to remember them permanently. I have never had these issues using a humble Netgear DG834G v2 router at my home address with my own Tivo.


----------



## mutant_matt2 (Dec 16, 2008)

Can you ping 10.0.0.138 (the LAN interface of your O2 ADSL Router), from the Tivo? Can you ping Tivo (or some other IP address) out on the internet from the TiVo? (using IP addy, not a DNS name).

As has been said, if you ping the WAN router, the TiVo should be in the arp table, but over time, this might drop off (which is probably what you saw).

Matt.


----------



## johala_reewi (Oct 30, 2002)

itm said:


> (I've also checked that the Tivo gateway is set to 192.168.1.1 using nic_config_tivo)
> 
> ???


FWIW nic_config_tivo does not check the default gateway.
It offers to change it to 192.168.1.1 (or some other value you input).

To find out what your default gateway is currently set to, use route.tivo -n and look for the line beginning 0.0.0.0

If you are still using dial up for programme guide data, another gotcha is that nic_config_tivo will not set a default gateway so while dial up will still work, Tivo will not be able to talk to the outside world. In this situation, you will have to add the gateway manually.

http://archive2.tivocommunity.com/tivo-vb/showthread.php?p=2897965&&#post2897965


----------



## itm (Aug 12, 2001)

If I ping 192.168.1.1 (the gateway/Dual WAN router) from the Tivo it appears in the ARP table for a while, but when I re-check the ARP table a couple of hours later it has disappeared.

I can't ping either of the two ADSL routers from the Tivo (neither the O2 on 10.0.0.138 nor the Sky on 192.168.0.1)

route.tivo -n shows the following:

```
route_info, afname=inet, options=37
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 32767 0 0 eth1
```

Does the Gateway 0.0.0.0 give the clue to my problem?


----------



## itm (Aug 12, 2001)

I just followed the instructions to manually modify the gateway and hey presto - the Tivo is now online! Many thanks to all.

Now I need to check that the daily call still works - is there a quick way of telling?


----------



## mutant_matt2 (Dec 16, 2008)

BTW, Pete is correct in that, the Thomson O2/BE boxes are absolutely terrible and should be replaced if almost anything outside of "provide an internet connection", is required (or indeed, reliable service, especially Wireless).

On another note, I personally wouldn't like to put my TiVo out on the internet, without some protection (username and password I don't consider "protection"), but I understand plenty have with no issues. I wonder though, how it would stand up to some fairly keen to get in/curious what it would take to take it down, I wouldn't like to guess all that well (maybe an experiment when I have time one day, for interests sake, on a spare TiVo).

Glad the problem is solved! 

Matt


----------



## Milhouse (Sep 15, 2001)

mutant_matt2 said:


> On another note, I personally wouldn't like to put my TiVo out on the internet, without some protection (username and password I don't consider "protection"), but I understand plenty have with no issues.


I'm in the camp that wouldn't put a TiVo directly on to the internet, but if someone wants to hammer away on my Apache reverse proxy - and several have tried over the years! - they're more than welcome...


----------



## itm (Aug 12, 2001)

I did have a crack at an Apache reverse proxy, following instructions on this forum, but I could never work out how to install Apache modules correctly on my Windows machines. I thought I'd got everything set up correctly with the .so and .dll files in the modules folder but couldn't get it to recognise the proxypass command.
Does anyone know of a good idiot's guide to Apache module installation on Windows? (including links to pre-compiled modules for Windows)


----------



## Milhouse (Sep 15, 2001)

Oddly enough, I've never seen or worked on an Apache on Windows installation!

I would suggest you try dedicating a small Linux machine for web related stuff (as it's so much easier - I run Ubuntu as it's also a desktop) but realise that could be unreasonable...

I suppose you did load the necessary modules for proxying? With Apache2 you need to load mod_proxy and mod_proxy_http, in Windows-land I presume these modules will be .dll's rather than .so's

This is the fragment I have for external password-protected access to my TiVo:


```
<Location /tivo>
	Allow from all

	ProxyPass http://tivo
	ProxyPassReverse http://tivo

	AllowOverride None
	AuthType Basic
	AuthName "Authorised TiVo User"
	AuthUserFile /var/www/passwd
	require valid-user
</Location>
```
In case it's confusing, the local DNS entry for my TiVo is "tivo" so "ProxyPass http://tivo" forwards each inbound request to my TiVo via its tivo DNS entry, and ProxyPassReverse rewrites any headers being returned to the browser to match the original inbound /tivo request.

The two proxy modules are loaded in the main apache2.conf.


----------



## johala_reewi (Oct 30, 2002)

itm said:


> route.tivo -n shows the following:
> 
> route_info, afname=inet, options=37
> Kernel IP routing table
> ...


What that shows you is that network traffic for IP addresses 192.168.1.* gets sent directly to the eth1 interface and not to a gateway. So Tivo can talk to the local network.

For the 'default gateway', you should see a destination of 0.0.0.0 with a gateway of your router's IP address (eg 192.168.1.1). In this case, you haven't got one so Tivo is unable to talk to the outside world.

A solution (as you have found) is to manually add the default gateway. However, a Tivo reboot will lose this setting unless you change the startup script.

The other option is to configure Tivo to get programme data via the network (not dialup) in which case the nic_config_tivo program will set up the default gateway for you.


----------
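The check described above (a route with destination 0.0.0.0 pointing at the router), as an added example that is not part of any post in this thread. It reads `route -n` style text on stdin; the `default_gateway` function name and the second sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the default gateway in `route -n` style output.
# Prints the gateway address and returns 0 when a usable default route
# exists; prints nothing and returns 1 when it is missing.
default_gateway() {
    awk '
        # Data rows have 8 columns and a dotted-quad destination,
        # which skips the banner and header lines.
        NF >= 8 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            # Default route: destination and mask are both 0.0.0.0,
            # flags contain G, and the gateway is a real address.
            if ($1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/ && $2 != "0.0.0.0") {
                print $2; found = 1; exit
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Routing table as posted in the thread: only the on-link subnet route.
BROKEN='route_info, afname=inet, options=37
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 32767 0 0 eth1'

# Constructed sample: the same table once a default route via
# 192.168.1.1 has been added.
FIXED="$BROKEN
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1"

check() {
    if gw=$(printf '%s\n' "$1" | default_gateway); then
        echo "default gateway: $gw"
    else
        echo "no default gateway: only directly connected subnets are reachable"
    fi
}

check "$BROKEN"
check "$FIXED"
```

With no default route the TiVo can still answer hosts on 192.168.1.x, which is why LAN access worked while forwarded connections from internet addresses got no reply.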



## itm (Aug 12, 2001)

Milhouse said:


> I suppose you did load the necessary modules for proxying? With Apache2 you need to load mod_proxy and mod_proxy_http, in Windows-land I presume these modules will be .dll's rather than .so's


This is what's in my httpd.conf file:
```
...
LoadFile modules/libxml2.dll
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
...
<VirtualHost my.public.ip.address:8082>
	DocumentRoot "e:/web/tivo"
	ServerName www.mydomainname.com
	ProxyPass / http://192.168.1.200/
	ProxyPassReverse / http://192.168.1.200/
</VirtualHost>
```

My Apache \modules folder contains:
mod_proxy.so
mod_proxy_html.so
mod_proxy_http.so
mod_rewrite.so
libxml2.dll (I wasn't sure whether this needed to be there)

My Apache \bin folder contains:
libxml2.dll

Does this all look right??


----------
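A small check for the difference between the two proxy fragments posted above (Milhouse's password-protected `<Location /tivo>` and the `<VirtualHost>` that proxies straight to 192.168.1.200), as an added example that is not from any poster. It lists containers that use `ProxyPass` without a `Require` line naming users or groups; the function name is hypothetical, the sample configs are constructed from the posted fragments, and top-level `ProxyPass` lines and nested containers are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): list Apache <Location> and
# <VirtualHost> containers that reverse-proxy to a backend without
# requiring an authenticated user.
proxy_without_auth() {
    awk '
        /^[ \t]*#/ { next }                              # ignore comments
        /^[ \t]*<(Location|VirtualHost)[ \t]/ {          # container opens
            name = $0; sub(/^[ \t]+/, "", name)
            inblk = 1; proxy = 0; auth = 0; next
        }
        /^[ \t]*<\/(Location|VirtualHost)>/ {            # container closes
            if (inblk && proxy && !auth) print name
            inblk = 0; next
        }
        !inblk { next }
        tolower($1) == "proxypass" { proxy = 1 }
        # Only Require lines that name users or groups count as auth.
        tolower($1) == "require" && tolower($2) ~ /^(valid-user|user|group)$/ { auth = 1 }
    '
}

# Constructed from the VirtualHost fragment posted above: proxies
# directly to the TiVo with no authentication directives.
OPEN_CONF='<VirtualHost my.public.ip.address:8082>
ProxyPass / http://192.168.1.200/
ProxyPassReverse / http://192.168.1.200/
</VirtualHost>'

# Constructed from the Location fragment posted above: the same proxy
# behind Basic authentication.
AUTH_CONF='<Location /tivo>
ProxyPass http://tivo
ProxyPassReverse http://tivo
AuthType Basic
AuthName "Authorised TiVo User"
AuthUserFile /var/www/passwd
require valid-user
</Location>'

printf '%s\n' "$OPEN_CONF" | proxy_without_auth   # lists the VirtualHost
printf '%s\n' "$AUTH_CONF" | proxy_without_auth   # lists nothing
```

Basic authentication sends the credentials base64-encoded rather than encrypted, so a proxy protected this way is normally served over TLS.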



## dieselnutjob (Apr 6, 2005)

another option is to install cooperative linux ( search for colinux ) on to your windows box. I ran an apache server on a colinux box for years without trouble. and it was a pentium 3 with sod all ram


----------



## Ian_m (Jan 9, 2001)

Milhouse said:


> I'm in the camp that wouldn't put a TiVo directly on to the internet, but if someone wants to hammer away on my Apache reverse proxy - and several have tried over the years! - they're more than welcome...


I have had my TiVo on the Internet, via simple port forwarding since early 2005, and not had any unknown access.

It is located at a high port number and has logging on the router enabled, not seen any access since installation.

Mind you as for ports 21, 25, 80, 443, 135-8...well I had to block logging on these as the log just kept on filling....


----------



## dieselnutjob (Apr 6, 2005)

it's not an argument that can ever be resolved, because it's a matter of opinion, and how risk averse you are.
I have a web server on all the time anyway, so to reverse proxy it cost me nothing except a few lines of config
others will be perfectly valid in coming to a different conclusion, and they'll probably get away with it
also I like to access tivoweb from my PC at work, which means going out through the company proxy, and that means no funny port numbers because the company proxy blocks most of them


----------



## Ian_m (Jan 9, 2001)

The other argument that made me decide to use simple port forwarding was running cost.

My router uses 7W, thus yearly cost (electric at £0.15 per kWh) is

7/1000 x 0.15 x 24 x 365 = £25/year 

If I used an old PC (I had 90MHz Pentium & 1.4GHz P4 both available) both take about 100W when idle (going to 160W when active).

100/1000 x 0.15 x 24 x 365 = £131/year 

So a massive increase in cost...for me since 2005 is a saving of over £400 and again for me not needed..


----------



## dieselnutjob (Apr 6, 2005)

the solution to that is a soekris pc
my mail/web server is currently running on a mini itx pc which I think is 10W
the soekris pc is even less
another option is that some of the broadband routers can be reflashed to run linux


----------



## mutant_matt2 (Dec 16, 2008)

I'm seriously thinking about using my Linksys Slug (NSL2) in my DMZ, to do this task in the future (with the os/modified firmware, running off a flash drive, to keep the power consumption down). It's currently my ftp server only, which hardly gets used, and would presumably hardly get used much more, running as my TiVo reverse proxy as well...

Matt


----------



## Milhouse (Sep 15, 2001)

dieselnutjob said:


> the solution to that is a soekris pc
> my mail/web server is currently running on a mini itx pc which I think is 10W
> the soekris pc is even less
> another option is that some of the broadband routers can be reflashed to run linux


I can better that - I quite like the look of this - it would be perfect as a little linux "server" running a host of network related services... and only consumes 5W.


----------



## mutant_matt2 (Dec 16, 2008)

Nice! (thanks for the link).


----------

