"Home Network" times out. Test shows Remote Connectivity Fails with "Timeout (0) Timeout"

  • So I successfully finished pairing the teleport and my router, but when I move to an external network, it fails on the last step ("Home Network"). Just shows a spinning green circle and then gives up. UPnP is enabled on my main router (the Amplifi is in bridge mode).

    When I go to the amplifi app and tap the teleport and hit "test connectivity", it checks off local connectivity and UPNP, but "Remote Connectivity" shows "Timeout (0) - Timeout". Any thoughts on how to get it to work?

    When I log into my main router, I can see the UPnP ports being forwarded (same port number on both UDP and TCP).

  • Same issue. This seems to be a problem that a lot of people are seeing.

  • @UBNT-Gunars

    Any help here? I got the update that lets me explicitly set a port (though the UI doesn't tell me if it's TCP/UDP, or if something else may be needed).

    My current guess is there may be something I need to manually open in my firewall on my main router. Does that sound plausible to you? Is there some kind of external test I can do (portscan? something else?) to check?

    Can you tell us specifically what ports / IP Protocol Numbers / ICMP Types need to be opened / enabled / forwarded for this to work? Forgive me if this is documented somewhere but I haven't been able to find it.

  • I figured it out!

    TL;DR: UPnP for my main router (which my AmpliFi AP is behind) was forwarding the ports, but wasn't opening those ports on the firewall. Manually forwarding the ports and opening them in the firewall fixed it.

    Full instructions:

    1. Update the AmpliFi HD and the Teleport to 2.6.2. Router update is easy with the app. Teleport can be updated by tapping support in the upper right on its captive portal page that you see when setting it up.
    2. Go to the AmpliFi AP's web portal, either via the amplifi.lan URL if that works for you, or via its IP address (I had to find my AP's IP by looking at my main router's client list, so if amplifi.lan doesn't work for you, do this).
    3. Set a specific port number in the AmpliFi AP's portal for the Teleport. If you don't see an option to set a Teleport port number, make sure you're updated to 2.6.2, and make sure the Teleport is already paired with your AmpliFi AP. You can choose just about any port you like, but to be safe, you should probably go with something big and obscure. Google common ports and avoid what you see.
    4. On your upstream router (that your AmpliFi is connected to) go to your port forwarding options and forward that same port you specified in the previous step on both TCP and UDP to the internal IP address assigned to your AmpliFi HD router.
    5. Using the AmpliFi HD app, test and see if you're still getting the "Timeout (0)" error. If so, an upstream firewall is blocking you. Could be on the same router... could be higher up the network if your router doesn't have a public IP address.
    6. Find your firewall settings and make sure the same port you forwarded is open on both TCP and UDP for requests from any IP. For me, this was the missing piece as for some reason my router's firewall doesn't automatically open the ports I forward. As soon as I did this, the Timeout (0) error went away and I was in.

    Hope this helps!

  • @bee-cee Thank you for posting your solution! Great step-by-step as well.

  • @ubnt-brett

    Didn't solve for me. Tried a number of things. After Teleport reset I still get the prompt to pair the teleport in the app, but everything fails beyond that. The Teleport does not appear in the Android app any longer and all attempts, all remote networks tried, port forwarding and opening up primary router access rules to match the original UPNP ports that did open with the first setup attempt... nothing works. It appears the product is a dud.

    Should we return it for refund or are more updates coming in the next few days?

  • @david-lee Have you accidentally hidden the Teleport? Otherwise it would only disappear if you've manually unpaired it. We'll be removing the hiding option.

  • @ubnt-gunars I did not intentionally hide teleport, but certainly could have done it accidentally. Any method to restore?

  • @david-lee The fastest way to bring the Teleport device back after it has been hidden is to connect to the device on a network other than your AmpliFi network (different public IP). If that is currently not an option, there is another route.

    Please follow these instructions:
    Connect to the unsecured network the Teleport unit is broadcasting, "Teleport XXXXXX", where the last 6 characters match the last 6 of the MAC ID. Once it's connected, you will get a pop-up window that begins the connection process; close this window.
    Next, navigate to amplifi.lan/support.php (while still connected to the Teleport's network) and there you will have an option to un-pair the Teleport. Keep in mind the Teleport unit does have to be updated to do this; if not, update the devices to 2.6.1.

    Once the device is in pairing mode (top half of LED flashing), if the option to pair the Teleport device is not available in the smartphone application, and the option to add the device to the mesh network is not appearing on the router's LCD screen, follow these steps.
    Connect the computer to the AmpliFi router (hardwired or wireless) and navigate to amplifi.lan/select-device.php

    From there you should be able to pair the Teleport device.

  • @ubnt-brett

    Thanks. If I take your instructions and then also add a step to unpair in router-amplifi.lan/select-device.php, I can get the device to show in the mobile app after re-pairing. Unpairing in the Teleport support page isn't enough to restore the "icon" in the app.

    But I still get the Error during Home Network setup phase. This is with port forwarding enabled and I see "UPNP not required" during the teleport setup to show the port forwarding to the port specified in settings.php is working. But I still cannot get past the Home Network setup step.

    When I initially set up with UPNP and port=auto, I had the same failure point. But I can see the UPNP ports open in my primary router table. Thus I think it is not a ports issue in my case. I will reset everything to defaults and try again without port forwarding.

  • @ubnt-brett Ok, fixed by removing the port forwarding. Then opening Firewall Access Rules on my Peplink primary router to Any - Any. My router has a deny all rule by default. Teleport now finally able to connect. Check router access logs to find connection source and dst port. Lockdown access rules to open the specific source and dst ports to the Amplifi router LAN IP.

    So no port forwarding required beyond UPNP automatic setup. But interesting the ports needed for Access Rules do not align to the UPNP table ports. I'll have to remember to enable these access rules before I travel with Teleport.

  • Actually, that is not a solution as the Teleport keeps changing src ports. Unplug and replug and no go. And using the specified port in settings.php doesn't seem to help since the Teleport src ports change through a huge range with multiple TCP and UDP port changes even when a single port is specified in amplifi.lan/settings.php. Tried a full teleport reset and repair with port specified but no luck.

    Any ideas to get this to work without opening all ports or a huge port range on my primary router Access Rules? Possible to add functionality on Teleport settings to specify a single port?

  • @UBNT-Karlis: why wouldn't it work with the External port for Teleport connection setting?

  • @ubnt-gunars A connection can be established with the External port for Teleport setting and port forwarding. Works same as UPnP. But in either port forwarding use case, I have to set my router access rules to open roughly ports 18,000 to 65535 to connect locally on 9017. Otherwise Teleport goes offline. Teleport uses a wide range of ports when connected. If I set my router access rules to allow only the External port specified in Amplifi or whatever UPnP ports were set, Teleport loses connection. Even with an External port specified (which works for firewall rules), Teleport still needs to use many other ports.

    Basically, I think the only way to use teleport is to open router access rules to a huge port range. I wasn't expecting this. I can't be the only one who has Deny all router access default rules. Limited access rules have never caused problems in recent years with my sea of gadgets. At most I have to open a port or two to allow access for a given remote access type device. For Teleport to connect, it appears I need the very large range of ports. By comparison using IPSEC or OpenVPN stuff usually involves a port or two, or passthrough, and actually handled differently in router settings with less exposure.

    Here is a stripped down router access log just to show the many ports Teleport uses (with a single MacBook client connected) each minute when connected. The UPnP or specified External port set in port forwarding are used much less frequently than the wider range other ports over the duration of the connection:
    Feb 23 11:26:15 Allowed PROTO=TCP SPT=36509 DPT=9017
    Feb 23 11:26:15 Allowed PROTO=TCP SPT=24916 DPT=9017
    Feb 23 11:26:03 Allowed PROTO=TCP SPT=34437 DPT=9017
    Feb 23 11:25:56 Allowed PROTO=TCP SPT=30526 DPT=9017
    Feb 23 11:25:55 Allowed PROTO=TCP SPT=55043 DPT=9017
    Feb 23 11:25:50 Allowed PROTO=TCP SPT=41517 DPT=9017
    Feb 23 11:25:49 Allowed TCP SPT=42850 DPT=9017
    Feb 23 11:25:47 Allowed PROTO=TCP SPT=22148 DPT=9017
    Feb 23 11:25:46 Allowed PROTO=TCP SPT=62029 DPT=9017
    Feb 23 11:25:44 Allowed PROTO=TCP SPT=54162 DPT=9017
    Feb 23 11:25:43 Allowed PROTO=TCP SPT=18741 DPT=9017
    Feb 23 11:20:43 Allowed PROTO=UDP SPT=30719 DPT=9017

    Feb 23 11:05:36 Allowed PROTO=UDP SPT=36985 DPT=9017
    Feb 23 11:05:36 Allowed PROTO=UDP SPT=36985 DPT=9017
    Feb 23 11:05:21 Allowed PROTO=TCP SPT=57204 DPT=9017
    Feb 23 11:05:15 Allowed PROTO=UDP SPT=36985 DPT=9017
    Feb 23 11:05:15 Allowed PROTO=UDP SPT=36985 DPT=9017
    Feb 23 11:05:14 Allowed PROTO=UDP SPT=36985 DPT=9017
    Feb 23 11:05:14 Allowed PROTO=UDP SPT=36985 DPT=9017

  • @Andrejs-Hanins: is this something we can change?

  • @david-lee Specifying external port in settings.php and then setting up port forward of that external port to the same internal port number of your AmpliFi router should be enough to make Teleport work.

    Make sure to forward both UDP and TCP protocols. Set source port and IP address to "any". Source port of Teleport can be any number - this is normal and not a security threat.

  • @ubnt-karlis Strangely no luck. I followed that precisely. Router is Peplink Balance One. For each port forward rule I need to also set a firewall access rule. Works for other things which all have single port involved.

    If I specify an external IP in Amplifi router, create port forward, create access rules for only that port, Teleport will get stuck at connecting to home network.

    And oddly, even if I open source external port access rules to Any source port (along with single port port forwarding) I cannot get the teleport connection. My only working option is set External port to auto in Amplifi router, let UPnP rules automatically create in my main router, then in Peplink router access rules open a huge external port range and specify the same internal port from the UPnP forwarding table and set destination IP to Amplifi router.

    Each firewall access rule has an option to log activity. Once Teleport connection is established I can clearly see the many wide range of ports being used in the router access logs. It is those many ports that my router blocks unless I open the access rule.

    Allowed CONN=WAN1 MAC=foo SRC=<my T-mobile hotspot IP> DST=<internal Amplifi router LAN IP> LEN=60 TOS=0x10 PREC=0x00 TTL=52 ID=24236 DF PROTO=TCP SPT=57745 DPT=9017 WINDOW=7300 RES=0x00 SYN URGP=0 MARK=0xc

    The range and number of source ports used is significant. The destination port is static.

  • @david-lee Source ports for TCP always change per connection. That's how TCP and UDP work. It's very rarely static and considered broken when it is. It's the destination port that needs to be static. Source port should be 1024 -> 65535.

    RFC Reference if you're into that kind of thing. https://tools.ietf.org/html/rfc6056

  • @michael-eckhoff I generally understand how the ports work. Am I unique in using deny all inbound Firewall access rules and only opening a few specified ports as a best practice? I've operated with firewall deny all, open a couple ports with port forwarding as needed access rules for years now without issue. I use some other unique connectivity and remotely accessible products and occasionally VPN successfully.

    I probably should have read more about Teleport before buying. What I expected is that Teleport would create something like a VPN tunnel and I could configure my main router accordingly to support that. Or at least after the initial Teleport <--> Amplifi connection is established using UPnP or specified port forwarded port, Amplifi would establish connections/ports as needed with Teleport so the Firewall would know to allow the inbound traffic (three-way handshake). For whatever reason, in the current implementation, my router has no means to trust all these inbound connection requests.

    Since I don't always trust all the products I use or test on my home network, I'd rather not have to keep all the ports open for inbound connections to my Amplifi. Unless some Teleport changes are coming (this seems likely to me), I think I'm better off sticking with an OpenVPN/IPSec VPN solution for remote access.

  • @david-lee You'd be unique in using a deny rule to block all source ports. Even $100,000 firewalls don't do that by default.

    Most basic firewall rules are done as a 5 tuple rule. Action, Source, destination, port, and protocol with the port being the destination port since that's what the service listener binds to on the endpoint. You CAN further restrict source ports if you know for a fact they'll be static, but that's very rare and mostly unnecessary. The firewall will assume any (typically high level as in 1024-65535) source port by default as that's the standard.

    Take a look at netstat as you make a connection out to any website. You'll see the source port change every time, but the destination port will always be 80 or 443 (for standard sites).

    In my opinion as a network engineer, teleport is doing exactly what it should be doing. It's your firewall configuration that needs to be updated.

    OpenVPN will behave exactly the same way if you watch it on the wire. IPSec doesn't use ports except for the IKE connection on port 500 (which I do see as the same between source and destination ports for some implementations), but the real traffic goes over a different protocol than TCP or UDP (proto 50 or 51).
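
Added example, not part of any post in this thread: a small Python parser for router access-log lines in the format quoted above. It groups allowed connections by protocol and destination port and counts distinct source ports, giving the rule shape described in the last reply (match on destination port, source port "any"). The sample lines are a subset of the quoted log, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Subset of the access log quoted in the thread, embedded so this runs offline.
# One line lacks the "PROTO=" prefix, as in the original stripped-down log.
SAMPLE_LOG = """\
Feb 23 11:26:15 Allowed PROTO=TCP SPT=36509 DPT=9017
Feb 23 11:26:03 Allowed PROTO=TCP SPT=34437 DPT=9017
Feb 23 11:25:49 Allowed TCP SPT=42850 DPT=9017
Feb 23 11:20:43 Allowed PROTO=UDP SPT=30719 DPT=9017
Feb 23 11:05:36 Allowed PROTO=UDP SPT=36985 DPT=9017
Feb 23 11:05:15 Allowed PROTO=UDP SPT=36985 DPT=9017
"""

# Matches both the short lines and the long form (CONN=... SRC=... PROTO=TCP SPT=... DPT=...).
LINE_RE = re.compile(r"\b(TCP|UDP)\b.*?\bSPT=(\d+)\s+DPT=(\d+)")

def parse(log_text):
    """Yield (proto, src_port, dst_port) for every line that carries port fields."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))

def summarize(log_text):
    """Group by (proto, dst_port): connection count and the set of source ports seen."""
    flows = defaultdict(lambda: {"count": 0, "src_ports": set()})
    for proto, spt, dpt in parse(log_text):
        flows[(proto, dpt)]["count"] += 1
        flows[(proto, dpt)]["src_ports"].add(spt)
    return dict(flows)

def suggest_rules(log_text, min_ephemeral=1024):
    """One inbound allow rule per (proto, dst_port), source port left as 'any'.
    all_src_ephemeral is False if any observed source port is below min_ephemeral,
    which would be worth a closer look before writing the rule."""
    rules = []
    for (proto, dpt), info in sorted(summarize(log_text).items()):
        rules.append({
            "action": "allow", "proto": proto, "src_port": "any", "dst_port": dpt,
            "distinct_src_ports": len(info["src_ports"]),
            "all_src_ephemeral": all(p >= min_ephemeral for p in info["src_ports"]),
        })
    return rules

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

Run it over a full export of the access log to confirm that every allowed connection shares the same small set of destination ports before narrowing an Any-Any rule.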
