Connectivity Issue with UrBackup Client Not Accepting Connections from Server

Hello Community,

I am facing an issue with the UrBackup client on my network where the client is not accepting connections from the UrBackup server. I have the UrBackup client installed on a Linux machine and the server on a Windows machine. Both systems are within the same local network.

Client Version:

$ sudo urbackupclientbackend --version
UrBackup Client Backend v2.5.25.0
Copyright (C) 2011-2019 Martin Raiber
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Server (UrBackup 2.5.33) to Client:

PS D:\UrBackupServer> @(55413, 55414, 55415, 35623).ForEach({ Test-NetConnection -ComputerName "chuwi" -Port $_ | Select-Object ComputerName, TcpTestSucceeded, RemotePort })
WARNUNG: TCP connect to (192.168.178.173 : 55413) failed
WARNUNG: TCP connect to (192.168.178.173 : 55414) failed
WARNUNG: TCP connect to (192.168.178.173 : 55415) failed
WARNUNG: TCP connect to (192.168.178.173 : 35623) failed

ComputerName TcpTestSucceeded RemotePort
------------ ---------------- ----------
chuwi                   False      55413
chuwi                   False      55414
chuwi                   False      55415
chuwi                   False      35623

Client to Server:

$ sudo nmap -sT desktop-6p79g8t.local -p 55413,55414,55415,35623
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-13 18:39 UTC
Nmap scan report for desktop-6p79g8t.local (192.168.178.162)
Host is up (0.0028s latency).
rDNS record for 192.168.178.162: DESKTOP-6P79G8T.local

PORT      STATE    SERVICE
35623/tcp filtered unknown
55413/tcp open     unknown
55414/tcp open     unknown
55415/tcp open     unknown
MAC Address: D8:BB:C1:43:13:90 (Unknown)

tcpdump protocol:

$ sudo tcpdump -i any 'tcp port (55413 or 55414 or 55415 or 35623) or udp port 35622'
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:49:50.390927 enp1s0 In  IP DESKTOP-6P79G8T.local.44282 > chuwi.local.55413: Flags [S], seq 428408656, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:49:50.391064 enp1s0 Out IP chuwi.local.55413 > DESKTOP-6P79G8T.local.44282: Flags [R.], seq 0, ack 428408657, win 0, length 0
18:49:50.912775 enp1s0 In  IP DESKTOP-6P79G8T.local.44282 > chuwi.local.55413: Flags [S], seq 428408656, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:49:50.912899 enp1s0 Out IP chuwi.local.55413 > DESKTOP-6P79G8T.local.44282: Flags [R.], seq 0, ack 1, win 0, length 0
18:49:51.432293 enp1s0 In  IP DESKTOP-6P79G8T.local.44282 > chuwi.local.55413: Flags [S], seq 428408656, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:49:51.432433 enp1s0 Out IP chuwi.local.55413 > DESKTOP-6P79G8T.local.44282: Flags [R.], seq 0, ack 1, win 0, length 0
18:49:51.951284 enp1s0 In  IP DESKTOP-6P79G8T.local.44282 > chuwi.local.55413: Flags [S], seq 428408656, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:49:51.951429 enp1s0 Out IP chuwi.local.55413 > DESKTOP-6P79G8T.local.44282: Flags [R.], seq 0, ack 1, win 0, length 0
18:49:52.454016 enp1s0 In  IP DESKTOP-6P79G8T.local.44282 > chuwi.local.55413: Flags [S], seq 428408656, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:49:52.454144 enp1s0 Out IP chuwi.local.55413 > DESKTOP-6P79G8T.local.44282: Flags [R.], seq 0, ack 1, win 0, length 0
18:49:55.452420 enp1s0 In  IP DESKTOP-6P79G8T.local.44283 > chuwi.local.55414: Flags [S], seq 3909549676, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:49:55.452545 enp1s0 Out IP chuwi.local.55414 > DESKTOP-6P79G8T.local.44283: Flags [R.], seq 0, ack 3909549677, win 0, length 0
18:49:55.968389 enp1s0 In  IP DESKTOP-6P79G8T.local.44283 > chuwi.local.55414: Flags [S], seq 3909549676, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:49:55.968509 enp1s0 Out IP chuwi.local.55414 > DESKTOP-6P79G8T.local.44283: Flags [R.], seq 0, ack 1, win 0, length 0
18:49:56.480303 enp1s0 In  IP DESKTOP-6P79G8T.local.44283 > chuwi.local.55414: Flags [S], seq 3909549676, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:49:56.480439 enp1s0 Out IP chuwi.local.55414 > DESKTOP-6P79G8T.local.44283: Flags [R.], seq 0, ack 1, win 0, length 0
18:49:56.999605 enp1s0 In  IP DESKTOP-6P79G8T.local.44283 > chuwi.local.55414: Flags [S], seq 3909549676, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:49:56.999750 enp1s0 Out IP chuwi.local.55414 > DESKTOP-6P79G8T.local.44283: Flags [R.], seq 0, ack 1, win 0, length 0
18:49:57.523793 enp1s0 In  IP DESKTOP-6P79G8T.local.44283 > chuwi.local.55414: Flags [S], seq 3909549676, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:49:57.523919 enp1s0 Out IP chuwi.local.55414 > DESKTOP-6P79G8T.local.44283: Flags [R.], seq 0, ack 1, win 0, length 0
18:50:00.360157 enp1s0 In  IP DESKTOP-6P79G8T.local.44287 > chuwi.local.55415: Flags [S], seq 3527866430, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:50:00.360287 enp1s0 Out IP chuwi.local.55415 > DESKTOP-6P79G8T.local.44287: Flags [R.], seq 0, ack 3527866431, win 0, length 0
18:50:00.868454 enp1s0 In  IP DESKTOP-6P79G8T.local.44287 > chuwi.local.55415: Flags [S], seq 3527866430, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:50:00.868591 enp1s0 Out IP chuwi.local.55415 > DESKTOP-6P79G8T.local.44287: Flags [R.], seq 0, ack 1, win 0, length 0
18:50:01.388394 enp1s0 In  IP DESKTOP-6P79G8T.local.44287 > chuwi.local.55415: Flags [S], seq 3527866430, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:50:01.388524 enp1s0 Out IP chuwi.local.55415 > DESKTOP-6P79G8T.local.44287: Flags [R.], seq 0, ack 1, win 0, length 0
18:50:01.908445 enp1s0 In  IP DESKTOP-6P79G8T.local.44287 > chuwi.local.55415: Flags [S], seq 3527866430, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:50:01.908578 enp1s0 Out IP chuwi.local.55415 > DESKTOP-6P79G8T.local.44287: Flags [R.], seq 0, ack 1, win 0, length 0
18:50:02.416310 enp1s0 In  IP DESKTOP-6P79G8T.local.44287 > chuwi.local.55415: Flags [S], seq 3527866430, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:50:02.416449 enp1s0 Out IP chuwi.local.55415 > DESKTOP-6P79G8T.local.44287: Flags [R.], seq 0, ack 1, win 0, length 0
18:50:05.222820 enp1s0 In  IP DESKTOP-6P79G8T.local.44288 > chuwi.local.35623: Flags [S], seq 691695993, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:50:05.222916 enp1s0 Out IP chuwi.local.35623 > DESKTOP-6P79G8T.local.44288: Flags [R.], seq 0, ack 691695994, win 0, length 0
18:50:05.736304 enp1s0 In  IP DESKTOP-6P79G8T.local.44288 > chuwi.local.35623: Flags [S], seq 691695993, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:50:05.736443 enp1s0 Out IP chuwi.local.35623 > DESKTOP-6P79G8T.local.44288: Flags [R.], seq 0, ack 1, win 0, length 0
18:50:06.257344 enp1s0 In  IP DESKTOP-6P79G8T.local.44288 > chuwi.local.35623: Flags [S], seq 691695993, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:50:06.257479 enp1s0 Out IP chuwi.local.35623 > DESKTOP-6P79G8T.local.44288: Flags [R.], seq 0, ack 1, win 0, length 0
18:50:06.773077 enp1s0 In  IP DESKTOP-6P79G8T.local.44288 > chuwi.local.35623: Flags [S], seq 691695993, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:50:06.773168 enp1s0 Out IP chuwi.local.35623 > DESKTOP-6P79G8T.local.44288: Flags [R.], seq 0, ack 1, win 0, length 0
18:50:07.300299 enp1s0 In  IP DESKTOP-6P79G8T.local.44288 > chuwi.local.35623: Flags [S], seq 691695993, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:50:07.300423 enp1s0 Out IP chuwi.local.35623 > DESKTOP-6P79G8T.local.44288: Flags [R.], seq 0, ack 1, win 0, length 0
18:50:23.044425 enp1s0 B   IP DESKTOP-6P79G8T.local.35623 > 255.255.255.255.35622: UDP, length 1
^C
41 packets captured
42 packets received by filter
0 packets dropped by kernel

Client local Firewall:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
55413/tcp                  ALLOW IN    Anywhere
55414/tcp                  ALLOW IN    Anywhere
55415/tcp                  ALLOW IN    Anywhere
35623/tcp                  ALLOW IN    Anywhere
35622/udp                  ALLOW IN    Anywhere
7655/tcp                   ALLOW IN    Anywhere
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)
55413/tcp (v6)             ALLOW IN    Anywhere (v6)
55414/tcp (v6)             ALLOW IN    Anywhere (v6)
55415/tcp (v6)             ALLOW IN    Anywhere (v6)
35623/tcp (v6)             ALLOW IN    Anywhere (v6)
35622/udp (v6)             ALLOW IN    Anywhere (v6)
7655/tcp (v6)              ALLOW IN    Anywhere (v6)

Problem Description:
When I attempt to connect from the Windows server to the Linux client, the connections fail. Using Test-NetConnection from PowerShell on the Windows server indicates that all attempts to the client’s ports are unsuccessful (i.e., TcpTestSucceeded is False). Despite the client machine’s firewall rules allowing the necessary TCP and UDP ports, the server cannot establish a connection.

Technical Details:

  • The UrBackup client is configured to listen on 127.0.0.1 and [::1], which I realized limits it to localhost connections. This setup prevents the server from communicating with the client.
  • When checked with ss -tulnp, it confirms that the client is listening only on localhost for both IPv4 and IPv6.
  • Firewall settings on the client (managed via UFW) are properly configured to allow inbound connections on the required UrBackup ports (55413, 55414, 55415 for TCP and 35623, 35622 for UDP).

Attempts to Resolve:

  • I tried modifying the client configuration to listen on all interfaces by changing 127.0.0.1 to 0.0.0.0 and [::1] to [::], but how?

Does anyone have suggestions on how I might resolve this issue or further steps I can take to diagnose and address this problem effectively? Any advice on how to make the client accept external connections would be greatly appreciated.

I attach some screenshots, maybe it helps.



Logs are empty:

I also tried from the server:

$ sudo urbackupclientctl start --full
Error starting backup. No backup server found.

Thank you for any help you can provide!

Any idea?
From Urbackupserver:

PS C:\Users\User> Test-NetConnection -ComputerName 192.168.178.36 -Port 55413
WARNUNG: TCP connect to (192.168.178.36 : 55413) failed


ComputerName           : 192.168.178.36
RemoteAddress          : 192.168.178.36
RemotePort             : 55413
InterfaceAlias         : Ethernet
SourceAddress          : 192.168.178.162
PingSucceeded          : True
PingReplyDetails (RTT) : 2 ms
TcpTestSucceeded       : False



PS C:\Users\User> Test-NetConnection -ComputerName 192.168.178.36 -Port 55414
WARNUNG: TCP connect to (192.168.178.36 : 55414) failed


ComputerName           : 192.168.178.36
RemoteAddress          : 192.168.178.36
RemotePort             : 55414
InterfaceAlias         : Ethernet
SourceAddress          : 192.168.178.162
PingSucceeded          : True
PingReplyDetails (RTT) : 1 ms
TcpTestSucceeded       : False



PS C:\Users\User>

tcpdump urbackupclient:

$ sudo tcpdump -i any port 55413 or port 55414 -n
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
23:39:27.579176 enp1s0 In  IP 192.168.178.162.18484 > 192.168.178.36.55413: Flags [S], seq 3137527383, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:39:27.579326 enp1s0 Out IP 192.168.178.36.55413 > 192.168.178.162.18484: Flags [R.], seq 0, ack 3137527384, win 0, length 0
23:39:28.082452 enp1s0 In  IP 192.168.178.162.18484 > 192.168.178.36.55413: Flags [S], seq 3137527383, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:39:28.082601 enp1s0 Out IP 192.168.178.36.55413 > 192.168.178.162.18484: Flags [R.], seq 0, ack 1, win 0, length 0
23:39:28.585948 enp1s0 In  IP 192.168.178.162.18484 > 192.168.178.36.55413: Flags [S], seq 3137527383, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:39:28.586097 enp1s0 Out IP 192.168.178.36.55413 > 192.168.178.162.18484: Flags [R.], seq 0, ack 1, win 0, length 0
23:39:29.092979 enp1s0 In  IP 192.168.178.162.18484 > 192.168.178.36.55413: Flags [S], seq 3137527383, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:39:29.093128 enp1s0 Out IP 192.168.178.36.55413 > 192.168.178.162.18484: Flags [R.], seq 0, ack 1, win 0, length 0
23:39:29.599406 enp1s0 In  IP 192.168.178.162.18484 > 192.168.178.36.55413: Flags [S], seq 3137527383, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:39:29.599550 enp1s0 Out IP 192.168.178.36.55413 > 192.168.178.162.18484: Flags [R.], seq 0, ack 1, win 0, length 0
23:39:36.344217 enp1s0 In  IP 192.168.178.162.18485 > 192.168.178.36.55414: Flags [S], seq 1089593205, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:39:36.344362 enp1s0 Out IP 192.168.178.36.55414 > 192.168.178.162.18485: Flags [R.], seq 0, ack 1089593206, win 0, length 0
23:39:36.859990 enp1s0 In  IP 192.168.178.162.18485 > 192.168.178.36.55414: Flags [S], seq 1089593205, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:39:36.860141 enp1s0 Out IP 192.168.178.36.55414 > 192.168.178.162.18485: Flags [R.], seq 0, ack 1, win 0, length 0
23:39:37.367407 enp1s0 In  IP 192.168.178.162.18485 > 192.168.178.36.55414: Flags [S], seq 1089593205, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:39:37.367558 enp1s0 Out IP 192.168.178.36.55414 > 192.168.178.162.18485: Flags [R.], seq 0, ack 1, win 0, length 0
23:39:37.871714 enp1s0 In  IP 192.168.178.162.18485 > 192.168.178.36.55414: Flags [S], seq 1089593205, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:39:37.871862 enp1s0 Out IP 192.168.178.36.55414 > 192.168.178.162.18485: Flags [R.], seq 0, ack 1, win 0, length 0
23:39:38.376050 enp1s0 In  IP 192.168.178.162.18485 > 192.168.178.36.55414: Flags [S], seq 1089593205, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:39:38.376200 enp1s0 Out IP 192.168.178.36.55414 > 192.168.178.162.18485: Flags [R.], seq 0, ack 1, win 0, length 0
^C
20 packets captured
22 packets received by filter
0 packets dropped by kernel

netstat

$ sudo netstat -tulnp | grep 5541[34]

is empty

Push?

I disabled the Windows 11 firewall and ufw.
Both server and client are on the same network.
But the client is still offline… same network. No firewall.

I can install the client, but after that the client is offline.

Uninstalled the UrBackup server, uninstalled the client from the server.
Installed everything anew.

I can install and register the client, last seen “28.05.24 20:49”, but after that it is shown as offline.

In the Windows firewall I changed from Public to everything: “Private, Domain and Public”.

On the client, ufw is disabled.

Where can I search for the solution? I just want to back up some folders… :confused:

Hello!

I try to help you to resolve it.

When the client and server are on the same network, the mechanism works as follows:

  1. The UrBackup client listens on port 35623 UDP.
  2. Approximately once a minute, the server sends a broadcast packet via UDP on port 35623.
  3. The client receives this packet on port 35623 UDP and responds to the server, then the client connects to the server.

Here is the output of netstat -tuln on one of the clients running Debian. As you can see, the port is being listened to (udp 0.0.0.0:35622).

I suspect that for some reason, the broadcast packets are not reaching the client (maybe something in your network is filtering them).

Please run “sudo tcpdump -i eth0 udp port 35622” on the client and check if it receives packets on udp 0.0.0.0:35622.

Execute the commands below on the client. Then send your output. Disable firewalls before checking.

My output from one of my Linux clients:

netstat -tuln

Command output:
root@nas1:~# netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:57729 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:35621 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:35623 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:57737 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.104:5357 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:61209 0.0.0.0:* LISTEN
tcp6 0 0 :::445 :::* LISTEN
tcp6 0 0 :::57730 :::* LISTEN
tcp6 0 0 :::10050 :::* LISTEN
tcp6 0 0 :::35621 :::* LISTEN
tcp6 0 0 :::35623 :::* LISTEN
tcp6 0 0 :::139 :::* LISTEN
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 0.0.0.0:35622 0.0.0.0:*
udp 0 0 0.0.0.0:60412 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 239.255.255.250:3702 0.0.0.0:*
udp 0 0 192.168.1.104:68 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 192.168.1.255:137 0.0.0.0:*
udp 0 0 192.168.1.104:137 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.1.255:138 0.0.0.0:*
udp 0 0 192.168.1.104:138 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp 0 0 0.0.0.0:51942 0.0.0.0:*
udp6 0 0 :::5353 :::*
udp6 0 0 :::56818 :::*
udp6 0 0 :::111 :::*
udp6 0 0 ::1:323 :::*

ip a

root@nas1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 2e:20:f5:8f:9f:13 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.104/24 brd 192.168.1.255 scope global dynamic eth0
valid_lft 336sec preferred_lft 336sec

sudo tcpdump -i eth0 udp port 35622

root@nas1:~# sudo tcpdump -i eth0 udp port 35622
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:12:46.851152 IP 192.168.1.150.35623 > 255.255.255.255.35622: UDP, length 1
02:12:47.008408 IP nas1.local.35622 > 192.168.1.150.35623: UDP, length 24
02:13:37.384585 IP 192.168.1.150.35623 > 255.255.255.255.35622: UDP, length 1
02:13:37.470828 IP nas1.local.35622 > 192.168.1.150.35623: UDP, length 24
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
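
Added example, not part of the thread and not UrBackup code: a small Python parser for tcpdump text like the captures above. It separates a SYN answered with RST (the packet reached the host, but nothing accepted it on that port) from a SYN that got no answer, and pairs each discovery probe to UDP 35622 with the hosts that replied. The sample capture and its 192.0.2.x addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed capture in the same text format as the tcpdump output above.
SAMPLE = """\
10:00:00.000001 eth0 In  IP 192.0.2.10.44282 > 192.0.2.20.35623: Flags [S], seq 1, win 64240, length 0
10:00:00.000100 eth0 Out IP 192.0.2.20.35623 > 192.0.2.10.44282: Flags [R.], seq 0, ack 2, win 0, length 0
10:00:01.000001 eth0 In  IP 192.0.2.10.44283 > 192.0.2.20.35621: Flags [S], seq 5, win 64240, length 0
10:00:01.000100 eth0 Out IP 192.0.2.20.35621 > 192.0.2.10.44283: Flags [S.], seq 9, ack 6, win 65160, length 0
10:00:02.000001 eth0 In  IP 192.0.2.10.44284 > 192.0.2.20.8080: Flags [S], seq 7, win 64240, length 0
10:00:03.000001 eth0 B   IP 192.0.2.10.35623 > 255.255.255.255.35622: UDP, length 1
10:00:03.000200 eth0 Out IP 192.0.2.20.35622 > 192.0.2.10.35623: UDP, length 24
10:00:04.000001 eth0 B   IP 192.0.2.11.35623 > 255.255.255.255.35622: UDP, length 1
"""

# Accepts "-i any" lines ("eth0 In  IP ...") and single-interface lines ("IP ...").
LINE = re.compile(
    r"^\S+\s+(?:\S+\s+(?:In|Out|B|M|P)\s+)?IP6?\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS = re.compile(r"Flags \[([^\]]+)\]")

VERDICTS = {
    # RST comes from the target's own stack: no socket is bound to that
    # address/port (a firewall REJECT rule with tcp-reset looks the same).
    "refused": "host reachable, nothing listening on this address/port",
    "listening": "SYN/ACK seen, a service accepted the connection",
    # No answer in the capture: a DROP rule or a filter on the path.
    "no_reply": "SYN unanswered, dropped by a firewall or on the path",
}


def parse(lines):
    """Yield regex matches for every line that looks like a tcpdump packet."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m


def classify_tcp(lines):
    """Return {(host, port): verdict} for every TCP port that received a SYN."""
    verdict = {}
    for m in parse(lines):
        f = FLAGS.search(m["rest"])
        if not f:
            continue
        flags = f.group(1)
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        if flags == "S":
            verdict.setdefault(dst, "no_reply")   # retransmits keep the verdict
        elif src in verdict and flags.startswith("R"):
            verdict[src] = "refused"
        elif src in verdict and flags == "S.":
            verdict[src] = "listening"
    return verdict


def discovery_exchanges(lines, port=35622):
    """Return {prober: [hosts that replied]} for UDP discovery on `port`."""
    probers, replies = [], defaultdict(set)
    for m in parse(lines):
        if not m["rest"].startswith("UDP"):
            continue
        if int(m["dport"]) == port and m["src"] not in probers:
            probers.append(m["src"])              # server probing for clients
        elif int(m["sport"]) == port:
            replies[m["dst"]].add(m["src"])       # client answering a server
    return {p: sorted(replies[p]) for p in probers}


if __name__ == "__main__":
    for (host, port), v in classify_tcp(SAMPLE.splitlines()).items():
        print(f"{host}:{port:<6} {v:<10} {VERDICTS[v]}")
    for server, clients in discovery_exchanges(SAMPLE.splitlines()).items():
        print(f"discovery from {server}: replies from {clients or 'nobody'}")
```
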

Hey Dmitrius7,

Thank you for your response!

I switched from using the DNS name to the IP address here:

Now the client receives some packets:

$ sudo tcpdump -i enp1s0 udp port 35622
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp1s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:50:35.688065 IP6 fe80::9d98:8d96:8d77:2613.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:50:35.688297 IP6 2a02:8109:b318:ef00:fd98:101c:8e47:7f14.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:50:35.688563 IP6 2a02:8109:b318:ef00:cc50:da59:e54b:ad01.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:50:35.688735 IP DESKTOP-6P79G8T.local.35623 > 255.255.255.255.35622: UDP, length 1
18:50:35.692116 IP nipogi.local.35622 > DESKTOP-6P79G8T.local.35623: UDP, length 8
18:51:25.987139 IP6 fe80::9d98:8d96:8d77:2613.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:51:25.987540 IP6 2a02:8109:b318:ef00:fd98:101c:8e47:7f14.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:51:25.987894 IP6 2a02:8109:b318:ef00:cc50:da59:e54b:ad01.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:51:25.988139 IP DESKTOP-6P79G8T.local.35623 > 255.255.255.255.35622: UDP, length 1
18:51:26.253531 IP nipogi.local.35622 > DESKTOP-6P79G8T.local.35623: UDP, length 8
18:52:16.543276 IP6 fe80::9d98:8d96:8d77:2613.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:52:16.543709 IP6 2a02:8109:b318:ef00:fd98:101c:8e47:7f14.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:52:16.544894 IP6 2a02:8109:b318:ef00:cc50:da59:e54b:ad01.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:52:16.545069 IP DESKTOP-6P79G8T.local.35623 > 255.255.255.255.35622: UDP, length 1
18:52:16.893516 IP nipogi.local.35622 > DESKTOP-6P79G8T.local.35623: UDP, length 8
18:53:07.207530 IP6 fe80::9d98:8d96:8d77:2613.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:53:07.207715 IP6 2a02:8109:b318:ef00:fd98:101c:8e47:7f14.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:53:07.208211 IP6 2a02:8109:b318:ef00:cc50:da59:e54b:ad01.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:53:07.208305 IP DESKTOP-6P79G8T.local.35623 > 255.255.255.255.35622: UDP, length 1
18:53:07.451777 IP nipogi.local.35622 > DESKTOP-6P79G8T.local.35623: UDP, length 8
18:53:57.737382 IP6 fe80::9d98:8d96:8d77:2613.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:53:57.737729 IP6 2a02:8109:b318:ef00:fd98:101c:8e47:7f14.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:53:57.738210 IP6 2a02:8109:b318:ef00:cc50:da59:e54b:ad01.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:53:57.738417 IP DESKTOP-6P79G8T.local.35623 > 255.255.255.255.35622: UDP, length 1
18:53:57.852735 IP nipogi.local.35622 > DESKTOP-6P79G8T.local.35623: UDP, length 8
18:54:48.171402 IP6 fe80::9d98:8d96:8d77:2613.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:54:48.171835 IP6 2a02:8109:b318:ef00:fd98:101c:8e47:7f14.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:54:48.172204 IP6 2a02:8109:b318:ef00:cc50:da59:e54b:ad01.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:54:48.172447 IP DESKTOP-6P79G8T.local.35623 > 255.255.255.255.35622: UDP, length 1
18:54:48.239968 IP nipogi.local.35622 > DESKTOP-6P79G8T.local.35623: UDP, length 8
18:55:38.545583 IP6 fe80::9d98:8d96:8d77:2613.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:55:38.546080 IP6 2a02:8109:b318:ef00:fd98:101c:8e47:7f14.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:55:38.546480 IP6 2a02:8109:b318:ef00:cc50:da59:e54b:ad01.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:55:38.546706 IP DESKTOP-6P79G8T.local.35623 > 255.255.255.255.35622: UDP, length 1
18:55:38.804900 IP nipogi.local.35622 > DESKTOP-6P79G8T.local.35623: UDP, length 8
18:56:29.097576 IP6 fe80::9d98:8d96:8d77:2613.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:56:29.098171 IP6 2a02:8109:b318:ef00:fd98:101c:8e47:7f14.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:56:29.098449 IP6 2a02:8109:b318:ef00:cc50:da59:e54b:ad01.35623 > ff12::f894:d:dd00:ef91.35622: UDP, length 1
18:56:29.098699 IP DESKTOP-6P79G8T.local.35623 > 255.255.255.255.35622: UDP, length 1
18:56:29.354138 IP nipogi.local.35622 > DESKTOP-6P79G8T.local.35623: UDP, length 8
^C
40 packets captured
134 packets received by filter
0 packets dropped by kernel

The client is now online:

However, it only works with no internet client configuration:

#If true client will not bind to any external network ports (either true or false)
#INTERNET_ONLY=true
INTERNET_ONLY=false

I’m not entirely happy with this setup, but it works for now. I need to understand why this configuration works to fully trust this backup system. I hope to understand it better in the future.

My goal is to better understand which ports need to be opened and in which direction.

According to the documentation:

10.3 Used Network Ports

The Server binds to the following default ports:

Port Usage Incoming/Outgoing Protocol
55413 FastCGI for web interface Incoming TCP
55414 HTTP web interface Incoming TCP
55415 Internet clients Incoming TCP
35623 UDP broadcasts for discovery Outgoing UDP

The Client binds to the following default ports (all incoming):

Port Usage Protocol
35621 Sending files during file backups (file server) TCP
35622 UDP broadcasts for discovery UDP
35623 Commands and image backups TCP

Summary of Required Ports:

  • Server:
    • Outgoing: 35623 (UDP broadcasts for discovery)
    • Incoming: 55415 (Internet clients), 55414 (HTTP web interface)
  • Client:
    • Incoming: 35621 (Sending files during file backups), 35623 (Commands and image backups), 35622 (UDP broadcasts for discovery)

Areas of Confusion:

  1. Functionality of Internet Clients and Encryption:

    • How exactly do the internet clients operate to ensure encryption is properly utilized?
  2. Port 35621 Usage:

    • The documentation specifies that port 35621 is used for sending files during file backups and must be open for incoming connections on the client. However, there is no mention of the server needing to use this port outgoing. Why must the client open a port that the server does not utilize outgoing?

Any insights or clarifications on these points would be greatly appreciated. Understanding the port configurations thoroughly is crucial for securing and optimizing the backup system.

My Clients Firewall:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
7655/tcp                   ALLOW       Anywhere                   # SSH
35621/tcp                  ALLOW       Anywhere                   # UrBackup Client Kommunikation
35622/udp                  ALLOW       Anywhere                   # UrBackup Client Entdeckung
35623/tcp                  ALLOW       Anywhere
55413/tcp                  ALLOW       Anywhere
55414/tcp                  ALLOW       Anywhere
55415/tcp                  ALLOW       Anywhere
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
7655/tcp (v6)              ALLOW       Anywhere (v6)              # SSH
35621/tcp (v6)             ALLOW       Anywhere (v6)              # UrBackup Client Kommunikation
35622/udp (v6)             ALLOW       Anywhere (v6)              # UrBackup Client Entdeckung
35623/tcp (v6)             ALLOW       Anywhere (v6)
55413/tcp (v6)             ALLOW       Anywhere (v6)
55414/tcp (v6)             ALLOW       Anywhere (v6)
55415/tcp (v6)             ALLOW       Anywhere (v6)

Thanks again for your help!
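
Added example, not part of the thread and not UrBackup code: a Python check of `ufw status` output on a client against the port table quoted from the documentation above. It reports ALLOW rules for ports that the table assigns to the server, client ports open to any source, and documented client ports with no ALLOW rule. The sample status text and the 192.0.2.10 server address are constructed, and restricting client ports to the server's address is this example's suggestion, not something the thread requires.

```python
import re

# From the documentation table quoted above.
CLIENT_PORTS = {(35621, "tcp"), (35622, "udp"), (35623, "tcp")}  # bound by the client
SERVER_PORTS = {(55413, "tcp"), (55414, "tcp"), (55415, "tcp")}  # bound by the server

# Constructed `ufw status verbose` rule table for a client machine.
SAMPLE = """\
Status: active
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
7655/tcp                   ALLOW IN    Anywhere
55414/tcp                  ALLOW IN    Anywhere
35623/tcp                  ALLOW IN    192.0.2.10
35622/udp                  ALLOW IN    Anywhere                   # discovery
55414/tcp (v6)             ALLOW IN    Anywhere (v6)
"""

# One rule row: "<ports>/<proto> [(v6)]  ACTION [IN|OUT]  <source>  [# comment]"
RULE = re.compile(
    r"^(?P<ports>[\d,]+)/(?P<proto>tcp|udp)\b.*?\s"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?: IN| OUT)?\s+"
    r"(?P<src>\S.*?)(?:\s{2,}#.*)?$"
)


def audit_client_rules(status_text):
    """Return a list of (port/proto, source, finding) for a client's ufw table.

    Findings:
      server-port-on-client  rule opens a port only the server binds
      any-source             client port reachable from any address
      missing                documented client port with no ALLOW rule
                             (matters when the default incoming policy is deny)
    """
    findings, allowed = [], set()
    for raw in status_text.splitlines():
        m = RULE.match(raw.strip())
        if not m or m["action"] != "ALLOW":
            continue
        for port in (int(p) for p in m["ports"].split(",")):
            key, name = (port, m["proto"]), f"{port}/{m['proto']}"
            if key in SERVER_PORTS:
                findings.append((name, m["src"], "server-port-on-client"))
            elif key in CLIENT_PORTS:
                allowed.add(key)
                if m["src"].startswith("Anywhere"):
                    findings.append((name, m["src"], "any-source"))
    for port, proto in sorted(CLIENT_PORTS - allowed):
        findings.append((f"{port}/{proto}", None, "missing"))
    return findings


if __name__ == "__main__":
    for name, src, finding in audit_client_rules(SAMPLE):
        print(f"{name:<10} {finding:<22} {src or '-'}")
```
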

This setting only specifies the address where your UrBackup server site should be opened. It does not affect client connections.

I don’t use it at all because I don’t want users to be able to restore data on their own. The field is left blank.

However, it only works with no internet client configuration:
INTERNET_ONLY=false

This setting enables the client to work ONLY over the internet! In this mode, the client will not see the server on the local network, which might be what happened in your case. More specifically, the client ignores incoming packets from the server on the local network and instead immediately tries to connect to the UrBackup internet server.

In normal mode, this setting should be:
INTERNET_ONLY=false

This does not mean that the UrBackup client will work only on the local network and will not connect to the UrBackup internet server.
When the UrBackup service is started on the client, the client waits for packets from the local server for 3 minutes. If it does not receive them within 3 minutes, it then starts connecting to the internet backup server.

I’m not entirely happy with this setup, but it works for now. I need to understand why this configuration works to fully trust this backup system. I hope to understand it better in the future.

I have been using UrBackup in production for over 5 years. It works very reliably, and there has never been a time when I couldn’t restore something from a backup. I use Debian or Ubuntu as the server and btrfs and ZFS as the file systems. I prefer ZFS because I can connect NVME caches (cache vdev and special vdev), which provides a significant performance boost.

Regarding security and ports.

I connect to the web interface through HTTPS, which needs to be configured separately. I created a ready-made tool: GitHub - Dmitrius7/UrBackup_simple_make_web_via_ssl_https: UrBackup. Simple make web interface accessible via SSL (nginx)

I allow access to the admin panel based on a whitelist of IP addresses:

My ufw rules:

Allow web interface access only to the whitelist IPs

55416 - HTTPS port for accessing the web admin panel

ufw allow from YOUR_IP to any port 55413,55414,55416 proto tcp comment "URB web ports. Trusted IP"
ufw allow from YOUR_IP to any port 55413,55414,55416 proto tcp comment "URB web ports. Trusted IP"

55415 - Port for internet backups. This is the only port open to the outside (from the internet). It cannot be used to manage the server or cause any harm; it is solely for connecting clients over the internet.

55415 - Port for internet clients available to everyone from the internet. If the server is behind NAT, only this port should be forwarded!
ufw allow proto tcp to 0.0.0.0/0 port 55415 comment "URB internet backups"

35623 - This port is needed for local network backups (NOT internet backups). The outgoing port is for broadcasting, where the UrBackup server sends broadcast packets that clients on the local network receive and respond to. This is how local clients connect to the server (waiting for an invitation from the server). If this rule is not added, clients will not be found.

ufw allow proto udp to 0.0.0.0/0 port 35623 comment "URB UDP broadcast for discovery"

Thus, if your UrBackup server is behind NAT, only port 55415 (internet backup port) needs to be forwarded. This setup ensures maximum security.


When I started studying UrBackup, I spent an enormous amount of time understanding the nuances.
Unfortunately, some things are not documented, so I had to figure them out myself. I wrote detailed instructions for myself on the issues I encountered that are not described in the documentation.
By the way, if @uroni allows, I would be happy to supplement the documentation. I have a large amount of ready material.
