Reach Your Network Remotely

When you share an internet connection among one or more computers on a local network using private addresses, you gain the advantage of some privacy: all the machines are locked away from the rest of the internet by default. However, you also give up having an easy way to connect from the outside world to services (say, a gaming server or a computer with remote desktop access) that are located on one of those local computers.

But just because it isn’t easy doesn’t mean it’s not possible. In this chapter, I look at how you can configure gateways to route access from the outside world to specific computers, smart-home gear, and other devices for particular purposes.

Know Your Options

For systems outside your local network to reach devices on the LAN side of your gateway, you have to pursue one or more of the following four strategies:

  • Port mapping: With a fixed address for a LAN-based device, you can create a connection between a sort of IP address cubbyhole, called a port, on the gateway and another port on the device. This port mapping exposes the local device’s service that relies on that port to the outside world as if it’s directly on the internet. Port mapping typically requires a DHCP reservation or a static address for a device on the LAN.

  • Automatic punch-through: Some software and devices rely on one of a few protocols that talk directly to the gateway and negotiate an opening automatically (punching through a connection), almost always UPnP (Universal Plug and Play); Apple’s AirPort routers used the similar NAT-PMP. This automatic management is terrific, because in most cases you don’t have to do any configuration other than turning the feature on, and thus don’t have to lock a device to a fixed IP address or reconfigure gateway settings when devices or services change.

  • Use one computer as your default host: A coarser way to make remote access work is to let a single computer behind NAT act as though it’s directly connected to the internet. This option fits limited cases where you want one machine to be reachable from the internet on any of its ports without obtaining publicly routable IP addresses from your ISP for the computers on your network. I describe this in Set a Default Host for Full Access.

While I explain the three items above in their own sections in this chapter, there’s one more method for reaching a computer remotely. It’s self-explanatory, as it requires no configuration on your part after installation:

  • Remote connections between central servers: Some kinds of software, notably remote screen-control software for computers, can punch through gateways, double-NAT configurations, and all sorts of nonsense. They accomplish this by having both the device from which you’re connecting and the device to which you’re connecting open a session with a central server under the service’s control. Instead of a device-to-device connection, this device-to-server-to-device path avoids mapping or punching your way through. Such services include the remote desktop service TeamViewer, as well as Apple’s macOS-only remote desktop and file-sharing access, Back to My Mac (since discontinued by Apple), as explained in this Apple support document.

Map Ports for Remote Access

Port mapping relies on network address translation (NAT). NAT sits between the router’s WAN IP address, which is reachable from a larger network or the public internet, and the private addresses hidden behind it on the access point’s LAN.

NAT Maps Private to Public Connections

When a computer within the LAN wants to connect to the internet, the NAT software creates an association between that computer’s outgoing connection and a public port on the WAN IP address of the access point.

When, for instance, a LAN-connected computer wants to retrieve a webpage, that computer might send a request from its IP address (192.168.1.100) using port 5509. (The source port for an outbound connection is picked more or less arbitrarily from the range above 1023, the so-called ephemeral ports; numbers below 1024 are reserved for well-known services.)

The gateway receives that connection and sends the request over the internet from its own WAN IP address and, typically, a different port. So the gateway’s request might originate from a public address such as 36.44.0.6 with a port of 12087.

The web server receiving the request doesn’t know about the original computer behind the NAT. Rather, the web server responds by sending the HTML for the requested webpage to port 12087 on IP 36.44.0.6. The gateway keeps a table of associations between public and private ports and addresses, looks up port 12087, and hands the reply to the machine that requested it. Traffic arriving for a public port with no matching entry is simply dropped, which is exactly why inbound connections fail by default. This process is ugly, but it works reliably, almost all the time.

Port Mapping Maps Public to Private Connections

With port mapping, you create a persistent connection that allows computers outside the LAN to connect to computers inside it. Port mapping lets you expose limited services in a way that you control.

When you map a port, you make the gateway connect one of its internet-accessible ports to the same (or a different) port on a computer on the otherwise-private inside network.

The gateway listens for traffic on the specific port on its public, WAN interface. When traffic arrives and a connection needs to be opened, the gateway reroutes the traffic from that public interface port to the appropriate private address on its LAN interface, whether that’s a Wi-Fi LAN or a wired LAN. In Figure 46, I show how two separate port mappings are passed through the gateway. Two people, one at Indiana University and one on the local network, connect to play Team Fortress 2 (thin blue lines), while a browser in Kuala Lumpur requests a webpage from the network’s web server (thin red lines).

Figure 46: The gateway rewrites addresses and maps ports on the fly to connect inside and outside services and users.

Setting up port mapping has two parts, both configured on your gateway: a persistent private (“reserved”) IP address for a computer on the LAN, and a persistent mapping between a port on the gateway and a port on that LAN computer. In the topics ahead, I explain how to complete both of these tasks.
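To make the two directions concrete, here is a small Python model of the gateway’s translation table. It is an added example, not code from the book or from any gateway’s firmware. It replays the webpage fetch above (the book’s 192.168.1.100 and 36.44.0.6), an unsolicited knock that gets dropped, an inbound request admitted by a static port mapping, and, optionally, the default-host behavior described in Set a Default Host for Full Access later in this chapter. The outside addresses (198.51.100.10, 203.0.113.9) and the web server’s reserved address 192.168.1.20 are made up for the example.

```python
"""Toy model of a NAT gateway's translation table (added example, not from the book).

Addresses are constructed: the book's 192.168.1.100 and 36.44.0.6, plus the
documentation ranges 198.51.100.0/24 and 203.0.113.0/24 for hosts on the internet.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str = ""


@dataclass
class NatGateway:
    wan_ip: str
    # Static port mappings you configure by hand: WAN port -> (LAN address, LAN port).
    port_maps: Dict[int, Endpoint] = field(default_factory=dict)
    # Optional default (DMZ) host: receives every inbound port no other rule claims.
    default_host: Optional[str] = None
    # Dynamic table for outbound connections, kept in both directions. Real gateways
    # key this on the whole connection (remote address and port too); one entry per
    # LAN source is enough to show the idea.
    _out: Dict[Endpoint, int] = field(default_factory=dict)
    _in: Dict[int, Endpoint] = field(default_factory=dict)
    _next_port: int = 12087

    def _allocate_port(self) -> int:
        """Next free public port, skipping ports already claimed by static mappings."""
        while self._next_port in self.port_maps or self._next_port in self._in:
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: record the association and rewrite the source address."""
        wan_port = self._out.get(pkt.src)
        if wan_port is None:
            wan_port = self._allocate_port()
            self._out[pkt.src] = wan_port
            self._in[wan_port] = pkt.src
        return Packet((self.wan_ip, wan_port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only if some rule claims the destination port.

        Returns the rewritten packet, or None when the gateway drops it.
        """
        wan_port = pkt.dst[1]
        if wan_port in self._in:            # reply to something a LAN host started
            return Packet(pkt.src, self._in[wan_port], pkt.payload)
        if wan_port in self.port_maps:      # explicit port mapping
            return Packet(pkt.src, self.port_maps[wan_port], pkt.payload)
        if self.default_host is not None:   # default host takes everything else, same port
            return Packet(pkt.src, (self.default_host, wan_port), pkt.payload)
        return None                         # unsolicited: nobody inside ever hears it


def walk_through(default_host: Optional[str] = None) -> Dict[str, Optional[Packet]]:
    """Replay the chapter's scenarios and return each resulting packet for inspection."""
    gw = NatGateway(wan_ip="36.44.0.6",
                    port_maps={80: ("192.168.1.20", 8080)},  # web server on a reserved address
                    default_host=default_host)
    # A LAN browser asks a web server on the internet for a page.
    request = gw.outbound(Packet(("192.168.1.100", 5509), ("198.51.100.10", 80), "GET /"))
    # The web server answers the only address it saw: the gateway's WAN side.
    reply = gw.inbound(Packet(("198.51.100.10", 80), request.src, "200 OK"))
    # Someone on the internet knocks on port 22, unasked.
    stray = gw.inbound(Packet(("203.0.113.9", 40000), ("36.44.0.6", 22), "SSH-2.0"))
    # The browser in Kuala Lumpur hits port 80: the static map forwards it inside.
    mapped = gw.inbound(Packet(("203.0.113.9", 40001), ("36.44.0.6", 80), "GET /"))
    return {"request": request, "reply": reply, "stray": stray, "mapped": mapped}


if __name__ == "__main__":
    for name, pkt in walk_through().items():
        print(name, "dropped" if pkt is None else f"{pkt.src} -> {pkt.dst}")
```

Run it as is to see the stray SSH knock dropped; pass a LAN address to `walk_through()` to see how a default host turns that same knock into a delivered packet.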

Set a Reserved Address

For each computer with which you want to use port mapping, you should create a DHCP reservation, which I described in Reserved Addresses, earlier. As you work, I suggest that you create a text file or other list that includes the name of each computer (described by its owner or its unique name) along with the corresponding reserved addresses. Once you’ve reserved addresses, you can set up effective port mapping.

To use port mapping, you need to know which ports to map. This can be trivial. You could map port 80 on the public side to port 80 on a given computer on the private LAN, and establish a web server connection, for instance. For games, streaming media, and other purposes, you might need to set up a bunch of ports.

Example: Set Port Mapping for a Web Server

With a web server running on a computer on the network, we need to set up the access point to pass traffic to the newly configured port:

  • Set up the server on the LAN-based computer and note its private, reserved IP address. If the server listens on something other than the standard port for plain web access (80) or secure web connections (443), note that port as well.

  • On the gateway, find the section for port mapping or virtual servers and enter:

    • The outside port number, which might be 80 or 443 or another port (see the sidebar, next). For more complicated servers, you may be able to select from a pop-up menu that populates all the necessary ports if it’s more than one.

    • The inside port number from your LAN computer.

    • The private IP address from your LAN computer.

  • Apply the changes and restart the gateway if that’s required.

Now try to connect from outside your network to the web server you enabled. The easiest way is with a phone: turn off its Wi-Fi so that it connects over cellular, which puts it outside your LAN, and enter your gateway’s WAN address and the outside port in its browser.

If the connection doesn’t work, recheck your ports. Also make sure the computer running the service doesn’t have an active firewall blocking incoming connections, and that the service is listening on the computer’s LAN address rather than only on localhost (127.0.0.1). Finally, some ISPs block inbound traffic on common ports such as 80, and some put customers behind their own NAT (carrier-grade NAT); in that case your gateway never sees the inbound connection, and port mapping can’t work no matter how you configure it.
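When that test fails, the way it fails is informative. The following Python probe is added here as an example, not something from the book: it attempts one TCP connection and classifies the result, and the table of likely causes is a set of rules of thumb, not a diagnosis. Run it from a machine outside your LAN (a laptop tethered to a phone, say) as `python3 probe.py WAN_ADDRESS OUTSIDE_PORT`. The `self_test()` function demonstrates the “open” and “refused” outcomes against a loopback listener, so the script also runs where no gateway is available.

```python
"""Classify what a TCP connection attempt says about a port mapping (added example).

Run from *outside* the LAN against WAN_ADDRESS:OUTSIDE_PORT. self_test() uses only
the loopback interface so it works anywhere.
"""
import socket
import threading
from typing import Tuple

# What each outcome usually means when probing the WAN address from off-network.
LIKELY_CAUSE = {
    "open": "the mapping works; any remaining trouble is in the service itself",
    "refused": "the packet reached a host that answered with a reset: the mapping points "
               "at a machine, but nothing listens on the inside port or its firewall rejects it",
    "timeout": "the packet vanished: no mapping (or wrong outside port) on the gateway, "
               "a firewall silently dropping it, or an ISP block",
    "unreachable": "no route to that address at all: check the WAN address you typed",
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Try one TCP connect; return 'open', 'refused', 'timeout' or 'unreachable'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # RST came back: host is there, port is closed
        return "refused"
    except socket.timeout:              # SYN went unanswered
        return "timeout"
    except OSError:                     # e.g. network unreachable, no route to host
        return "unreachable"
    finally:
        sock.close()


def explain(host: str, port: int) -> Tuple[str, str]:
    """Probe and pair the outcome with its likely cause."""
    result = probe_tcp(host, port)
    return result, LIKELY_CAUSE[result]


def self_test() -> Tuple[str, str]:
    """'open' against a live loopback listener, then 'refused' once it is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]

    def accept_once() -> None:
        conn, _ = listener.accept()
        conn.close()

    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()
    while_listening = probe_tcp("127.0.0.1", port)
    worker.join(timeout=3)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)  # nothing listens now: reset -> 'refused'
    return while_listening, after_close


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(*explain(sys.argv[1], int(sys.argv[2])))
    else:
        print("self-test:", self_test())
```

The useful distinction is “refused” versus “timeout”: a reset means your mapping delivered the packet to a machine and the problem is on that machine, while a timeout means the packet never got an answer, so look at the gateway rule or the ISP first.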

Punch Through Automatically

UPnP allows software and firmware to talk to a gateway and ask it for ports, which the gateway then automatically configures and opens up. It’s port mapping without any manual configuration.

The UPnP option is generally enabled by default in any gateway that offers it. You can check by using the admin interface and looking for the setting, which may be under Forwarding, NAT, or Remote Access. This section of the interface should also show active UPnP mappings. Look at that table now and then: UPnP mapping requests are not authenticated, so any program or device on your LAN, including one that has been compromised, can open a port to itself without asking you. If nothing you run needs UPnP, turn it off.

For access from outside the LAN, some gateways have two related settings: plain UPnP, which lets devices on the LAN discover each other and the gateway, and UPnP port forwarding (sometimes labeled UPnP IGD, for Internet Gateway Device), which lets devices ask the gateway to open ports. You need the latter for outside access.

With everything working, you shouldn’t have to take action at all. You can consult the software or device you’re using to determine the IP address and port combination it’s expecting incoming traffic to come over, or you can use the admin interface on the gateway to find both those values too.

The IP address will be the gateway’s public-facing address, and the port should be listed in the table noted above. However, you may not be able to find the service by name: unless the requesting program supplied a description when it registered the mapping, it appears under a generic name alongside the local IP address and port from which it originates.

Some gateways can also act as UPnP servers for local and remote access, such as acting like streaming media servers using the DLNA protocol from attached hard drives.
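Rather than trusting the gateway’s table display, you can ask the gateway directly. The Python below is an added example, not code from the book: it enumerates the mappings a UPnP IGD gateway holds via the standard GetGenericPortMappingEntry action of the WANIPConnection:1 service and flags any whose inside address isn’t on your reserved-address list or that carries no description. The control URL passed to `http_fetcher` is gateway-specific and is normally learned through SSDP discovery, which this example skips; the sample responses are constructed so the audit runs offline.

```python
"""Enumerate and audit the port mappings a UPnP gateway has opened (added example).

Walks UPnP IGD GetGenericPortMappingEntry (WANIPConnection:1) from index 0 until
fault 713 (SpecifiedArrayIndexInvalid) marks the end of the table. The sample
responses below are constructed so this runs offline."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"


def build_request(index: int) -> bytes:
    """SOAP envelope asking for the mapping at position `index` in the table."""
    return (
        f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    ).encode()


def parse_entry(body: bytes) -> Optional[Dict[str, str]]:
    """Return the entry's fields, or None when the gateway reports fault 713."""
    root = ET.fromstring(body)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.findtext(f".//{{{CTRL_NS}}}errorCode")
        if code == "713":
            return None
        raise RuntimeError(f"UPnP fault {code}")
    resp = root.find(f".//{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise RuntimeError("not a GetGenericPortMappingEntry response")
    return {child.tag: (child.text or "") for child in resp}  # arguments carry no namespace


def http_fetcher(control_url: str) -> Callable[[int], bytes]:
    """Real transport. The control URL is gateway-specific (found via SSDP); assumed here."""
    def fetch(index: int) -> bytes:
        req = urllib.request.Request(control_url, data=build_request(index), headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                return r.read()
        except urllib.error.HTTPError as e:
            return e.read()  # faults arrive as HTTP 500 carrying the SOAP fault body
    return fetch


def enumerate_mappings(fetch: Callable[[int], bytes]) -> List[Dict[str, str]]:
    """Walk indices 0, 1, 2, ... until the 713 fault says there are no more."""
    mappings: List[Dict[str, str]] = []
    while (entry := parse_entry(fetch(len(mappings)))) is not None:
        mappings.append(entry)
    return mappings


def audit(mappings: List[Dict[str, str]], reserved_hosts: List[str]) -> List[Tuple[str, str]]:
    """Flag mappings worth a look: an inside host you never reserved, or no description."""
    findings = []
    for m in mappings:
        where = (f"{m['NewProtocol']} {m['NewExternalPort']} -> "
                 f"{m['NewInternalClient']}:{m['NewInternalPort']}")
        if m["NewInternalClient"] not in reserved_hosts:
            findings.append((where, "inside host is not on your reserved-address list"))
        if not m["NewPortMappingDescription"].strip():
            findings.append((where, "no description: unclear which program opened it"))
    return findings


def _response(fields: Dict[str, str]) -> bytes:  # builds a constructed gateway reply
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">{inner}'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>').encode()


FAULT_713 = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
             '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
             f'<UPnPError xmlns="{CTRL_NS}"><errorCode>713</errorCode>'
             '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
             '</UPnPError></detail></s:Fault></s:Body></s:Envelope>').encode()

# Constructed table: a named game mapping, an anonymous RDP mapping to an unreserved address, then the end fault.
SAMPLE_TABLE = [
    _response({"NewRemoteHost": "", "NewExternalPort": "27015", "NewProtocol": "UDP",
               "NewInternalPort": "27015", "NewInternalClient": "192.168.1.100",
               "NewEnabled": "1", "NewPortMappingDescription": "Game client", "NewLeaseDuration": "0"}),
    _response({"NewRemoteHost": "", "NewExternalPort": "3389", "NewProtocol": "TCP",
               "NewInternalPort": "3389", "NewInternalClient": "192.168.1.77",
               "NewEnabled": "1", "NewPortMappingDescription": "", "NewLeaseDuration": "0"}),
    FAULT_713,
]


def sample_fetch(index: int) -> bytes:
    return SAMPLE_TABLE[min(index, len(SAMPLE_TABLE) - 1)]


if __name__ == "__main__":
    table = enumerate_mappings(sample_fetch)  # on a real LAN: http_fetcher("http://<gateway>/<control path>")
    for where, why in audit(table, ["192.168.1.100", "192.168.1.20"]):
        print(where, "--", why)
```

Against the constructed table, the game mapping passes and the Remote Desktop mapping to 192.168.1.77 is flagged twice: it points at an address you never reserved, and nothing says who asked for it, which is exactly the kind of entry worth deleting and investigating.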

Set a Default Host for Full Access

The alternative to creating reserved addresses and port mapping for each service on each computer you want to expose from your private network is to appoint a single computer as your public machine. This exposed machine could serve any kind of service over any port without the necessity of adding port mapping rules. If one computer runs FTP, web, and Samba servers, and no other computers on the LAN have any public services, this might be the right option. Remember, though, that every port on that machine becomes reachable from the internet, including services you never meant to publish, so keep its own firewall turned on and think twice before exposing file sharing (SMB), which has a long history of remotely exploitable flaws.

Some gateway makers call this machine the default host; others call it the DMZ host. (The latter is a misnomer: a true DMZ is a separate network segment, whereas a DMZ host still sits on your LAN alongside everything else.) This may be self-evident, but a default host setup works only when NAT is active on the gateway, because it works by sending every inbound port that no other rule claims to the private IP address you specify. Give the default host a fixed address, too: if DHCP is active, set its address manually outside the range DHCP hands out or, if your gateway supports it, use a DHCP reservation.

It’s simple to enable the default host. On every gateway I’ve configured, you need to find the default host or DMZ host setting, enable it, and then enter the private IP address you want to use in that fashion.
