Tuesday, 25 March 2008

Guide to routing for use at home, part 2 - remote control, web and ftp at home!

Assuming you have read part 1 of this blog (or that you already know what a port, an IP address and a WAN address are), how does one use this to one's advantage?




What's the aim?

The aim, as alluded to in part 1, is to obtain access to information on, or control of, a computer at home or the office. This can be really convenient if you are travelling about, want to give others the ability to send you big files, or even want to host your own web site!

With any service, all that is required is that the remote computer (client) has a clear path to the home computer (server) on the correct port(s).


Step 1 - find your WAN.


If you have a static IP address, you don't need to do anything here; since your IP address will always be the same, it will always be the correct address for your home computer. If you do not, then you will either need to know the IP address that is currently assigned, or use a dynamic DNS service like http://www.dyndns.org/.


Dynamic DNS


The dyndns service is currently free in this respect: it allows you to have a domain or sub-domain that always points to the current IP address of your home computer. I.e. you can have the address 'myhomepc.selfip.net', and a special piece of software on your home computer (supplied free by dynDNS.org) keeps the IP address for your domain up to date. So, when you are out and about, visiting myhomepc.selfip.net will always take you to your router and PC!


Step 2 - The server PC address


Ok, you know the home WAN address. This gets you to the 'front door'. The next step is to get through the router to your PC. The router's job is (mainly) to share an internet connection. It also usually assigns IP addresses to the PCs/Macs on the local network; this is called DHCP. So, when you connect a computer to your router (forming the 'local network'), the computer is given an IP address, in exactly the same way as the router is given an address when it joins the Internet.


You can find your 'local' IP address in a number of ways. On a PC, open a command prompt (click Start, Run, then enter 'cmd'), then enter 'ipconfig'. A sample output is here:


As you can see, the IP address of my PC is 192.168.1.10. The address of the gateway (the router) is 192.168.1.1.

Subnet mask - This is like a list of who my computer is allowed to talk to directly. An octet of 255 means 'must match mine exactly' and 0 means 'anything'. I.e. my computer is allowed to speak directly to IP addresses 192.168.1.anything; anything else has to go via the gateway.
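To make the subnet mask rule concrete, here is an added example (not code from the original post) that applies the mask bit by bit and decides, for each destination, whether the PC delivers directly or hands the packet to the router. The addresses 192.168.1.10, 255.255.255.0 and 192.168.1.1 are the ones quoted above; the destination addresses it tests are constructed (203.0.113.0/24 is a documentation range).

```python
# Added example (not from the original post): how the subnet mask decides
# whether the PC talks to a destination directly or hands the packet to the
# router (gateway). 192.168.1.10, 255.255.255.0 and 192.168.1.1 are the values
# quoted in the post; the destinations tested below are constructed.
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer (raises on bad input)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_of(ip: str, mask: str) -> str:
    """AND the address with the mask: 255 octets are kept, 0 octets are wiped."""
    return to_dotted(to_int(ip) & to_int(mask))


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses agree in every bit the mask sets to 1."""
    return network_of(ip_a, mask) == network_of(ip_b, mask)


def next_hop(destination: str, local_ip: str, mask: str, gateway: str) -> str:
    """Direct delivery for on-subnet destinations, otherwise via the router."""
    return destination if same_subnet(destination, local_ip, mask) else gateway


def route_table(destinations, local_ip="192.168.1.10",
                mask="255.255.255.0", gateway="192.168.1.1"):
    """Map each destination to where the PC will actually send the packet."""
    return {d: next_hop(d, local_ip, mask, gateway) for d in destinations}


def agrees_with_stdlib(local_ip: str, mask: str, destinations) -> bool:
    """Cross-check the hand-rolled logic against the ipaddress module."""
    net = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)
    return all(same_subnet(d, local_ip, mask) == (ipaddress.ip_address(d) in net)
               for d in destinations)


if __name__ == "__main__":
    for dest, hop in route_table(["192.168.1.1", "192.168.1.200",
                                  "192.168.2.5", "203.0.113.5"]).items():
        print(f"{dest:>16} -> {'direct' if hop == dest else 'via gateway ' + hop}")
```

Note that 192.168.2.5 is not reachable directly even though it 'looks' local: the third octet differs and the mask says that octet must match, so the packet goes to the router, which then has to know what to do with it.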

So the aim is to make the router take a call arriving at the 'front door' and forward it to your PC, as long as it is on the required port. But this requires that you know the address of your PC. Mine is '10', but if I switch it off and on again it might be different, because the router's DHCP may hand out another address.


Fixing your PC's address or name.


For the router to send an incoming call to a local computer it must know the address of the computer, and this address must not change! The easiest way to do this is to fix the address of your PC manually. This is done on a PC by editing the TCP/IP settings for your network card, and changing the address from 'DHCP assigned' to 'manually specified'. As long as the address you pick will not clash with anything already on, or likely to join, the local network you will be fine. Leave the DNS server blank, or enter the router address there, set the subnet mask to 255.255.255.0 and set the gateway to the router address.


Alternatively,


If your router supports routing to computer names rather than addresses (as many new ones do, including the BT Office router currently being supplied) then you do not need to change the address properties of the intended server.


Step 3 - Configuring the router


Assuming you have configured your computer to respond to remote desktop calls (port 3389), then this port needs forwarding to your computer. The router is configured by using a browser on the local network to go to the router's address and logging in with a password. Pointing your browser at 192.168.1.1 and logging in as 'admin' is very common.

Find a page that relates to port forwarding, and enter the following details:


public port: 3389
local port: 3389
local address: 192.168.1.10


I.e. if a WAN request comes in on port 3389, this is immediately forwarded to port 3389 and local address 192.168.1.10.


As mentioned, some routers allow port forwarding to names and not numbers. Simply use the name of the machine as described by the router instead of the local address.

That is all there is to it. By forwarding port 80 to a computer, you will be able to access any web site hosted there by Apache or IIS. By forwarding port 21, you will be able to access an FTP site hosted there.
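Once the forwarding rule is in, the practical check is to try the port from a client outside your network and see whether anything answers. The following is an added example (not code from the original post, and nothing to do with any particular router): port_reachable() makes one TCP connection attempt, and check_forwards() runs it over the ports discussed above. The name 'myhomepc.selfip.net' and ports 3389/80/21 come from the post; local_listener() and unused_port() are helpers added purely so the check can be exercised offline against 127.0.0.1.

```python
# Added example (not from the original post): check from a client machine
# that a forwarded port actually answers. 'myhomepc.selfip.net' and ports
# 3389/80/21 come from the post; local_listener() and unused_port() are
# test helpers so the check can be exercised offline on 127.0.0.1.
import contextlib
import socket
import threading


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Try one TCP connection. True means something accepted it. False means
    the router is not forwarding, the PC firewall blocks it, or nothing is
    listening (steps 3 and 4 of the post)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, bad name
        return False


def check_forwards(host: str, ports, timeout: float = 3.0) -> dict:
    """Report each forwarded port as reachable (True) or not (False)."""
    return {port: port_reachable(host, port, timeout) for port in ports}


@contextlib.contextmanager
def local_listener():
    """Stand-in for a service on a forwarded port; yields the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free one
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    worker = threading.Thread(target=accept_loop, daemon=True)
    worker.start()
    try:
        yield port
    finally:
        stop.set()
        worker.join()
        srv.close()


def unused_port() -> int:
    """A port nothing is listening on: bind to 0, read it back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def self_check() -> dict:
    """Offline demonstration: a listening port reads True, a closed one False."""
    with local_listener() as port:
        listening = port_reachable("127.0.0.1", port, timeout=2.0)
    closed = port_reachable("127.0.0.1", unused_port(), timeout=1.0)
    return {"listening": listening, "closed": closed}


if __name__ == "__main__":
    print(self_check())
    # Real use, run from a machine outside your own network:
    print(check_forwards("myhomepc.selfip.net", [3389, 80, 21]))
```

Run it from outside your network, not from the local network: many routers will not 'hairpin' a connection to their own WAN address from the inside, so an inside test can fail even when the forward is correct. A False result does not say which of the router rule, the PC firewall or the service itself is at fault, so work through those in turn. For FTP in particular, a True on port 21 only proves the control connection is forwarded; FTP opens a second data connection on other ports, so a full transfer needs the server's passive port range forwarded as well.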


Step 4 (sometimes) Local firewalls


In addition, computers have firewalls too. Windows has one, you may have also installed an additional one. These need to be configured to allow the required ports through uninhibited.


The alternative method - VPN


Some routers allow connection via VPN. This effectively eliminates the routing steps described above, as it allows a client computer on the Internet to connect virtually to the local network via a VPN dial-up connection. This method is invariably slower when it comes to data transfer, but it is secure. It is, however, all or nothing, so it is not suitable for public access in any way.


SECURITY!!!!!


At this point (actually about 2 steps ago) it is really important to think about security. When you forward a port like 3389, ANYONE can 'have a crack' at gaining control of your PC. To make things worse, there are automated 'bots' out there that are constantly 'having a crack' at any apparently open ports, 24/7! It is therefore vital that any sort of Guest or Administrator access is turned off, and that any passwords are strong... No, Seriously! I use a similar setup for my home computer that has not been breached (yet), but I monitor the log files for attempted and refused access, and they sporadically record attacks where people have tried to gain control of my system.


In general, once a port is forwarded, it is no longer the router's job to control access to that port; that responsibility has passed to the server computer, and so its security needs to be set up accordingly.
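The log monitoring mentioned above is worth automating, because a forwarded port collects refused logons around the clock. Here is an added example (not code from the original post) of the kind of review a defender would run: it parses a failed/successful logon log, flags any source address with a burst of failures inside a short window, and separately counts attempts against the Guest and Administrator accounts the post says should be switched off. The log format and every line of SAMPLE_LOG are constructed for this example (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges), so adapt parse() to whatever your remote desktop or FTP server actually writes.

```python
# Added example (not from the original post): review logon failures on a
# machine behind a forwarded port. The log format and all sample lines are
# constructed; the source addresses are from documentation ranges.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one burst of failures from a single address,
# one genuine user mistyping once, and one lone attempt later in the day.
SAMPLE_LOG = """\
2008-03-25 02:14:07 LOGON FAILED user=Administrator src=203.0.113.7
2008-03-25 02:14:09 LOGON FAILED user=admin src=203.0.113.7
2008-03-25 02:14:11 LOGON FAILED user=Guest src=203.0.113.7
2008-03-25 02:14:13 LOGON FAILED user=test src=203.0.113.7
2008-03-25 02:14:15 LOGON FAILED user=user src=203.0.113.7
2008-03-25 08:30:00 LOGON FAILED user=alice src=198.51.100.20
2008-03-25 08:30:45 LOGON OK user=alice src=198.51.100.20
2008-03-25 21:02:10 LOGON FAILED user=Administrator src=203.0.113.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOGON (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn log lines into event dicts; lines in any other format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def brute_force_sources(events, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Sources with at least `threshold` failures inside any span of `window`.
    Returns {src: largest number of failures seen in one window}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            failures[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):           # sliding window over failures
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def disabled_account_attempts(events, accounts=("Administrator", "Guest")) -> dict:
    """Failed logons against accounts the post says should be switched off."""
    counts = Counter(e["user"] for e in events
                     if e["result"] == "FAILED" and e["user"] in accounts)
    return dict(counts)


def report(log_text: str) -> dict:
    """One-call summary suitable for a daily look at the log."""
    events = parse(log_text)
    return {
        "events": len(events),
        "failed": sum(e["result"] == "FAILED" for e in events),
        "bursts": brute_force_sources(events),
        "disabled_accounts": disabled_account_attempts(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The sliding window matters: a single bad password from a family member is noise, five different usernames from one address in eight seconds is a bot, and counting failures per source per window tells the two apart. Any source that shows up in "bursts" is a candidate for blocking at the router or firewall, and a non-zero "disabled_accounts" count means those accounts are still accepting logon attempts and should be disabled as the post advises.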


Conclusion


Although there appear to be many steps involved, this really is a worthwhile exercise, if only for what it teaches. The understanding of TCP/IP that this process gives is really useful for diagnosing all sorts of issues you may come across, and for expanding your knowledge of the net generally. It is also extremely useful to be able to access information stored on a home hard drive from anywhere.


DISCLAIMER


Opening ports is tricky to get right first go. I recommend doing this initially with a computer where a security breach does not matter. Certainly, I want to stress that a 'loose' security configuration is HIGHLY likely to result in private information being accessed by the public. I therefore accept no responsibility whatsoever for any damage caused by experimentation in this area.


If you would like to discuss remote control with me directly, please do so by contacting me: http://www.ginzola.com/contact.php
