Thread: router settings/remote desktop

  1. #1
    R.I.P GHOST's Avatar
    Join Date
    Mar 2003
    Location
    north dakota
    Posts
    385

    router settings/remote desktop

    i have been able to use vnc and remote desktop within my local network, but have never been able to connect from outside, through the net.

    i presently have a dell truemobile 2300 wireless router. i have been trying to get port forwarding set up. on my set up page i have "display routing table"


    Type - Dest IP Address - Subnet Mask - Gateway IP Address - Hop Count

    INF - 192.168.2.0 - 255.255.255.0 - 192.168.2.1 - 1
    INF - 24.xxx.yy.0 - 255.255.240.0 - 24.xxx.xx.194 - 1
    INF - 0.0.0.0 - 0.0.0.0 - 24.xxx.yy.1 - 1


    i wonder if there is something wrong here, the computer i want to connect to, the host, is 192.168.2.5 but is not on the table.

    do i need to have all clients mac addresses and grant access to them?

    i've done a lot of searching and reading but am just going in circles.

    just noticed that one subnet mask has a .240 instead of .255, i thought they were always .255.

    thanks for any help

  2. #2
    Administrator Bok's Avatar
    Join Date
    Oct 2003
    Location
    Wake Forest, North Carolina, United States
    Posts
    24,473
    Blog Entries
    13
    the routing looks ok as far as I can see. Your local network is 192.168.2.x and you have an outside IP address of 24.xxx.?????

    However, routing in itself is nothing really to do with port forwarding.....

    You need to find some page which will enable you to port forward 5900 (I think that's VNC right?) from 24.xxx.???? coming in to 192.168.2.5 port 5900

    I do it on my OpenBSD firewall, routing 22 (ssh) to an internal box. From there I can get to the rest, including VNC'ing to any windows boxen. SSH takes care of the rest of the tunneling

    Bok

  3. #3
    Administrator PCZ's Avatar
    Join Date
    Jun 2003
    Location
    Chertsey Surrey UK
    Posts
    2,428
    Ghost

    Your subnet masks are fine.
    Looking at your routing table I can see that your private network is 192.168.2.0 /24
    Your public network is 24.xxx.xxx.0 /20 {I can't be more precise here because you put too many XXX's in the address}.

    /24 is 255.255.255.0
    A standard Class C mask: the last octet (8 bits) is used for hosts.
    This is 256 IPs minus the broadcast, network and gateway addresses.

    /20 is 255.255.240.0 {Covers the last four bits of the 3rd octet and the whole of the fourth octet; this gives 12 bits for hosts}. Over 4000 addresses.

    You need to set up a static NAT translation from your public interface to 192.168.2.5,
    port 3389 if you are using Terminal Services.

    Make sure that this host is not using DHCP.

    Any traffic hitting your public IP {This will be a 24.xxx.xxx.xxx address} on port 3389 will be redirected to 192.168.2.5.
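
Added example (not part of the thread): the routing table from the first post, run through a longest-prefix lookup to show why 192.168.2.5 needs no entry of its own and what the two masks cover. The ISP addresses are redacted in the thread, so 203.0.112.0/20 and its gateways are constructed stand-ins, and the function names are illustrative.

```python
import ipaddress

# Routing table from the first post. The ISP side is redacted on the page
# (24.xxx...), so 203.0.112.0/20 and its gateways are constructed stand-ins.
ROUTES = [
    ("192.168.2.0", "255.255.255.0", "192.168.2.1"),
    ("203.0.112.0", "255.255.240.0", "203.0.113.194"),
    ("0.0.0.0",     "0.0.0.0",       "203.0.112.1"),
]

def parse_routes(rows):
    """Turn (dest, mask, gateway) rows into (network, gateway) pairs."""
    return [(ipaddress.ip_network(f"{dest}/{mask}"), ipaddress.ip_address(gw))
            for dest, mask, gw in rows]

def usable_hosts(network):
    """Addresses left after removing the network and broadcast addresses."""
    return network.num_addresses - 2

def lookup(routes, address):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(address)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda pair: pair[0].prefixlen)

if __name__ == "__main__":
    routes = parse_routes(ROUTES)
    for net, gw in routes:
        print(f"{net}  mask {net.netmask}  usable hosts {usable_hosts(net)}  via {gw}")
    # 192.168.2.5 is covered by the 192.168.2.0/24 row; no per-host route exists.
    for target in ("192.168.2.5", "203.0.120.9", "8.8.8.8"):
        net, gw = lookup(routes, target)
        print(f"{target:>13} -> {net} via {gw}")
```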

  4. #4
    Fixer of Broken Things FoBoT's Avatar
    Join Date
    Dec 2001
    Location
    Holden MO
    Posts
    2,137
    just to clarify, you need port 3389 open on your external interface firewall AND port 3389 forwarded to your internal box IP address/port

    if you forward the port , but it is firewalled to external traffic , it won't work
    if you open the port on the firewall, but don't forward it, only the firewall(router) will see the incoming traffic

    good luck

    3389 is for RDP(remote desktop protocol) , 5900 sounds right for VNC, but i haven't used it in a couple years, RDP on XP and server 2003 is already installed, so i don't bother with VNC
    Use the right tool for the right job!

  5. #5
    Administrator PCZ's Avatar
    Join Date
    Jun 2003
    Location
    Chertsey Surrey UK
    Posts
    2,428
    I just had a look at the manual for the 2300, it supports port forwarding.

    Here is the relevant section.

  6. #6
    Administrator Bok's Avatar
    Join Date
    Oct 2003
    Location
    Wake Forest, North Carolina, United States
    Posts
    24,473
    Blog Entries
    13
    Of course,

    I'd be very careful about having those ports open to the outside world. Most versions of VNC are not secure (passwords not encrypted) and without knowing too much about Terminal Services I doubt it is secure either.

    So you'd be open to hacking by anyone doing a quick nmap on your IP address and finding the ports open.

    Bok

  7. #7
    Administrator PCZ's Avatar
    Join Date
    Jun 2003
    Location
    Chertsey Surrey UK
    Posts
    2,428
    You can change the port for RDP.
    I always do this on public facing boxes, or nat translated from a public to private.

    Most people don't scan the whole range of possible ports, it takes too long.
    So by changing to a high port number most of the script kiddies will not notice you running RDP.


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
    "PortNumber"=dword:00000d3d

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
    "PortNumber"=dword:00000d3d

    The above examples are the default port of 3389.
    You need to change the dword values, click on binary to enter the values unless you are very good with hex !!

    After changing the above values you will need to reboot if you are using 2K/XP, or restart terminal services if you are using 2003.


    To connect to a host which has had the port changed you need to put a colon and the port number after the IP address in the connect box.

    Example:
    10.10.10.100:29872
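
Added example (not part of the thread): the decimal-to-dword conversion for the two PortNumber values in the post above, plus a check that both keys carry the same port. The function names are illustrative, and the `.reg` header line is the standard one for 2K/XP-era registry exports.

```python
import re

# Both registry values named in the post above; they must carry the same port.
KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp",
]

def render_reg(port):
    """Return .reg text that sets PortNumber to `port` under both keys."""
    if not 1 <= port <= 65535:
        raise ValueError(f"not a valid TCP port: {port}")
    body = "".join(f'[{key}]\n"PortNumber"=dword:{port:08x}\n\n' for key in KEYS)
    return "Windows Registry Editor Version 5.00\n\n" + body

def read_ports(reg_text):
    """Map each key found in .reg text to its decimal PortNumber."""
    ports, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = re.fullmatch(r'"PortNumber"=dword:([0-9a-fA-F]{8})', line)
            if m and key:
                ports[key] = int(m.group(1), 16)
    return ports

def configured_port(reg_text):
    """Return the port if both keys are present and agree, else raise."""
    ports = read_ports(reg_text)
    missing = [k for k in KEYS if k not in ports]
    if missing or len(set(ports.values())) != 1:
        raise ValueError(f"inconsistent RDP port settings: {ports}, missing {missing}")
    return next(iter(ports.values()))

if __name__ == "__main__":
    print(render_reg(29872))                    # port from the connect-box example
    print(configured_port(render_reg(3389)))    # default port, dword:00000d3d
```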




  8. #8
    Free-DC Semi-retire gopher_yarrowzoo's Avatar
    Join Date
    Mar 2002
    Location
    Knoxville, TN
    Posts
    3,985
    or if you can't be bothered changing the port number internally
    be sneaky and do this (if possible)
    port 48131 (randomly chosen external port for RDP / VNC) to 3389/5000 on 192.168.2.5
    so that you RDP/VNC to port 48131 but according to your pc on 192.168.2.5 it's looking like port 3389/5000 from your router :> or something like that
    i know it works cos I've tried it with an apache server port mapped a totally different port to port 80 on 2 machines
    so that I can have 2 apache servers running and just tell people it's abc.dyndns.org:port/ what ever and the machine still gets a port 80 request neat
    if it works port map a range that way you can do the whole network and all you're doing is mapping to 48130 - 48140 for machines 192.168.2.2 - 192.168.2.12 for what ever
    if this is a little sorry just thought I'd mention it..
    oh and mine ain't hardware it's s/ware but it looks 'ard
    definite but the newer version of this sucks do not get Kerio Winroute Firewall 5 (unless you wanna take a day re learning it)
    Semi-retired from Free-DC...
    I have some time to help.....
    I need a new laptop,but who needs a laptop when you have a phone...
    Now to remember my old computer specs..


  9. #9
    R.I.P GHOST's Avatar
    Join Date
    Mar 2003
    Location
    north dakota
    Posts
    385
    thanks guys, i'll give it another try when i get home from work.

  10. #10
    R.I.P GHOST's Avatar
    Join Date
    Mar 2003
    Location
    north dakota
    Posts
    385
    i just realized my isp issues a dynamic address. i had thought it was static.

    does this look like a good way around the problem? any better ideas?

    Dealing with dynamic IPs
    One of the biggest issues associated with gaining access to your home PC or network remotely is that the IP address assigned by your ISP is likely to change regularly. To get around this, consider using one of the many free dynamic DNS services available online, such as the one available at www.dyndns.org. This service enables you to create a dedicated hostname for your system, such as 2000trainers.dyndns.org, and then use this name rather than your IP address to connect.

    Services like dyndns.org make it possible to update your IP address manually via a Web page, but a better solution exists. A variety of small software packages can handle this function automatically, such as the Dynamic DNS client software available from http://sitedevelopers.com. This tool will not only learn the public IP address assigned to your home IP address or router, but will update the dyndns.org servers automatically when your IP address changes. This then ensures that you’ll always be able to connect to your home systems using the hostname you’ve chosen.

    http://www.maxpc.co.uk/tutorials/def...bsectionid=710

    looks like this is the fix. here is another article.

    What’s the public IP number of the machine?
    You need to know this number when you connect to the machine, this is the
    internet address of your home machine. The problem is the ISP changes the number
    every so often.
    If someone is at the remote machine you can have
    them go to http://www.showmyip.com which tells them
    their current number.
    For remote assistance only, this is acceptable since
    someone needs to be at the computer anyway.
    For remote desktop you would need another option.
    DNS2Go from Deerfield (www.dns2go.com) offers a free
    solution (for home users) to this problem.
    You register a name with them (like “franklin-home”) and they give you a small
    program that runs on your home computer (all the time as a service) and checks
    your IP number every minute or so. When you want to connect, the IP you type in is
    franklin-home.dns2go.com.

    http://www.rethinkit.com/files/Remot...ndows%20XP.pdf
    Last edited by GHOST; 08-05-2004 at 01:27 PM.

  11. #11
    Administrator Bok's Avatar
    Join Date
    Oct 2003
    Location
    Wake Forest, North Carolina, United States
    Posts
    24,473
    Blog Entries
    13
    sure,

    I used dyndns.org for a long time (in fact I probably still am).

    Until recently though, I had the same IP address for almost 18 months, so I got lazy. But I have a script on my firewall which once an hour does a wget on a small file on my server (where free-dc is also hosted).

    I can then easily parse the apache logs and look for the IP which does that wget

    Bok
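
Added example (not part of the thread, and not Bok's actual script): one way to pull the home connection's current address out of Apache access logs when a firewall fetches a small file hourly. The log lines are constructed, and the file name `/ip-beacon.txt`, the `Wget/` agent filter and all addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed Apache combined-format lines; the file name /ip-beacon.txt and all
# addresses (documentation ranges) are assumptions, not values from the thread.
SAMPLE_LOG = """\
203.0.113.40 - - [05/Aug/2004:10:00:01 -0400] "GET /ip-beacon.txt HTTP/1.0" 200 2 "-" "Wget/1.9.1"
198.51.100.7 - - [05/Aug/2004:10:12:44 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.40 - - [05/Aug/2004:11:00:01 -0400] "GET /ip-beacon.txt HTTP/1.0" 200 2 "-" "Wget/1.9.1"
198.51.100.7 - - [05/Aug/2004:11:30:10 -0400] "GET /ip-beacon.txt HTTP/1.1" 200 2 "-" "Mozilla/4.0"
203.0.113.97 - - [05/Aug/2004:12:00:02 -0400] "GET /ip-beacon.txt HTTP/1.0" 200 2 "-" "Wget/1.9.1"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def beacon_hits(log_text, path="/ip-beacon.txt", agent_prefix="Wget/"):
    """Yield (time, ip) for successful beacon fetches made by the expected client."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["path"] != path or m["status"] != "200":
            continue
        # The User-Agent is client-supplied, so this is only a coarse filter that
        # keeps a casual visitor's fetch of the file from overwriting the answer.
        if not m["agent"].startswith(agent_prefix):
            continue
        yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def address_history(log_text):
    """Collapse hourly hits into the points where the address changed."""
    changes = []
    for when, ip in sorted(beacon_hits(log_text)):
        if not changes or changes[-1][1] != ip:
            changes.append((when, ip))
    return changes

def current_address(log_text):
    """Most recent address seen fetching the beacon, or None if there were no hits."""
    history = address_history(log_text)
    return history[-1][1] if history else None

if __name__ == "__main__":
    for when, ip in address_history(SAMPLE_LOG):
        print(when.isoformat(), ip)
    print("current:", current_address(SAMPLE_LOG))
```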
