Dynamic dns question
-
I set up a domain name with DynDNS which I want to use for my router so I can set up my VPN and everything I need remotely, since I have a dynamic IP address. I also have an HP MediaSmart server that has a domain name. One thing that I did not realize is that my external IP address is the same for all my computers. When I type in my DynDNS domain name on the local network it comes up with my pfSense interface (http or https), though when I type it in remotely the http gets a connection error and if I use https I am connected to my home server web page.
What do I need to do to be able to access it remotely? At the moment I can't even ping either one of my domain names, though I'm able to connect to my home server through the web browser.
Pretty much all I want to do is be able to access my VPN over my phone/laptop when I'm not at home.
-
Set up your firewall pinholes.
When you connect to your own DynDNS name from within your network the NAT is reflected and your source IP is not your public IP but the IP of the pfSense box. Using a proxy or VPN will 'show' you how the traffic is really being handled from the outside.
-
I'm still new to this whole thing, so what do you mean by firewall pinholes?
-
Firewalls typically allow traffic from the LAN side to the WAN side and block traffic from the WAN side to the LAN side. When some access to the internet is initiated, the firewall keeps some state information so that it can allow the responses back through the firewall. (It wouldn't be very useful to block ALL traffic from the WAN.)
If you are running some sort of service behind the firewall you need to have a small "hole" in the firewall to allow that specific access through the firewall. The previously described mechanism won't work because this sort of access is not initiated from the LAN side.
If the "modem" between your pfSense box and the internet is acting as a router/firewall you will probably need to configure it to allow VPN access from the internet and forward such access to your pfSense box.
The articles http://en.wikipedia.org/wiki/Port_forwarding and http://en.wikipedia.org/wiki/Firewall_pinhole explain in a bit more detail.
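To make the three cases in that explanation concrete (LAN-initiated traffic creates state, replies to a tracked flow are let back in, and everything else from the WAN is blocked unless a pinhole matches), here is a toy stateful packet filter. This is an added example, not pfSense code: the LAN range, the addresses and the pinhole ports are constructed, and the NAT rewriting that a real port forward performs is left out so only the filtering decision is shown.

```python
"""Toy stateful packet filter: LAN->WAN passes and is remembered,
WAN->LAN is blocked unless it answers a tracked flow or hits a pinhole.
Added illustration, not pfSense code; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    def __init__(self, lan_network, pinholes=()):
        self.lan = ipaddress.ip_network(lan_network)
        # Pinholes: (proto, port) pairs that unsolicited WAN traffic may reach.
        self.pinholes = set(pinholes)
        # State table: 5-tuples of flows that were initiated from the LAN side.
        self.flows = set()
        self.log = []

    def _is_lan(self, ip):
        return ipaddress.ip_address(ip) in self.lan

    def filter(self, pkt):
        """Return True if the packet passes, False if it is blocked."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if self._is_lan(pkt.src_ip) and not self._is_lan(pkt.dst_ip):
            self.flows.add(flow)                      # outbound: remember it
            verdict = "pass: lan->wan, state created"
        elif reply_of in self.flows:
            verdict = "pass: reply to a tracked flow"
        elif (pkt.proto, pkt.dst_port) in self.pinholes:
            verdict = "pass: pinhole"
        else:
            verdict = "block: unsolicited from wan"
        self.log.append((pkt, verdict))
        return verdict.startswith("pass")


def demo():
    """Constructed traffic: an outbound HTTPS flow, its reply, unsolicited RDP,
    a pinholed SSH port on the router, a pinholed IKE (UDP 500) packet, and a
    WAN packet that merely looks like a reply but matches no tracked flow."""
    fw = StatefulFirewall("192.168.1.0/24",
                          pinholes={("tcp", 222), ("udp", 500)})
    packets = [
        Packet("tcp", "192.168.1.100", 40000, "203.0.113.10", 443),   # browser out
        Packet("tcp", "203.0.113.10", 443, "192.168.1.100", 40000),   # its reply
        Packet("tcp", "198.51.100.7", 51000, "192.168.1.100", 3389),  # unsolicited RDP
        Packet("tcp", "198.51.100.7", 51001, "192.168.1.1", 222),     # SSH pinhole
        Packet("udp", "198.51.100.7", 500, "192.168.1.1", 500),       # IKE pinhole
        Packet("tcp", "198.51.100.7", 443, "192.168.1.100", 40001),   # not a reply
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in StatefulFirewall("192.168.1.0/24").log:
        print(pkt, verdict)
    print(demo())
```

The last packet is the point of keeping state per 5-tuple rather than per port: a WAN packet that comes from port 443 is still dropped unless it answers a flow the LAN actually opened. The pinholes are the only way unsolicited traffic reaches the inside, which is why the thread's advice is to open exactly the ports the service needs and watch the logs for those rules.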
-
Thanks for explaining. I will check out the site.
-
So I forwarded ports 50 AND 51 TCP AND 500 UDP, then pointed them to my router, but I still can't connect to it via my iPhone. Also it's asking me for a secret which I don't have.
-
It's not prompting you for the pfSense user and pass, is it?
-
I set all that information in before I tried connecting to it.
-
Can you post a screenshot of your NAT rules and firewall rules?
-
WAN rules (I still think this is too limited; I'm seeing a lot of things blocked in my logs.)
NAT
IPsec rules (don't know what to do here)
-
Your NAT and FW entries are correct.
Is your http server on another network (DMZ)?
I tried to connect to your server on port 80 from your external address (68.103.185.3) and it seems like it's trying to pass packets, by which I mean it doesn't take forever to time out, it just drops. So it makes me wonder if 172.30.1.101 is reachable and if it has a firewall enabled that is dropping traffic. Also out of curiosity, what is the blue info icon next to your FW entries?
-
The "blue i circle" icon means logging is enabled for that rule.
-
I can connect to my home server remotely by going to the site -- but I can't figure out how to go to -**- to point to my router, since I only have 1 external address which both -- and -- are pointed to. The blue info icons are for logging, though I'm not sure how to access them.
-
I'm not sure why you are confused. parman.dyndns.org points to 68.103.185.3 and parman.homeserver.com points to 68.103.185.3.
https is working correctly. Are you trying to say you want a different port besides 443 to be redirected to another internal address? You can have as many public DNS records as you want, but if your ISP only gave you one public IP then you will only be able to use a port pinhole once per internal IP.
Both DNS records do point towards your router, but your router is forwarding the traffic based on your NAT and FW entries. Just pick another port to use to access your router *by the way this is a really bad idea
-
Yeah, I figured it was a terrible idea. I really need more than one IP from my ISP. So then why am I not able to connect the IPsec VPN remotely? I'm told the port forwarding is correct?
-
I don't have an answer for IPsec, however may I suggest something easier?
If all you're looking at is remotely managing your router then SSH might be the perfect solution. Also, if you needed to remote desktop into one of your home computers you could easily set up tunneling with SSH.
-
Maybe you could point me in the right direction for remote SSH. I know the concept but I'm not 100% sure how it works when you're not on the local network. I also want to be able to access and open my files on my server remotely; I used to use a PPTP VPN from my home server and it worked great.
-
Sure.
Set up SSH on a server or the pfSense box. Change the default port to something other than 22. I also recommend certificate-based authentication only, but if you use passwords make sure they are strong. Use a client like PuTTY to set up the connection. Use your DynDNS record. Set up tunneling. (See http://oldsite.precedence.co.uk/nc/putty.html for more info.)
For example, I want to connect to an RDP session within the SSH tunnel. My source port could be 555 while the destination is 192.168.1.100:3389, Remote.
SSH in to your network. Now open the Remote Desktop client and connect to 127.0.0.1:555. Perfect. (Same concept with other resource access.) SSH only requires a single TCP connection, which is really FW friendly. If you are only going to be accessing a limited amount of resources then I highly recommend SSH over using a VPN. SSH does require attention to security, however. Just like any other remote service, always watch the logs. Install DenyHosts to help protect it. Change your default port and enforce certificate authentication.
I use SSH to remote desktop, transfer files, access the web (so much more secure this way when on the road), maintain my websites, access email, and more. A VPN would be kind of overkill for just one person and a hassle just to set up.
-
Thanks man! It actually worked the first time. You have taught me a lot and I'm greatly appreciative. How do you manage to access files and do remote desktops? FYI most of this stuff I do on my iPhone/laptop but 99% is iPhone.
FYI I have never really understood SSH.
Is this where you do the remote desktop and stuff?
* In the 'Destination' box (see Figure 3) enter the address followed by a colon and the port number that you wish the NetManager to forward requests to (use localhost if you want to refer to the NetManager itself). For example, to access the NetManager's web pages you would enter 'localhost:80' or to access a Citrix server you might enter 'appserver:1494'. A list of useful ports is shown in the table below:
Port No.  Service
25        SMTP Mail
80        Apache Web Server
110       POP3 Mail Server
143       IMAP Mail Server
880       NetManager web based administration pages
1494      Citrix ICA
3389      Microsoft RDP
* Once you have entered the source port and destination details you must click the 'Add' button.
* You may add as many source and destination details as you want. Remember to click the 'Add' button each time.
* Click on 'Open'. This will open a window and ask you to log on to your server. Log on as 'ncadmin' or any other interactive user. If the window closes straight away when you type in the password, the account is not interactive. Use the NetManager web-based administration pages to modify the user account, so that they have an interactive account.
* Once you have logged on, the tunnelled connection will be live.
* When configuring your client software (e.g. web browser or email package), always enter localhost (i.e. the local computer) as the remote address instead of the IP address of your NetManager. If you do not do this, the computer will connect as normal instead of over the ssh tunnel. For example, if you have configured your source port to be '8000' and the destination to be 'localhost:80', you will be able to access the web pages served by your NetManager from a web browser on your local machine by using the URL 'http://localhost:8000/'. Similarly, if you have specified the source port as '1494' and the destination as 'appserver:1494', you will be able to configure the Citrix ICA client to connect to 'localhost'. The NetManager at the other end of the ssh tunnel will forward the traffic to machine 'appserver' on the remote network.
-
Yes.
As an example, let's say your desktop IP is 192.168.1.100 and it runs Microsoft Remote Desktop, which listens on port 3389. You want to remote desktop to this PC with SSH from an external network such as work. In PuTTY expand 'SSH' and then 'Tunnels'. You would add the following settings for the above example:
Source Port: 555
Destination: 192.168.1.100:3389
Select the radio options 'Remote' and 'Auto'. When you successfully log into your SSH server, open up the Remote Desktop client and connect to 127.0.0.1:555.
Now you have a completely secure and encrypted VPN connection to remote desktop. You can do the same with FTP, email, web, and so much more. SSH is a VPN solution but with a lot less hassle.
(Note: You don't have to use port 555 every time. This is just an easy port to remember, but you don't want to use the same port number twice or it won't work.) It's a lot of fun when you start playing around, and it is really powerful. Just don't forget to watch your SSH logs for hacking attempts. By changing the default port from 22 to something like 222 you can greatly reduce the amount of attacks on your SSH server.
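The tunnel described in the two SSH posts above (source port 555 on the laptop, destination 192.168.1.100:3389 on the home LAN, client connects to 127.0.0.1:555) is, on the client side, a loopback listener that relays each accepted TCP connection to the internal host and port. The relay below, written for this thread and not taken from PuTTY or OpenSSH, shows exactly that mechanism; the encrypted SSH hop between the two ends is omitted, and a constructed local echo server stands in for the RDP host so the whole thing runs offline. Note why the listener binds to 127.0.0.1 only: the point of the tunnel is that only the user sitting at the laptop can enter it, which is also why port 555 stays out of any firewall rule.

```python
"""Client-side relay modelling an SSH local port forward: a loopback
listener accepts connections and copies bytes to an internal host:port.
Added example for this thread; not PuTTY/OpenSSH code, no encryption hop."""
import socket
import threading


class LocalForwarder:
    def __init__(self, listen_port, dest_host, dest_port):
        self.dest = (dest_host, dest_port)
        self.connections = 0
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Loopback only: nobody else on the network can use the tunnel entrance.
        self.listener.bind(("127.0.0.1", listen_port))
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:          # listener was closed
                return
            self.connections += 1
            try:
                upstream = socket.create_connection(self.dest, timeout=5)
            except OSError:          # internal host unreachable: drop this client
                client.close()
                continue
            upstream.settimeout(None)
            for src, dst in ((client, upstream), (upstream, client)):
                threading.Thread(target=self._pipe, args=(src, dst), daemon=True).start()

    @staticmethod
    def _pipe(src, dst):
        """Copy bytes one way until EOF, then pass the EOF on to the other side."""
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass

    def close(self):
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the internal service (the RDP host on 3389)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def roundtrip(port, payload):
    """What the RDP client does: connect to the tunnel entrance on loopback."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(payload=b"constructed request"):
    echo = start_echo_server()
    # The thread uses source port 555; ports below 1024 need root on Unix, so
    # the demo lets the OS pick a free port (0) and reads it back from .port.
    fwd = LocalForwarder(0, "127.0.0.1", echo.getsockname()[1])
    try:
        reply = roundtrip(fwd.port, payload)
    finally:
        fwd.close()
        echo.close()
    return reply, fwd.connections


if __name__ == "__main__":
    print(demo())
```

With OpenSSH the same client-side listener is what `ssh -L 555:192.168.1.100:3389 -p 222 user@yourdyndnsname` creates, the difference being that the bytes travel inside the SSH session to the home end, which then opens the connection to 192.168.1.100:3389. That single TCP connection on the SSH port is the only pinhole the home firewall needs, which is the "FW friendly" property the poster refers to.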