This article is a continuation of a series on remote access and firewalls seen in our October and December 2015 editions
Now that you have your network all setup you will need to open up the front doors and allow outside access in. How do you do this? What kind of equipment do you need? Well, the answer is simpler than you think. All Internet accessible routers have the ability to allow outside access. There are a few rules that need to be followed, but it is not a difficult endeavor!
The method for opening a port through a firewall has many names, but both Linksys and Netgear use the term “Port Forwarding.” In a nutshell you are telling the firewall that you want to allow people that knock on a certain port or door access through the firewall to a certain computer or end device on the network.
For example: If we want to share the cool website that we created, we would open port 80 on the firewall; we then tell the firewall to direct anyone that contacts our public-facing IP address, looking for port 80, to port 80 on a host (the webserver) located at a specific IP address on our local network.
All routers have some form of a firewalling technology. The most basic type is a simple network address translation and the most advanced and complicated firewalls are stateful. In this article we’ll just talk about inexpensive firewall routers — Linksys and Netgear are two that come to mind.
You should also know that most of the time a nice Cisco router can be obtained for just a few dollars more than a Linksys or Netgear router (on eBay, for example). The main issue with a Cisco router is that it is not as easy to configure as a Linksys or Netgear consumer router. The off-the-shelf routers are known to be of lesser quality and easier to configure than a Cisco router, and this ease of use has a huge draw for people that are not familiar with setting up routers for Internet access. This ease of setup comes at a cost of risk and security.
Routers and end devices need to be configured separately. The router needs to be told what port number, transport type and destination address to forward data. The end device needs to be setup in a certain way to allow access to services located on a certain port and transport type. Remote access will fail if both of these devices are not setup properly!
How do I access the router to set it up? The router we are talking about is also the gateway for your LAN and the convention (generally speaking) is to use the first address in the segment for management purposes. The out-of-the-box default is usually 192.168.1.1 for Linksys routers and 192.168.0.1 for Netgear. In order to setup a port forward in a router you need to access the setup pages of the router, and you get to those by browsing the management address and entering the default credentials. (You should change those too, by the way.) Once in the setup of the router, locate the area that allows you to configure port forwarding. The port forwarding setup pages will have places to put the port number you wish to forward, the transport type, and the internal address that you wish to forward the data.
You will need to know four items to setup a port forward: The external IP address of the internet connection, the port number that you wish to use, the type of transport, and the internal IP address of the computer or device that you wish to access (See Fig. 1).
CONFIGURING AN AOIP CODEC
So as an example, let’s look at getting an audio stream to the Comrex BRIC at my transmitter site. The first thing I need to do is get the external IP of my transmitter site DSL line.
As an example, this IP could be 126.96.36.199. I need to know what port number needs to be forwarded. Comrex has excellent documentation and I have found that I need to have port 9000 open on the firewall (See Fig. 2). Comrex also lists the transport as UDP. I have set up my Comrex BRIC with a static IP of 192.168.1.200 on the local network. With that information in mind, I open up the management page of my firewall and configured it to allow port 9000 UDP to pass through it and be directed to the Comrex BRIC unit located at 192.168.1.200 on my local network. The Comrex BRIC has been configured to accept UDP data on port 9000.
Now at the studio we simply configure our Comrex Bric link to connect to 188.8.131.52 port 9000 or use the Dynamic DNS name (see more on that below) and port 9000. Once we configure this remote connection, the audio should flow between the units. (See Fig. 3).
There are a couple of things that can happen with plain old run-of-the-mill internet access, similar to what you would get at home, that you need to be aware of.
As I already mentioned, you need to know two particular IP addresses for this configuration: The public-facing, external IP address, and the LAN address of the device that is the object of the port-forward. If you are not sure of what your external IP is, browse a website, such as IPchicken.com or speedtest.net, to see what external IP address has been assigned to you.
Unless you have paid extra for a business class Internet connection or static IP, you more than likely have a dynamic external IP address. This means that this external address can change at any time. Why is that a problem? Imagine if you wanted to call your friend across town and his phone number changed at random times. How would you ever be able to get ahold of him? Well the answer is simple: You would hire a service that would tell you what the number is each time you wish to call him.
This service is called dynamic DNS. If you do not have a static external IP address, then you will need to utilize a dynamic DNS service to ensure that you have remote access. Dynamic DNS does not change the configuration of the remote end; dynamic DNS has an agent that is loaded on a computer in the local network that sends the dynamic DNS service the external IP of the network every 15 minutes. Instead of accessing your remote network via the external IP address directly, you use the dynamic DNS name that you created when the service was setup. This takes care of the issues caused by the use of a non-static IP address on your external network.
Either way, you will need to know the external IP address or the dynamic DNS name to access your network remotely.
The second or internal IP address needs to have an IP address that never changes as well. Most of the networks that are setup with Linksys or Netgear routers utilize Dynamic Host Configuration Protocol. When a computer or other host device is first turned on it will broadcast a request for an IP address on the LAN. The DHCP server will in turn respond with an IP address for its use.
This makes deploying a network easy but causes issues with remote access, because every time the device is restarted there is a chance that this IP can change. Port forwarding requires that a static internal address be configured. Again, this is done by way of the router’s management page; in the DHCP settings you will find a place to configure the DHCP range. Set the range for, say, .100 to .254. You can then set all hosts that need static addresses to have their last octet below .100.
What type of transport is going to be utilized? I have covered UDP and TCP data types in a previous article (Radio October 2015). What a person needs to know about this is simple: Most of the time it is TCP, but if you are working with audio or video then it will probably be UDP. The transport type will need to be setup when a port forward is configured.
Both Linksys and Netgear routers have a simple drop down menu selection for this. The drop down has options for TCP, UDP or both. There is no real harm in leaving it as both. When in doubt, use TCP. Most manufactures of equipment that have instructions for remotely accessing their devices will list what type of transport is needed.
TESTING YOUR REMOTE ACCESS
After a port forward has been successfully configured, you must test it. The testing is either pass or fail. It will either work or not at all. If you are having trouble with the remote access, start with troubleshooting the port forwarding information. Do I have the right port? Do I have the right transport? Almost all remote access issues arise from incorrect firewall configuration information.
Every remote access solution is different. The software used to access your remote access solution will depend on what you are trying to access. The Comrex Bric link requires that you access it with a Web browser. Solutions by Burk remote controls require the use of their Autopilot software. The point is that you will need to use the right software solution to test your remote access setup.
Make sure you read the documentation and use the right software!
Cottingham is the chief engineer of KFMK(FM) in Austin, Texas.