Port Forwarding?


Mark Ivey

I would like to learn more about port forwarding.

I would like to be able to reach my PC from work.

Here is my current setup at home.
Windows XP (Home Edition)
D-Link (DI-514) Wireless Router
WebStar Cable Modem (DPX100 Series)

It is my understanding that I must set up a port forward on my router to be
able to access my PC from the web. The D-Link model I have refers to
something as a Virtual Server, but nothing about port forwarding. I would
like to do this, but I am concerned about the security risk involved as
well.

Can anyone educate me more on this topic or send me a link where I could
learn about it more?

TIA...

Mark Ivey
 

Chuck [MVP]

I would like to learn more about port forwarding.

I would like to be able to reach my PC from work.

Here is my current setup at home.
Windows XP (Home Edition)
D-Link (DI-514) Wireless Router
WebStar Cable Modem (DPX100 Series)

It is my understanding that I must set up a port forward on my router to be
able to access my PC from the web. The D-Link model I have refers to
something as a Virtual Server, but nothing about port forwarding. I would
like to do this, but I am concerned about the security risk involved as
well.

Can anyone educate me more on this topic or send me a link where I could
learn about it more?

TIA...

Mark Ivey

Mark,

The term "Virtual Server" is D-Link speak for port forwarding. You can forward
any port using the setup on page 21 of the DI-514 manual. You'll have to
forward to a fixed IP address, so you'll have to disable DHCP for the server.

But I wouldn't do this, if I were you. Plain old port forwarding (by any name)
is notoriously unsafe. The forwarded port will be open to any computer on the
Internet. I'd set up a VPN, which creates an encrypted tunnel between a specific
computer at the other end of the tunnel, and your server. The DI-514 only
supports VPN passthru, so you'll have to set up a VPN client on the server.
http://nitecruzr.blogspot.com/search/label/VPN?max-results=100

--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 

Mark Ivey

Thanks for the information, Chuck.

I agree that I need the added security with a VPN. Do you think something
like Real VNC would work well for this connection?


Mark Ivey

Chuck said:
I would like to learn more about port forwarding.

I would like to be able to reach my PC from work.

Here is my current setup at home.
Windows XP (Home Edition)
D-Link (DI-514) Wireless Router
WebStar Cable Modem (DPX100 Series)

It is my understanding that I must set up a port forward on my router to be
able to access my PC from the web. The D-Link model I have refers to
something as a Virtual Server, but nothing about port forwarding. I would
like to do this, but I am concerned about the security risk involved as
well.

Can anyone educate me more on this topic or send me a link where I could
learn about it more?

TIA...

Mark Ivey

Mark,

The term "Virtual Server" is D-Link speak for port forwarding. You can forward
any port using the setup on page 21 of the DI-514 manual. You'll have to
forward to a fixed IP address, so you'll have to disable DHCP for the server.

But I wouldn't do this, if I were you. Plain old port forwarding (by any name)
is notoriously unsafe. The forwarded port will be open to any computer on the
Internet. I'd set up a VPN, which creates an encrypted tunnel between a specific
computer at the other end of the tunnel, and your server. The DI-514 only
supports VPN passthru, so you'll have to set up a VPN client on the server.
http://nitecruzr.blogspot.com/search/label/VPN?max-results=100

--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 

Sooner Al [MVP]

Mark Ivey said:
Thanks for the information, Chuck.

I agree that I need the added security with a VPN. Do you think something
like Real VNC would work well for this connection?


Mark Ivey

You might look at either UltraVNC with its encryption plug-in or run VNC
(any flavor) through a Secure Shell (SSH) tunnel. SSH is pretty easy to
set up and you can use a private/public key pair protected by a password for
strong authentication versus a password only (strong or otherwise). Some
links...

http://www.uvnc.com/

SSH links including the copSSH server package and Tunnelier client. I
recommend copSSH because it's based on OpenSSH/OpenSSL/cygwin and is updated
as those are updated...

http://theillustratednetwork.mvps.org/Ssh/SSH-HomeUser.html

http://www.itefix.no/phpws/index.ph...er_op=view_page&PAGE_id=12&MMN_position=22:22
http://www.bitvise.com/tunnelier

How to secure your SSH server including generating a private/public key pair
using Tunnelier...

http://theillustratednetwork.mvps.org/Ssh/SecureYourcopSSHServer-Vista.html
http://theillustratednetwork.mvps.org/Ssh/Private-publicKey-Tunnelier.html

The same thing if you want to use PuTTY/WinSCP versus Tunnelier...

http://theillustratednetwork.mvps.org/Ssh/copSSH-WinSCP-KeyPair.html

You would need to set up port forwarding in either Tunnelier or PuTTY to run
VNC (any flavor) through the tunnel. See these examples for Remote Desktop
and modify as needed for VNC...

http://theillustratednetwork.mvps.org/Ssh/Client06.jpg

http://theillustratednetwork.mvps.org/Ssh/PuTTYRDPTunnels.JPG

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
 

Chuck [MVP]

Thanks for the information, Chuck.

I agree that I need the added security with a VPN. Do you think something
like Real VNC would work well for this connection?


Mark Ivey

Mark,

VNC, in its many different brands (like *nx), is a remote desktop type product.
It doesn't in itself add any security, just functionality (the ability to see
the desktop). Now Sooner Al, another MVP who posts here too, will recommend VNC
over SSH, if you WANT remote desktop access.

The problem with VNC is that it requires you to leave the server connection up,
just as with any file sharing server connection. With UltraVNC, you can have
the "server" connect to the client, which is a big help in working through NAT
routers, but you still have one computer online all of the time, and exposed.

I use UVNC; I install the clients (remotely supported computers), and have them
(as "servers") call my network only when necessary. I can activate the
forwarded ports in my router when necessary, and not worry about open ports in
the clients' routers. UVNC and the reverse server technique works when there are
2 people active, one person at the "server" doing the calling, the other at the
"client" setting up to receive the call. If you're going to use VNC, you have
to either leave one end up all of the time, or have a second person available at
the other end.

The advantage of the VPN is that, once it's established, the tunnel works only
between the 2 specific computers (end points). For a third computer to break
into it, it would have to break the multi level authentication and encryption,
plus spoof its identity.

So yes, you could use VNC, but it will add ability, not security.

--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 

Mark Ivey

Thanks for the advice, Chuck.

Can you give me some tips on setting up a VPN?

Mark Ivey

Chuck said:
Thanks for the information, Chuck.

I agree that I need the added security with a VPN. Do you think something
like Real VNC would work well for this connection?


Mark Ivey

Mark,

VNC, in its many different brands (like *nx), is a remote desktop type product.
It doesn't in itself add any security, just functionality (the ability to see
the desktop). Now Sooner Al, another MVP who posts here too, will recommend VNC
over SSH, if you WANT remote desktop access.

The problem with VNC is that it requires you to leave the server connection up,
just as with any file sharing server connection. With UltraVNC, you can have
the "server" connect to the client, which is a big help in working through NAT
routers, but you still have one computer online all of the time, and exposed.

I use UVNC; I install the clients (remotely supported computers), and have them
(as "servers") call my network only when necessary. I can activate the
forwarded ports in my router when necessary, and not worry about open ports in
the clients' routers. UVNC and the reverse server technique works when there are
2 people active, one person at the "server" doing the calling, the other at the
"client" setting up to receive the call. If you're going to use VNC, you have
to either leave one end up all of the time, or have a second person available at
the other end.

The advantage of the VPN is that, once it's established, the tunnel works only
between the 2 specific computers (end points). For a third computer to break
into it, it would have to break the multi level authentication and encryption,
plus spoof its identity.

So yes, you could use VNC, but it will add ability, not security.

--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 

Chuck [MVP]

Thanks for the advice, Chuck.

Can you give me some tips on setting up a VPN?

Mark Ivey

I have written about some issues that you might want to consider.
http://nitecruzr.blogspot.com/2006/12/using-internet-as-wan-link-use-vpn.html

I have yet to write a setup tutorial, though.

The above article leaves two relevant issues for you to consider.
1) Your router, the DLink DI-514, is out of date, and doesn't have VPN endpoint
capability. It will do VPN passthru, I believe. That will require that you
set up one of your computers as the VPN server, and only that computer will be
accessible from work.
2) The LAN admins at your workplace may have a policy on VPNs, and provide some
specific guidelines (possibly requirements) on what type of VPN you can set up.

I, personally, prefer to set up a VPN using a NAT router as the endpoint. This
has its advantages and disadvantages though.
Router Endpoint Advantages
# No software to load on the computer.
# No reconfiguration of your LAN.
# Accessibility of all computers on your LAN (may be an advantage or
disadvantage).
# The server that you want to access from work remains accessible to the other
computers on your LAN.
# VPN tunnel maintenance is on the router, leaving the processor on the
computers free for normal work.
Router Endpoint Disadvantages
# You need a VPN Endpoint router.
# If your workplace requires, when the tunnel is active, all traffic to the
Internet will run through your workplace. This will increase latency, and your
home Internet activity will be subject to your employer's policies.

--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 

Sooner Al [MVP]

Mark Ivey said:
Thanks for the advice, Chuck.

Can you give me some tips on setting up a VPN?

Mark Ivey

To set up a PPTP VPN server and client on an XP box see this...

http://www.onecomputerguy.com/networking/xp_vpn_server.htm
http://www.onecomputerguy.com/networking/xp_vpn.htm

A Vista how-to...

http://theillustratednetwork.mvps.org/Vista/PPTP/PPTPVPN.html

In all cases use a STRONG password...

http://www.microsoft.com/protect/yourself/password/checker.mspx

For PPTP VPN you need to forward/open TCP Port 1723 and enable GRE Protocol
47 traffic through any firewall/router the server is behind. The latter is
sometimes called "PPTP Pass Through" or "VPN Pass Through" or is
automatically enabled when TCP Port 1723 is opened, i.e. the Windows Firewall
for example. Check the user's guide/manual for any router or firewall for
help.

You can test all of this using the test detailed in the "PPTP Ping" and "VPN
Traffic" sections on this page...

http://www.microsoft.com/technet/com...uy/cg0105.mspx

Note you may have conflicts if both subnets, i.e. the server and
client subnets, are the same, i.e. 192.168.1.X for example. The solution is
to make sure one of the subnets is different, i.e. change the server subnet
to 192.168.11.X for example. For example I have used a 172.21.11.X subnet in
the past for my home LAN to make sure my remote client's IP did not conflict
with it.

http://www.ietf.org/rfc/rfc1918.txt

If a PPTP VPN does not work out for you, more than likely because of a
router not passing GRE Protocol 47 traffic properly, then alternatives
include OpenVPN, Secure Shell (SSH), SSL-Explorer or a third-party solution
like Hamachi, etc. OpenVPN, SSH and SSL-Explorer all have strong
authentication functionality through the use of certs and/or private/public
key pairs versus a password only (strong or otherwise). I can't speak to how
Hamachi or similar services authenticate.

Here is help setting up an OpenVPN server/client...

http://theillustratednetwork.mvps.org/OpenVPN/OpenVPN.html

SSL-Explorer...

http://3sp.com/showSslExplorer.do

Personally I am a big fan of SSH and use SSH to remotely access my home LAN
for shared file access (Tunnelier SFTP or WinSCP), run Remote Desktop
through the SSH tunnel for remote control of my home PC and anonymous web
surfing while traveling and connected to public wireless hot spots. In my
case I use a 4096-bit private/public key pair protected by a strong password
for authentication.

If you decide to use a VPN end-point type router you can either purchase one
(i.e. Linksys, Netgear, ZyXEL, etc. all make them) or flash an existing router
with third-party firmware like DD-WRT, Tomato, etc...

http://www.dd-wrt.com/wiki/index.php/What_is_DD-WRT?

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
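As an added example, not from Al's post or any of the linked pages, here is a small Python check that applies two points from the post above: the PPTP prerequisites (TCP 1723 forwarded and GRE, IP protocol 47, passed through) and the subnet-overlap problem between the home LAN and the remote client's LAN, using the RFC 1918 ranges. The rule tuples and the "pptp-passthrough" token are assumed labels for this example, not any router's real configuration syntax.

```python
import ipaddress

# RFC 1918 private address space, which both LANs in the thread draw from.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole block lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def subnets_conflict(server_lan, client_lan):
    """True when the home (server) LAN and the remote (client) LAN overlap,
    the case the post describes with both sides on 192.168.1.X."""
    a = ipaddress.ip_network(server_lan, strict=False)
    b = ipaddress.ip_network(client_lan, strict=False)
    return a.overlaps(b)


def review_vpn_plan(server_lan, client_lan, rules):
    """Return a list of findings; an empty list means the plan is clean.

    rules is a constructed list of (proto, port) tuples describing what the
    router/firewall passes inbound to the PPTP server. ("gre", None) or the
    assumed token ("pptp-passthrough", None) stands for the router's
    'VPN Pass Through' setting that carries GRE protocol 47.
    """
    findings = []
    for name, cidr in (("server", server_lan), ("client", client_lan)):
        if not is_rfc1918(cidr):
            findings.append(f"{name} LAN {cidr} is not RFC 1918 private space")
    if subnets_conflict(server_lan, client_lan):
        findings.append("server and client subnets overlap; renumber one side")
    if ("tcp", 1723) not in rules:
        findings.append("TCP 1723 is not forwarded to the PPTP server")
    if not any(p in ("gre", "pptp-passthrough") for p, _ in rules):
        findings.append("GRE (IP protocol 47) is not passed through")
    return findings


if __name__ == "__main__":
    # Constructed sample: both ends on 192.168.1.0/24 as the post warns about,
    # and the router forwards TCP 1723 but nothing handles GRE.
    for f in review_vpn_plan("192.168.1.0/24", "192.168.1.0/24", [("tcp", 1723)]):
        print("finding:", f)
```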
 