Remote Access - Beginners Guide to the Interweb...
Posted: Fri Aug 07, 2020 1:14 pm
Gathered up my notes in case it might help someone understand things like port forwarding.
IP Addresses
Your home is connected to the internet through your ISP and you most likely have one router/modem that is the interface between the internet (world wide) and intranet (your home). Understanding the difference between your net (LAN) and the Internet (WAN) is the first hurdle.
Technically every device in your home could have its own world wide available IP address but for a number of reasons that just isn't practical. Your router/modem is the ONLY device that ends up getting assigned a publicly visible IP address on the WAN. The router assigns private reusable addresses on its LAN side. The router funnels all outgoing connections through this one single address. No problems there. But inbound requests are the challenge.
Google "what is my ip address" to see what your single address currently is. Remember that all outbound connections are channeled through your single IP on your router.
All of your internal devices get private addresses that are reused by everyone. They are usually of the form 192.168.x.y or maybe 10.10.x.y but you need to understand that my 192.168.1.12 is not the same as your 192.168.1.12 and our internal addressing is only valid on our own networks.
Easy way to tell if someone understands this: Ask them their IP address and if they tell you 192.168.x.y or 10.10.a.b then they don't understand yet.
Ports and Protocols
The way computers talk to each other is by first identifying the IP address of the computer that is accepting connections, then secondarily identifying the sub-address (port) within that computer that will be accepting connections, then thirdly agreeing on what protocol they expect to chat with.
The analogy here is calling a big company on the phone with departments using extensions. This isn't as common as it once was, but call Comcast's main phone number (IP address) then dial extension 204 (department or person) then start chatting in a language you both understand. If you call AT&T by mistake, you have the wrong IP address. If you call the wrong department (port) they won't understand. Also if you don't talk the same language (protocol) they won't understand.
For ease of use, some standards have been agreed to so that the port usually matches the protocol. Port 80 = web. Port 443 = secure web. Port 25 = email. etc etc etc. Ports below approximately 1024 are reserved, while those above can be relatively safely reused. Of interest is that some folks think that they can 'fool' scammers by running their services on non-standard ports (i.e. running web on port 81 instead of 80), but that is a foolish idea because scammers can scan all ports in milliseconds, so running web on a non-standard port will stop no one.
Modern apps now usually make assumptions about the ports that people want to use. When you use a browser it assumes you want to connect to 80 or 443 depending on whether the URL begins with http:// or https:// . FYI if you want to connect to web on a non-standard port you use the format http://domain.com:yy where yy is the non-standard port.
How web connections usually work...
Connect to the web server at CNN by going to the web URL http://www.cnn.com. Your computer looks up the IP address of "www.cnn.com", and since we prefaced the URL with http:// we assume we are going to use port 80. The data center at CNN is accepting incoming connections on their main firewalls on port 80 and serving up a nice pretty web page in the agreed upon protocol.
Connecting from the Internet to your Home devices...
Now let's think about your home rather than CNN... First, what domain name or IP address shall we use???? And what is your IP address???
This is always the first battle and is usually answered by using a Dynamic DNS service and a domain name assigned by that service. I think BI has some service for this but frankly I never used it and am not sure. You don't need a DDNS but you'd always need to know your current IP address.
However you get the valid IP address of your home router, we then move to the second challenge... All incoming connections from the internet will hit your router/modem which by default... doesn't know what the heck to do with the incoming request. Your router gets a web request and barfs without setup steps.
Port Forwarding
To make progress you will need to be able to log into your router/modem and have access to its configuration pages.
What we need to do is set up some rules on your router to instruct the router what to do with incoming connection requests. These are the port forwarding rules. They will look something like this:
Basic data -
- Incoming connection request to port X should get forwarded to LAN computer A on port Y.
Saving quickly now but I will update this paragraph.
Security
In general, exposing devices to the internet exposes them to the jungle of world wide scammers. Some devices are notoriously less secure and have long histories of being hacked through vulnerabilities. IP cameras are one of those notoriously insecure devices.
Your router/modem is your safety device between you and all of the skanks on the internet!!! (I changed my crude reference to something more tame.)
NEVER set up your router to allow connection requests from the internet to be forwarded to your cameras or any other device that you don't have complete confidence in.
Some devices ARE more secure and can be set up to securely allow internet connection requests.
VPN - Virtual Private Networks are very secure and, once a VPN connection is made, make it seem like you are actually home when you are away. You virtually tunnel through the VPN server and it is like being home away from home. The only problem is that they are more advanced to set up and use on a day to day basis.
Controlled and Limited Web Port Forwarding - If you trust your BI machine to be secure, you can expose just incoming web connection requests to the internet. You do this by going into your router and configuring a rule to say that any incoming connection request to your home on port 80 (or 81) shall be forwarded to your BI computer on the same port 80 (or 81).
There are lots of alternatives in this area but you will NEED to grasp these basics first.
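The "port X to LAN computer A on port Y" rule and the Security advice above can be checked together; this is an added example, not part of the original post. The addresses, the trusted-device list and the function names are assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges: the reusable LAN addresses a home router hands out.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STANDARD_PORTS = {80: "web", 443: "secure web", 25: "email"}  # from the post

@dataclass
class ForwardRule:
    wan_port: int   # port X requested on the router's public address
    lan_ip: str     # LAN computer A
    lan_port: int   # port Y on that computer

def audit_rule(rule, trusted_hosts):
    """Return a list of findings for one port forwarding rule."""
    findings = []
    for port in (rule.wan_port, rule.lan_port):
        if not 1 <= port <= 65535:
            findings.append(f"port {port} is out of range")
    try:
        addr = ipaddress.ip_address(rule.lan_ip)
    except ValueError:
        return findings + [f"{rule.lan_ip} is not an IP address"]
    if not any(addr in net for net in RFC1918):
        findings.append(f"{rule.lan_ip} is not a private LAN address")
    if rule.lan_ip not in trusted_hosts:
        findings.append(f"{rule.lan_ip} is not a trusted device; do not expose it")
    if rule.wan_port not in STANDARD_PORTS:
        findings.append(f"port {rule.wan_port} is non-standard; scans still find it")
    return findings

# Constructed sample data (addresses and device roles are assumptions).
TRUSTED = {"192.168.1.20"}                      # the BI machine
RULES = [
    ForwardRule(80, "192.168.1.20", 80),        # web to the BI machine
    ForwardRule(81, "192.168.1.20", 81),        # same service, non-standard port
    ForwardRule(8000, "192.168.1.64", 80),      # an IP camera
    ForwardRule(443, "203.0.113.7", 443),       # not a LAN address at all
]

def audit_all(rules=RULES, trusted=TRUSTED):
    """Audit every rule, keyed by (WAN port, LAN address)."""
    return {(r.wan_port, r.lan_ip): audit_rule(r, trusted) for r in rules}

if __name__ == "__main__":
    for key, findings in audit_all().items():
        print(key, findings or ["ok"])
```
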