Port forwarding/firewall question (I think!)

My router has a public IP of, say, 92.34.56.78 and connected to that I have a web server/NAS on 192.168.0.111. I’ve set up a forwarding rule on port 80 so navigating to http://92.34.56.78/ from outside my local network brings up the index.html of the server (it asks for a login for external addresses).

In addition to several other computers and devices, I have an arduino connected to 192.168.0.222 which is used to trigger the opening sequence for my electric gates. Within the local network, this works fine but from the Internet, it doesn’t (there is essentially a PHP script on the NAS that runs fopen("http://192.168.0.222/?open=yes","r") and the code on the Arduino processes this to operate a couple of relays).

I’m assuming this is because 192.168.0.222 (and all other local IP addresses) aren’t visible from the Internet. I can’t forward port 80 to 192.168.0.222 because it’s already forwarded to 192.168.0.111 (and I wouldn’t want all web traffic going there anyway).

Not sure if it’s possible to change the port on the Arduino, but if I could, would this solve the problem (i.e. could I port forward incoming traffic to, say, 192.168.0.222:123)?

Two steps:

  • On your router, set up a forwarding rule to the Arduino, using something like a port in the range 49152–65535; these ports are defined as "Dynamic, private or ephemeral ports".
  • Change the port on the Arduino server.
    This is really simple: if you are using the Example Ethernet Server code, just change the instance definition from EthernetServer server(80); to EthernetServer server(49152);

To access it from the Web; http://92.34.56.78:49152
Inside on your local net; http://192.168.0.222:49152

Chuck.

I'm using the Ethercard library - there is an ether.hisport setting but no ether.myport. Don't think the server settings you mention are applicable.

I can, however, change the port on my NAS although seeing if I can set up a VirtualServer on Apache first...

Thanks, that did work, specifying hisport=49152 (for example) and setting up corresponding rules on the router now allows me (or anyone else!) to open my gates from anywhere in the world!

spandit:
Thanks, that did work, specifying hisport=49152 (for example) and setting up corresponding rules on the router now allows me (or anyone else!) to open my gates from anywhere in the world!

So, Post your IP address, and the World will come to your Door! (or actually open the gate!) :slight_smile:

Chuck.

chucktodd:
So, Post your IP address, and the World will come to your Door! (or actually open the gate!) :slight_smile:

Chuck.

Ha! Fortunately I’m not that green :)

Anyway, the plan for tomorrow is to rewrite the server code to make it a little more secure. At the end of the day, it’s not Fort Knox so no point having incredible security in the system as someone could just climb over or ram them :astonished:

spandit:
Ha! Fortunately I'm not that green :)

Anyway, the plan for tomorrow is to rewrite the server code to make it a little more secure. At the end of the day, it's not Fort Knox so no point having incredible security in the system as someone could just climb over or ram them :astonished:

Good luck!

Chuck.

Well, somebody is having a go :o (actually looks like a couple of people). I've snipped out the repeat attempts as there were many!:

[Thu Aug  4 05:17:27 2016] [error] [client 195.154.33.182] user admin not found: /
[Thu Aug  4 05:17:27 2016] [error] [client 195.154.33.182] user admin not found: /Forms/home_lan_1
[Thu Aug  4 05:17:28 2016] [error] [client 195.154.33.182] user admin not found: /
[Thu Aug  4 10:13:44 2016] [error] [client 188.0.236.119] user airlive not found: /
[Thu Aug  4 10:13:45 2016] [error] [client 188.0.236.119] user support not found: /
[Thu Aug  4 10:13:47 2016] [error] [client 188.0.236.119] user super not found: /
[Thu Aug  4 10:13:48 2016] [error] [client 188.0.236.119] user mts not found: /
[Thu Aug  4 10:13:49 2016] [error] [client 188.0.236.119] user telecomadmin not found: /
[Thu Aug  4 10:13:49 2016] [error] [client 188.0.236.119] user mgts not found: /
[Thu Aug  4 10:13:50 2016] [error] [client 188.0.236.119] user kyivstar not found: /
[Thu Aug  4 10:13:51 2016] [error] [client 188.0.236.119] user telekom not found: /
[Thu Aug  4 10:13:51 2016] [error] [client 188.0.236.119] user superadmin not found: /
[Thu Aug  4 10:14:17 2016] [error] [client 188.0.236.119] user adsl not found: /
[Thu Aug  4 10:14:17 2016] [error] [client 188.0.236.119] user osteam not found: /
[Thu Aug  4 10:14:18 2016] [error] [client 188.0.236.119] user root not found: /
[Thu Aug  4 10:14:18 2016] [error] [client 188.0.236.119] user ZXDSL not found: /
[Thu Aug  4 10:14:19 2016] [error] [client 188.0.236.119] user Cisco not found: /
[Thu Aug  4 10:14:20 2016] [error] [client 188.0.236.119] user cisco not found: /
[Thu Aug  4 10:14:20 2016] [error] [client 188.0.236.119] user admin not found: /
[Thu Aug  4 10:14:23 2016] [error] [client 188.0.236.119] user enable not found: /
[Thu Aug  4 10:14:24 2016] [error] [client 188.0.236.119] user pnadmin not found: /
[Thu Aug  4 10:14:25 2016] [error] [client 188.0.236.119] user root not found: /
[Thu Aug  4 10:14:25 2016] [error] [client 188.0.236.119] user user not found: /
[Thu Aug  4 10:14:26 2016] [error] [client 188.0.236.119] user  not found: /

I think I'd better change my TCP port for my main webserver... Good job I had a login anyway
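A small detection script, added here as an example (not from the thread, the Ethercard project or Apache), that parses lines in the format of the error_log excerpt above and flags any client that cycles through several different usernames within a short window. The sample log is constructed in the same format using documentation addresses, so it runs offline:

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.2-style error_log line for a failed HTTP Basic auth attempt.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"user (?P<user>\S*) not found: (?P<path>\S*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Thu Aug  4 05:17:27 2016"

# Constructed sample log in the thread's format (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
[Thu Aug  4 05:17:27 2016] [error] [client 192.0.2.10] user admin not found: /
[Thu Aug  4 05:17:27 2016] [error] [client 192.0.2.10] user admin not found: /Forms/home_lan_1
[Thu Aug  4 10:13:44 2016] [error] [client 198.51.100.7] user airlive not found: /
[Thu Aug  4 10:13:45 2016] [error] [client 198.51.100.7] user support not found: /
[Thu Aug  4 10:13:47 2016] [error] [client 198.51.100.7] user root not found: /
[Thu Aug  4 10:13:48 2016] [error] [client 198.51.100.7] user admin not found: /
[Thu Aug  4 10:13:49 2016] [error] [client 198.51.100.7] user  not found: /
[Thu Aug  4 11:02:03 2016] [error] [client 203.0.113.5] user bob not found: /
"""

def parse_line(line):
    """Return (timestamp, ip, user, path) or None if the line is not a failed-login record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FORMAT)
    user = m["user"] or "<empty>"   # a blank username (last line of the excerpt) still counts
    return ts, m["ip"], user, m["path"]

def brute_force_clients(log_text, min_usernames=3, window_seconds=300):
    """Flag client IPs that try >= min_usernames distinct usernames within window_seconds."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, ip, user, _ = rec
            attempts[ip].append((ts, user))
    flagged = {}
    for ip, recs in attempts.items():
        recs.sort()  # sliding window starts at each attempt in time order
        for i, (start, _) in enumerate(recs):
            users = {u for t, u in recs[i:] if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_usernames:
                flagged[ip] = sorted(users)
                break
    return flagged
```

Repeated failures for a single username (the first client) are not flagged, so a user who mistypes a password is not treated as a scanner; the thresholds are assumptions to tune for your own traffic.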

spandit:
Well, somebody is having a go :o (actually looks like a couple of people). I've snipped out the repeat attempts as there were many!:

[Thu Aug  4 05:17:27 2016] [error] [client 195.154.33.182] user admin not found: /
[Thu Aug  4 05:17:27 2016] [error] [client 195.154.33.182] user admin not found: /Forms/home_lan_1
[Thu Aug  4 05:17:28 2016] [error] [client 195.154.33.182] user admin not found: /
[Thu Aug  4 10:13:44 2016] [error] [client 188.0.236.119] user airlive not found: /
[Thu Aug  4 10:13:45 2016] [error] [client 188.0.236.119] user support not found: /
[Thu Aug  4 10:13:47 2016] [error] [client 188.0.236.119] user super not found: /
[Thu Aug  4 10:13:48 2016] [error] [client 188.0.236.119] user mts not found: /
[Thu Aug  4 10:13:49 2016] [error] [client 188.0.236.119] user telecomadmin not found: /
[Thu Aug  4 10:13:49 2016] [error] [client 188.0.236.119] user mgts not found: /
[Thu Aug  4 10:13:50 2016] [error] [client 188.0.236.119] user kyivstar not found: /
[Thu Aug  4 10:13:51 2016] [error] [client 188.0.236.119] user telekom not found: /
[Thu Aug  4 10:13:51 2016] [error] [client 188.0.236.119] user superadmin not found: /
[Thu Aug  4 10:14:17 2016] [error] [client 188.0.236.119] user adsl not found: /
[Thu Aug  4 10:14:17 2016] [error] [client 188.0.236.119] user osteam not found: /
[Thu Aug  4 10:14:18 2016] [error] [client 188.0.236.119] user root not found: /
[Thu Aug  4 10:14:18 2016] [error] [client 188.0.236.119] user ZXDSL not found: /
[Thu Aug  4 10:14:19 2016] [error] [client 188.0.236.119] user Cisco not found: /
[Thu Aug  4 10:14:20 2016] [error] [client 188.0.236.119] user cisco not found: /
[Thu Aug  4 10:14:20 2016] [error] [client 188.0.236.119] user admin not found: /
[Thu Aug  4 10:14:23 2016] [error] [client 188.0.236.119] user enable not found: /
[Thu Aug  4 10:14:24 2016] [error] [client 188.0.236.119] user pnadmin not found: /
[Thu Aug  4 10:14:25 2016] [error] [client 188.0.236.119] user root not found: /
[Thu Aug  4 10:14:25 2016] [error] [client 188.0.236.119] user user not found: /
[Thu Aug  4 10:14:26 2016] [error] [client 188.0.236.119] user  not found: /

I think I'd better change my TCP port for my main webserver... Good job I had a login anyway

It looks like that last one was a 'bot.

Looks like you are having fun!

Chuck.

I've turned it off for now whilst I find out how secure Apache is.

spandit:
I’ve turned it off for now whilst I find out how secure Apache is.

Apache is fine, but if you open any ‘well known port’ to the internet, it is only a matter of time before a bot finds it and tries to exploit it. Learning point: strong passwords are worth the hassle.

Your firewall should allow you to forward a ‘custom’ port on the outside to a well known port at a specific IP on the inside. So in your scenario, where you have multiple web servers inside your LAN but don’t need anonymous access by the general public, I would redirect from a custom port to a default port, using port forwarding on the router.

92.34.56.78:9222 → 192.168.0.222:80
92.24.56.78:9111 → 192.168.0.111:80

Advantages:

  • Bots scanning well known ports will not find the web servers on your devices.
  • Easier to manage. Only the port forward rules on the firewall are changed.
  • You only have to remember the custom port numbers when accessing devices from outside.

Alas, my router doesn't allow custom port forwarding (not to a different port anyway :( ). A quick search indicates that I'm lucky to be able to do this at all - some people with the same router can't do anything. Don't want to name the model, but it's supplied by the ISP and isn't very good.

I can open a custom port to the Arduino webserver (which isn't running on 80 anyway):

92.34.56.78:9222 -> 192.168.0.222:9222
92.34.56.78:9111 -> 192.168.0.111:9111

and I can set up a virtual server under Apache to listen on port 9111 so the rest of my webserver isn't accessible. Just need to check directory permissions etc. before doing this. I think this is a reasonable workaround, as I don't want the hassle of accessing my local webserver on ports other than 80.