Elk M1 Simple Port Forward Question

SIMKO

First let me say that I can't believe that I can't figure this out. I'm no computer guru, but I can usually Google my way out of almost any computer issue.

- I have my Elk M1 completely installed with a M1XEP
- The XEP is set up with a static IP that is outside of the range of the DHCP server
- The static IP is assigned to the ELK in the modem/router config
- The RP software connects flawlessly to the XEP with a static IP and allows me to program the system when I am inside the LAN
- I have dynamic DNS set up to point to my WAN IP, and it is updated via the XEP
- I have ports 2601, 26, and 80 forwarded to the static IP address of the XEP

I cannot access my system from outside the LAN with the dynamic DNS or if I type in the WAN IP directly, which leads me to believe that the port forwarding is messed up.

There really isn't much to mess up, but maybe I'm doing something wrong. The picture below is a pic of the router screen that I found on the internet and does not have my specific info in it.

Protocol - I've tried TCP and both
Global Port Start - If I'm forwarding 2601, I enter 2601
Global Port End - If I'm forwarding 2601, I enter 2601
Base Host Port - I think this is where I'm messed up. If I'm forwarding 2601, I've tried both 2601 and 80. What port does the Elk M1 listen on?

After I set up the port forwards, it asks where I want the ports forwarded to and I select the static IP of my XEP, which the router has self-identified in a drop-down list along with the MAC address.

Anyone have any ideas? Am I missing something simple here?

 
It is not designed to be accessed from outside your network. What happens is, you open an HTTP connection on port 80 and that launches a JAVA app that attempts to connect to 2601 on the Elk's internal address, not the external address. It doesn't work across NAT.

To be more specific you'll see:

Client --> M1XEP:80
M1XEP:80 --> Client (Sends Java Applet as Embedded Object)
Client --> M1XEP:26
M1XEP:26 --> Client (Response with Internal IP address and Port 2601 in data)
Client --> M1XEP Internal IP:2601
 
Thanks for the quick reply. I apologize for not being clear in my first post. The java app is what I am trying to connect to but I can't get the java app to open up when accessing it outside the LAN using my WAN IP or DynDns in a web browser.

I think it's my port forwarding as I had it working with the old router, but my ISP sent me a new router and I can't get the port forwarding to work.
 
Both the Java app and ELKRP work from pretty much anywhere in the world. I can sit in the terminal at LAX and make rule changes just like I can at home.

Without knowing the specifics of your router, the only thing I can suggest is powering down both the router and the M1XEP. Then power up the router, wait 5 minutes, and power up the M1XEP. You may need to wait another 8 minutes for the M1XEP to respond.
 
I got it working by setting Global Port Start, Global Port End, and Base Host Port as all the same number for each port forward rule:

(2601,2601,2601).
(26,26,26)
(80,80,80)

Not sure why it works and I thought I already tried that, but I must not have done it right one of the times. :blink:
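To make the port-forward fix and the applet exchange described above concrete, here is an added example (not part of any post in this thread) that models the router's three fields and replays the applet's connections from outside the NAT. It assumes the router shifts the WAN range so that Global Port Start lands on Base Host Port, and that the applet is handed the external address, as the current firmware is reported to do; `ForwardRule`, `applet_trace` and `exposed` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ForwardRule:
    global_start: int    # "Global Port Start": first WAN-side port
    global_end: int      # "Global Port End": last WAN-side port
    base_host_port: int  # "Base Host Port": LAN-side port for global_start

    def translate(self, wan_port):
        """LAN port a WAN port lands on, or None if the rule does not cover it.
        Assumed semantics: the range is shifted so global_start -> base_host_port."""
        if self.global_start <= wan_port <= self.global_end:
            return self.base_host_port + (wan_port - self.global_start)
        return None

# Services the thread says the M1XEP offers: web page, discovery, secure port.
XEP_LISTENING = (80, 26, 2601)

def reach(rules, wan_port):
    """First matching rule wins; None means the router drops the connection."""
    for rule in rules:
        lan = rule.translate(wan_port)
        if lan is not None:
            return lan
    return None

def applet_trace(rules, http_wan_port=80):
    """Replay the applet's three connections from outside the NAT.
    Returns (service, wan_port, lan_port, ok) tuples, stopping at the first failure."""
    trace = []
    for service in XEP_LISTENING:
        wan = http_wan_port if service == 80 else service
        lan = reach(rules, wan)
        trace.append((service, wan, lan, lan == service))
        if lan != service:
            break
    return trace

def exposed(rules):
    """WAN ports that end up on a listening M1XEP service, as {wan: lan}."""
    found = {}
    for rule in rules:
        for wan in range(rule.global_start, rule.global_end + 1):
            if rule.translate(wan) in XEP_LISTENING:
                found.setdefault(wan, rule.translate(wan))
    return found

# Constructed rule sets: the fix posted above, and the 2601 -> 80 attempt.
WORKING = [ForwardRule(2601, 2601, 2601), ForwardRule(26, 26, 26), ForwardRule(80, 80, 80)]
MISMATCH = [ForwardRule(2601, 2601, 80), ForwardRule(26, 26, 26), ForwardRule(80, 80, 80)]

if __name__ == "__main__":
    for name, rules in (("working", WORKING), ("mismatch", MISMATCH)):
        print(name, applet_trace(rules), exposed(rules))
```

With the mismatched rule the trace stops at the third connection, and `exposed` shows WAN port 2601 landing on the plain web service on port 80, which is worth knowing when auditing what a rule set actually publishes.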
 
Well I'll be *****, it does work now. They must have fixed it in some firmware update. The port 26 connection is now passing the external and internal addresses when accessed externally. All I did was port forward the 3 ports (5580 to 80 for HTTP), my router is running DDWRT. And to access I just hit my dynamic DNS name port 5580...
 
If you use web authentication, I believe that's when it'll die. As long as you just use your arming code, I think it works. That said, I'd never do it - I forward the secure port to the elk only - anything else in the house that I need to access required VPN in.
 
So if I forward 2601, 26, and 80 to the ELK static IP am I opening myself up for issues?

All I did was port forward the 3 ports (5580 to 80 for HTTP), my router is running DDWRT. And to access I just hit my dynamic DNS name port 5580...

Is this how most people do it, by using their dynamic DNS address with a port (i.e. 5580) rather than just using the dynamic DNS address by itself (port 80 assumed)? Does this make it more secure?

That said, I'd never do it - I forward the secure port to the elk only - anything else in the house that I need to access required VPN in.

Are you saying that you only forward the secure port (2601) to the ELK? What are you doing with the other two ports required (26 and 80)?

I just want to make sure I don't set it up with some gaping security hole. Thanks for the help so far.
 
I agree with Work2Play as far as security; someone posted a Google search a while back that showed how easy it was to find people that had exposed their Elks to the Web. It is a security risk. At a minimum I would change the port from the default of 80 to something else. I would never expose port 80 for anything; that gets hit constantly by probes. I just did the above as a test and immediately closed it all down. If Elk had followed industry standards and used SSL/HTTPS and not this hokey Java applet connecting to 2601 business, it would have been a better solution.

I think most people rely on other more secure methods to access their Elks, like eKeypad/Elkdroid and just exposing 2601, or home automation software, VPNs, or Remote Desktop.
 
I just bought eKeypad and had it up and working in a matter of 5 minutes. Why couldn't it have been this easy out of the box with no additional software? Took out all the other port forwards except for 2601.

Not only is it easier to set up, but it looks better and is more functional than the Java app.
 
For security, I use SSH and if you have a custom firmware router I wrote a tutorial on how to set it up here.
 
I just use TeamViewer and remote to a computer on my network, and then I can do anything I want. Nothing really to set up.
 
Am I correct that to use the remote java app, M1XEP requires ALL THREE open ports?

26, 80, and 2601????
 
I think so. You might be able to skip 26; there is some sort of discovery going on there. But 80/2601 for sure. 80 displays the initial web page and allows you to download the Java app, then the Java app connects to 2601 to send commands to the Elk.
 