Port forwarding

[Banjo123]

Hello,
I have an Omnipro2 and have been using Snaplink the last 7 years. For my needs, while at home or away, it all works good. Recently I can't connect when "away". Local control continues to work well. I think perhaps the fellow who port forwarded my Omnipro2/router for me about 7 years ago isn't in business anymore. I'm thinking I need to get a new host name etc?? All the info on my snaplink app is correct for "Away", it just does't want to work in that mode. I accessed my router (Actiontec C1000A router) and can see where info has to be entered for port forwarding. I was wondering if anyone can walk me through the port forwarding steps?

Thanks for any info.

 

[ano]

So the trick with port forwarding is to have it work inside your house and outside your house. Did it just stop working outside, or did something change? There are several solutions ranging from marginal to great.

Lets start with GREAT. Get your own domain name if you don't have one. They can cost $10-$30/year and once you get one its yours as long as you pay for it every year. I used GoDaddy.com but there is lots of choices. Goggle.com was good but it just got purchased, so I would stay away. I have my last name.com but got it years ago so couldn't do it today.

Step 2 is get a DDNS provider. This tracks your home IP address if it changes. Go into your Actiontec C100A because routers usually support several. Yours supports dyndns.com, but there are others. If you don't use the router one (dyndns.com) in your case, you can use any, but just run their app on a PC/Mac that is on most of the time. So the domain name they give you, will be set to your home IP address. If you have, say, Centrurylink, your IP address likely changes, but you need to get to your home ALL the time.

Next you need to find the PORT on your Omnipro2. Likely 4369 if you haven't changed it, which I WOULD recommend.

So for step 3 we put this together as to what you put in Snaplink to get home. Something like "tom.dyndns.com:4369" . If you get your own domain, it can be "tomsmith.com:4369" and for even more security something like "tomsmith.com:24369"

And wait, we haven't even gotten to port forwarding....

On your router, find the Port Forwarding screen. Select Manually enter IP address, and put in the IP address of your Omni. If you go to the keypad, you can find that. Maybe something like 192.168.1.102. For starting port and ending port enter 4369, or whatever you pick. On the next part, pick "All IP Addresses".

So this should get you started, but maybe easier to figure out why it DID work but now doesn't. In any case, this should work, both inside and outside IF your router supports a loopback feature. Otherwise it won't work inside, but we can cover that if it applies.

 

[Frunple]

Hello,
I have an Omnipro2 and have been using Snaplink the last 7 years. For my needs, while at home or away, it all works good. Recently I can't connect when "away". Local control continues to work well. I think perhaps the fellow who port forwarded my Omnipro2/router for me about 7 years ago isn't in business anymore. I'm thinking I need to get a new host name etc?? All the info on my snaplink app is correct for "Away", it just does't want to work in that mode. I accessed my router (Actiontec C1000A router) and can see where info has to be entered for port forwarding. I was wondering if anyone can walk me through the port forwarding steps?

Thanks for any info.

First thing to do is verify the port is forwarded correctly, and to the correct IP.
You don't say if anything (hardware) has been changed recently so chances are, your public IP changed and isn't pointing to your hostname anymore.
Go to https://www.yougetsignal.com/tools/open-ports/ and put in the port you use for the Omni, then click check. It'll tell you if it's open or closed.
Do this from your home and it'll fill in the IP automatically.
If it's open, then ping your hostname, the returned IP should be the same as the auto-filled in IP from that site.
If it's not, there's the problem.
Next steps depend on the results.

 

[sic0048]

Great advice so far!

I'll just add my standard answer that port forwarding is an extremely unsecure way of allowing outside access to your network. When you forward ports, your network is only as "secure" as the device/service that the data is being forwarded to. A single exploit in that device/firmware could allow complete and unrestricted access to your entire network. Personally I wouldn't want to bet my network's security on the ability of the IOT/network devices (including the OmniPro) to be exploit free.

The solution is to use a self hosted VPN. Then you'll only need to forward a single port to the VPN service which allows total access to all of your network devices (of course this can be limited in the VPN setup if needed) without forwarding any other ports through the firewall. The benefit to using a VPN is that typically a user must present a valid username and password in addition to a matching encryption key before any traffic is allowed on your network. It's this use of the encryption key that makes it much more secure than simply forwarding ports. Without the matching encryption key, no outside traffic is ever getting to the end devices which might have an exploit.

Now ultimately you are shifting the risk of an exploit from the IOT and other devices on your network (which are notoriously bad at network security) to the VPN service itself. That's not a 100% guarantee there will never be an exploit found, but the odds of the VPN service having an unpatched exploit is about 99.999% less than the other devices on your network. (I assure you there are 1000 times more security experts reviewing the VPN service's code for potential exploits than there are experts reviewing the code for the OmniPro or any other IOT device for potential exploits).

Odds are if you google "VPN" along with the model of your router/firewall, you will find a guide on how to set up a self hosted VPN service on your device.

PS - Self hosted means you set up the service on a device on your network (usually the firewall/router) and it is not the same as the paid/free VPN services you see advertised on the internet. Those services have two goals - to mask your data from your service provider and make it appear as if that data is originating from somewhere other than your physical location. A self hosted VPN service is designed to allow a secure and encrypted tunnel from your local network to remote devices (like your cell phone when you are away from the local network). As long as your device supports hosting a VPN, there is no cost to run this, although you will still need to use a DDNS service or have your own domain set up as the previous posts have mentioned.

 

[Banjo123]

So the trick with port forwarding is to have it work inside your house and outside your house. Did it just stop working outside, or did something change? There are several solutions ranging from marginal to great.

Lets start with GREAT. Get your own domain name if you don't have one. They can cost $10-$30/year and once you get one its yours as long as you pay for it every year. I used GoDaddy.com but there is lots of choices. Goggle.com was good but it just got purchased, so I would stay away. I have my last name.com but got it years ago so couldn't do it today.

Step 2 is get a DDNS provider. This tracks your home IP address if it changes. Go into your Actiontec C100A because routers usually support several. Yours supports dyndns.com, but there are others. If you don't use the router one (dyndns.com) in your case, you can use any, but just run their app on a PC/Mac that is on most of the time. So the domain name they give you, will be set to your home IP address. If you have, say, Centrurylink, your IP address likely changes, but you need to get to your home ALL the time.

Next you need to find the PORT on your Omnipro2. Likely 4369 if you haven't changed it, which I WOULD recommend.

So for step 3 we put this together as to what you put in Snaplink to get home. Something like "tom.dyndns.com:4369" . If you get your own domain, it can be "tomsmith.com:4369" and for even more security something like "tomsmith.com:24369"

And wait, we haven't even gotten to port forwarding....

On your router, find the Port Forwarding screen. Select Manually enter IP address, and put in the IP address of your Omni. If you go to the keypad, you can find that. Maybe something like 192.168.1.102. For starting port and ending port enter 4369, or whatever you pick. On the next part, pick "All IP Addresses".

So this should get you started, but maybe easier to figure out why it DID work but now doesn't. In any case, this should work, both inside and outside IF your router supports a loopback feature. Otherwise it won't work inside, but we can cover that if it applies.

Hey, thanks a lot! I'll get on this and see what happens. I think the problem is the domain name. It was provided by the Onmipro2 tech, but he's not around anymore and with that the domain name doesn't work out anymore (just a wild guess on that though.) I'll get back and with any questions I might have. Thanks again.

 

[Banjo123]

Great advice so far!

I'll just add my standard answer that port forwarding is an extremely unsecure way of allowing outside access to your network. When you forward ports, your network is only as "secure" as the device/service that the data is being forwarded to. A single exploit in that device/firmware could allow complete and unrestricted access to your entire network. Personally I wouldn't want to bet my network's security on the ability of the IOT/network devices (including the OmniPro) to be exploit free.

The solution is to use a self hosted VPN. Then you'll only need to forward a single port to the VPN service which allows total access to all of your network devices (of course this can be limited in the VPN setup if needed) without forwarding any other ports through the firewall. The benefit to using a VPN is that typically a user must present a valid username and password in addition to a matching encryption key before any traffic is allowed on your network. It's this use of the encryption key that makes it much more secure than simply forwarding ports. Without the matching encryption key, no outside traffic is ever getting to the end devices which might have an exploit.

Now ultimately you are shifting the risk of an exploit from the IOT and other devices on your network (which are notoriously bad at network security) to the VPN service itself. That's not a 100% guarantee there will never be an exploit found, but the odds of the VPN service having an unpatched exploit is about 99.999% less than the other devices on your network. (I assure you there are 1000 times more security experts reviewing the VPN service's code for potential exploits than there are experts reviewing the code for the OmniPro or any other IOT device for potential exploits).

Odds are if you google "VPN" along with the model of your router/firewall, you will find a guide on how to set up a self hosted VPN service on your device.

PS - Self hosted means you set up the service on a device on your network (usually the firewall/router) and it is not the same as the paid/free VPN services you see advertised on the internet. Those services have two goals - to mask your data from your service provider and make it appear as if that data is originating from somewhere other than your physical location. A self hosted VPN service is designed to allow a secure and encrypted tunnel from your local network to remote devices (like your cell phone when you are away from the local network). As long as your device supports hosting a VPN, there is no cost to run this, although you will still need to use a DDNS service or have your own domain set up as the previous posts have mentioned.

Thanks, good info.

 

[pete_c]

You can utilize your Internet IP address if it doesn't change too often. Mine has been the same now for years. That said I have used No-IP now for many many years.

Many / most of the newer firewall combo modems do include OpenVPN server and an easy peasey configuration of said VPN.

 

[ano]

I'll just add my standard answer that port forwarding is an extremely unsecure way of allowing outside access to your network.

Sometimes true, but I can assure you that the number of people that are attempting to break into your OmniPro II is no greater than zero. If someone should ever stumble on the Omni port they will have no idea what it is or how to break into it. I think your fooling yourself if you think hackers in Russia or China are attempting to break into your system.

I monitor every packet that reaches my house, and there might be 4 or 5 scans per hour, and in 10 years, nobody has even attempted to hit the Omni port twice in a row. Most scan are not hackers, but university projects mapping the internet.

 

[ano]

Here is what a few hours of these break-in attempts are. Not all of these are "hackers" many are scanners, which I don't allow either.

 

[sic0048]

Sometimes true,

Actually always true. Obscurity is not effective security IMHO. If an exploit was ever found (and that doesn't necessarily mean it would be publicly announced), it would be easy enough for hackers to scan for that specific device on the WWW and potentially find your forwarded port. Just because the "scanners" have been looking for other devices up to this point doesn't mean your device won't be found/exploited in the future.

Please understand that my posts are simply an effort to educate people. Most people honestly don't understand network security and therefore may be doing insecure things out of ignorance. Each person is 100% capable of making their own decisions and if someone wants to use port forwarding after understanding the implications of doing so, then they are free to do that without judgement from me. However if someone is using port forwarding simply because they don't understand the security risk, or understand what other options are available to them, then that is a situation where some education might change their method of opening up their system to the greater WWW.

 

[pete_c]

I have been using VPN to get to my home network for over 10 years now. Mostly because I want access to multiple servers that I tinker with.

The benefit for me is one VPN server configuration for all of my devices and not a per host configuration on my firewall. (currently using OpenVPN and IPSec VPN servers).

Relating to my OmniPro 2 panel it is very easy to get to via VPN whether using Windows, Linux or Android.