Remote Access-M1Gold

[ifarrison]

Hello,

I am having an issue trying to access the M1 Gold remotely. I have worked with Elk TS but they are telling me that thye think my ISP is blocking port 80. The ISP says they are not.

I'm using Netgear WRN1000

My router is setup to port 2601, 21, 26 and 80 to the IP of the M1EXP. If I use a computer on my network and type in the URL, the M1EXP web page shows fine. As soon as I use a computer outside of my network, I get nothing. I have even tried to setup the M1EXP LAN IP in the DMZ to allow all ports to be forwarded with no success.



I read a post that "TXFlatlander" responded to.. almost identicle to my issue. The fix was to create another port and direct that one to Port 80.

HOW DOES ONE CREATE A PORT THEN REDIRECT IT? I can create it but, have no idea how to re direct it to port 80.

Any suggestions would be greatly appreciated!!!

 

[Kevin L]

Welcome to CocoonTech.

I don't have information on that router, but this website should be able to help: PortForward.com

HTH,

Kevin

 

[maknoll]

If I use a computer on my network and type in the URL, the M1EXP web page shows fine. As soon as I use a computer outside of my network, I get nothing.

Are you typing in the same url from both locations? You know you have an 'in-network' address and an 'out-of network' address, right?

 

[wuench]

If I use a computer on my network and type in the URL, the M1EXP web page shows fine. As soon as I use a computer outside of my network, I get nothing.

Are you typing in the same url from both locations? You know you have an 'in-network' address and an 'out-of network' address, right?

The Elk needs two ports to run ElkRM, they connect to 80 initially then run Java which connects to 2601. You don't want to forward 2601 to 80, you want to forward 2601 to 2601 on the Elk. Also, if it is like my Netgear you can't translate the port. You can only forward it. If you want to do port translation (or use other features) you could consider loading custom firmware like DDWRT.

Even if your ISP is not blocking port 80, they may be blocking 2601. Also, 2601 may be blocked outbound from whatever network you are doing this from (i.e. work). Most mid/large corporations and even a lot of public networks (like hotels, etc) only let 80/443 out by default.

It is also a really bad idea to open your Elk up directly to the internet like that. I would recommenced you consider setting up an SSLVPN on a machine at home and forward 443 to that. From there you should be able to access all the resources on your home network securely from anywhere with no worries of being blocked. Assuming your ISP allows 443 in.

 

[signal15]

Your router might not allow you to forward port 80 to an internal server. Since the web interface on your router probably runs on port 80, some routers won't let you forward it inside to another box. It's router dependent.

I wouldn't open it to the internet anyway. You should be using some sort of VPN. I can do a specially crafted google search and find all sorts of M1's exposed to the internet. Did these people change their default codes? Who knows. Could someone write a script to sit there and brute force it? Sure they could. In some other thread, I figured out how long it would take on average to brute force 4 and 6 digit codes. It's not long. Use a VPN.

 

[gatchel]

What I don't get is that you tried to use the DMZ with no success. I would try to get that working first. You should be able to put your public IP in and get access to anything on the DMZ.

 

[signal15]

What I don't get is that you tried to use the DMZ with no success. I would try to get that working first. You should be able to put your public IP in and get access to anything on the DMZ.

Most cheapy firewall/routers bind the webserver to port 80. If you have the box unchecked that allows access to the admin interface from the outside, they just put in an access-list that prevents someone from connecting to port 80 from the outside. It doesn't "unbind" the HTTP server from port 80. If you can change the admin port of your router to something other than 80, it might work fine.

 

[ifarrison]

If I use a computer on my network and type in the URL, the M1EXP web page shows fine. As soon as I use a computer outside of my network, I get nothing.

Are you typing in the same url from both locations? You know you have an 'in-network' address and an 'out-of network' address, right?

I believe I am.. I even had Tech support at ELK try it.I am assuming that they would know the difference. They concluded that either my ISP or or router was blocking.. Talked to both. niether is blocking.
PS. I have Panasonic BL-C111a that has port forwardig and that works just fine...(outside network)

 

[ifarrison]

If I use a computer on my network and type in the URL, the M1EXP web page shows fine. As soon as I use a computer outside of my network, I get nothing.

Are you typing in the same url from both locations? You know you have an 'in-network' address and an 'out-of network' address, right?

The Elk needs two ports to run ElkRM, they connect to 80 initially then run Java which connects to 2601. You don't want to forward 2601 to 80, you want to forward 2601 to 2601 on the Elk. Also, if it is like my Netgear you can't translate the port. You can only forward it. If you want to do port translation (or use other features) you could consider loading custom firmware like DDWRT.

Even if your ISP is not blocking port 80, they may be blocking 2601. Also, 2601 may be blocked outbound from whatever network you are doing this from (i.e. work). Most mid/large corporations and even a lot of public networks (like hotels, etc) only let 80/443 out by default.

It is also a really bad idea to open your Elk up directly to the internet like that. I would recommenced you consider setting up an SSLVPN on a machine at home and forward 443 to that. From there you should be able to access all the resources on your home network securely from anywhere with no worries of being blocked. Assuming your ISP allows 443 in.

I would love more info on the DDWRT...not sure what that is..ALSO, if I do a SSL VPN I'm asumming I would need a dedicated computer always running. I'm trying to cut down on that.. Apparently ELK M1G users are able to do this without all the mess I am having.. Maybe I just need to change my router.. Any ideas are greatly apreciated..

Also, could use some more understanding on SSLVPN (not sure how to implement it-even as backup if I get it running)

 

[wuench]

If I use a computer on my network and type in the URL, the M1EXP web page shows fine. As soon as I use a computer outside of my network, I get nothing.

Are you typing in the same url from both locations? You know you have an 'in-network' address and an 'out-of network' address, right?

The Elk needs two ports to run ElkRM, they connect to 80 initially then run Java which connects to 2601. You don't want to forward 2601 to 80, you want to forward 2601 to 2601 on the Elk. Also, if it is like my Netgear you can't translate the port. You can only forward it. If you want to do port translation (or use other features) you could consider loading custom firmware like DDWRT.

Even if your ISP is not blocking port 80, they may be blocking 2601. Also, 2601 may be blocked outbound from whatever network you are doing this from (i.e. work). Most mid/large corporations and even a lot of public networks (like hotels, etc) only let 80/443 out by default.

It is also a really bad idea to open your Elk up directly to the internet like that. I would recommenced you consider setting up an SSLVPN on a machine at home and forward 443 to that. From there you should be able to access all the resources on your home network securely from anywhere with no worries of being blocked. Assuming your ISP allows 443 in.

I would love more info on the DDWRT...not sure what that is..ALSO, if I do a SSL VPN I'm asumming I would need a dedicated computer always running. I'm trying to cut down on that.. Apparently ELK M1G users are able to do this without all the mess I am having.. Maybe I just need to change my router.. Any ideas are greatly apreciated..

Also, could use some more understanding on SSLVPN (not sure how to implement it-even as backup if I get it running)

DDWRT or OpenWRT are custom firmware you load that add a lot more functionality to your router based on Linux. The SSLVPN I use is SSLExplorer, it does run on a server. You would port forward HTTPS/443 to that machine. You open a browser to that machine, all encrypted, and it allows you to RDP, Telnet, Web, to machines on your network through the SSL which is encrypted. So all anyone knows on either end is you have an HTTPS connection, they can't see what you are running through that tunnel. HTTPS is almost always allowed out of a corporate network and usually allowed into home network.

 

[Ira]

I would love more info on the DDWRT...not sure what that is..ALSO, if I do a SSL VPN I'm asumming I would need a dedicated computer always running. I'm trying to cut down on that.. Apparently ELK M1G users are able to do this without all the mess I am having.. Maybe I just need to change my router.. Any ideas are greatly apreciated..

Also, could use some more understanding on SSLVPN (not sure how to implement it-even as backup if I get it running)

There are SSL VPN "appliances". Netgear has the FVS336G router which has both IPSec and SSL VPN server functions built in. It also has dual WAN ports and eight LAN ports (all gigabit speed) With one of these, you don't need a separate computer for SSL VPN (or IPSec VPN). I'm sure there are others.

To implement SSL VPN on the FVS336G, you set up a few options/definitions/users/passwords on the router to allow it to do SSL VPN. You don't need any software on the client side other than a browser. To make a SSL VPN connection from a remote client, you point the client's browser at you public/WAN IP address. When the router responds, it will ask for a user ID and password. That's all it takes.

Ira

 

[signal15]

I would love more info on the DDWRT...not sure what that is..ALSO, if I do a SSL VPN I'm asumming I would need a dedicated computer always running. I'm trying to cut down on that.. Apparently ELK M1G users are able to do this without all the mess I am having.. Maybe I just need to change my router.. Any ideas are greatly apreciated..

Also, could use some more understanding on SSLVPN (not sure how to implement it-even as backup if I get it running)

There are SSL VPN "appliances". Netgear has the FVS336G router which has both IPSec and SSL VPN server functions built in. It also has dual WAN ports and eight LAN ports (all gigabit speed) With one of these, you don't need a separate computer for SSL VPN (or IPSec VPN). I'm sure there are others.

To implement SSL VPN on the FVS336G, you set up a few options/definitions/users/passwords on the router to allow it to do SSL VPN. You don't need any software on the client side other than a browser. To make a SSL VPN connection from a remote client, you point the client's browser at you public/WAN IP address. When the router responds, it will ask for a user ID and password. That's all it takes.

Ira

That device may have gig interfaces on it, but according to the specs the maximum firewall throughput is only 60Mbit/sec. If you're using the internal ports as a switch, then you'll get gig speeds between internal machines only. Just wanted to throw that out there since 100+ meg service is available in some areas and this box would be a bottleneck.

 

[Ira]

That device may have gig interfaces on it, but according to the specs the maximum firewall throughput is only 60Mbit/sec. If you're using the internal ports as a switch, then you'll get gig speeds between internal machines only. Just wanted to throw that out there since 100+ meg service is available in some areas and this box would be a bottleneck.

That's how I'm using it. The best ISP service I can get is 6Mbit download speed on DSL. All of my LAN switches are gigabit speed.

Ira

 

[tmbrown97]

I can say I wasn't fond of the idea of opening my elk up to the world... I reluctantly eventually opened my secure port only and use eKeypad on my iPhone for any outside-the-house access - it requires only the secure port. I was really not impressed with the built-in web interface; I use ElkRMS and eKeypad all the time.

I helped another member do this same thing a few months ago... if you want to swing by the chat room someone could probably get you there faster as well. It can be confusing if you're not familiar with what you're doing; but some of us configure firewalls all the time so it goes quick.

 

[ifarrison]

I can say I wasn't fond of the idea of opening my elk up to the world... I reluctantly eventually opened my secure port only and use eKeypad on my iPhone for any outside-the-house access - it requires only the secure port. I was really not impressed with the built-in web interface; I use ElkRMS and eKeypad all the time.

I helped another member do this same thing a few months ago... if you want to swing by the chat room someone could probably get you there faster as well. It can be confusing if you're not familiar with what you're doing; but some of us configure firewalls all the time so it goes quick.

Todd, Actually My main point in doing this is to get it up on my iphone...
I just figutred if I couldn't get it working on a pc outside the house , I couldnt get ekeypad via iphone working as well and I didn;t want to pay for the app knowing my chances of it working being slim to none..

Would really apreciate your help..

Thanks,
S2b