Accessing a Spider behind a router-firewall

How do I access a Spider that is on a private network behind a router?


Most modern LANs use private IP ranges that are not visible on the Internet.  This is due to the limited number of IPv4 addresses and the high cost of maintaining a block of public, registered IP addresses.

As a result, most LANs use NAT or Network Address Translation to access the Internet.  Simply put, NAT takes a request from a private IP address and substitutes a public IP address for its transport across the Internet.  When the response arrives, the original, private IP address is swapped back for its return to the requestor on the private LAN.

Because of this mechanism, the only IP address that is visible on the Internet is the public address on the Internet or WAN side of the router.  Since that address is not explicitly associated with a specific LAN IP address, and because private addresses are not directly routable to the Internet, the LAN IP addresses are effectively invisible to the Internet.

How do you access a device on the private LAN when there is a NAT router in between?

On most modern routers, there are a few functions that can achieve this.  They include Port Mapping or Forwarding, Virtual Server, and DMZ Host.

Port Mapping or Forwarding and Virtual Server are practically the same.  Some routers have both functions and it is often unclear what the difference is between them.  If only one exists on a router, it is usually Port Forwarding.  For this document, we will focus on Port Forwarding, as it is the most common and recommended method.

Port Forwarding allows you to choose an IP port on the WAN (Public) side of the connection and map it to an IP address and port on the LAN (Private) side.  Every IP address has 65,535 ports associated with it.  Each can be used for a connection or session.  While all ports can technically be used, the ports from 1-1024 are considered registered ports for well-known services, like FTP (21), SSH (22), telnet (23), SMTP (25), HTTP (80), and HTTPS (443).

On a Spider, among the connections that are supported are SSH (22), telnet (23), HTTP (80), and HTTPS (443).  Of these, HTTP and HTTPS are the ones you will want to have forwarded for connections to the web interface and KVM Console.  You can use one, the other, or both.

On a typical consumer or entry level business grade router, you will only have one public IP address and it will be a dynamically assigned address, meaning it can change periodically.  More on this later.

To map a port to a Spider, you need to determine where the Port Forwarding settings are on your router.  Most routers allow you to choose an outside (Public) port and an inside (Private) port that are different from each other.  This will be important if you plan on having more than one Spider on your network.

Once you find where to set up port mapping, you will need to choose an outside port.  If, for instance, you want to connect to port 443 on the Spider, you can choose port 443 as your outside port.  Make sure, however, it does not conflict with any remote management features on the router that may use port 443 to access the router from the Internet for management purposes.

Once you have entered an outside port, you will need to specify the IP address of the Spider on the inside network and the port to which you will connect (in this example, port 443).  Save the changes.

With the changes saved, you should be able to open a web browser to the Public IP address of the router (in the case of 443, you would use https:// in your address line) and it will forward the connection to the Spider.  You may not be able to do this from the same inside network as that on which the Spider resides, since most routers do not support hairpinning.  To test this, you would most likely have to do it from a location that is different from the Spider's.

What if I have more than one Spider?

If you only have one Public IP address, you will need to take advantage of the fact that most routers allow the inside and outside ports to be different.  Create another entry on your router's Port Forwarding table with a different outside port (4443, for instance).  Map that port to the IP address of your second Spider and port 4443.  

There are two caveats here. One is that you will need to tell your browser that you want to connect to a port that is not the default.  Normally, if you use https in your address, the browser assumes port 443.  Since your second Spider is mapped to an outside port of 4443, you need to make sure your browser knows this.  This is done by adding the port number to the end of the address using a colon (https://nnn.nnn.nnn.nnn:4443).

The second caveat is that the Spider does not know about the outside port number.  When it opens the KVM Console, it tells the browser to connect to the port it is listening on (80 and 443, by default).  If the outside port is different, for instance if you map 4443 on the outside to 443 on the Spider, the KVM Console connection will fail, since the Spider tells the KVM Console to connect to its own port (443).  So, you need to change the Spider's HTTP or HTTPS port number to match the outside port: if you are forwarding 4443 on the outside to a specific Spider's IP address, that Spider's HTTPS port needs to be set to 4443 as well.

What if my router does not allow me to specify inside ports that are different from the outside ports?

If your router requires the inside and outside ports to be the same, that actually fits the requirement above.  Because of the KVM Console behavior just described, the inside and outside ports need to match anyway.
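The rules from the two caveats above (outside port must equal the Spider's inside port, the Spider's own HTTPS port must be set to that same number, outside ports must not collide with each other or with the router's remote management port) can be checked before you touch the router.  The following script is an added example, not part of the original article or any Lantronix tool; the router management port, Spider addresses and forwarding entries are constructed sample values.

```python
# Added example: sanity-check a planned Port Forwarding table for one or
# more Spiders against the rules described in the article above.
from dataclasses import dataclass

# Assumed for this example: the router's own remote-management port.
ROUTER_MGMT_PORTS = {8080}


@dataclass
class Forward:
    outside_port: int  # WAN-side port opened on the router
    inside_ip: str     # Spider's LAN address
    inside_port: int   # port the Spider is listening on


def check_forwards(forwards, spider_https_ports, router_mgmt_ports=ROUTER_MGMT_PORTS):
    """Return a list of problems; an empty list means the plan is consistent.

    spider_https_ports maps each Spider's LAN IP to the HTTPS port
    configured on the Spider itself (443 unless it has been changed).
    """
    problems, seen_outside = [], set()
    for f in forwards:
        if not (1 <= f.outside_port <= 65535 and 1 <= f.inside_port <= 65535):
            problems.append(f"{f.inside_ip}: port out of range")
            continue
        if f.outside_port in seen_outside:
            problems.append(f"outside port {f.outside_port} is used twice")
        seen_outside.add(f.outside_port)
        if f.outside_port in router_mgmt_ports:
            problems.append(f"outside port {f.outside_port} conflicts with router management")
        # KVM Console caveat: the Spider tells the console to connect to the
        # port it listens on, so the outside and inside ports must match ...
        if f.outside_port != f.inside_port:
            problems.append(f"{f.inside_ip}: outside {f.outside_port} != inside "
                            f"{f.inside_port}; KVM Console will fail")
        # ... and the Spider's configured HTTPS port must be that same number.
        configured = spider_https_ports.get(f.inside_ip)
        if configured != f.inside_port:
            problems.append(f"{f.inside_ip}: Spider HTTPS port is {configured}, "
                            f"forward expects {f.inside_port}")
    return problems


def spider_url(host, outside_port):
    """Browser address for a forwarded Spider; https:// implies 443."""
    return f"https://{host}" if outside_port == 443 else f"https://{host}:{outside_port}"


# Constructed sample data: two correct Spiders plus one mis-mapped entry.
SAMPLE_FORWARDS = [
    Forward(443, "192.168.1.10", 443),    # first Spider, default port
    Forward(4443, "192.168.1.11", 4443),  # second Spider, moved to 4443
    Forward(8443, "192.168.1.12", 443),   # mistake: outside 8443 -> inside 443
]
SAMPLE_SPIDER_HTTPS = {"192.168.1.10": 443, "192.168.1.11": 4443, "192.168.1.12": 443}

if __name__ == "__main__":
    for p in check_forwards(SAMPLE_FORWARDS, SAMPLE_SPIDER_HTTPS):
        print("problem:", p)
    print(spider_url("myrouter123.webhop.org", 4443))
```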

How will I know my public IP address, especially if it is dynamic and changes?

Business Internet accounts often have at least one static IP address assigned to them that never changes.  On the other hand, most residential and many entry level business accounts use dynamic addresses that are randomly assigned from a pool at your Internet Service Provider.

This is a situation where it would be very helpful to get a router that has Dynamic DNS support.  With Dynamic DNS support, you can register a URL with a Dynamic DNS provider, like dyndns.org.  Once you do, you provide your router with the login for your Dynamic DNS account.  Every time your Public IP address changes, your router will log into your account and update the address with your Dynamic DNS provider.

In doing this, you can always access the Public IP address of your router using the URL you selected.  So, for instance, if you created a URL of "myrouter123.webhop.org", you could connect to your Spider at https://myrouter123.webhop.org or your second Spider (based on this example) at https://myrouter123.webhop.org:4443.

One reason that HTTPS was used in this example is that it is the recommended way of accessing the Spider over the Internet.  It is secure and encrypted, as opposed to HTTP, which passes over the network in the clear.

For more information on Port Forwarding and Dynamic DNS on your router, consult the documentation provided by its manufacturer.



[Originally Published On: 10/11/2011 10:25 AM]