GDavis01 Posted July 12, 2015 (edited)

I recently installed a new ISY994i at my cottage. My ISP changes my IP address often (daily or more!). I noticed that when I check the ISY (Help -> About -> Internet Access) the address is not updated! Why would this not happen automatically? Am I correct in assuming that if the ISY has not updated the IP address then accessing the ISY remotely would not work?

Edit: I'm using Firmware v.4.2.18

Edited July 12, 2015 by GMD99

larryllix Posted July 13, 2015

> I recently installed a new ISY994i at my cottage. My ISP changes my IP address often (daily or more!). I noticed that when I check the ISY (Help -> About -> Internet Access) the address is not updated! Why would this not happen automatically? Am I correct in assuming that if the ISY has not updated the IP address then accessing the ISY remotely would not work? Edit: I'm using Firmware v.4.2.18

There are two IP addresses involved that ISY may show. The ISY is issued an internal (to your LAN) address, usually 192.168.x.xxx, by your router or is statically assigned by you. Your router is assigned an external (to your LAN) IP address by your ISP.

How are you accessing your ISY remotely?

GDavis01 (Author) Posted July 13, 2015

Thanks for the reply.

On my home ISY the 'My URL' shows my internal IP address 10.0.x.xxx and the 'Internet Access' as Disabled. I am guessing that I disabled it at some point to get around the certificate messages I was getting! It doesn't appear that I need it. I currently use Mobilinc to access this network.

On my cottage ISY 'My URL' shows the current external WAN IP address http://xxx.xxx.xxx.xxx and 'Internet Access' shows an old external WAN IP address https://xxx.xxx.xxx.xxx

I have been trying to set up a DDNS service (No-IP) to access my cottage but accessing my network using the 'host' name has not been successful so far! (I suspect that I haven't mastered the port forwarding for this!!) However by logging in to my No-IP account, from my home, I am able to see the cottage's updated IP address, and then, using a browser, I can access the ISY with https://xxx.xxx.xxx.xxx:443.

Can I just disable the Internet Access like my home set up and still get remote access? Why does the cottage ISY show the external WAN IP address whereas my home ISY shows its internal IP address?

larryllix Posted July 13, 2015

> Thanks for the reply. On my home ISY the 'My URL' shows my internal IP address 10.0.x.xxx and the 'Internet Access' as Disabled. I am guessing that I disabled it at some point to get around the certificate messages I was getting! It doesn't appear that I need it. I currently use Mobilinc to access this network. On my cottage ISY 'My URL' shows the current external WAN IP address http://xxx.xxx.xxx.xxx and 'Internet Access' shows an old external WAN IP address https://xxx.xxx.xxx.xxx I have been trying to set up a DDNS service (No-IP) to access my cottage but accessing my network using the 'host' name has not been successful so far! (I suspect that I haven't mastered the port forwarding for this!!) However by logging in to my No-IP account, from my home, I am able to see the cottage's updated IP address, and then, using a browser, I can access the ISY with https://xxx.xxx.xxx.xxx:443. Can I just disable the Internet Access like my home set up and still get remote access? Why does the cottage ISY show the external WAN IP address whereas my home ISY shows its internal IP address?

One gotcha that gets many people. Make sure you use https from external access.

ISY does not support DDNS. Something has to send your WAN IP address to your DDNS service, on a regular basis, and that is usually your router or an app on a PC somewhere that knows your WAN IP address.

I assume you have a router that supports DDNS and of course that has to be set up, in your router, as well as the port forwarding, telling the router what port you want to access it with (defaults to 443 for https) and what internal IP address on your LAN (the ISY address = 10.0.xx.xx or 192.168.xx.xx) and port (defaults to 443 in ISY) you want it to convert it to.

For port forwarding, in my router, I use a 5 digit port number and convert it to my ISY port 443 and its LAN IP 192.168.0.xx.

I never accessed my router via an IP address from NO-IP. They provide you with a URL like mynetgear.GMD99.com so you would access your ISY with something like https://mynetgear.GMD99.com:45678.

I have a NetGear router with free DDNS service except that No-IP will spam you and when I really needed it they changed my URL name to my last name from my nickname. Being close to the equator, at that time, and living in Canada I was out of luck. Then after apparently not rescuing my account deletion every month by kissing the account each month, required somewhere about the 6 month mark, they just deleted my account. IOW: I will not rely on NO-IP for free DDNS again.

The ISY could have a better way but is not supported by UDI. May be completion for another program.
http://forum.universal-devices.com/topic/13900-use-of-sysextip-variable-in-notifications/?hl=extip

BTW: Android phones do not seem to have a method of viewing IP address information in SMS or email headers. *SIGH*. I resolved this by using about $20 worth of Internet access on a ship by emailing my ISP and explaining my predicament. They supplied me with my current home IP address and I stopped using DDNS. My IP has never changed since I have a long rental time, something uses it each day refreshing the timer, and the router is UPS backed up.

I believe the Internet Access in ISY is for external service access. Turn it off. Not related. I have never found information on this and not really sure what it does.

GDavis01 (Author) Posted July 13, 2015

I only use https to access the ISY.

The No-IP app sends the WAN IP address to No-IP and so I can find the address by logging into my No-IP account from anywhere. Since my ISP changes the IP address often I need the revised address to gain access to the ISY remotely. I would like to see if I can figure out how to run that app on a Raspberry so that I don't have to keep a computer running 24/7 at the cottage.

I have a new Asus router which I believe is supposed to handle No-IP but I simply haven't had the time at the cottage to play with it enough. I want to have a DDNS service because eventually I will want access to my IP cameras / NVR. For the time being I am testing out the access with the free version but I will probably end up with a headache-free (!!) pay version.

Interestingly I can access the ISY with the https://xxx.xxx.xxx.xxx:443 but not with https://mycottage.ddns.net:443 (the No-IP host name). Perhaps it's the way I have set it up on my router...

I will try to turn off the Internet Access and see if it impacts anything I do...

Any ideas on why the cottage ISY 'My URL' shows the current external WAN IP address whereas my home ISY shows the local address?

larryllix Posted July 13, 2015 (edited)

> I only use https to access the ISY. The No-IP app sends the WAN IP address to No-IP and so I can find the address by logging into my No-IP account from anywhere. Since my ISP changes the IP address often I need the revised address to gain access to the ISY remotely. I would like to see if I can figure out how to run that app on a Raspberry so that I don't have to keep a computer running 24/7 at the cottage. I have a new Asus router which I believe is supposed to handle No-IP but I simply haven't had the time at the cottage to play with it enough. I want to have a DDNS service because eventually I will want access to my IP cameras / NVR. For the time being I am testing out the access with the free version but I will probably end up with a headache-free (!!) pay version. Interestingly I can access the ISY with the https://xxx.xxx.xxx.xxx:443 but not with https://mycottage.ddns.net:443 (the No-IP host name). Perhaps it's the way I have set it up on my router... I will try to turn off the Internet Access and see if it impacts anything I do... Any ideas on why the cottage ISY 'My URL' shows the current external WAN IP address whereas my home ISY shows the local address?

Do you have uPnP turned on in your ISY? I believe that previously would grab the WAN IP and display it but it displayed both. See the linked thread where I posted a screen capture.

Edited July 13, 2015 by larryllix

GDavis01 (Author) Posted July 13, 2015

No I don't have uPnP turned on for either ISY.

I have now turned off the Internet Access for the Cottage ISY but still have the WAN IP address showing for My URL. It doesn't seem to be affecting anything so far...

stusviews Posted July 13, 2015

GMD99, where do the respective addresses show? At the ISY configuration page, at your browser address bar, someplace else?

GDavis01 (Author) Posted July 14, 2015

If I understand your question, I see the respective addresses when, on the Administrative Console, I go to Help --> About (as I explained in an earlier post).

On my cottage ISY 'My URL' shows the current external WAN IP address http://xxx.xxx.xxx.xxx and 'Internet Access' showed an old external WAN IP address https://xxx.xxx.xxx.xxx. I have now disabled the Internet Access so there is nothing there. However the WAN IP address continues to show under 'My URL'.

Whereas on my home ISY 'My URL' shows the local network address.

My understanding is that 'My URL' should show the LAN IP address as it does on my home ISY. I am just trying to understand why there is a difference.

Just a thought... given that I am accessing my cottage ISY remotely, is it possible that 'My URL' simply shows the address I am using for access? So if I logged on to the Cottage ISY, while at the cottage and through the cottage network, it would then show the local LAN IP address.

stusviews Posted July 14, 2015

> Just a thought... given that I am accessing my cottage ISY remotely, is it possible that 'My URL' simply shows the address I am using for access? So if I logged on to the Cottage ISY, while at the cottage and through the cottage network, it would then show the local LAN IP address.

That's correct. That's why I asked. Help, About shows how you are accessing the ISY.

larryllix Posted July 14, 2015

> I only use https to access the ISY. The No-IP app sends the WAN IP address to No-IP and so I can find the address by logging into my No-IP account from anywhere. Since my ISP changes the IP address often I need the revised address to gain access to the ISY remotely. I would like to see if I can figure out how to run that app on a Raspberry so that I don't have to keep a computer running 24/7 at the cottage. I have a new Asus router which I believe is supposed to handle No-IP but I simply haven't had the time at the cottage to play with it enough. I want to have a DDNS service because eventually I will want access to my IP cameras / NVR. For the time being I am testing out the access with the free version but I will probably end up with a headache-free (!!) pay version. Interestingly I can access the ISY with the https://xxx.xxx.xxx.xxx:443 but not with https://mycottage.ddns.net:443 (the No-IP host name). Perhaps it's the way I have set it up on my router... I will try to turn off the Internet Access and see if it impacts anything I do... Any ideas on why the cottage ISY 'My URL' shows the current external WAN IP address whereas my home ISY shows the local address?

Are you sure you are spelling the URL correctly? e.g. .org or .com instead of .net?

It seems the DDNS service is the problem if direct access via your router works OK.

GDavis01 (Author) Posted July 14, 2015

Yes I was spelling the URL correctly. In fact, I was just copying and pasting from the No-IP site.

My problem was the way I had set up the host within No-IP. I originally selected the Host Type as Port 80 Redirect whereas I believe that I should have selected DNS Host (A). I changed the Host Type to DNS Host (A) and now when I enter mycottage.ddns.net (not the real host name!) I can log in to the ISY.

When I look at 'My URL' (Help -> About) it shows "http://mycottage.ddns.net". So I realize now that I should always use the syntax https://mycottage.ddns.net:443 when I log in.

Am I correct in assuming that if my router does support DDNS and specifically No-IP then I would not need to have the No-IP app running on a computer 24/7 updating the WAN IP address every 5 minutes?

> For port forwarding, in my router, I use a 5 digit port number and convert it to my ISY port 443 and its LAN IP 192.168.0.xx.

So if I understand correctly, you do not keep port 443 open to the outside but instead have a 5 digit port open which is routed internally to 443... right?

Teken Posted July 14, 2015

If your router supports No-IP you will simply use it from there, no computer application required. Keep in mind all DDNS services prohibit excessive polling (keep alive) pings to something like once every X hours. Paid services allow shorter polling intervals.

BTW: Asus offers their own DDNS service so you won't have to pay or use that sh^t No-IP service.

Ideals are peaceful - History is violent

larryllix Posted July 14, 2015

> .... Am I correct in assuming that if my router does support DDNS and specifically No-IP then I would not need to have the No-IP app running on a computer 24/7 updating the WAN IP address every 5 minutes? So if I understand correctly, you do not keep port 443 open to the outside but instead have a 5 digit port open which is routed internally to 443... right?

Correct and correct.

Some ISPs may not pass certain ports also due to hacking frequency. Makes no sense to me. Port numbers don't stop hacking but perhaps the standard protocols used for each port may encourage it.

larryllix Posted July 14, 2015

> ... BTW: Asus offers their own DDNS service so you won't have to pay or use that sh^t No-IP service.

Yeah, so does NetGear routers (now through No-IP), except that after a few months they decide you should pay for the free DDNS service and then the games begin.

Maybe I need to harp on Netgear to honour their advertising??

larryllix Posted July 14, 2015

> ... When I look at 'My URL' (Help -> About) it shows "http://mycottage.ddns.net". So I realize now that I should always use the syntax https://mycottage.ddns.net:443 when I log in.

Are you indicating that ISY knows the URL supplied by your DDNS service? I don't know how that could even be possible.

Port 80 is not a secure protocol and uses http:
Port 443 is a more secure protocol and uses https

GDavis01 (Author) Posted July 14, 2015

> Are you indicating that ISY knows the URL supplied by your DDNS service?

As I understand it, when I look at 'My URL' (Help -> About) it shows the manner by which I accessed the system. When I access it locally it shows the LAN IP address but when I access it remotely it shows the URL I used to access it.

I too am surprised that the ISY would be able to see the No-IP Host name... is it possible that the ISY is simply showing a field that is picked up from the computer I am using to access the system?

GDavis01 (Author) Posted July 14, 2015

> BTW: Asus offers their own DDNS service so you won't have to pay or use that sh^t No-IP service

Yes, thanks, I saw that. I had a quick look at it and it felt like I was going to have to bare my soul to them in order to set it up! I generally am very distrustful of cloud services, so I try to avoid them when possible.

However I will admit that it was only a 5 minute look at their offer... I will look closer when I have the time.

stusviews Posted July 14, 2015

> Are you indicating that ISY knows the URL supplied by your DDNS service? I don't know how that could even be possible.

When I log in using a DynDNS account, the ISY correctly shows my DDNS address.

MFBra Posted July 15, 2015

Hi,

Sorry it may be a long post. Just returning something I've been learning here....

I've been using a VPN to promote external access to my ISY, but it doesn't work pretty well in some places where I typically stay (i.e. firewall from my office) so I decided to open it to the external world, but this could create a WAF problem if any hacking activity takes place.... not sure if I'm being so paranoid but decided to take the script from this post http://forum.universal-devices.com/topic/9172-howto-proximity-notification-wifi-phone-ipad-laptop which detects wifi presence and after some tweak I could create a rule to open external access to my ISY only when I'm not at home and only to the typical external IPs/CIDRs I frequently get, so I reduce dramatically the probability of WAF risks...

The script I'm using in my router to open the external access is the following, if it may help someone.

    #!/bin/sh
    ISY_Addr=xxx.xxx.xxx.xxx
    Int_Port=<your internal port>
    Ext_Port=<your external port>
    cmd="-I"  # (-I means to include, if you want to delete replace to -D)
    exists=$( iptables -vnL | grep -c "$ISY_Addr" )  # Variable to check if the rule is already in place
    if [ "$exists" -eq 0 ]; then
        iptables -t nat $cmd PREROUTING -p tcp --dport $Ext_Port -j DNAT --to $ISY_Addr:$Int_Port  # create the port forwarding
        while read line
        do
            iptables $cmd FORWARD -p tcp -d $ISY_Addr --dport $Int_Port -j ACCEPT -s "$line"  # authorize the external access
        done < IPs_to_open.txt  # one source ip or ip range (CIDR) per line to authorize access i.e. 14.3.2.1 or 45.6.0.0/14
    fi

and an almost identical one to remove the access when I'm at home

    #!/bin/sh
    ISY_Addr=xxx.xxx.xxx.xxx
    Int_Port=<your internal port>
    Ext_Port=<your external port>
    cmd="-D"  # (-I means to include, if you want to delete replace to -D)
    exists=$( iptables -vnL | grep -c "$ISY_Addr" )  # Variable to check if the rule is already in place
    if [ "$exists" -gt 0 ]; then
        iptables -t nat $cmd PREROUTING -p tcp --dport $Ext_Port -j DNAT --to $ISY_Addr:$Int_Port
        while read line
        do
            iptables $cmd FORWARD -p tcp -d $ISY_Addr --dport $Int_Port -j ACCEPT -s "$line"
        done < IPs_to_open.txt  # one source ip or ip range (CIDR) per line to remove access i.e. 14.3.2.1 or 45.6.0.0/14
    fi

My next step is to be even more strict and instead of using typical IPs I'll move to Dynamic DNS to identify my iPhone's or computer's current IP address and release only one IP... so much paranoia?

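Added example, not part of MFBra's post or scripts: the loops above hand every line of IPs_to_open.txt to iptables unchecked, so an over-broad entry such as 0.0.0.0/0 would admit every source address. The script below validates each entry and prints the FORWARD rules as a dry run; the MIN_PREFIX limit, the sample addresses and the function names valid_source and emit_rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not MFBra's script: check allowlist entries before building rules.
# Variable names follow the post; every value below is constructed.
ISY_Addr=192.168.0.50          # constructed LAN address of the ISY
Int_Port=443                   # ISY HTTPS port, as in the thread
MIN_PREFIX=${MIN_PREFIX:-8}    # assumption: refuse ranges broader than a /8

# valid_source ENTRY: succeed only for a dotted-quad IPv4 address or CIDR
# whose prefix length lies between MIN_PREFIX and 32.
valid_source() {
    src=$1
    case $src in
        */*) addr=${src%/*}; prefix=${src#*/} ;;
        *)   addr=$src; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ] || return 1
    # Only digits and dots, no empty octets.
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr                # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit_rules ACTION FILE: print one iptables command per valid entry (dry run),
# report rejected entries on stderr, return 1 if anything was rejected.
emit_rules() {
    action=$1 file=$2 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF files
        case $line in ''|'#'*) continue ;; esac        # skip blanks and comments
        if valid_source "$line"; then
            printf 'iptables %s FORWARD -p tcp -s %s -d %s --dport %s -j ACCEPT\n' \
                "$action" "$line" "$ISY_Addr" "$Int_Port"
        else
            printf 'rejected allowlist entry: %s\n' "$line" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# Constructed sample allowlist (documentation ranges, not real sources).
sample=$(mktemp)
cat > "$sample" <<'EOF'
203.0.113.7
198.51.100.0/24
0.0.0.0/0
203.0.113.300
EOF
emit_rules -I "$sample" || echo "allowlist contains rejected entries" >&2
rm -f "$sample"
```

The source-restricted ACCEPT rules only limit access if the FORWARD chain otherwise drops traffic to the ISY, for example through a DROP policy.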
MFBra Posted July 15, 2015

> Yeah, so does NetGear routers (now through No-IP), except that after a few months they decide you should pay for the free DDNS service and then the games begin. Maybe I need to harp on Netgear to honour their advertising??

In my research of Dynamic DNS I noticed that at least FreeDNS offers a way to update the current IP via a wget command, so it may be possible to create a network resource and update your IP from ISY... they offer this method to update:

    wget -q --read-timeout=0.0 --waitretry=5 --tries=400 --background http://freedns.afraid.org/dynamic/update.php?alsdkjfqoweruoqpweurqweourqopwu  #changed the final string just for this example

larryllix Posted July 15, 2015 (edited)

> In my research of Dynamic DNS I noticed that at least FreeDNS offers a way to update the current IP via a wget command, so it may be possible to create a network resource and update your IP from ISY... they offer this method to update: wget -q --read-timeout=0.0 --waitretry=5 --tries=400 --background http://freedns.afraid.org/dynamic/update.php?alsdkjfqoweruoqpweurqweourqopwu #changed the final string just for this example

Thanks. Isn't wget a linux shell command? I doubt ISY is going to run it. ISY resources don't run code.

Edited July 15, 2015 by larryllix

MFBra Posted July 15, 2015

> Thanks. Isn't wget a linux shell command? I doubt ISY is going to run it. ISY resources don't run code.

Yes, it is available in linux/windows but my idea is to reproduce the "get" to that specific URL in a network resource. Don't you believe it may work?

MFBra

larryllix Posted July 15, 2015

> Yes, it is available in linux/windows but my idea is to reproduce the "get" to that specific URL in a network resource. Don't you believe it may work? MFBra

While not being that familiar with the Network resources, AFAIK they cannot run lines of code, but you are suggesting there may be an equivalent GET command that generates the same network string. Sounds very promising.

Do you understand the protocol structure generated from the wget command syntax?

MFBra Posted July 15, 2015

> While not being that familiar with the Network resources, AFAIK they cannot run lines of code, but you are suggesting there may be an equivalent GET command that generates the same network string. Sounds very promising. Do you understand the protocol structure generated from the wget command syntax?

Just tested and worked. Pretty simple network resource. Http / GET / URL ENCODED / standard time-out.

MF_Bra