
Remote access - Airport Extreme



Hi again everyone-

 

Ok, with some IP conflict stuff (mostly) resolved, back to getting the system "where it was" with our old Cisco router... was connected to our ISY as well as a separately controlled IP camera.

 

No issues before. Also, Cisco interface was pretty straightforward, at least, once I learned to use it.

 

So: Airport Extreme set up now, and I can't seem to get to the point where I'm prompted for a name/password when trying to reach remotely.

 

I'm not sure if the AE works differently from our Cisco router in terms of remote connection.

 

Searched around but haven't found the answer (yet). I have tried changing some ports and things around, but didn't want to do too much in fear of messing some stuff up.

 

Any suggestions where to start?

 

TIA

Andrew

Link to comment

From a technical and security standpoint, if you require access remotely to a network, a VPN connection is the preferred method. If you wish to open a port in the router to access the same, that is a compromise and is fine.

 

So long as you understand the risks vs rewards and have secondary measures in place like a solid hardware appliance firewall. Your first task is to determine what your public IP is using any of the free online tools. You will need to really confirm if your WAN address is static or not.

 

If your service does not offer a static IP address and it dynamically changes, either from the ISP at random times or where hardware is replaced / hard reset, the best approach is to use the router's DNS hosting or use any of the free / paid DNS providers so you can simply use a friendly name instead of an IP address.

 

Having said all of that what port(s) are you forwarding to be seen outside the LAN? Also, have you confirmed the port(s) you're using are indeed open and not in conflict with any other known service ports used in existing hardware / global services?

 

It goes without saying you also need to confirm with your ISP as to blocked ports. If you do a quick Google search you will find a list of known ports and ports to avoid using to ensure no conflicts.

Link to comment

Hi there -

 

And thanks as always for the fast response.

 

Looking for remote access to the ISY for lighting and separately, using an app, cameras (not via ISY)

 

I believe I set both the ISY and camera to static IPs last time, but everything has worked for so long I forgot. I don't do this much (obviously...)

 

I tried 80, 90, and 443.

 

Have not confirmed whether they're truly available or not, as I don't know how to do that.

 

Really wish there was a flowchart for this stuff...

 

 

 

Andrew

Link to comment

Honestly, for ISY, it is better to just get a Portal subscription. Is there some reason you'd rather not? With a Portal subscription, you can just skip all this nonsense, though it won't help with your camera. :(

 

Otherwise, you FIRST need to get the ISY on a fixed address on your network. There are two ways to do this, one that I recommend, and one that I do not, and neither of them is going to be easy to set-up. 

 

1. Static address set-up in the device configuration. You also have to exclude this address from your router's DHCP pool. Almost certain to get you in trouble. NOT RECOMMENDED.

 

2. DHCP fixed reservation. You set-up the router to always give the same IP address to some specific device(s). Again, you need to exclude this address(s) from the DHCP pool.

 

THEN, you have to decide how you will provide remote access:

 

1. VPN - will give you remote access to your ENTIRE home network. Requires setup on both your router and remote computer(s), phone(s), tablet(s).

 

2. Port-forwarding. You set-up the router to forward a port from your public Internet address to the ISY. DO NOT use HTTP! DO NOT use port 80! Use SSL only, for security reasons.

 

And in EITHER case, you also will need to arrange to have a domain name with a dynamically-updated IP address. You can do this with a free service, and your router can (probably) update the service. (My ASIS can, don't know about Airport Extreme.)

 

You are many complicated steps away from getting this to work. How about that Portal subscription? ;)

 

Alternately, you might employ the services of a local technician. That will be fun finding a good one. Too bad Apple Genii don't make house calls.

Link to comment

Let's keep this simple so you can get up and running without too much hassle.

 

1. Log in to the ISY Series Controller and confirm if it's using a static IP address or DHCP. Write this down in case something goes wrong in this process.

 

2. As noted up above the ideal method is to use MAC address reservation in the router. Using this method ensures a few things which are: Same IP address is handed out to the network appliance, Any network changes that may happen will be pushed to all hardware devices set to DHCP mode.

 

If you have the ISY set to a fixed IP right now you can leave it as that for now and consider doing step two later. As you probably noted, using a fixed IP can and will cause an IP conflict, which you surely know now. Unless you are regimented enough to track and document all network changes which is industry best practices along with defining a subset of IP ranges for various appliances.

 

Defining a subset of IP ranges will ensure you always know *At a glance* what an item is when you scan it.

 

3. Assuming a static IP / reserved MAC address is now in place forward port 443 in the router that is assigned to the applicable IP address for the ISY. You will probably be asked to reboot the AE once or more than once if so do so.

 

4. When you use a web browser to find the ISY you will of course use the Public IP (WAN) address and the port you just assigned. For example your public IP is https://205.22.140.10:443 <- this is how it will be entered keeping in mind the HTTPS:// portion and the 443 at the end.

 

Done . . .

Link to comment
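An added example, not part of any post in this thread: one way to confirm that the forward from steps 3 and 4 answers, and answers with TLS rather than plain HTTP. Run it from outside the LAN (for instance over a phone hotspot); the host `192.0.2.10` is a documentation placeholder for your own public address, and the function names are hypothetical.

```python
import socket
import ssl

def probe_port(host, port, timeout=3.0):
    """Classify one TCP port as 'closed', 'open-no-tls' or 'open-tls'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, filtered by the router or ISP, or host unreachable.
        return "closed"
    # Reachability probe only: certificate checks are switched off so a
    # self-signed device certificate still counts as TLS. This does NOT
    # authenticate the device on the other end.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock):
            return "open-tls"
    except OSError:
        # Covers ssl.SSLError, resets and handshake timeouts: something
        # accepted the connection but no TLS handshake completed. A device
        # that only offers legacy TLS versions can also land here.
        return "open-no-tls"
    finally:
        sock.close()

ADVICE = {
    "closed": "not reachable: check the forward, the device address and ISP blocking",
    "open-no-tls": "reachable without encryption: do not expose this port",
    "open-tls": "reachable over TLS",
}

def advice(state):
    """Map a probe result to the action the thread recommends."""
    return ADVICE[state]

if __name__ == "__main__":
    import sys
    # Placeholder address (TEST-NET-1); pass your own public IP or DDNS name.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    for port in (80, 443):
        state = probe_port(host, port)
        print(port, state, "-", advice(state))
```

A result of `open-tls` only shows that the port is reachable and encrypted; the login prompt and certificate still need to be checked in the browser.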

One thing that will be useful will be to know what addresses your router is using for DHCP.

 

You will probably get more help from some Apple forum, where there will be people expert in setting-up Airport Extreme.

 

I found this tutorial on setting-up DHCP reservations that may help. It's not quite right for ISY, as it talks about setting up a reservation for a MacBook on Wifi. But you will get the gist, and it will help you navigate the Airport settings.

 

I am GUESSING from this, that the default DHCP pool on AE is 10.0.1.2 to 10.0.1.200. That means you have 10.0.1.201 through 10.0.1.254 to use for either fixed addresses or DHCP reservations. Anything you set-up in the latter range, either by the not-recommended fixed-address-set-up-in-device-settings method, or DHCP reservation method, will not conflict with dynamic addresses handed out by DHCP.

 

You can get the MAC address of the ISY easily from the console, though it's a bit "disguised". Just go to Help > About, and look for UUID. It's the same as the MAC address.

 

http://www.macinstruct.com/node/553

 

If you can successfully set a reservation for the ISY, then at least you've completed Step 1. You will eventually need to do similar for your camera.

 

You will have to reboot the ISY, and MAY have to reboot the AE. (Probably not the AE, though, but won't hurt!)

Link to comment
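An added example, not part of any post in this thread: a check of a fixed-address plan against the DHCP pool guessed above. The pool of 10.0.1.2 to 10.0.1.200 is the poster's guess; the /24 subnet, the router at 10.0.1.1, the device names and the planned addresses are assumptions constructed for illustration.

```python
import ipaddress

def check_fixed_addresses(subnet, router, pool_start, pool_end, planned):
    """Return {device: [problems]} for each planned fixed or reserved address."""
    net = ipaddress.ip_network(subnet)
    router_ip = ipaddress.ip_address(router)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    seen = {}      # address -> first device that claimed it
    report = {}
    for device, addr in planned.items():
        ip = ipaddress.ip_address(addr)
        problems = []
        if ip not in net:
            problems.append("outside LAN subnet")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append("network or broadcast address")
        if ip == router_ip:
            problems.append("same as router")
        if lo <= ip <= hi:
            # The thread's advice: keep fixed addresses out of the pool.
            problems.append("inside DHCP pool")
        if ip in seen:
            problems.append(f"duplicate of {seen[ip]}")
        else:
            seen[ip] = device
        report[device] = problems
    return report

def usable_outside_pool(subnet, router, pool_start, pool_end):
    """First and last host address that is neither the router nor in the pool."""
    net = ipaddress.ip_network(subnet)
    router_ip = ipaddress.ip_address(router)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    free = [h for h in net.hosts() if h != router_ip and not lo <= h <= hi]
    return (str(free[0]), str(free[-1])) if free else None

# Constructed plan: one good address and three typical mistakes.
PLAN = {
    "ISY": "10.0.1.201",
    "camera": "10.0.1.150",         # falls inside the guessed pool
    "old-camera": "192.168.1.50",   # left over from the previous router
    "spare": "10.0.1.201",          # same address as the ISY
}
LAN = ("10.0.1.0/24", "10.0.1.1", "10.0.1.2", "10.0.1.200")

if __name__ == "__main__":
    print("free range:", usable_outside_pool(*LAN))
    for device, problems in check_fixed_addresses(*LAN, PLAN).items():
        print(device, "->", problems or "ok")
```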

And, alas, the page I linked to above seems WRONG to me, but perhaps AE works differently than most routers. Normally, you need to make reservations OUTSIDE of the DHCP pool. But that tutorial shows using an address from within the pool. Maybe AE "works different".

 

I looked at some other tutorials, but think they would be confusing, as many have reconfigured address ranges from the default of 10.0.1.0 ... 10.0.1.255.

 

Best to find a forum that deals specifically with AE!

Link to comment

It must be an ISY issue since he posted for help on the help for ISY.

 

Otherwise he surely would have posted on an appropriate support forum.

 

 

Well, I seem to recall the original goal was to get the ISY communicating again after replacing his router.

 

Draining swamp. Alligators. Priorities change.

Link to comment

Thanks-

 

Actually, it's using an IP starting with 73, according to the Airport Utility. I can't help but wonder if that has something to do with it.

 

IIRC my old router did use 192.

 

 

The Airport is likely using 192.168.1.x. I've got one, it works fine. Kinda sucks they've stripped out some useful power features lately, but it does what most people need. I've got port 80 and 443 directed to my Pi server.

Link to comment

Thanks-

 

Actually, it's using an IP starting with 73, according to the Airport Utility. I can't help but wonder if that has something to do with it.

 

 

 

No.

 

That's the PUBLIC IP address of your router on the cable modem/internet side. And, given that, I can tell that you have Comcast. My condolences. :(

 

    http://ipv4info.com/subblocks/s1344c7/73.0.0.0-73.255.255.255.html

 

We've already established that your LAN uses the 10.0.1.0/255 subnet (that's a way of saying "from 10.0.1.1 to 10.0.1.254") and that your router itself uses 10.0.1.1 on the LAN side.

 

Your old router used 192.168.1.0/255 subnet with the router at 192.168.1.1.

 

While Apple may have used 192.168.1.0/255 in the past, currently their routers default to 10.0.1.0/255.  As well, others may have changed the subnet of their Apple routers, nothing stops you from doing that. (But probably no good reason to do so at this point, it will only complicate things even further.)

 

192.168.1.0/255 is by far the most common subnet used by home routers. Apple likes to "think different".

 

The public, 73... address of your cable modem WILL CHANGE OVER TIME. You cannot rely on it. That's why you will need to use a DDNS (Dynamic DNS Service) which will tie your CURRENT public IP address to a domain name.  

 

bilderb wrote:

 

I've got port 80 and 443 directed to my Pi server. 

 

 

Eek! Port 80. Hope you don't mind sharing your password with the barista at Starbucks!

 

-----

The average person will have great difficulty figuring all this stuff out. And it is about to get even more complicated, due to the rollout of IPV6. It turns everything on its head, as all IPV6 addresses are routed. That is, IPV6 addresses are ALL "public". No NAT with IPV6, no "private" addresses, no port-forwarding.

 

The complication and technical gibberish are why "portal" services that reverse-proxy IOT devices are so popular. You don't have to worry about any of this stuff.

 

Sure you don't just want to get a Portal subscription? Any reason you prefer not to? Only good reason I can think of is if you are a Mobilinc app user and want to use their portal. (Only one portal per ISY.)

Link to comment

Hi-

 

Yes, I thought we were talking about the public address... Comcast has been pretty good for us, though. 

 

Port 80.... well, I'd change this as I did last time, but had no reason to jump ahead as nothing's working yet! :)

 

The Airport is a lot different than the Cisco & its control panel (which was pretty nice, or, at least, I knew how to use it... better...)

 

Nothing against portal services, as 1) I don't know what they are, and 2) if they take away complications, I'll look into it. That said, without knowing how they work, it seems like a potential security hole. Not sure... can you send a link?

 

cheers

Andrew

 


Link to comment

 

Nothing against portal services, as 1) I don't know what they are, and 2) if they take away complications, I'll look into it. That said, without knowing how they work, it seems like a potential security hole. Not sure... can you send a link?

 

 

IMO, it is less of a security risk than hacking your own way to access it, and then naively making mistakes like using HTTP/port 80 (not secure - NO encryption).

 

Here's a brief review, it's a bit old (it hails for when the Portal was in beta), but clear and succinct:

 

  http://homeautomationguru.com/isy-portal-first-look/

 

The brief ISY Wiki section describing the Portal:

 

https://wiki.universal-devices.com/index.php?title=Main_Page#ISY_Portal.2FAmazon_Echo.2FIFTTT

 

Just ONE of the services that the portal offers is the ability to easily reach your ISY console from anywhere, with no network configuration needed. It also provides integrations with third-party services, such as IFTTT and Amazon Echo.

 

There's a forum section here for ISY portal:

 

  http://forum.universal-devices.com/forum/98-isy-portal/

 

A portal subscription is $49 for two years of service. It also INCLUDES the Network module. If you already bought the Network module within the past two years, you can request a 1 or 2 years extension of your portal subscription as compensation.

Link to comment

Well... gotta say, the portal is intriguing. This works around a provider reassigning an IP? (I believe mine, from Comcast, is not.) 

 

Just looked at those links briefly and I'm having a hard time finding interface / setup (not installation) examples... where am I missing these?

Also, I assume the module is electronic, e.g. activated when ordered?

Good stuff... thanks.

That said, believe it or not (and I'm sure you will) I am more concerned with reaching my camera remotely as I already know I can trust the ISY to function properly without much supervision :)

Link to comment

 

 

Just looked at those links briefly and I'm having a hard time finding interface / setup (not installation) examples... where am I missing these?

 

Also, I assume the module is electronic, e.g. activated when ordered?

 

 

There isn't any setup. None needed. There isn't anything to configure, unless you mean setting-up IFTTT or Echo.

 

Yes, the module is electronic, activated when ordered. Like all ISY modules.

 

If you already purchased the Network module, credit for your previous purchase is manual. You have to email UDI with your UUID.

 

As far as your camera goes many cameras are able to use a (camera) portal service. The manufacturer will often provide one. Comcast will be more than happy to sell you one, and their service. ;) Don't have a camera so don't know much about it. Though I used to (many years ago) operate the San Diego Baycam, one of the first outdoor public cams. Was an old-school Panasonic motion-JPEG camera with PTZ. Users could PTZ. I wrote software to convert the motion-JPEG to old-school Netscape server-push, and server software to allow multiple users to view. Alas, I don't have that view any more. :(

 

I trust UDI with the Portal.

 

I'm not so sure I'd trust the camera portals. It's a lose-lose situation with cameras, as on one side, misconfiguration of port-forwarded cameras is widespread, and probably millions of cameras can be watched by the public with no security unbeknownst to the owners. On the other hand, not sure I'd trust any portal service for a camera, depending on sensitivity of the view.

 

Insecure cameras played a part in last week's huge DDOS attack. They were misused to direct traffic to the target, overwhelming their network.

Link to comment

Sorry, I misspoke! I have the portal, but don't really use it much. I set up some IFTTT then kinda forgot about it...

 

There IS some setup if you want to access the console:

 

    http://forum.universal-devices.com/topic/18727-using-portal-to-remotely-access-admin-console-doesnt-work-for-me/

 

You use the actual admin console Java applet. It just connects remotely. So, nothing is different about the UI.

 

You can access the ISY WEB interface directly from the portal website. (my.isy.io)

 

There isn't much to the portal website. Frankly, it's a bit ugly right now, IMO. 

 

Tabs at the top for ISY, Users, and Account. Users and Account aren't of much interest to most people. You can set-up multiple users, each with their own password.

 

Click on ISY tab, and you get to the meat of it, which, again, is not much. A drop-down from which you select a tool.

 

Web Access gives you the ISY's web interface.

 

Connectivity has a submenu for IFTTT and Amazon Echo, where you can set up integration with IFTTT and Echo. More will likely follow.

 

You can view the logs, update firmware, or reboot, without having to mess with either the console or ISY web interface. Handy for installers!

 

That's it. Just not much to it.

 

Sure you can find some screen shots on the Portal section of the forums.

Link to comment

All good!

Michel helped out with some IP weirdness- it may have changed in the middle of support - but working now, and onto getting a static IP set up.

jtara, thanks -  first I'm hearing of IFTTT. Looks intriguing. 

 

I'm able to get to the ISY's web control interface, but not programming.

 

I'll look into it more!

 

cheers all

Andrew

Link to comment


 

 

Like I said, your public IP address WILL change periodically. Odd that it happened to change during a support session, as typically, ISPs will only change it say every 24 hours. Just happened to be THAT time, I guess!

 

Since you CANNOT rely on the public IP address to stay the same, you will NEED a DDNS (dynamic DNS) service. There are many, they are all either free or cheap.

 

Ironically, I use Dyn. They are the company that suffered the huge DDOS attack last week. They have grown from a small company offering DDNS services for individuals who needed a way to attach a domain name to the changing IP address of their home router, to a company that provides primary DNS service to many of the biggest companies.

 

Although, I use Dyn, not sure I'd recommend them, after last week! I think I have some kind of grandfathered account...

 

https://en.wikipedia.org/wiki/Dynamic_DNS

 

Here's a little review of 5. I don't know much about the other companies. I know that no-ip is popular. Maybe others will chime in with which one they use.

Link to comment

Archived

This topic is now archived and is closed to further replies.

