Port forwarding from several computers

Discussion in 'macOS' started by steevg, Dec 15, 2012.

  1. steevg macrumors member

    Joined:
    Aug 5, 2008
    #1
    Hi, and Merry Christmas to you all,

    I have a query regarding remote access, which I'd like to get some feedback on if possible.

    I run a very small business for which we use remote connections to support & update software. Up until now we have only supported 1 Mac at each remote office (connecting via port forwarding of their own routers, using No-iP.com), but now we've been asked to support up to 3 at each office due to expansion.

    I understand there may be a way to "Tunnel" to each computer but have absolutely no idea how this may be achieved.

    Any help would be most gratefully received.
    Thanks
     
  2. switon macrumors 6502a

    Joined:
    Sep 10, 2012
    #2
    RE: tunneling...

    Hi steevg,

    There are a number of ways of "tunneling" to different machines behind your router's firewall. It sort of depends upon just what you want to do. Below I'll explain two possibilities.

    To me, I would think seriously about running a VPN server (many routers can do this already; or you could run a VPN server on one of your Macs). The VPN server then allows you to "log in" to your LAN from the Internet just as if your computer was connected (wired or wirelessly) to your LAN. Once you have VPN-ed in to your LAN, you then administer all of your computers just as if you were sitting in your office, but from afar. VPN does both strong authentication and encryption, so it is secure and safe. I believe this is how most businesses allow workers/administrators access to their internal LANs from external sites.

    But let's say you just want to have terminal access from the Internet to each Mac individually. Well, you could start the Remote Login (SSH) on each machine in the Sharing pane of System Preferences. You could then configure each of the different machines to use a nonstandard port, say 14500, 14501, and 14502, for their SSH service. You then add port forwarding to your router that port forwards 14500 to Mac1, 14501 to Mac2, and 14502 to Mac3. Reconfiguring the SSH service to use nonstandard ports entails the editing of the ssh.plist files on each machine. This can be done and is easy, but it is actually more work than simply using VPN. It also would be much more work to administer such nonstandard port forwarding for SSH, but it is possible and it does work. Then from the Internet you SSH in to any particular Mac just by telling ssh to use a particular port: "ssh -p 14501 username@noip.com.IP-address" would open a terminal window on Mac2.

    There are other ways, but I really would recommend that you use VPN.

    Regards,
    Switon
     
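As an added example for the per-port SSH scheme in the post above (this is not code from the thread or from either poster), the script below generates the matching `~/.ssh/config` stanzas and then audits a `known_hosts` file for the mistake that scheme invites: a router rule that sends two forwarded ports to the same Mac, or a port whose host key was never recorded. The DDNS name, the user name, the key blobs and the sample `known_hosts` lines are all constructed for the example; only the three ports come from the post. OpenSSH records a host reached on a non-standard port as `[hostname]:port`, which is what makes the per-port check possible.

```python
"""
Added example: host-key bookkeeping for several Macs behind one router, where
the router forwards 14500 -> Mac1, 14501 -> Mac2, 14502 -> Mac3 and all three
are reached through one No-IP hostname.
"""
import base64
import hashlib

# Constructed inventory: the DDNS name is a placeholder, the ports are the thread's.
OFFICE_HOST = "office.example.no-ip.org"
MACS = {"mac1": 14500, "mac2": 14501, "mac3": 14502}


def ssh_config_stanzas(host, macs, user="admin"):
    """Render ~/.ssh/config blocks so that 'ssh mac2' means 'ssh -p 14501 admin@host'."""
    lines = []
    for alias, port in sorted(macs.items(), key=lambda kv: kv[1]):
        lines += [
            f"Host {alias}",
            f"    HostName {host}",
            f"    Port {port}",
            f"    User {user}",
            "    StrictHostKeyChecking yes",  # refuse the connection if the key changes
            "",
        ]
    return "\n".join(lines)


def fingerprint(b64_key):
    """SHA256 fingerprint in the form 'ssh-keygen -l' prints it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Map (hostname, port) -> fingerprint for every '[host]:port' entry.

    Hashed entries (lines starting with '|1|') are skipped: the host name
    cannot be recovered from them without already knowing it.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hostfield, b64_key = parts[0], parts[2]
        for item in hostfield.split(","):  # one entry may list several names
            if not (item.startswith("[") and "]:" in item):
                continue  # standard-port entry, not part of this scheme
            name, port = item[1:].split("]:", 1)
            if port.isdigit():
                entries[(name, int(port))] = fingerprint(b64_key)
    return entries


def audit_forwarding(host, macs, known_hosts_text):
    """Return a list of findings; an empty list means every port has its own key."""
    entries = parse_known_hosts(known_hosts_text)
    findings = []
    seen = {}  # fingerprint -> alias that first presented it
    for alias, port in macs.items():
        fp = entries.get((host, port))
        if fp is None:
            findings.append(f"{alias}: no known_hosts entry for [{host}]:{port}")
        elif fp in seen:
            findings.append(
                f"{alias} (port {port}) presents the same host key as "
                f"{seen[fp]} (port {macs[seen[fp]]}): the router sends both ports to one machine"
            )
        else:
            seen[fp] = alias
    return findings


# Constructed known_hosts sample: the key blobs are fake, and port 14501 has
# deliberately been given Mac1's key to trigger the duplicate-forwarding finding.
KEY_MAC1 = base64.b64encode(b"constructed key blob for mac1").decode()
KEY_MAC3 = base64.b64encode(b"constructed key blob for mac3").decode()
SAMPLE_KNOWN_HOSTS = f"""
# comment lines and hashed entries are ignored
|1|saltsaltsalt=|hashhashhash= ssh-ed25519 {KEY_MAC3}
[{OFFICE_HOST}]:14500 ssh-ed25519 {KEY_MAC1}
[{OFFICE_HOST}]:14501 ssh-ed25519 {KEY_MAC1}
"""

if __name__ == "__main__":
    print(ssh_config_stanzas(OFFICE_HOST, MACS))
    for finding in audit_forwarding(OFFICE_HOST, MACS, SAMPLE_KNOWN_HOSTS):
        print("WARNING:", finding)
```

Run against the sample, the audit reports that port 14501 presents Mac1's key and that port 14502 has no entry at all; against a `known_hosts` with three distinct keys it returns nothing. Keeping `StrictHostKeyChecking yes` in the generated config means a changed key on any of the three ports fails the login instead of prompting.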
  3. steevg thread starter macrumors member

    Joined:
    Aug 5, 2008
    #3
    Switon,

    Thanks for the reply, and the useful information.

    The access I'll need will be via Apple Remote Desktop & screen sharing as I'll need to be able to "see" & control what goes on, on the screen, mainly for customer training. Also we have occasional software updates and various copying of files to and from these machines from my office location to each remote machine.

    At present, I'm simply connecting to the machine via ARD & Port Forwarding, and taking control of the mouse & keyboard as I have little to no terminal experience. At some stage in the future we hope to employ an experienced technical person to run support & training, but until then I'm trying to set up and run the system myself.

    So if I'm to use a VPN setup (does this support ARD or screen sharing etc?), would you be able to explain the basics of how to set this up, what it entails (ie: static IP addresses, setup of one of the Macs at the customer's premises to act as a server etc?), as I have a very basic understanding of networking, but would certainly like to learn more so I can set up the systems when I do the installations.

    Thanks
     
  4. switon macrumors 6502a

    Joined:
    Sep 10, 2012
    #4
    Re: ARD ...

    Hi steevg,

    VPN is a readily configured service that allows one to log in to a LAN from an external IP address (Macs/Windows PCs/Linux boxes can all run the VPN server and many routers also can run VPN tunnels). When you log in to the LAN your computer is assigned an IP address on the LAN. Thus it appears as if you were sitting in the office logging in over the LAN network. You have access to everything you normally would from the office, such as the ability to administer routers/printers/wireless routers/other computers/NAS/RAID Shares and so forth. You can then Screen Share from the LAN (which you VPN-ed in from the Internet) to administer other computers ... or, for you, you could then ARD from the LAN to the other computers.

    I don't use ARD, so I'm not certain of all of its features, but I believe that ARD itself, without having to VPN to the local LAN, allows you to administer the computers from an external IP address. The protocols used by ARD are related to those of VNC and it uses some of the same ports, such as 5433tcp, 5988tcp, 5989tcp, 3283tcp/udp, and 5900tcp/udp. In other words, I don't think you need to use VPN if you are using ARD. ARD allows you to administer the machines including software updates. If you can't use ARD from an external IP, then VPN would allow you to login to the LAN to use ARD.

    Regards,
    Switon
     
  5. steevg thread starter macrumors member

    Joined:
    Aug 5, 2008
    #5
    So to clarify,

    I can set up both my machines using VNC servers on each Mac - or do I need a dedicated Mac to run this for access to the LAN where the machines reside?

    Will I need the customer to have a static IP or can I use no-ip (Dynamic DNS service) to do the work for me?

    Thanks,
    Steevg
     
  6. switon macrumors 6502a

    Joined:
    Sep 10, 2012
    #6
    Re: Vpn ...

    Hi steevg,

    If you are planning on doing VPN (not VNC=Virtual Network Computing=Screen Sharing as you state in your post), then at each site you will have to be running a single VPN service. That VPN server could either be running on your router (many routers have VPN tunnels) or you could run the VPN server from one Mac running Mac OS X Server ($20). You can use the No-IP.com dynamic DNS to provide you the DNS name that you use to VPN into your local network from anywhere on the Internet (this is what I do, but I use Dyndns instead of No-IP). If you are using the Mac OS X Server's VPN server, then the software provides a configuration file that you can e-mail to any client that you wish to have access to your LAN, this configuration file does all of the work of setup for the VPN client (it is not difficult to do the setup manually, but with the VPN configuration profile it is a no-brainer).

    In summary, you obtain a DNS name from No-IP.com so that your office does not need a static IP address. Your office runs a VPN server, either on your office's router or via Mac OS X Server running on one of the Macs. From anywhere on the Internet your authorized clients can log in through VPN to your office's LAN. And after VPN-ing in to the office's LAN from the Internet you can administer any computer/router/printer/NAS/Share that you could if you were sitting in your office. For instance, you can Screen Share with the computers in the office through the VPN tunnel. Since VPN requires strong authentication and performs encryption, your connection from the Internet to your office's LAN is secure.

    Below is the connection diagram:

    Starbucks --> Internet --> VPN --> Office LAN --> VNC(Screen Sharing) --> any office computer

    Good luck,
    Switon
     
  7. steevg thread starter macrumors member

    Joined:
    Aug 5, 2008
    #7
    Switon,

    Excellent info, many thanks for taking the time to put that together.
    All pretty much understood thanks for the additional info via the diagram.

    One final question:-

    Are there routers which are better than others to set up using VPN?
    I ask as I recently set up a customer's D-Link, and it was a pain to do, whereas others I've done are much easier to configure.

    Any you'd recommend right off the bat?

    Thanks
    Steevg
     
  8. switon, Dec 17, 2012
    Last edited: Dec 17, 2012

    switon macrumors 6502a

    Joined:
    Sep 10, 2012
    #8
    RE: routers...

    Hi steevg,

    First of all, thanks for the kind remarks. They are appreciated and I'm glad if I can be of any help.

    Secondly, with regards to VPN and routers, as I mentioned it depends on whether you run VPN on a server computer behind the router or if you run VPN on the router itself. If you run VPN on a computer behind the router, then most any router will do since all it has to do is pass the VPN ports through to the VPN server behind the router. (Running the VPN server via Mac OS X Server is an extremely easy thing to configure and it provides client configuration profile files that you can email to clients for automatic configuration of their computers to have access to your VPN.) If you wish to have the router itself do the VPN tunnels, then obviously you will need a router that has VPN tunneling capabilities. If a router does VPN tunneling, it will say so in the description. I'd also look into firewalling by the router, and, in particular, SPI (Stateful Packet Inspection) firewalling. Most routers will also do DoS (Denial of Service) protection and, of course, NAT (Network Address Translation) so all of your office's computers can individually have Internet access. There are a number of manufacturers that make these routers, as I'm sure you know. For convenience, some of these even have smartphone apps that will allow configuration by smartphone (I don't have any experience with these yet). Many of these routers can be configured and administered using a web browser. The router is essentially running its own web service setting up a web page(s) for configuration of the router. Some manufacturers call their web-based configuration methods "wizards" and others actually have a separate "wizard" app for configuration. I nearly always find the "wizards" of little use to me personally, mostly because I find that I need to configure something slightly out of the ordinary and these "wizards" typically won't allow this. But these web page configuration routers I find particularly easy to configure.

    I personally use the Netgear FVS318G VPN Firewalling router, but there are many others out there. I can't really recommend any VPN router over any other mostly because, by their very nature, VPN routers are inherently more difficult to set up since you have to set up the VPN tunnels and so are more of a "business" product than a "home" product. If you have a store near you that sells routers, go see if you can find a knowledgeable person to help you pick one. Ask about the configuration method in particular: does it have a web browser interface?

    Good luck,
    Switon
     
  9. steevg thread starter macrumors member

    Joined:
    Aug 5, 2008
    #9
    Switon,

    Again, many thanks for the excellent information.
    I'm leaning towards the router route at the moment, and will give that a go first.

    If it's possible to use no-ip.com to access the Macs via VPN in a router, it would provide us with the means to ask our client to set up a new and separate account, which would alleviate some current issues surrounding security with their current systems.

    Thanks again for your time and the information, and I hope you and your family & friends have a wonderful Christmas, and a very healthy, happy and prosperous 2013.

    Regards,
    Steevg
     
  10. switon macrumors 6502a

    Joined:
    Sep 10, 2012
    #10
    RE: the No-IP.com address

    Hi Steevg,

    Yes, the No-IP.com supplied DNS name just resolves to the router's IP address and not to an individual computer behind the router. The router then allows VPN logging in to the LAN behind the router, from which you can access any and all other computers/shares/devices on the LAN.

    Thanks for the thoughts, and I hope you and your family also have a great holiday.

    Regards,
    Switon
     
  11. steevg thread starter macrumors member

    Joined:
    Aug 5, 2008
