Router Port Forwarding

pleung

I am new to AMX.

We have a NI3100 & a wireless touch panel (MVP-7500) behind a router and the touch panel can be access within the router thro' a browser.

We would like to access the touch panel in the WAN and have setup the router port forwarding as:
1. port 80 to the NI3100
2. port 5900 to the MVP-7500

I can access the NI3100 from the WAN but not the MVP-7500.
I have also tried forwarding port 1319 & 10500 to the NI3100, but still doesn't work.

Have I missed any ports that need to be forwarded?
Any hints? Thanks.

Patrick

DHawthorne

5900 is all you need for the panel for a VNC connection, but if you are using the web interface to access the panel from outside, forwarding alone isn't going to work. Since it is passing through the web interface, it's bypassing the router, and the port never gets connected to the outside. It will work if you use a stand-alone VNC client and connect to the panel directly. Just don't try to use the web interface on the NI.

shr00m-dew

See tech note #669:

http://www.amx.com/techsupport/techNote.asp?id=669

You need to add a command to the code if you want to use the master's web page to link you to the panel.

Kevin D.

Spire_Jeff

A conversation I had in AMX chat over the weekend has inspired me to share this information. For anyone out there using Port Forwarding, please check out http://nmap.org/ . This is a tool that I am sure some kid with too much time on their hands will eventually find and use on your clients' homes. This does not guarantee access to your systems, but I just wanted everyone to know about some of the things that are out there.

This tool can be configured to automatically scan large blocks of IP addresses and the information that it shows can be very useful to an individual trying to gain access to other systems (it is also used by network admins to secure their networks). If you think about security with the philosophy of: Nobody knows the IP address of our clients, you are just asking for trouble. I will leave it up to the individual I was talking with to post their findings, but some routers won't even stop the most obvious attacks/scanning attempts generated by this program. Now, I admit that using security on a NetLinx Master will probably stop 99% of the attackers out there, (assuming you also change the default passwords in place). The bigger problem is port forwarding to the touch panels. Even if you use a password on VNC, it is still fairly easy to get past it. Even if they aren't able to gain access, a hacker could continuously flood the devices with requests. I am not sure, but I am guessing that this will not be good for performance on your system.

Also, anyone that thinks: It's only access to the Audio/Video system... it's not like it's lights or security integration. Imagine a kid getting access to your touch panel (not even the base code), and then at 3am turning on all audio systems to full volume. How happy do you think the client will be? Not to mention, the potential for blown speakers, projector bulb usage (they turn it on and the client doesn't realize for 2 weeks because they were out of town), HVAC usage (if it's on the system), .... With home automation becoming more and more common (thanks to some of the cheaper offerings), I expect that technogeeks and hackers will become more aware of the potentials of home automation and may even start specifically targeting home automation.

Ok, that's my current rant on Port Forwarding.

Jeff

a_riot42

Port scanning usually breaks the TOS of the ISP. The generally keep track of port scanners and will block your IP address from having access to their network. Ask me how I know.
Paul

DHawthorne

Spire_Jeff wrote: »

A conversation I had in AMX chat over the weekend has inspired me to share this information. For anyone out there using Port Forwarding, please check out http://nmap.org/ . This is a tool that I am sure some kid with too much time on their hands will eventually find and use on your clients' homes. This does not guarantee access to your systems, but I just wanted everyone to know about some of the things that are out there.

This tool can be configured to automatically scan large blocks of IP addresses and the information that it shows can be very useful to an individual trying to gain access to other systems (it is also used by network admins to secure their networks). If you think about security with the philosophy of: Nobody knows the IP address of our clients, you are just asking for trouble. I will leave it up to the individual I was talking with to post their findings, but some routers won't even stop the most obvious attacks/scanning attempts generated by this program. Now, I admit that using security on a NetLinx Master will probably stop 99% of the attackers out there, (assuming you also change the default passwords in place). The bigger problem is port forwarding to the touch panels. Even if you use a password on VNC, it is still fairly easy to get past it. Even if they aren't able to gain access, a hacker could continuously flood the devices with requests. I am not sure, but I am guessing that this will not be good for performance on your system.

Also, anyone that thinks: It's only access to the Audio/Video system... it's not like it's lights or security integration. Imagine a kid getting access to your touch panel (not even the base code), and then at 3am turning on all audio systems to full volume. How happy do you think the client will be? Not to mention, the potential for blown speakers, projector bulb usage (they turn it on and the client doesn't realize for 2 weeks because they were out of town), HVAC usage (if it's on the system), .... With home automation becoming more and more common (thanks to some of the cheaper offerings), I expect that technogeeks and hackers will become more aware of the potentials of home automation and may even start specifically targeting home automation.

Ok, that's my current rant on Port Forwarding.

Jeff

All valid points, but what if the customer themselves wants to access the panel remotely? There comes a time when you have to weigh the risks, make reasonable precautions, then balance them against function. Overall, VPN is the best solution, but still not always appropriate. I have one client with three homes, and for him, a VPN connection is "too much;" he wants to click a link on his desktop and be done. Making a connection first is "too technical." Yet he wants full control of his remote audio systems, cameras, HVAC, and lighting. I have more port forwards than you can shake a stick at for that guy, and the built-in security is the best I can give him.

Spire_Jeff

DHawthorne wrote: »

All valid points, but what if the customer themselves wants to access the panel remotely? There comes a time when you have to weigh the risks, make reasonable precautions, then balance them against function. Overall, VPN is the best solution, but still not always appropriate. I have one client with three homes, and for him, a VPN connection is "too much;" he wants to click a link on his desktop and be done. Making a connection first is "too technical." Yet he wants full control of his remote audio systems, cameras, HVAC, and lighting. I have more port forwards than you can shake a stick at for that guy, and the built-in security is the best I can give him.

Have you looked at SSL-VPNs? You can set them for varying degrees of security. They run through a browser. They are actually better than VPNs when configured to be so (They comply with HIPAA guidelines... or so I've been told). You can even have the SSL-VPN configured for VNC connections and the client can check their house from most any computer as the SSL-VPN will load a java based VNC client to allow the connection. There is even an option to go into a full VPN mode and it is much easier (I have one configured for the office).

Here is a link to the sonicwall demo of SSL-VPNs: https://sslvpn.demo.sonicwall.com/cgi-bin/welcome

Jeff