A (quick) primer on how to access a DVR/mail server/web server/etc from outside your network, with DynDNS.
Device: This may be a computer, a DVR, a web-cam, anything on your network that you can access from your network, but want to be able to access from outside it.
LAN: Your network
WAN: Your connection to your ISP's network
Before You Begin
Check the WAN IP address of your router - if it looks like 10.x.x.x, 192.168.x.x or 172.16.x.x to 172.31.x.x then you have what is known as an RFC-1918 IP address (often referred to as private addresses). You will need to contact your ISP to find out how to get a public IP address, or have traffic routed to you. Until that is done you won't be able to get anything else working.
The only way to be certain of the WAN IP address is to look at your ISP facing device, your router, or if you have one your DSL modem. You can use one of the many web pages that will tell you what your WAN IP address appears to be. Be warned however that if you are behind a proxy server, or you have one of the RFC-1918 IP addresses referred to above, they will report the wrong IP address and you will waste time trying to get this working.
There are 6 general steps:
- Create your Dynamic DNS hostname or Standard DNS hostname.
- If you have a dynamic IP address (if you don't know - you have one), configure a device on your network (that is always on) to update your DynDNS hostname with your IP address. DynDNS publish a list of approved clients that you should consult. There are also community maintained lists of devices known to work and those known to cause problems.
- Configure the device you want to forward traffic to with either a static IP address, or a static DHCP lease. This ensures that the time spent configuring the router (in a moment) isn't wasted if/when the IP on your device changes.
- Test the device from your LAN.
- Configure your router to forward traffic to your device. How you do this depends on your router, and what you want to access. Fortunately there is a web site that publishes guides.
- Test your setup from outside your LAN.
DSL or multiple routers
If you have a separate DSL modem and router, or you have multiple routers, what follows isn't enough. You'll also need to forward the same ports from the external network device (DSL modem or router) to the internal router before forwarding those ports from the internal router to the device you're trying to access.
Step 1 - Create your hostname
Create your Dynamic DNS ("Remote Access") hostname or Standard DNS hostname (Standard DNS is for use with your own domain). If asked for an IP address when creating the hostname use the auto-detected value or enter something like 192.0.2.1 - the IP address will be replaced by your update client later.
Step 2 - Configure Updating
If you have a dynamic IP address from your ISP, you have to make one basic decision - are you going to do your updating from your router or other device like DVR or camera, or from a computer? Running it from a computer (Windows, Linux or other) can mean that you get better logging and more control, but may result in more network traffic and greater delays in updating changed IP addresses (10 minutes rather than 1 minute). Using a non-approved router or device may mean that it is harder to get it working, or that you get your hostname blocked for unnecessarily updating your IP address information too often.
If you are running your updater on Linux/*BSD or any other non-Windows platform it is generally best to install from a package (whether that be an RPM, a DEB or from ports/portage). That way you should get the required startup scripts and a sample configuration file.
Step 3 - Configuring the Device
You need to ensure that the device you forward traffic to has a static (aka fixed) IP address. If you don't do this then at some point the IP could change, and you'll be wondering why it's suddenly broken.
There are 2 ways of doing this.
- On the device itself - how you do this depends on the device or underlying operating system.
- On the DHCP server (usually on the router) - many offer the option of assigning a fixed IP address to any given device (usually by MAC address).
If you go with the first option (configuring the address on the device itself) make sure that you use an IP address outside of the range your DHCP server is allocating from. If you don't do this you'll end up with a duplicate IP on your network, and things won't work. In the rest of this document I'll use 192.168.0.1 to refer to this IP address.
Step 4 - Initial Testing
At this point you should be able to connect to the device, using the chosen IP address, from another computer on the LAN (it is important not to test from the device running the service). Until you get this to work there's no point in going further.
Step 5a - Before Configuring the Router
Your first step here is identifying what port(s) you need to forward.
If you access the device with a web browser and a URL that looks like http://192.168.0.1/ then you'll want to forward port 80/TCP. If it looks like http://192.168.0.1:3128/ then you'll want to forward the number after the colon (:) - in this case port 3128/TCP.
Email (SMTP) uses 25/TCP for mail server to mail server communication. Other ports are used for other purposes: 587/TCP is a port for client to server (SMTP), 110/TCP for POP3, 143/TCP for IMAP. Other ports are also used for SSL versions of those services, though most modern software can use TLS instead.
Other ports can usually be found easily by visiting Google, or consulting the appropriate guide (more in a moment).
Now, before you configure your port forwarding there may be a problem. Some routers will not actually forward traffic on the same port as their administrative interface uses, even though they'll happily let you set that up. If this applies to your router it'll be easy to spot - instead of getting the device you expected to see you'll get your router's admin page (or a login prompt for the router).
At this point you have 3 choices:
- If supported, move the admin page to a different port.
- Forward a different port (and optionally use WebHop so that people don't have to add the port to the URL).
- Try a firmware upgrade, or alternative firmware (DD-WRT, OpenWRT etc) where supported.
Step 5b - Configuring the Router to Forward Traffic
Now it's time to configure the port forwarding. The manual that came with the router will detail how to do this, but if you've lost it (or don't want to look for it) there's a handy website with guides, and they even provide a program called PFConfig to do it for you.
All you have to do is pick your router, pick the program you want to forward traffic to (or the protocol) and follow the instructions - complete with pictures.
Be aware of problems with the Actiontec MI424WR (and probably other devices). If you configure the port forwarding using the hostname of the device to forward to then you may have problems. You have to use the IP address at all times.
Step 6 - Testing
You now need to test from outside your LAN with the DynDNS hostname. The reason for testing from outside your LAN is that not all routers support loopback connections (NAT reflection). There are several ways to test this:
- Via a suitable online page. For web servers (or anything which uses a browser interface) there are various (limited functionality) online browsers (such as TCP Query from CentralOps). For email servers you can use the MX Toolbox service, which allows you to run some basic checks.
- From an external PC, online proxy or a VPN to a remote location. This will give you a proper test, allowing you to see what others would see. If you are using a computer ensure that you do your testing from another home user connection. Many public connections and work networks block ports and will give you an invalid result.
- The Open Port Tool or this one allows you to check if port forwarding on your router is correctly configured, and your application is listening on the related port(s).
It doesn't work!
Before you post, take a few minutes to go through the steps above again, checking that you've got it all right. It could be that you've made a typing error in the IP or port, selected UDP when you should have selected TCP, or just forgot to hit save on the router's configuration page.
Now, if you are using a web browser and a port other than port 80, are you remembering to specify the port? For example, if you are using port 8080 then you would enter http://example.dyndns.org:8080/ in the URL bar of your web browser. Many problems are caused by not specifying the port.
Next, check that the IP address your hostname resolves to is the same as the WAN IP address of your router.
nslookup example.dyndns.org. (including the trailing dot!)
If it doesn't, wait 10 minutes and check again. If it still doesn't, then check that your update client is working and has updated your hostname with the current WAN IP. If it has, you may need to change your DNS servers (DynDNS, OpenDNS and Google all run free DNS servers) or flush your DNS cache.
If your router has a WAN IP address that looks like 10.x.x.x, 192.168.x.x or 172.16.x.x to 172.31.x.x then you have what is known as an RFC-1918 IP address. You will need to contact your ISP to find out how to get a public IP address, or have traffic routed to you.
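The hostname comparison and the RFC-1918 check described above (and in "Before You Begin") can be scripted. The following is an added example, not part of the original primer: the function names and the sample addresses are assumptions, and it goes slightly beyond the text by also flagging the 100.64.0.0/10 carrier-grade NAT range (RFC 6598) and a hostname that still holds the 192.0.2.x placeholder from Step 1.

```python
import ipaddress
import socket

# RFC 1918 private ranges named in the text above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Added beyond the page: RFC 6598 shared space used for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# 192.0.2.0/24 is the documentation range the Step 1 placeholder comes from.
PLACEHOLDER = ipaddress.ip_network("192.0.2.0/24")


def diagnose(wan_ip, resolved_ips):
    """Return findings for the router's WAN IP (read from the router's own
    status page) and the addresses the DynDNS hostname resolves to."""
    wan = ipaddress.ip_address(wan_ip)
    resolved = {ipaddress.ip_address(a) for a in resolved_ips}
    findings = []
    if any(wan in net for net in RFC1918):
        findings.append("wan-is-rfc1918")        # ISP must supply a public IP
    elif wan in CGNAT:
        findings.append("wan-is-cgnat")          # same remedy: contact the ISP
    if not resolved:
        findings.append("hostname-does-not-resolve")
    elif any(a in PLACEHOLDER for a in resolved):
        findings.append("hostname-still-placeholder")  # client never updated
    elif wan not in resolved:
        findings.append("dns-mismatch")          # stale record or DNS cache
    return findings or ["ok"]


def resolve_ipv4(hostname):
    """Look up the hostname's A records with the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed sample values: use your own router WAN IP and hostname.
    print(diagnose("203.0.113.7", resolve_ipv4("example.dyndns.org.")))
```

A "dns-mismatch" result on its own corresponds to the "wait 10 minutes and check again" case above; either WAN finding means forwarding cannot work until the ISP provides a public address.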
Another thing to consider is that some ISPs block incoming traffic on common server ports (or just anything below port 1024). If you're trying to access a web based service (that is, with a web browser), then try forwarding a different port (say 10080) to your device. If that works then your ISP is blocking traffic - WebHop may be one option here. For mail servers a service like Email Gateway can help.
Once you've checked all that, search the forum! It's highly likely that your problem isn't unique to you. This means that others have probably posted the solution. You'll save yourself, and others, a lot of time if you spend some time searching first.
Finally, if nothing you've found helps, start a fresh topic for your problem. Posting in a topic somebody else is active in will only confuse matters and increase the chance you'll be overlooked. Please also only start a single topic - opening multiple topics for the same problem will just annoy people.
Remember to provide as much detail as you can - IP addresses, router models, what update software you're using, and what version number it is, what you're trying to forward the traffic to and how you've configured the port forwarding - along with anything else you think is relevant (network diagrams can help if you've not got a simple network).
Here is a good starting list of things to provide:
- Your DynDNS hostname
- The ports you have forwarded
- The make, model and version of your router
- The make, model and version of any DSL modem or router
- The LAN IP address, netmask and default gateway for the device you're trying to reach
- The WAN IP address of the ISP connected device (modem or router) (as shown in the modem or router's management pages, not what any web site shows)
- If you're forwarding to a hardware device (for example a DVR) the make, model and revision
- If you're forwarding to a computer the operating system and patch level (for example Windows XP Pro SP2, MacOS X 10.6.5 or Ubuntu 10.04.2)
- Details of the update client you are using (if you're using a software client both the name and version number of the client and name and version number of the operating system)
Please do not hide or alter any of the information - it will make it much harder for us to help you, particularly if you do that to any IP address, port or hostname.