Internet access without port forwarding?


Post by Zim »

Hi Gents
What would be required to access a device without using port forwarding? Is there an application that can be run from your own domain?
I would like to stay away from 3rd party stuff.
I have limited knowledge in such topics...

Thanks
Zim

Post by Electroguard »

Some points to clarify…
"Access a device without port forwarding" presumably means to access a device on your premises from somewhere outside on the internet?
"Run an application from your own domain" could mean running your own domain servers, if so, then what? (HTTP, VPN, FTP, MQTT, etc) and where? (at home, in the cloud). Or it could mean running a dynamic DNS client app locally to notify a dynamic DNS service of changes to your dynamic IP address.

If you have internet access at home then obviously so can any of your devices.
But the important point to realise is that all outgoing internet connections (to anywhere and everywhere) are all instigated locally from on your property. And they only connect somewhere because the target location has a server waiting at the target IP address with a specific port open waiting to service your type of incoming call.

Now switch your point of view... to receive incoming connections on your property from the internet you would need to host a server at home with a reachable IP address and an open port number waiting for incoming connections from outside.
Which would require port-forwarding of incoming calls to that IP address and port number of the waiting server.

Technically you could host your own off-site servers elsewhere, which you could connect to with outgoing connections from your property to avoid having to accept incoming connections, but it requires a 3rd party and serious commitment.


So if you are just wanting occasional incoming connection to your devices at home, it's not going to be as easy as you'd hoped… but a twisted mind can do it with help from Annex!

The diagram of my router layout (below) shows 2 independent subnets.
One is for our normal household internet access.
The other is just for Annex devices, which I prefer isolated from the internet for safety reasons.
However, one of the Annex devices is a Sonoff S20 controlling the mains adapter of a cheap little ethernet hub which is normally kept Off… but can be switched ON whenever needing to physically connect the Annex subnet to the main internet router for temporary internet access.

subnets.jpg

I only need outgoing internet access - but each Annex device with an Output page is actually an html server, and it would be easy to receive incoming internet access to an Annex device simply by port-forwarding through the Annex router.
Port-forwarding is not difficult, it just creates a potential access vulnerability… but not in my case, because the target would only be accessible after turning on the 'Hub' S20 (perhaps by email or SMS). My Annex SENTRY alarm has remote monitoring and connection to the HUB device, so besides logging its status to file, it also automatically turns the Hub Off after a preset duration to prevent me from forgetting to isolate from the internet again.

Note that to make an incoming connection from outside requires knowing the public IP address you've been assigned by your ISP. Not a problem if you have a static IP address, but if you are assigned a dynamic IP address (which typically changes nightly) then you will need some way of knowing the currently assigned address. If you have a registered domain, dynamic DNS services are available (some free) which let you use a client app to keep your changing IP address registered with DNS servers, thereby allowing access by your domain name.

Post by Zim »

Thanks for the reply Electroguard
Seems a lot harder than I had hoped. I guess I'll just suck it up and continue port forwarding....

Thanks
Zim

Post by PeterN »

Hi Zim
Very quick and dirty ... and I am not sure it meets your requirements.

Install a web browser in your LAN that can be remote controlled through the NAT internet router, e.g. by TeamViewer. This service uses a securing and connecting mechanism via an external third party server, communicates via HTTP and requires no changes at your router. I recommend not using VNC or "remote desktop" to contact the PC as they require port forwarding and can be attacked very simply.
I admit: One more PC in your LAN that is (mostly?) always on and TeamViewer waiting to be connected (only!) via the external service

Post by Zim »

Very interesting! Thanks PeterN!
Zim

Post by GSontag »

Hello Zim,
Just a stupid question:
Why don't you want to access a device without using port forwarding?
Gérard
Tool Kit 1.22
Annex32 WiFi 1.43.2
Windows 10-64b
Firefox 86.0
Serial TeraTerm 4.105

Post by PeterN »

Hi Gerard,
If port forwarding is active, this might be visible to a lot of people on the Internet by means of very simple scanner software.
I suspect that Zim, like me, is afraid that someone might use the ANNEX web interface without authorisation. Only the annex-password assignment then protects against immediate but very wide access to the entire LAN behind the router in which the ESP8266/ESP32 is located.
Last edited by PeterN on Tue Feb 23, 2021 2:16 pm, edited 1 time in total.

Post by cicciocb »

Hi all,
if you have a web space account with a PHP server installed, it is possible to control your modules using the PHP as a shield.

Basically the idea is very simple:
The Annex module will simply do GET requests to a PHP file.
The request will contain some information in the form of variables.

For example, considering a fake domain such as fakedomain.com, it could be possible to do:

a$ = wget$("fakedomain.com/annex.php?temp=20&hum=40&press=1020", 443)

In this case, it will be required to create a simple php file (annex.php) that will copy the values sent (temp, hum,...) into a local file on the server.
Then, an html page hosted on the same server could simply get the content of this file and show the information.
The php file could send back some information to, eventually, remote control some devices via the same web page.

To use the WGET$ it will not be required to open any port on the local internet router and the ip address of the module that is sending the information will be hidden.

Doing a WGET regularly (let's say each 5 seconds), it will be possible to control the module without being obliged to open any port and then exposing it to attacks from the web.

In association with a simple password mechanism it will be possible to have control of any modules safely without being obliged to rely on 3rd party servers like MQTT, thingspeak, etc.

All this is based on the assumption that the PHP files are completely hidden and cannot be read by anybody else except the owner.

This simple drawing shows the idea:
image.png
I'll try to do a little demo in the next days
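
The server side of the relay described in the post above, as an added example (it is not cicciocb's demo and not Annex project code). The `key` parameter, the `annex_private` directory outside the web root, the file names and the command format are all assumptions; only `temp`, `hum` and `press` come from the `wget$` line in the post.

```php
<?php
// annex.php - added example; every name except temp/hum/press is an assumption.
declare(strict_types=1);

const DATA_DIR   = __DIR__ . '/../annex_private';   // assumed: exists, outside the web root
const SHARED_KEY = 'REPLACE_WITH_LONG_RANDOM_KEY';  // placeholder shared secret
const FIELDS     = ['temp', 'hum', 'press'];        // parameters from the wget$ example

header('Content-Type: text/plain; charset=utf-8');

// The "simple password mechanism": constant-time comparison of a shared key.
$key = $_GET['key'] ?? '';
if (!is_string($key) || !hash_equals(SHARED_KEY, $key)) {
    http_response_code(403);
    exit('DENIED');
}

// Accept only the known fields, and only numeric values, before writing to disk.
$reading = ['time' => time()];
foreach (FIELDS as $name) {
    $value = filter_var($_GET[$name] ?? null, FILTER_VALIDATE_FLOAT);
    if ($value === false) {
        http_response_code(400);
        exit('BAD ' . $name);
    }
    $reading[$name] = $value;
}

// Store the latest reading where the web server will not serve it directly.
file_put_contents(DATA_DIR . '/latest.json', json_encode($reading), LOCK_EX);

// Hand over one pending command (written by the owner's control page), then clear it.
$command = 'NONE';
$fh = @fopen(DATA_DIR . '/command.txt', 'c+');
if ($fh !== false) {
    if (flock($fh, LOCK_EX)) {
        $pending = trim((string) stream_get_contents($fh));
        // Only a short, fixed-alphabet token is ever returned to the module.
        if (preg_match('/^[A-Z0-9_=]{1,32}$/', $pending) === 1) {
            $command = $pending;
        }
        ftruncate($fh, 0);
        flock($fh, LOCK_UN);
    }
    fclose($fh);
}
echo $command;
```

The module would add `&key=...` to the query string of the `wget$` call and act on the returned text. Because the key travels in the URL, it also ends up in the web server's access log, so that log needs the same protection as the data directory.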

Post by Electroguard »

So… to avoid incoming connections by periodically connecting outgoing to an offsite php server (which you have hosted elsewhere and always online) to send it latest data from the connecting device, and read any waiting instructions from the server back to the device?