how do i connect to a comp that has an internal IP address ?

ok i have a computer at home that has an internal ip address of 10.10.14.141

it’s on a DSL connection, and it seems likely that my ISP’s router uses NAT.

so i have an internal IP address not visible to the outside world. all “test your comp for vulnerability/security/privacy” sites read my ip as 210.210.97.221 (which is the IP of the ISP’s router, i assume)

now, i need to connect to this home computer from an office computer (connected to the 'net, and with a static external ip address)… what server/remote admin software/etc. can i run on the home computer so that it can be made accessible for remote administration from the office computer ?

getting the isp to do any mapping of ip/port to my comp is not an option.

i checked out Virtual Networking Client and it says this:

so how can i connect remotely to the home computer from the office computer to be able to remotely administer it ?

thanks for your time.

an ipconfig on the home computer gives the following:



Windows IP Configuration 
 
        Host Name . . . . . . . . . . . . : hostname
        Primary Dns Suffix  . . . . . . . : 
        Node Type . . . . . . . . . . . . : Mixed 
        IP Routing Enabled. . . . . . . . : No 
        WINS Proxy Enabled. . . . . . . . : No 
 
Ethernet adapter Local Area Connection 2: 
 
        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC #3 
        Physical Address. . . . . . . . . : 00-40-05-55-78-DD 
        Dhcp Enabled. . . . . . . . . . . : No 
        IP Address. . . . . . . . . . . . : 10.10.14.141 
        Subnet Mask . . . . . . . . . . . : 255.255.255.128 
        Default Gateway . . . . . . . . . : 10.10.14.129 
        DNS Servers . . . . . . . . . . . : 202.144.115.4 
                                            202.144.10.50 
                                            202.144.13.50


As the VNC docs mention, this requires mapping a port from your router’s outside IP to your machine’s inside IP. You said getting the ISP to do it isn’t an option, but maybe you can do it yourself. What equipment do you connect with on your end? What brand/model of router or modem?

There’s a quick test you can try. Connect to 10.10.14.129 in a browser window. If that doesn’t work, try telnet 10.10.14.129 at a command prompt. Post the results.

If you use MS Internet Connection Sharing, there is a free utility which will handle the port forwarding for you
http://www.practicallynetworked.com/sharing/ics/icsconfiguration.htm

However, if you only need browser access to the internal machine, this is easily done with the Apache webserver, which will also allow you an extra level of security, like so:
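# Runs on the externally reachable machine and relays requests inward
<VirtualHost dell>
    ServerAdmin you@you.org
    ServerName internalmachine.dyndns.org
    DocumentRoot C:/www
    # Forward every request to the internal web server and rewrite
    # redirects in its responses so they point back at this proxy
    ProxyPass / http://192.168.0.135/
    ProxyPassReverse / http://192.168.0.135/
    <Location />
        # Require a login before anything is proxied inward.
        # Basic auth only base64-encodes the password, so serve this
        # virtual host over TLS if it is reachable from the Internet.
        AuthType Basic
        AuthName Tivo
        AuthUserFile C:/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>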
If neither of these scenarios works for you, it will depend on your hardware router. Most decent routers have some method of port forwarding built in.

hi Number, dirty1… thanks for your responses…

Number… i tried telnetting to 10.10.14.129 it asked me for password. what should have been the best case response ?

the modem itself is not physically present in the house… i think the ISP has placed it somewhere outside and has just pulled in the cable to connect to my comp’s ethernet card…

dirty1… the first link is really interesting … it won’t help in this case, 'coz i don’t use ICS, i just have a DSL connection to a single PC… so any such script would need to be run on the server comps not mine… but it will be immensely useful in other scenarios where i do use ICS with multiple machines on a LAN… i shall try it the next time i play Age of Empires II with friends :slight_smile:

the apache server option i didn’t quite understand… will it allow me to reach an internal ip from the public internet by just running the server on the internal machine

just a note: dyndns.org and dns2go.org solutions don’t work in the case of internal ip addresses because they incorrectly map to the global external ip address of the router.

Number, you say i can do the mappings myself ? how ? assume i have no admin access to any comp outside of mine on the ISP’s internal network…

hopefully you guys would have some more suggestions ?

About the only way you’re going to do it short of getting a static 1-1 NAT from the ISP is by using some sort of tunneling protocol like IPSec or PPTP out from your machine. You might also be able to do some magic using ssh and initiating a connection from your home machine to an ssh server at the office. Once the connection from home is in place, you could forward some ports from the office server that redirect back through the ssh tunnel to another service on your home machine.

Didn’t read it too close but this page should give you some ideas.
http://boim.com/~aaron/unix/sshTunnel.html

Woo hoo, you do have a problem.

But there is an answer. You need to get that machine hidden behind NAT to reach out and touch your public machine. This way, the public machine will know where to touch it back, and NAT will correctly forward the traffic (back to the computer that requested it).

Here are a couple of links to get you started.

www.gotomypc.com - Appears to be a service that you sign up for. Connection is initiated on the client machine.

http://www.microsoft.com/windowsxp/pro/techinfo/administration/adminra/ranat.asp - This looks better. Uses a Windows Messenger invite to set up the connection.

These are only what I found during a casual search. If you could be a little more specific with OSs, goals, software, etc., then maybe we can find something a little more suited for your purposes.

You would need to run Apache on both machines. The httpd.conf directive I showed would be on the external one.

If you use a service that allows wildcards, you can set up yourhouse.dyndns.org on the external machine, and comp1.yourhouse.dyndns.org etc. on the internal ones. The Apache directive aliases the domain to the internal IP or the machine name.

Good luck

He doesn’t have an external machine, though. Just one at his house using NAT from a router he has no access to. I could see how this would work if he had a lan at home with one PC having an external IP running NAT for the rest of them.

Judging from the responses, I think his problem is misunderstood.
He has a computer at home with a private IP (10.10.whatever). This computer is obviously behind a router providing NAT. He wants to access this machine from his office computer. The problem is, where do you tell the office computer to look? His home computer has no public IP. He has no access to this router to set up a DMZ or port forwarding.

Or, if I am the one misunderstanding, please correct me and tell me to shut up :slight_smile:

Okay, any IP address within range of 10.0.0.0 of a class-A network is known as martians. These addresses are reserved exclusively for private uses and do not get on the Internet - routers discard packets from these addresses.

We know, that’s the whole problem.

I thought perhaps you had a router and could configure a static NAT entry in it. This isn’t possible since it belongs to the ISP. It sounds like you’re SOL unless you can use one of the services Joey G mentioned.

Joey G, you’re spot on! please keep talking…

i’ll read through your other suggestions Joey G, sigSEGV

I don’t have any more specific suggestions than those given by sigSEGV and Joey G but I wanted to chime in and say in principle you must be able to do it because servers manage to find you every time you go to their web site.

The method dirty1 mentions is above my head but I can see how having apache on your office computer could be a solution. Let’s say you set up apache and a web site on your office computer. If you connect to your office website from home, apache somehow has a method to find your home computer because it sends information to it. Therefore if you could somehow “hijack” your office computer’s connection you would have access to your home computer.

My summary of the methods that have so far been discussed.
You have to have the following system set up:

A. home computer server (Apache or ssh … etc)
B. office computer server (Apache or ssh … etc)
The type of access required (browser, ftp, telnet …) will determine the server type needed.

The steps to follow would then be:

  1. From home connect to your office server.
  2. The office server connects back to the home server through this line.
  3. “hijack” the office server’s connection when you are at your office.

If we agree that this is the method required, maybe then we can discuss specific software and techniques to accomplish this.

Interesting problem!

It is clear that xash’s DSL setup is like one big LAN with the router also acting as a proxy server.

AFAIK there is nothing that can be done to access his computer unless he can arrange some kind of tunneling with his ISP. He also needs a non-martian IP address.

:smack:

Hiccup with vBB code.

xash, what exactly are you trying to do on your home PC from the office? Depending on your answer, Microsoft’s NetMeeting may be a cheap (free!) option. With NetMeeting installed on both computers, you could host a meeting on your office PC, connect to it from the home PC, share the desktop on the home PC, then grant control of home PC’s desktop to the work PC.

I think NetMeeting also has a helpdesk-type remote control option, but I’ve never used that. Granted, it’s much easier to get things started in NetMeeting if you have an operator at both ends, but once the connection is made you may be able to accomplish whatever it is you are trying to do.

One other thing you might try is asking your ISP if they are using static or dynamic NAT. If their answer is static then presumably your internal IP address of 10.10.x.x would always be translated as 210.210.97.221. If that is indeed the case, then you should be able to use something like pcAnywhere host/remote to connect from work to home. You would have to install the host side on your home PC then use the remote side on the office PC to connect using the 210.210.97.221 address.

Of course, if they are using dynamic NAT, then all bets are off. Each time you connect to the NET, you would be assigned a different external IP by the ISP’s NAT server. Then you would be back to the situation described in my previous post.

BTW, since you have a DSL connection, you ARE using a personal firewall product on your home PC, AREN’T YOU?!? You don’t even want to think about all the nasty things that you could catch engaging in unprotected computing on the nasty old Internet!! :eek:

Not necessarily. That would only work if the ISP is directly mapping all ports from the external address to the private address, which means they’d have a different external address for each customer who’s set up like this.

I suspect the ISP is using NAT to conserve IP addresses, so multiple customers are using the same external address, in which case a direct forwarding like that is unfeasible.

If he can’t even connect to his home computer when he’s trying to, how is a hacker going to reach him?

That’s the upside of NAT - packets can only get to your computer by going through the NAT server, and the NAT server will only forward packets if you initiate the connection from your own computer (or if you set up forwarding manually). It only becomes a downside when you can’t control the NAT server, which seems to be causing the OP’s trouble.
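The behaviour several replies describe (the NAT router forwards an inbound packet only when a machine behind it opened the connection first, and many customers share one public address) can be seen in a small model. This is an added example, not part of any poster's reply; the office address, the neighbour's address, all port numbers and the strict reply-filtering policy are assumptions made for illustration.

```python
# Toy model of a port-translating NAT router. 10.10.14.141 and 210.210.97.221
# come from the thread; every other address and port is constructed.
# Assumption: the router only accepts replies from the exact remote endpoint.
from dataclasses import dataclass, field

PUBLIC_IP = "210.210.97.221"

@dataclass
class Nat:
    next_port: int = 40000
    # public port -> (inside host, inside port, remote host, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, src, sport, dst, dport):
        """Inside host opens a connection: allocate a public port, keep state."""
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (src, sport, dst, dport)
        return (PUBLIC_IP, pub, dst, dport)  # the flow as the Internet sees it

    def inbound(self, src, sport, pub_port):
        """Packet arrives at the public IP: forward only if state matches."""
        entry = self.table.get(pub_port)
        if entry is None:
            return None  # no inside host opened this port: dropped
        in_host, in_port, r_host, r_port = entry
        if (src, sport) != (r_host, r_port):
            return None  # not the endpoint the inside host contacted: dropped
        return (in_host, in_port)

def demo():
    nat = Nat()
    home, neighbour, office = "10.10.14.141", "10.10.14.150", "198.51.100.7"
    results = {}
    # 1. The office connects first to the home PC's VNC port: no state exists.
    results["office_first"] = nat.inbound(office, 51000, 5900)
    # 2. The home PC and a neighbour both dial out behind the same public IP.
    _, home_pub, _, _ = nat.outbound(home, 3333, office, 22)
    _, nb_pub, _, _ = nat.outbound(neighbour, 3333, office, 22)
    results["public_ports"] = (home_pub, nb_pub)
    # 3. Office replies on those flows are translated back to the right host.
    results["reply_home"] = nat.inbound(office, 22, home_pub)
    results["reply_neighbour"] = nat.inbound(office, 22, nb_pub)
    # 4. An unrelated Internet host probing the open mapping is dropped.
    results["stranger"] = nat.inbound("203.0.113.9", 4444, home_pub)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real routers differ in how strictly they match the remote endpoint, and this filtering says nothing about hosts on the inside network, which reach each other without passing through the translation table.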

Well, Mr2001… If the ISP has put a router out in the street to do NAT, and he only gets to see an Ethernet cable, then maybe there’re a lot of people on his street behind the same router. (If you were an ISP would you do one router+ a hub for a whole street? OR one router for every customer on the street? You also don’t conserve many IP addresses by sticking one client behind a NAT router.)

So if his neighbours are hackers, then they can ‘own’ him PDQ

At the very least, xash, I suggest you make sure that you’ve turned off ‘Client for Microsoft Networks’ and ‘Files and Print Sharing for MS Networks’ on the interface connected to the internet. If you’re worried about security at all, that is.