I'm trying to educate myself more on everything regarding networking. I've been reading up on DDNS recently and I have a few questions regarding DDNS and port forwarding.

 

First of all, I understand the concept behind port forwarding. However, the thing that's bugging me is let's say I have a dedicated public IP which means that I can use windows remote desktop by inputting my IP no problem as long as I have forwarded the port 3381 to the computer I want to connect to. I've tried it and it worked. The thing that I am wondering now is let's say that I have two different computers and I want to be able to connect to both remotely. The incoming connection will be using the same port for both. How do we change the port that is used with the remote desktop app? I tried to port forward to my second computer: external connection 4000 to internal connection 3389 and on the remote desktop app I tried to sign in with public_address:4000. It didn't work though.

 

Then, for DDNS, if I create a DDNS account and set it up, once I have allowed DDNS on my router and all that stuff, how do I then port forward the right port? So far, I did everything aside from the port forwarding, so it's not surprising that my router is spouting an error regarding the DDNS settings. In my case there is a server that I'm trying to connect to. What is the incoming port regarding the DDNS? I know that my question most likely doesn't make sense but I'm wondering what port the incoming connection will use. Those are the first few questions I have and I'll probably have a few more. Thank you very much for the help!

Link to comment
https://linustechtips.com/topic/906121-general-questions/

You can change the port remote desktop uses, that's how you have multiple.

But you really shouldn't pass a ton of systems through with remote desktop, that's why we have VPNs.

DDNS doesn't affect port forwarding, just keeps your domain name with your IP.

Link to comment
https://linustechtips.com/topic/906121-general-questions/#findComment-11141327

4 minutes ago, migeo said:

I tried to port forward to my second computer: external connection 4000 to internal connection 3389 and on the remote desktop app I tried to sign in with public_address:4000. It didn't work though.

That sounds correct to me so I'm surprised it isn't working. Might be worth double-checking there's no typo in any of the config?

You can also take a look at: https://support.microsoft.com/en-us/help/306759/how-to-change-the-listening-port-for-remote-desktop

1 minute ago, Electronics Wizardy said:

But you really shouldn't pass a ton of systems through with remote desktop, that's why we have VPNs.

This is very good advice though - a VPN would be much more secure and solve the issue of port forwarding.

For DDNS - this does not affect the port in any way, it just allows you to connect via a friendly name rather than an IP address, so for your remote desktop connection you could connect via:

my-ddns-name.ddns.com:3389
rather than
1.2.3.4:3389

Link to comment
https://linustechtips.com/topic/906121-general-questions/#findComment-11141333

The external port needs to be different for each host you want to connect to. The internal port can be the same. Your router uses the external and internal ports as unique identifiers to determine which and what connections are to be made. Assigning port 4000 to computer IP 192.168.0.10 will cause external connections coming in to be forwarded to that machine. If you have, let's say, hosts .10 & .11 both with external port numbers of 4000, the router will receive the request from the internet on port 4000 and will either drop the packet because of duplicate addressing or send it to both hosts, which in either event will cause the connection to be lost due to conflict. Each remote host needs a dedicated external port. Each internal host can in theory use the same internal port if desired since every machine can use ports 1 - 65536 at the same time. If this doesn't work, assign unique internal ports as well.

 

Whatever remote desktop software you're using you simply replace your Public IP with the domain. The port number being used for the specific machine you want to connect to will determine which machine it connects to once inside your network. All DNS does is resolve domain names to IP addresses. It's kind of a mask if you will. DDNS is a feature that can be used for DNS but that's unrelated to your questions.

Link to comment
https://linustechtips.com/topic/906121-general-questions/#findComment-11141395
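
Added example (not from any poster in this thread): a short Python check of a port-forwarding table for the conflict described in the post above, duplicate external ports, and, going slightly beyond it, rules that forward a whole range where a single port was intended. The `Forward` record, the `audit` function and the sample addresses are assumptions made for illustration, not a real router's export format.

```python
from dataclasses import dataclass

RDP_PORT = 3389  # default RDP listening port

@dataclass(frozen=True)
class Forward:
    """One router rule: external port range -> internal host and port range."""
    ext_start: int
    ext_end: int
    host: str
    int_start: int
    int_end: int

def audit(rules):
    """Return a list of (rule_index, message) findings for a forwarding table."""
    findings = []
    for i, r in enumerate(rules):
        for p in (r.ext_start, r.ext_end, r.int_start, r.int_end):
            if not 1 <= p <= 65535:  # TCP/UDP port numbers are 16-bit
                findings.append((i, f"port {p} outside 1-65535"))
        if r.ext_start > r.ext_end or r.int_start > r.int_end:
            findings.append((i, "range start is above range end"))
        if r.ext_end - r.ext_start != r.int_end - r.int_start:
            findings.append((i, "external and internal ranges differ in size"))
        if r.ext_end > r.ext_start:
            n = r.ext_end - r.ext_start + 1
            findings.append((i, f"range rule exposes {n} ports; use a single port"))
        # Two rules claiming the same external port cannot both win.
        for j in range(i):
            o = rules[j]
            if r.ext_start <= o.ext_end and o.ext_start <= r.ext_end:
                findings.append((i, f"external ports overlap rule {j} ({o.host})"))
        if r.int_start <= RDP_PORT <= r.int_end:
            findings.append((i, f"RDP on {r.host} reachable from the internet"))
    return findings

# Constructed table: addresses and ports are sample values.
SAMPLE = [
    Forward(3389, 3389, "192.168.0.10", 3389, 3389),
    Forward(4000, 4000, "192.168.0.11", 3389, 3389),
    Forward(4000, 4000, "192.168.0.12", 3389, 3389),   # duplicate external port
    Forward(3400, 3500, "192.168.0.13", 3400, 3500),   # range instead of one port
]

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE):
        print(f"rule {idx}: {msg}")
```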

5 hours ago, Windows7ge said:

The external port needs to be different for each host you want to connect to. The internal port can be the same. Your router uses the external and internal ports as unique identifiers to determine which and what connections are to be made. Assigning port 4000 to computer IP 192.168.0.10 will cause external connections coming in to be forwarded to that machine. If you have, let's say, hosts .10 & .11 both with external port numbers of 4000, the router will receive the request from the internet on port 4000 and will either drop the packet because of duplicate addressing or send it to both hosts, which in either event will cause the connection to be lost due to conflict. Each remote host needs a dedicated external port. Each internal host can in theory use the same internal port if desired since every machine can use ports 1 - 65536 at the same time. If this doesn't work, assign unique internal ports as well.

 

Whatever remote desktop software you're using you simply replace your Public IP with the domain. The port number being used for the specific machine you want to connect to will determine which machine it connects to once inside your network. All DNS does is resolve domain names to IP addresses. It's kind of a mask if you will. DDNS is a feature that can be used for DNS but that's unrelated to your questions.

 

5 hours ago, Meic said:

That sounds correct to me so I'm surprised it isn't working. Might be worth double-checking there's no typo in any of the config?

You can also take a look at: https://support.microsoft.com/en-us/help/306759/how-to-change-the-listening-port-for-remote-desktop

This is very good advice though - a VPN would be much more secure and solve the issue of port forwarding.

For DDNS - this does not affect the port in any way, it just allows you to connect via a friendly name rather than an IP address, so for your remote desktop connection you could connect via:

my-ddns-name.ddns.com:3389
rather than
1.2.3.4:3389

 

Thank you, everybody, for the info. Helped me understand. The only thing that I am missing is, you said that's why we use a VPN. Okay well, then this means that I need to create a private VPN such that the only person connected to the client is me. How do I do this? Are there free apps that do this, or do I just set up DMZ for the second computer that I'm trying to connect to and once I do this, I'll be able to connect using the IPv4 of the system? I haven't really read up much on DMZ; what I think it is is that it opens up the computer to every connection (basically opening every port). I'm most likely wrong here as well but that's to be expected. Thanks again for the help!

Link to comment
https://linustechtips.com/topic/906121-general-questions/#findComment-11142476

To try and give a simple explanation of a DMZ - If you split your network into two areas*, call them DMZ and core, then you would keep anything that accepts inbound communications from the internet in the DMZ and everything else in the core. This is a security measure so that if someone manages to gain access to your DMZ, you still have another line of protection before they can access your sensitive data in your core network.

* "areas" are really one or more subnets

However, you do not need to split up your network like this to use a VPN.

For a VPN, this just allows you to access the entirety of your home network (as if you were at home) from a coffee shop or wherever you are. This means you would:

  1. Connect to your VPN
  2. RDP to the desired host on its local IP address

No need for any port forwarding, apart from one port for the VPN server.

I use OpenVPN (free, open source software) on an Ubuntu Linux server. Although a quick Google suggests you can install the OpenVPN server on Windows as well.

Note: Linus also uses OpenVPN, you sometimes see the Windows client on his start bar on WAN show.

Link to comment
https://linustechtips.com/topic/906121-general-questions/#findComment-11143779

4 hours ago, Meic said:

To try and give a simple explanation of a DMZ - If you split your network into two areas*, call them DMZ and core, then you would keep anything that accepts inbound communications from the internet in the DMZ and everything else in the core. This is a security measure so that if someone manages to gain access to your DMZ, you still have another line of protection before they can access your sensitive data in your core network.

* "areas" are really one or more subnets

However, you do not need to split up your network like this to use a VPN.

For a VPN, this just allows you to access the entirety of your home network (as if you were at home) from a coffee shop or wherever you are. This means you would:

  1. Connect to your VPN
  2. RDP to the desired host on its local IP address

No need for any port forwarding, apart from one port for the VPN server.

I use OpenVPN (free, open source software) on an Ubuntu Linux server. Although a quick Google suggests you can install the OpenVPN server on Windows as well.

Note: Linus also uses OpenVPN, you sometimes see the Windows client on his start bar on WAN show.

Thank you very much for the information. I've been able to fix my problem with remote desktop connection. I had port forwarded a range instead of a specific port by mistake (external and internal). I set it up as a single port: 3400 and for a third computer 3500. As a result, since I'm using a DDNS, I'm just connecting now using hostname.dnsservice.com:port and it's working no problem. I will try and do the VPN connection since it sounds pretty cool imo. Don't really need to do all this but it's fun seeing how things connect. Either way, thank you very much again for the explanation!

Link to comment
https://linustechtips.com/topic/906121-general-questions/#findComment-11144273

7 minutes ago, migeo said:

Thank you very much for the information. I've been able to fix my problem with remote desktop connection. I had port forwarded a range instead of a specific port by mistake (external and internal). I set it up as a single port: 3400 and for a third computer 3500. As a result, since I'm using a DDNS, I'm just connecting now using hostname.dnsservice.com:port and it's working no problem. I will try and do the VPN connection since it sounds pretty cool imo. Don't really need to do all this but it's fun seeing how things connect. Either way, thank you very much again for the explanation!

 

No problem and good luck playing with the VPN :)

 

P.S. I'm sure you already have but if you are opening up those ports for RDP, make sure you have a very strong password on those computers for all users.

Link to comment
https://linustechtips.com/topic/906121-general-questions/#findComment-11144302

Just now, Meic said:

 

No problem and good luck playing with the VPN :)

 

P.S. I'm sure you already have but if you are opening up those ports for RDP, make sure you have a very strong password on those computers for all users.

obviously XD. I do not want to have 123456 or password as a password LOL.

Link to comment
https://linustechtips.com/topic/906121-general-questions/#findComment-11144304

Enable NLA to lessen the load if people start banging on your RDP door. Make sure your client and host machine are Windows 8 or greater, so your stream is encrypted with semi-modern standards. RDP will use the highest available security settings, but by default it will accept the lowest security settings as well.

RDP is frequently attacked and there are a lot of CVEs out, so make sure you stay up to date.

OpenVPN can be used at the firewall/router level, as such you can restrict what (RDP/SMB/etc.) traffic goes to/from the OpenVPN segment. The idea is only trusted devices will make a successful connection (assuming you're using certificates in combination with credentials) so you give them a tiny bit more leeway. I suppose you could say the same about RDP, but given its history most people don't trust it.

Link to comment
https://linustechtips.com/topic/906121-general-questions/#findComment-11144388
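
Added example (not part of the original post): a Python audit of the RDP listener settings behind the advice above, reading the text that `reg query` prints for the RDP-Tcp key. The sample dump is constructed; `UserAuthentication`, `SecurityLayer`, `MinEncryptionLevel` and `PortNumber` are the Windows registry values for NLA, security layer, encryption level and listening port.

```python
import re

# Constructed sample of `reg query` output for the RDP listener key.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    MinEncryptionLevel    REG_DWORD    0x2
    PortNumber    REG_DWORD    0xd48
    SecurityLayer    REG_DWORD    0x1
    UserAuthentication    REG_DWORD    0x0
"""

LINE = re.compile(r"^\s+(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_dwords(text):
    """Map value name -> int for every REG_DWORD line in reg query output."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out[m.group(1)] = int(m.group(2), 16)
    return out

def audit_rdp(text):
    """Return hardening findings for one RDP-Tcp listener dump."""
    v = parse_dwords(text)
    findings = []
    # UserAuthentication = 1 means Network Level Authentication is required.
    if v.get("UserAuthentication") != 1:
        findings.append("NLA not required (UserAuthentication != 1)")
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
    if v.get("SecurityLayer") != 2:
        findings.append("listener accepts non-TLS security (SecurityLayer != 2)")
    # MinEncryptionLevel: 1 = low, 2 = client compatible, 3 = high, 4 = FIPS.
    if v.get("MinEncryptionLevel", 0) < 3:
        findings.append("encryption level below High (MinEncryptionLevel < 3)")
    port = v.get("PortNumber")
    if port is not None and port != 3389:
        findings.append(f"non-default listening port {port} (not a security control)")
    return findings

if __name__ == "__main__":
    for finding in audit_rdp(REG_SAMPLE):
        print(finding)
```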