RESET Forums (homeservershow.com)

Problem using Anywhere Access with Dynamic IP


doliveira

Hi,

 

At my home office I have a server running “Windows Server 2012 R2 Essentials” and I have already set up the Anywhere Access + VPN and all is working fine.

But there is one problem that I explain below:

 

My internet uses a Dynamic IP address that is shared to all the ISP clients in my street and city.

 

The problem is that I have tested browsing to the internet dynamic IP instead of using the mycompany.remotewebaccess.com URL, and it will open my server Anywhere Access page.

In a simple way, if I type my internet IP in my browser as 111.111.111.111.remotewebaccess.com, it will open the same page as if I type mycompany.remotewebaccess.com

 

---

 

I think this is a security risk and also if someone else on my street or city is using Anywhere Access it can conflict with my own install.

 

So does anyone know what I need to do in order to resolve this problem?

IMPORTANT NOTE: My internet ISP does not allow static IPs, so that is not an option in my case.

 

Thanks


This is a classic DNS issue.  The record is not getting updated thru the DNS server.  Who is hosting the DNS?  I was having a similar issue with 2011 a couple of weeks ago and it has cleared itself up.


Hi jmwills,

 

The DNS is not running on the server. Instead it's set up and running on my router (TP-Link TP-ER5120), where I'm using the Google Public DNS service (8.8.8.8 / 8.8.4.4).

Was this what you wanted to know? Can you help me with my problem?

 

Thanks

Sorry if I am hijacking this thread but would like to know more about TP-ER5120, router.  Why did you choose it and any pros or cons?


Are you actually typing "111.111.111.111.remotewebaccess.com" or just "111.111.111.111"?  I'm assuming that 111.111.111.111 is your public IP that you got from the router.  Assuming that you are typing just the IP, then this is the typical behavior for a server - it provides the same page regardless of access by IP or by DNS name (actually, with SSL it usually has to provide the same page).

 

I'm a little confused what you mean by "Dynamic IP address that is shared to all the ISP clients in my street and city".  It's typical that dynamic IP's jump around between clients in the same area, but no two clients should have the same public IP, unless the ISP is using NAT, in which case you'd definitely run into some problems if someone else wanted to use remote web access.  Is the IP that you're using the same one that you see if you check the WAN connection status on your router?  As long as your router has a public IP assigned to it, you should be fine.  The only issue that may crop up from time to time is that if your IP changes (usually unlikely unless the router reboots), it may change and may take a little while for the change to propagate through DNS before the server can be accessed by name again.

 

What security risk do you see, can you explain your thoughts there a little better?


First I want to thank you all for your advice and help on this issue.

 

> Did you use a custom Domain name or a Microsoft provided one?

 

I'm using the Free domain provided by Microsoft (xxx.remotewebaccess.com).

 

 

> Sorry if I am hijacking this thread but would like to know more about TP-ER5120, router.  Why did you choose it and any pros or cons?

 

I chose the TP-ER5120 because I needed an enterprise-level router for my small office that had to have multi-WAN and good security settings and also properly handle WAN fiber connections up to 200Mbps (this router has a NAT throughput of 350Mbps)... all this at a good price, so I found the TP-Link brand to offer all this and I bought the router. It has been running for almost 2 years and until now, no problem at all.

Anyway, if it was today I would buy the TP-ER6120 model, just because it has a built-in VPN feature. The only downside of the TP-ER6120 is that it only supports 2 WAN ports, when the TP-ER5120 is capable of having 4 WAN ports... but I only need 2 to maintain internet redundancy.

In summary, I'm very satisfied with the TP-Link brand. It seems to have one of the best price/quality/features combinations on the market. The only downside I see is their software, which is good but could be better. You can see for yourself on their website, where they have a live version of the TP-ER6120 admin interface available (the software on the TP-ER5120 is equal, except the VPN and number of WAN options):

 

http://www.tp-link.us/emulators.html 

 

> Are you actually typing "111.111.111.111.remotewebaccess.com" or just "111.111.111.111"?  I'm assuming that 111.111.111.111 is your public IP that you got from the router.  Assuming that you are typing just the IP, then this is the typical behavior for a server - it provides the same page regardless of access by IP or by DNS name (actually, with SSL it usually has to provide the same page).

> I'm a little confused what you mean by "Dynamic IP address that is shared to all the ISP clients in my street and city".  It's typical that dynamic IP's jump around between clients in the same area, but no two clients should have the same public IP, unless the ISP is using NAT, in which case you'd definitely run into some problems if someone else wanted to use remote web access.  Is the IP that you're using the same one that you see if you check the WAN connection status on your router?  As long as your router has a public IP assigned to it, you should be fine.  The only issue that may crop up from time to time is that if your IP changes (usually unlikely unless the router reboots), it may change and may take a little while for the change to propagate through DNS before the server can be accessed by name again.

> What security risk do you see, can you explain your thoughts there a little better?

 

I'm typing "my-dynamic-ip-address.remotewebaccess.com". 

 

My internet uses a Dynamic IP, but now you raise a good question about whether my Dynamic IP is or is not used by more than one client at the same time. I will call my ISP to ask them about this.

 

About NAT, my ISP provides its own router and the option was to put the ISP router in Bridge Mode and then connect to the WAN port of my own router that is making the NAT. 

 

When I browse to www.whatismyipaddress.com to find my internet public IP address the result is: 217.129.199.XX. I also leave below the WAN settings on my own router and an example traceroute from my computer to an example website for you to see if with this you can help me more to see how my internet/NAT is set up and how this can relate to the issue being discussed here.

 

WAN Dynamic IP Status
IP Address: 217.129.199.XX
Subnet Mask: 255.255.248.X 
Default Gateway: 217.129.192.X 
Primary DNS: 8.8.8.8
Secondary DNS: 8.8.4.4

 

C:\>tracert sapo.pt
 
Tracing route to sapo.pt [213.13.146.138] over a maximum of 30 hops:
 
  1    <1 ms    <1 ms    <1 ms  192.168.0.1  >> This is my own router
  2     7 ms     7 ms     7 ms  10.29.0.1  >> I think this is my ISP router that is in bridge mode
  3     7 ms     6 ms     7 ms  pa1-84-91-1-145.netvisao.pt [84.91.1.145]  >> This is already my ISP 
  4    20 ms    20 ms    20 ms  pa1-84-91-0-198.netvisao.pt [84.91.0.198] >> >> This is already my ISP
  5    25 ms    21 ms    21 ms  te0-7-0-1.rcr21.lis01.atlas.cogentco.com [149.6.144.73]
  ....
 10    68 ms    68 ms    69 ms  sapo.pt [213.13.146.138]
 
Trace complete.
 
--
 
The security risk I see is that if someone types my public IP address as "dynamic-ip.remotewebaccess.com", it goes to the same page as if they browse to "mycompanyname.remotewebaccess.com". So if my dynamic IP is shared by many people (at the same time or not I still don't know; I will have to call my ISP to ask), this can be a security risk, especially in case the same IP is being used by more than 1 client at the same time. Just imagine if my next door neighbour is using the same IP and types IP.remotewebaccess.com in their browser: they will have access to my server login page that I want to keep private. Also, what will happen if my neighbour is also using a Windows Server with a setup equal to mine? What will happen when we both type ip.remotewebaccess.com... that can be a conflict.

Now this is just an idea that I don't know is possible: if I use a Dynamic DNS service like no-ip.com, can it solve this issue? With a Dynamic DNS service will I be able to give my server a "static name / address" instead of using the dynamic IP provided by my ISP?

 

 

> Can you give us the URL of the remote webaccess?

 

If needed yes. But for security reasons not in a public way. I can send you a personal PM. Is this ok with you?

 


The only way two computers can have the same public IP is if NAT is in use.  Given that you have a public IP showing on your router, I doubt that is the case.  However, I am slightly confused about your traceroute, it doesn't show the default gateway that your router has in it.  You mention needing two WAN connections for redundancy, are both of them active right now?  If so, I suspect that one of your connections has two NATs in place (not sure if it's the ISP router or at the ISP data center) and the other one does not.  In the case of having multiple computers on the same public IP running server essentials, even if your site was configured to only respond to remote.remotewebaccess.com and the other server responded to home.remotewebaccess.com, there's the possibility that you going to remote.remotewebaccess.com actually takes you to your neighbor's server.  Things like remote web access and VPN require that you have a publicly routed IP address on the router.

 

If you want the server login page to be private, then don't let it be mapped to a public IP.  As long as it's available on the internet, people can access it and generally speaking, security through obscurity isn't much security.  Even if people can find the login page, it is meant to be exposed to the internet in general, that's part of why it uses SSL.  Even if no one else knows the URL or IP address, it's still possible for someone to stumble into the site by accident through other means.

 

By the way, even if you have two connections for your internet, I don't think that your remote web access/VPN connection is taking advantage of them at all.  The dynamic DNS is only going to configure itself for one of your WAN connections, so I'm not sure what would happen if it goes down.  I suspect that if it's down long enough things may reconfigure onto the second WAN connection, depending on how your router behaves.  I'd also worry a little bit that since one of your WAN connections appears to have a double NAT if the server tries to connect through it once, it will break your remote web access completely until the connection reconfigures for the other WAN connection again.

 

While we're discussing security, just in case you're using UPNP right now (default way for the server to configure the router), many people around here strongly recommend that you configure the port forwarding for Server 2012 manually in the router instead.  I believe that the only ports needed anymore are 80 and 443 (that's all I use).  It also reduces the number of errors the server reports about a misconfigured router because something hasn't rebooted or timed out properly yet.


If 192.168.0.1 is your router why is the gateway set to:

 

Default Gateway: 217.129.192.X

 

Did you set this up manually or let the utility set it up?  I'd recommend doing it manually.

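The checks discussed in the replies above (is the router's WAN address publicly routable, does it match the address seen from outside, and does the traceroute show private hops beyond the local router) can be scripted. This is an added example, not code from any poster in the thread; the sample tracert text is constructed, and the 203.0.113.x / 198.51.100.x documentation addresses stand in for ISP hops.

```python
import ipaddress
import re

# Address ranges that are never publicly routed: RFC 1918 private space and
# the RFC 6598 shared range that ISPs use for carrier-grade NAT.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample in the shape of the tracert output posted in the thread.
SAMPLE_TRACERT = """\
  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     7 ms     7 ms     7 ms  10.29.0.1
  3     7 ms     6 ms     7 ms  isp-core.example.net [203.0.113.145]
  4    20 ms    20 ms    20 ms  198.51.100.73
"""

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC)

def parse_hops(tracert_text):
    """Return [(hop_number, ip)] from Windows tracert output lines."""
    hops = []
    for line in tracert_text.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", line)
        if m and ips:
            hops.append((int(m.group(1)), ips[-1]))
    return hops

def nat_findings(wan_ip, external_ip, tracert_text):
    """List reasons to suspect more than one NAT between server and internet."""
    findings = []
    if not is_public(wan_ip):
        findings.append(f"router WAN address {wan_ip} is not publicly routable")
    if wan_ip != external_ip:
        findings.append(f"WAN address {wan_ip} differs from externally seen {external_ip}")
    # Hop 1 is the local router; a later private hop is another NAT layer
    # or a private ISP segment in the path and deserves a closer look.
    for n, ip in parse_hops(tracert_text):
        if n > 1 and not is_public(ip):
            findings.append(f"hop {n} ({ip}) is private address space")
    return findings

if __name__ == "__main__":
    for finding in nat_findings("203.0.113.20", "203.0.113.20", SAMPLE_TRACERT):
        print(finding)
```

An empty result means the router holds a publicly routed address and no private hop appears after it, which is the condition the replies give for remote web access and VPN to work.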
