
Help with remote access using sftp/ssh2


Paul Komski
12-03-2007, 06:31 AM
Am beginning to get to grips with using Ubuntu 7.04 as a file server. OpenSSH is installed and functional from within the LAN. For example no problems using the portable apps PuTTY (SSH console access) and FileZilla (SFTP access) on a PenDrive from Windows-based PCs on the LAN.

The LAN uses DHCP from a TP-Link (TL-WR641G) Router and the Broadband is from a Wireless ISP. I believe I have a dynamic public IP address but that is where I begin to get lost.

I would like to be able to access using PuTTY or FileZilla when I am away from home but don't know how to find out which IP address I should be entering to get to the relevant PC on the LAN.

Have searched around and cannot find out what must be something fairly straightforward - since I can access remotely with no problems at all using software such as LogMeIn.

Any help or tips or useful links would be most gratefully received.

Paul Komski
12-04-2007, 06:15 AM
I think I have made some progress in understanding about remote access to a server application. That is to say that I believe that I have to either set all PCs on the LAN to static IP addresses or set the router to reserve an IP address for the server PC.

Then forward the correct port (22 in this instance) to that IP address.

What I really have not got to grips with is the area to do with my public IP address. Presumably I may have to setup a dyndns (https://www.dyndns.com/) or similar. However if I know the public IP address at the time I wish to access would it not be possible to avoid such a dyndns approach?

Or maybe there is a secondary problem because my LAN is behind my router receiving from a Wireless (as opposed to a DNS or cable) ISP. Looking through all my own IP addresses used on this site it would appear that this broadband connection has a static IP since only one arises. That makes it look to me as if that is the address of the ISP, who in turn must be forwarding to the aerial on the roof.

It's a confusing area for us networking n00bs. ;)
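Before port 22 is forwarded as planned in the post above, a practitioner would check what the sshd behind it is configured to accept. The script below is an added example, not code from the thread or from OpenSSH: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, anything after the first Match line is conditional) and reports the settings that should not be exposed to the internet. The two config texts are constructed, the defaults table assumes OpenSSH 7.0 or later, and the policy values are the editor's own minimal baseline.

```python
"""Audit an sshd_config before its port is forwarded to the internet."""
import re

# Compiled-in defaults used when a keyword is absent (assumes OpenSSH 7.0 or later).
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}

# Editor's minimal policy for an SSH port reachable from the internet.
POLICY = {
    "PasswordAuthentication": {"no"},
    "PermitRootLogin": {"no", "prohibit-password"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
}
MAX_AUTH_TRIES = 3


def parse_sshd_config(text):
    """Return global settings as {lowercase keyword: lowercase value}.

    Two sshd rules matter here: the first occurrence of a keyword wins
    (later duplicates are ignored), and everything after the first Match
    line is conditional, so it is not part of the global policy.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config meets POLICY."""
    settings = parse_sshd_config(text)

    def effective(keyword):
        return settings.get(keyword.lower(), DEFAULTS[keyword].lower())

    findings = []
    for keyword, allowed in POLICY.items():
        value = effective(keyword)
        if value not in allowed:
            findings.append(f"{keyword} is '{value}', expected one of {sorted(allowed)}")

    tries = effective("MaxAuthTries")
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(f"MaxAuthTries is {tries}, expected at most {MAX_AUTH_TRIES}")

    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("No AllowUsers/AllowGroups: every local account is a login target")
    return findings


# Constructed: a distribution-default style config of the era.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed: what the forwarded host should run instead.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
AllowUsers paul
# Duplicate keyword: sshd keeps the first value, so this line changes nothing.
PasswordAuthentication yes
# Conditional block: applies to LAN clients only, not to the global policy.
Match Address 192.168.0.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'OK'}")
```

Run it against `/etc/ssh/sshd_config` on the machine that will be forwarded; the distribution default of the time fails on root login, password authentication and X11 forwarding, and the hardened text shows the shape that passes. The parser deliberately ignores Match blocks, so a `Match Address` stanza that relaxes settings for the LAN does not hide a weak global policy.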

mjc
12-04-2007, 11:06 AM
My wireless ISP assigns dynamic IPs, but in general, they aren't all that dynamic...basically, the lease on it will expire when the receiver is rebooted, but otherwise it stays the same (and often, it won't even change then...). Yes, each customer has a unique IP. If you treat it as a static address, it will change. Setting up dyndns and treating it as a dynamic address is probably the way to go.

Variable
12-04-2007, 02:13 PM
dyndns will work, I use it for remote access to client machines. If the cost is low, I would ask for a static IP. If you have only one machine you want connectivity to you could port forward SSH to a statically assigned IP. You want to use static IPs for a server. If you had multiple machines, you would have to SSH to one machine and then from there SSH to the other machines. If you check your IP often and it does not change, you could already have a static IP. Do you have an antenna on the roof and a router below? What is the WAN side IP of your router? If it is an internal network, do you have access to the wireless antenna? It is possible it is set up as a bridge. In that case they should have given you a router or told you to use the one you already have. Not sure what the set up is, so it is hard to say.

Paul Komski
12-04-2007, 03:39 PM
Thanks very much guys.

At the moment this is a pretty experimental area for me but the potential uses are many and varied and the learning process itself is of great value too. Every new insight adds to my collection of "pearls".

I had the router prior to getting Wireless BB and there are usually 2-3 wired and 2-3 wireless PCs on the LAN - all on the 192.168.0.x group.

The router's LAN/Wireless IP is 192.168.0.1 and its WAN is 192.168.1.101 (flagged as dynamic in its settings) with the Gateway (presumably this is the aerial) having 192.168.1.100. I can bring up the prompt to access the aerial with http://192.168.1.100 but don't know the logon or password for it - probably by design.

I've had this setup for over 6 months now and in that time, despite a number of reboots and two temporary losses of service, only a sole IP address has been listed on the website here for myself accessing these forums whereas there are numerous other ones for all the dial-ups that took place prior to getting BB. So perhaps it is static but I wouldn't like to rely on it without knowing for sure. The provider is a small one-man outfit and he is touchy whenever I ask any questions and being as remote as I am I don't want to do anything to upset the applecart for what has been a godsend of a service for me.

I have used LogMeIn to access two of my own machines and also a couple of clients and relatives so the basics of remote access will I know work in both directions but I would like (a) to be free of third party proprietary software as much as possible and (b) to gain a better understanding of this area.

I will be looking at setting up dyndns tomorrow and will post back with success or failure.

Variable
12-05-2007, 10:16 AM
I would not be surprised if it is a static IP. If you set up port forwards on your router (the one with 192.168.x.x for both the LAN/WAN) to an internal machine and you are able to then access this machine using the public IP address successfully, the wireless router is set to bridge.

Paul Komski
12-05-2007, 11:26 AM
Haven't been able to play with this yet - but one question more. Can one configure two servers using two different ports (and two separate port forwards obviously) on the same LAN. For example a web server on one PC and SSH on another one?

Variable
12-05-2007, 06:49 PM
Sure, you can differentiate by port and/or IP.

Paul Komski
12-06-2007, 06:19 AM
It's fantastic and thanks. First of all I reserved the local IP addresses of the two servers by setting MAC-Address/IP-Address Pairs in the Router. This seemed much easier than setting static local IP addresses on all PCs. Then I forwarded Port 22 to PC#1 and Port 80 to PC#2 in the Router. Then I went to a standalone PC and used Dial-Up to attempt to FTP access PC#1 with "SFTP using SSH2" via FileZilla using the known "static" or public IP address. No joy.

So I then got myself a dyndns account and domain and configured the Router to logon to these settings; (I didn't need to setup a software dynamic dns client on the server). Bingo. Can access both computers remotely using the dyndns domain; SFTP on one and Website on the other.

So the outstanding question is "why didn't accessing via the public IP address work"? I think I have a partial answer in that when attempting to logon with FileZilla the failure to do so is accompanied by a dialog box with the ID of the server displayed on it.

With both dyndns remotely and with direct local access I get an identical response:

"The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is. The server's key fingerprint is:"
ssh-rsa 2048 xx:xx:.... etc.

However when attempting to access using the public IP address I get a different server fingerprint:
ssh-rsa 1040 yy:yy:.... etc.

This fails to connect. So it appears that this attempted connection is going to another computer. I can only assume this is the ISPs own Server and that there must be another LAN on which my aerial is situated. If I could access the aerial's settings I suppose I could expect to see a LAN and not a WAN IP address. ??

It would be nice to know exactly how the whole thing is structured and the nature of the TCP packets that are sent out to the dyndns host. Maybe that's for another day - but right now I am a happy bunny with a functional system.
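The fingerprint comparison in the post above is exactly the check the "host key is not cached" prompt asks the user to make by hand, and the mismatch is what makes the diagnosis (a different machine answering on the public IP) trustworthy. The following is an added example, not code from the thread and not PuTTY's or FileZilla's: it parses an OpenSSH-format host key line (or an ssh-keyscan line), computes the legacy colon-separated MD5 fingerprint and the SHA256 fingerprint, reads the modulus size shown as "ssh-rsa 2048", and refuses any key whose fingerprint differs from the one pinned on first contact over the LAN. The two keys are constructed blobs with arbitrary moduli, not real RSA keys, and 203.0.113.5 is a documentation placeholder address.

```python
"""Check a presented SSH host key against a pinned fingerprint."""
import base64
import hashlib
import struct


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    # RFC 4251 mpint: big-endian, minimal length, extra leading zero if the high bit is set.
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_blob(e, n):
    """Encode an ssh-rsa public key blob (RFC 4253 format) from exponent and modulus."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_openssh_line(line):
    """Parse 'ssh-rsa AAAA... comment' or ssh-keyscan's 'host ssh-rsa AAAA...' into (type, blob)."""
    fields = line.split()
    if fields[0].startswith(("ssh-", "ecdsa-")):
        keytype, b64 = fields[0], fields[1]
    else:
        keytype, b64 = fields[1], fields[2]  # ssh-keyscan prefixes the host name
    return keytype, base64.b64decode(b64)


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 fingerprint, the xx:xx:... style quoted in the thread."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob):
    """Current OpenSSH style: SHA256:<unpadded base64>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_bits(blob):
    """Modulus size of an ssh-rsa blob, the number shown as 'ssh-rsa 2048' in the prompt."""
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        fields.append(blob[offset + 4:offset + 4 + length])
        offset += 4 + length
    return int.from_bytes(fields[2], "big").bit_length()  # fields = [type, e, n]


def check_host_key(presented_line, pinned):
    """True only if the presented key's fingerprint (either format) equals the pinned one."""
    _, blob = parse_openssh_line(presented_line)
    return pinned in (fingerprint_md5(blob), fingerprint_sha256(blob))


# Constructed keys: arbitrary moduli, NOT real RSA keys; they only exercise the encoding.
HOME_SERVER_N = (1 << 2047) | 0x1234567   # 2048-bit, the Ubuntu box on the LAN
OTHER_BOX_N = (1 << 1039) | 0x89ABCDE     # 1040-bit, whatever answered on the public IP
HOME_SERVER_LINE = "ssh-rsa " + base64.b64encode(make_rsa_blob(65537, HOME_SERVER_N)).decode() + " paul@server"
OTHER_BOX_LINE = "203.0.113.5 ssh-rsa " + base64.b64encode(make_rsa_blob(65537, OTHER_BOX_N)).decode()

# Fingerprint recorded on the LAN the first time the key was seen.
PINNED = fingerprint_sha256(make_rsa_blob(65537, HOME_SERVER_N))

if __name__ == "__main__":
    for label, line in (("dyndns name", HOME_SERVER_LINE), ("public IP", OTHER_BOX_LINE)):
        _, blob = parse_openssh_line(line)
        verdict = "matches pin, continue" if check_host_key(line, PINNED) else "MISMATCH, abort"
        print(f"{label}: ssh-rsa {key_bits(blob)} {fingerprint_md5(blob)} -> {verdict}")
```

In practice the pinned value comes from running `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on the server itself while on the LAN, and the presented key from `ssh-keyscan` against the address you are about to trust. The point of pinning is that a fingerprint change at the same name or address is never something to click through.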

Variable
12-06-2007, 10:14 AM
hmm, when you ping the dyndns name is it the same IP as the public IP you are trying to address? You don't actually connect to the name, the name is just to make it easier for you to remember and the IP or IPs behind the name can change but you only have to remember the name. So, when you connect to your servers with SSH, you are using the IP. The OS just does a DNS lookup first... Ping the name you are connecting to, is it the same IP you are connecting with? If that is the ONLY difference in your testing the IP must be different, otherwise it doesn't make sense to me. Make sure you're testing outside the local network, i.e. not within the wireless broadband network.

Paul Komski
12-06-2007, 12:19 PM
I detach the cable from the LAN and go on-line using dial-up. I can then connect to the web server PC using the dyndns domain-name in a browser and see my (apache initial) home page just fine. However pinging the same domain name resolves to 192.168.1.101 (which is the same as the router's WAN IP address, when the pc had been previously attached to it). All four packets however time-out, not surprisingly, since the PC is now a stand-alone on dial-up.

Seems very weird unless the 192.168.1.101 is somehow cached locally but it is not to be found in hosts or any other files inside C:\WINDOWS\system32\drivers\etc

I am about to backup my server PC and then do a clean reinstall (I have screwed up the PHP/SQL installations somehow) of ubuntu onto it so it won't be available (till tomorrow probably) for others, such as yourself or other peeps well away from here, to try to access and ping.

Paul Komski
12-06-2007, 02:43 PM
Correction.

I cannot now connect as standalone via dial-up as previously stated - only when connected to the router. I think that what I originally saw must have been the web-page loaded from the cache and not from the web. I was sure I had also successfully tried the SFTP with FileZilla from Dialup but perhaps I am mistaken.

Anyway the pings still resolve to 192.168.1.101 so it's not surprising that whilst attached to the router the packets are directly routed via the LAN and that I cannot then connect to either server using dial-up.

I suppose the next thing to try is to install a dyndns client on just one server (rather than use the one intrinsic to the router) and see if that can alter things. There is obviously client software installed for logmein that must work in an analogous way and I know for sure that I can use logmein to access my PC from my vet's surgery some 15 miles away.

I have gone from happy to sad in the process - darnit.

Paul Komski
12-07-2007, 05:00 AM
Update. Switching from the router itself contacting dyndns to an installed software client allows the "outside public IP address" to be correctly resolved. Pings etc all OK. However (not surprisingly) can't connect to the servers using the dyndns domain any more than by attempting direct access by IP address.

I suppose I'll have to contact the ISP but I'd love to know how LogMeIn is able to function perfectly and even without any port-forwarding. You just install it on the host (or multiple hosts on the same LAN) and access the LogMeIn login web-page from a web-browser (having downloaded a plug-in or ActiveX control to allow functionality).

Variable
12-07-2007, 12:16 PM
I suppose I'll have to contact the ISP but I'd love to know how LogMeIn is able to function perfectly and even without any port-forwarding.

I think I can explain it. The reason why LogMeIn works without a port forward is because of how NAT and firewalls treat traffic going out the network. It is called "established" traffic, so established traffic is generally sent unmolested out the gateway. Inbound traffic goes through NAT and any firewall rules that are stateful. This is why you can surf web (HTTP) sites on the internet without any issues because you are initiating traffic from inside your network, and the firewall and routers know to be expecting a reply. If you are outside your network and try to surf via HTTP to your server behind NAT and a firewall, the traffic is "uninitiated" so, unless rules to allow the traffic to pass through NAT and firewall are set to allow this behavior, it will simply fail. The "firewall" can actually be more than one firewall, for instance, you may have a firewall packet inspector on your router itself and you may also have a software firewall on the machine that you are trying to connect to. You would need to allow traffic on NAT, router firewall and software firewall to be sure the traffic would travel from outside your network to your machine running a web server. I know that seems obvious to you but I explain it so that others reading it follow the logic.

Now, in the case of LogMeIn, you install an application on your machine, call it the client, this application contacts the LogMeIn servers regularly. When you want to connect to your machine, you connect to LogMeIn servers first, and then establish a connection to your machine. So the application is connecting every few seconds to LogMeIn servers and saying "Here I am do you have anything for me to do?" and most of the time the answer is "thank you but, not at this time." But suppose you need to connect to your home machine from work, when you connect to www.LogMeIn.com and type your username/password for your account, you can then click on your remote machine. When you do this, the next time the LogMeIn client application running on your machine checks in and says "Here I am do you have anything for me to do?" the server says, "Yes, we would like to establish a connection." Now since the traffic was originally "initiated" from the client, the return traffic passes through NAT and the firewall unmolested. Instead of the conversation ending with a "Not at this time" response, it continues on transferring packets back and forth. So to a person, it seems like you are connecting to your machine first, but actually, your machine at home or wherever, is connecting to LogMeIn servers all the time. You are just piggybacking on that established connection and then keeping it going.
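A small model of the mechanism described in the post above, as an added example that is not from the thread or from LogMeIn. `Gateway` stands in for the home router doing source NAT plus stateful filtering: an outbound packet creates a connection-tracking entry and gets its source rewritten; an inbound packet is let through only if it matches such an entry or an explicit port forward, otherwise it is dropped. The scenario then runs the three cases the post contrasts: an unsolicited SSH connection with and without a port forward, and a relay reply that rides an agent's outbound poll versus a relay-initiated connection that has no state to ride on. All addresses and port numbers are constructed.

```python
"""Why an agent that polls out works through NAT while an inbound SSH does not."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")


class Gateway:
    """Home router: source NAT plus stateful filtering, modelled at the level of 4-tuples."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.port_forwards = {}   # public dport -> (lan_ip, lan_port)
        self.conntrack = {}       # (remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
        self._outbound = {}       # (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self._next_port = 40000

    def forward_port(self, public_port, lan_ip, lan_port):
        """Static rule such as 'forward 22 to 192.168.0.10' from the router's admin page."""
        self.port_forwards[public_port] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> internet: always allowed; records state and rewrites the source."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        public_port = self._outbound.get(key)
        if public_port is None:
            public_port = self._next_port
            self._next_port += 1
            self._outbound[key] = public_port
            self.conntrack[(pkt.dst, pkt.dport, public_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN: returns the translated packet, or None when dropped."""
        if pkt.dst != self.public_ip:
            return None
        # 1. Reply to a flow a LAN host initiated: "established" traffic passes.
        target = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if target is not None:
            return Packet(pkt.src, pkt.sport, target[0], target[1])
        # 2. Explicit port forward, as set up for 22 and 80 in the thread.
        if pkt.dport in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        # 3. Anything else is uninitiated and dropped.
        return None


# Constructed addresses (documentation ranges), not the thread's real ones.
PUBLIC_IP = "198.51.100.7"
SERVER = "192.168.0.10"     # Ubuntu box behind the router
RELAY = "203.0.113.10"      # stand-in for a LogMeIn-style rendezvous server
LAPTOP = "192.0.2.44"       # the remote machine you are sitting at


def unsolicited_ssh(gw):
    """Remote laptop tries to open SSH to the public IP from the outside."""
    return gw.inbound(Packet(LAPTOP, 51000, PUBLIC_IP, 22))


def relay_exchange(gw):
    """Agent polls the relay; the relay answers on the same flow; a fresh
    connection from the relay towards the agent has no state and is dropped."""
    poll = gw.outbound(Packet(SERVER, 45678, RELAY, 443))          # "here I am, anything for me?"
    reply = gw.inbound(Packet(RELAY, 443, PUBLIC_IP, poll.sport))  # "yes, connect" rides the flow
    fresh = gw.inbound(Packet(RELAY, 52000, PUBLIC_IP, 45678))     # relay-initiated: no state
    return poll, reply, fresh


def run_scenario():
    """The sequence from the thread; returns each outcome for inspection."""
    gw = Gateway(PUBLIC_IP)
    blocked = unsolicited_ssh(gw)            # no forward yet: dropped
    gw.forward_port(22, SERVER, 22)
    forwarded = unsolicited_ssh(gw)          # with forward: reaches the server
    poll, reply, fresh = relay_exchange(gw)
    return {"blocked": blocked, "forwarded": forwarded, "poll": poll, "reply": reply, "fresh": fresh}


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:>9}: {outcome if outcome is not None else 'DROPPED'}")
```

The same model also explains the security trade-off the post leaves implicit: the polling agent needs no inbound rule at all, so the router's filtering never sees it as an exposure, and whoever controls the relay (or the agent's credentials to it) controls the path into the LAN. A port forward is visible in the router's configuration; an agent is visible only on the host that runs it.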

Variable
12-07-2007, 12:21 PM
Update. Switching from the router itself contacting dyndns to an installed software client allows the "outside public IP address" to be correctly resolved. Pings etc all OK. However (not surprisingly) can't connect to the servers using the dyndns domain any more than by attempting direct access by IP address.

What this probably means is the public IP is bound to the wireless antenna and you have no way of port forwarding on this device because you do not have access. I would call your ISP, on our wireless broadband antennas we do not allow the customer to connect and make changes either. But we give the LAN side a public IP and the client gets another in the same network to add to the WAN side of their router or firewall, which is behind the Wireless antenna/router.

Paul Komski
12-07-2007, 09:38 PM
Well I will be speaking to them after the weekend but I discovered earlier today (when visiting another house some three miles away on another matter) that another client that is using the same wireless broadband has the exact same public IP address as myself. Whatever that means! So there must be another transmitter that serves both of us and that has that IP address upstream of it somewhere.

But its not all their clients because I began to ask around and some have different public IP addresses.

Paul Komski
12-08-2007, 02:41 AM
Forgot to say thanks for the "logic" about LogMeIn. I can see that it acts as a beacon in an analogous way to the dyndns client software with the latter just submitting an IP address and the former doing something much more elaborate.

It's not the full picture however (or perhaps maybe it is) because the LogMeIn software must work in a similar way to any IM program such as MSN messenger or Skype or Netmeeting. These are "Client/Server" pairs which can both initiate and react to requests.

Variable
12-10-2007, 10:43 AM
Any software that runs on your machine that receives input from outside your network has either a mechanism like I explained for LogMeIn or you must manually open ports through NAT and firewalls.

Paul Komski
12-17-2007, 10:32 AM
Just to report that I have finally been able to get remote access working - in rudimentary fashion at least. I have now been assigned a static public IP address and also static IP addresses (192.168.xxx.xxx and 192.168.xxx.yyy) set on the aerial (LAN side) and the router (WAN side). So I can access by public IP address http://xxx.xxx.xxx.xxx and port forward successfully on both port 80 and 22, which are the only two I wanted for the time being.

Apparently what was wrong previously was (a) that the aerial was being used as a router and not as a bridge - if that makes sense and (b) the router's WAN side IP address was being set dynamically.

When I tried to access http://xxx.xxx.xxx.xxx before these changes to the aerial and router were made I used to get a login box for a name and password. I assume this was the WAN-side login to the aerial set up as a router.

Anyways - I really am a happy bunny just now and can access my Apache2 server and SFTP upload/download to my Ubuntu box from anywhere in the world. FileZilla works great from my mobile USB pen drive.

PS I thought I would have to say that dyndns wasn't working. It wasn't until I manually requested an update of the server (it was retaining and somehow stuck on the original gateway local IP address and not the public IP address). Now I can access not only by IP address but also by subdomain.dynamicdnsdomain.com. Fab! And thanks for all inputs.