Hi, BT says the Business Router has a professional grade Firewall but its not as it has limited control. All I want to do is allow an external IP address through for Dameware, I cant do this as I can only state ports, I'm used to Cisco PIX and Nokia's. Has anyone experience of setting up a small business network and using Dameware over the internet to remote into a PC from outside? I have entered the application 'Dameware' in the routers firewall. The remote Dameware session holds for about 8 seconds then gets disconnected with a Winsock Error 10054- connection reset by peer. The BT business router firewall log shows its being stopped. I assume by the wonderful all singing and dancing Stateful Packet Inspection. I want to be the boss of the router not the other way round.
Many thanks, Phil
Solved! Go to Solution.
Ok, I have a solution. BT 2Wire 2700HGV Business Hub (wireless router) and Dameware
No VPN or Citrix, just accessing over the internet using TCP/IP.
Target PC is the PC inside the office behind the router
Originating PC is the one your user is using to access the office, however, get your head round that you are remoting into the originating PC from the office (not using the Dameware PC though, i tried that and its a hoot, you get feedback)
This is a medium security solution but the only one that works as Dameware has something going on that trips the router smart firewall, even if you have selected 'Dameware' in the 'application' drop down and you do not use the DMZplus mode option. Having said that, the next device post router firewall can bump the security again. All other stated devices do not use DMZplus mode for max security.
1. Make sure that you have a fixed IP address at your office for the router. You can order one from BT at £5 per month if you dont have this. You dont need it to do this but you will have to change the host ip address in the originating PC's Dameware.
2. Remote into the originating PC using logmein rescue, do not expect the user to help you.
3. Use tracepth from the originating PC and ping the external IP address of the router (make sure your router is set to respond). The tracepath should show a full path from your originating PC to the BT business router external ip address. You can find out external ip addresses by going to http://www.whatsmyip.com from the PC. Once the router welcomes and passes the Dameware connection, it safely port fowards internally to your nominated PC.
4. Set the router to use DHCP if it is not already doing so.
5. DO NOT state fixed IP addresses for any device within your set up. I went wrong here. This is cos the router uses non-professional standards to try and make life fool-proof but it backfires. It uses MAC addresses not IP addresses. This means you should use DHCP on the router issuing IP addresses to the devices.
6. Do not clear the router firewall log at all.
7. Make sure you turn off all devices including router. Leave router off for 3 mins.
8. Start router up and wait 3 mins.
9. Start up devices and wait a while till they have been detected by the router. Use a web browser and 192.168.1.254 to access the router. You may have to set/recover an administration password.
10.You can see when the devices become available within the LAN section and also the firewall section.
11. Play around with the firewall options, its not intuitive thanks to Chinese/Yanky GUI design, also look out for light grey words/blocks bars that may look like you can't click on them, you can.
12. Goto the firewall option and select the PC you want to use for the Dameware access (by name, remember it uses MAC so IP don't matter)
13. This PC is your portal in to manage other PC's/servers by RDC. Make sure it is firewalled and has intrusion detection and logging if possible. This is cos we are going to use the least secure option for the firewall but only for this 'Dameware' PC. You are not allowed to turn off the firewall for any device. You can open it up by using the Allow all applications (DMZplus mode). I think I am right in saying the router firewall will still have a good sniff at the packets to see if they fit into a pattern or are dodgy even if DMZplus mode is used.
14. I started off with all firewalls, AV and anti-malware turned off an all devices within the chain from originating PC to target PC then started to use tracepth from the remote device tracing the route into office and BT router. You should see it respond as complete even if it gives a * and 100% loss for some device. This is cos TCP port 445 is closed-ICMP setting 'Allow incoming echo requests' is turned off on some devices. Once you have a complete path checked you can use the Dameware in the originating PC and save a host within Dameware. DO NOT use challenge and respond but normal log on. Make sure that the target PC has a user name with a password and use this username and password as stated in Dameware. (It is good practise to have your firewall disallowing incoming echo requests). You can turn disallow on after your done.
15. You have to have printer and file sharing enabled on both PC's
16. DMZplus mode does open up your security, however, I tried to turn this off (to increase security) and use stated rules such as the 'Dameware' application or custom rules using TCP port numbers that Dameware publish, but, the firewall blocked the connection everytime.
17. So its functionality versus security and you just hand the security down to the firewall in the nominated Dameware pc.
18. Its not needed to mess about with the reverse connection that Dameware has, this is really meant for one-off support sessions with non-power users. You can use this to prove a point such as is the firewall in the router at the remote PC causing issues.
19. Keep checking the external IP addresses have not changed.
20. Use the CD that came with the router and install the BT total broadband software. I did this in a separate PC behind the router. It sniffed an upgrade to the software and it upgraded itself. I then used it to 'check the line' and it found a fault. It then said did I want to fix it, so I said yes and it did something. I don't know what, but it didnt cause any issues.
21. Turn everything off as per powercut, unless you are running a UPS (and you should be). Leave it a while and turn it back on like power is being restored.
22. Wait a little while and check broadband speed and use the BT software to check the line again.
23. Use your logmein rescue to access the originating PC again and do a tracepth again to the external IP address of the router. If it fails, use http://www.whatsmyip.com to check the router address. Make sure this address is entered in the originating PC's Dameware host entry. Do another tracetpth if needed to check the path is clear. Start switching on AV and firewalls one by one and keep doing tracepth from the originating PC.
24. The firewall has no facility for remote access (even some SOHO/SME routers have this), but if you have this set-up working OK, you can use it to access the router from the Dameware PC.
25. In summary, keep a tick list, and use the tracepth and keep testing the path a hop at a time, like a good chef, keep tasting the soup 🙂
Port forwarding and DMZplusmode--> http://tinyurl.com/yhkefsd
Pic of router --> http://preview.tinyurl.com/34v5gnc
2 wire make the router --> http://www.2wire.com/?p=7
BT have it locked down with its own firmware and have reduced the wireless signal by 75% but do not jailbreak it. If your wirless signal is not getting through contact BT.
screenshots of error messages etc --> http://tinyurl.com/3amttq7
Phil Swift MBCS ITIL
http://uk.linkedin.com/in/philswift/
M: 0044 7918 630 876
W: swiftcs.com
W: Tecorum.com
It seems not using DHCP and using static IP addresses with a scope as per norm it not best practise. Look at this
'FYI, the way the 2700HGV does port forwarding is radically different from most routers. Most forward incoming data by using rules which specify which ports to forward to which IP address, which means that the device to be forwarded to MUST have a static IP. The 2700HGV is actually quite clever in that it forwards to a device using MAC addresses. For each device in its network list it remembers the MAC address and then uses the forwarding rule for that device to route the specified ports to that MAC address. This means that you can still use port forwarding with DHCP. Unfortunately I think this is why it works better when the 2700 allocates the address via DHCP as it seems to be able to identify the device easier. Having said that as long as the device is showing as 'active' in the 2700's 'Local network' then it should forward ok.'
From Cheshire at http://www.dslreports.com/forum/r18832140-BT-Business-hub-vpn
Set DHCP active in the router, take out any static ip in any device. Turn off devices, reboot router, turn on devices, ping router from device to make yourself know to the router, then you can port set firewall pinholes and port forwarding etc. I presume BT went with this router so as to minimise problems assuming they would be contacted if users had a problem. Users that call in 3rd party engineers that are not expereinced with this router do not know that it uses MAC addresses so it can Uniquelu Identify each device, not ip addresses so it can port foward etc when it uses DHCP. This means that is does not matter if the IP address changes, the MAC will never change.
Try using DHCP and the 'Allow all applications (DMZplus mode)' initially. Uses Damewares 'Accept Incoming Connections' (Ctrl A) on the out of office remote PC that is away from the router. Goto the PC that is in the office ( you need to have installed the DMRC Client Agent http://www.dameware.com/support/kb/article.aspx?ID=100000)
and right click on the Client Agent icon in the bottom right toolbar (little red and green screens), choose connect to client and enter the out of office external ip address (use http://www.whatismyip.com/). You can do this with another PC in the office that using LogMeInRescue to connect to the out of office PC although you obviously need someone there to accept the LMIR requests. If you get a disconnection stating error 10054-connection reset by peer, check the BT business router firewall log. Do not clear the log. Check the time that you initiated the Dameware connection against the firewall log (you may need to wait 15 secs and refresh). You can see here if the firewall is automatically blocking the external ip address.
Ok, I have a solution. BT 2Wire 2700HGV Business Hub (wireless router) and Dameware
No VPN or Citrix, just accessing over the internet using TCP/IP.
Target PC is the PC inside the office behind the router
Originating PC is the one your user is using to access the office, however, get your head round that you are remoting into the originating PC from the office (not using the Dameware PC though, i tried that and its a hoot, you get feedback)
This is a medium security solution but the only one that works as Dameware has something going on that trips the router smart firewall, even if you have selected 'Dameware' in the 'application' drop down and you do not use the DMZplus mode option. Having said that, the next device post router firewall can bump the security again. All other stated devices do not use DMZplus mode for max security.
1. Make sure that you have a fixed IP address at your office for the router. You can order one from BT at £5 per month if you dont have this. You dont need it to do this but you will have to change the host ip address in the originating PC's Dameware.
2. Remote into the originating PC using logmein rescue, do not expect the user to help you.
3. Use tracepth from the originating PC and ping the external IP address of the router (make sure your router is set to respond). The tracepath should show a full path from your originating PC to the BT business router external ip address. You can find out external ip addresses by going to http://www.whatsmyip.com from the PC. Once the router welcomes and passes the Dameware connection, it safely port fowards internally to your nominated PC.
4. Set the router to use DHCP if it is not already doing so.
5. DO NOT state fixed IP addresses for any device within your set up. I went wrong here. This is cos the router uses non-professional standards to try and make life fool-proof but it backfires. It uses MAC addresses not IP addresses. This means you should use DHCP on the router issuing IP addresses to the devices.
6. Do not clear the router firewall log at all.
7. Make sure you turn off all devices including router. Leave router off for 3 mins.
8. Start router up and wait 3 mins.
9. Start up devices and wait a while till they have been detected by the router. Use a web browser and 192.168.1.254 to access the router. You may have to set/recover an administration password.
10.You can see when the devices become available within the LAN section and also the firewall section.
11. Play around with the firewall options, its not intuitive thanks to Chinese/Yanky GUI design, also look out for light grey words/blocks bars that may look like you can't click on them, you can.
12. Goto the firewall option and select the PC you want to use for the Dameware access (by name, remember it uses MAC so IP don't matter)
13. This PC is your portal in to manage other PC's/servers by RDC. Make sure it is firewalled and has intrusion detection and logging if possible. This is cos we are going to use the least secure option for the firewall but only for this 'Dameware' PC. You are not allowed to turn off the firewall for any device. You can open it up by using the Allow all applications (DMZplus mode). I think I am right in saying the router firewall will still have a good sniff at the packets to see if they fit into a pattern or are dodgy even if DMZplus mode is used.
14. I started off with all firewalls, AV and anti-malware turned off an all devices within the chain from originating PC to target PC then started to use tracepth from the remote device tracing the route into office and BT router. You should see it respond as complete even if it gives a * and 100% loss for some device. This is cos TCP port 445 is closed-ICMP setting 'Allow incoming echo requests' is turned off on some devices. Once you have a complete path checked you can use the Dameware in the originating PC and save a host within Dameware. DO NOT use challenge and respond but normal log on. Make sure that the target PC has a user name with a password and use this username and password as stated in Dameware. (It is good practise to have your firewall disallowing incoming echo requests). You can turn disallow on after your done.
15. You have to have printer and file sharing enabled on both PC's
16. DMZplus mode does open up your security, however, I tried to turn this off (to increase security) and use stated rules such as the 'Dameware' application or custom rules using TCP port numbers that Dameware publish, but, the firewall blocked the connection everytime.
17. So its functionality versus security and you just hand the security down to the firewall in the nominated Dameware pc.
18. Its not needed to mess about with the reverse connection that Dameware has, this is really meant for one-off support sessions with non-power users. You can use this to prove a point such as is the firewall in the router at the remote PC causing issues.
19. Keep checking the external IP addresses have not changed.
20. Use the CD that came with the router and install the BT total broadband software. I did this in a separate PC behind the router. It sniffed an upgrade to the software and it upgraded itself. I then used it to 'check the line' and it found a fault. It then said did I want to fix it, so I said yes and it did something. I don't know what, but it didnt cause any issues.
21. Turn everything off as per powercut, unless you are running a UPS (and you should be). Leave it a while and turn it back on like power is being restored.
22. Wait a little while and check broadband speed and use the BT software to check the line again.
23. Use your logmein rescue to access the originating PC again and do a tracepth again to the external IP address of the router. If it fails, use http://www.whatsmyip.com to check the router address. Make sure this address is entered in the originating PC's Dameware host entry. Do another tracetpth if needed to check the path is clear. Start switching on AV and firewalls one by one and keep doing tracepth from the originating PC.
24. The firewall has no facility for remote access (even some SOHO/SME routers have this), but if you have this set-up working OK, you can use it to access the router from the Dameware PC.
25. In summary, keep a tick list, and use the tracepth and keep testing the path a hop at a time, like a good chef, keep tasting the soup 🙂
Port forwarding and DMZplusmode--> http://tinyurl.com/yhkefsd
Pic of router --> http://preview.tinyurl.com/34v5gnc
2 wire make the router --> http://www.2wire.com/?p=7
BT have it locked down with its own firmware and have reduced the wireless signal by 75% but do not jailbreak it. If your wirless signal is not getting through contact BT.
screenshots of error messages etc --> http://tinyurl.com/3amttq7
Phil Swift MBCS ITIL
http://uk.linkedin.com/in/philswift/
M: 0044 7918 630 876
W: swiftcs.com
W: Tecorum.com