Remote control from anywhere
Revision as of 19:58, 6 December 2016
Advanced Topic
The information on this page assumes that you have the Church Bell Remote app installed on your phone or tablet, Management Suite installed on a PC connected to your Chime Master bell system, and you are able to remote control the bells from inside your facility using the local WiFi network.
Making your bell system available on the public internet
Risks
We always think more than twice about connecting lights, cameras and other Internet of Things (IoT) devices to our own network, so we understand your reluctance too. Realistically, what is the worst case scenario? It is unlikely, but some kid might figure out your user name (your real name?) and password (the church phone number?) and make your bells ring. All night.
Search the Internet for more information regarding IoT risk management. James Andrew Lewis in his Managing Risk for the Internet of Things, says, "Being risk averse makes us poorer, not safer. There is risk in every technology we use. Hold IoT captive to our fears and we will sacrifice opportunity."
Chime Master continues to develop new products using the latest technologies that will balance ease of use with the highest security practices.
Best Practices
Don't network your bells unless you really need to control them when you are away.
Keep your Windows PCs, phones, tablets, software and firmware up to date. We are not fans of third-party antivirus software. Windows 10 comes with all of the security you should reasonably need. Always add Microsoft Security Essentials to Windows 7. Don't use any other version of Windows than these two. Don't visit nasty websites. Don't respond to email asking for personal information or taking you to web pages that do the same. Don't run with scissors.
The system requires user authentication before accepting commands from the remote control. This authentication is only as strong as the user name and password you created in Management Suite. You should also lock the Management Suite host computer with a good username and password to prevent unauthorized users from changing the authorized users of the bell system. Use a nickname no one knows they called you in 4th grade. The password should be as long and as random as possible. The app will remember it, but you will need it again if you update your phone. Store it in a secure note using a password manager like LastPass.
If you do not need to access the bells for a while, use the mobile app Settings menu to Log Out. No one can control the bells without re-authenticating.
Modern routers have firewalls built in, but most IT professionals will add a dedicated firewall appliance between the incoming Internet router or modem and their internal network. In the absence of a dedicated firewall, install a router that includes as many of the items on this Router Security Checklist as you can.
Putting any port of any device on your primary network on the public Internet should always be done with planning, forethought and the wise advice of your IT professional. We recommend that all IoT devices you install in your facility be connected using a dedicated network (IP address subnet such as 192.168.120.node) apart from your file servers and database systems. Most newer routers and multi-port firewalls allow you to have more than one subnet for guests and devices (see Guest Networks in the Security Checklist linked above).
Another way of setting up a secure dedicated network for IoT devices if you have an older unused router available is to configure a Multi-NAT router network as described by security guru Steve Gibson.
Unfortunately, by putting the Management Suite host PC on a VLAN or other isolated subnet, you lock yourself out of using a simple remote desktop session to operate the Management Suite from your office PC. LogMeIn or GoToMyPC will allow you to use the Management Suite (even from home).
Setup
Management Suite PC
Every device on the network needs to have a unique IP address. By default, Windows PCs will get their IP addresses from the DHCP server on the network. This may be your Windows file server, or it may be the Internet Router. Typically the DHCP server will be set to provide a range of addresses dynamically. Outside this block of dynamic addresses will be static IP addresses that are reserved for file servers, printers and any other devices that are always connected.
It is more convenient for us to connect to the bell system if it doesn't move as dynamic IP leases expire. Before you set a static address on the PC, you need to know which addresses are already used. After setting it, you should document or inform others that manage the network which address you have taken.
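The address-picking step above can be made mechanical. The following is an added example, not Chime Master's code or part of the page: given the subnet (the page's 192.168.120.0/24 dedicated IoT subnet), the DHCP server's dynamic pool and the addresses already reserved, it rejects a candidate that sits in the pool, is already taken, or is the network or broadcast address, and finds the first address that is safe to set statically. The pool boundaries and the in-use list are constructed sample values; replace them with what your DHCP server and network documentation say.

```python
import ipaddress

# Constructed sample network for this example: the page's 192.168.120.0/24 IoT
# subnet, an assumed DHCP pool of .100-.199, and a few addresses assumed to be
# reserved already (router, a second gateway, a printer).
SUBNET = "192.168.120.0/24"
DHCP_POOL_START = "192.168.120.100"
DHCP_POOL_END = "192.168.120.199"
IN_USE = ["192.168.120.1", "192.168.120.2", "192.168.120.10"]


def check_static_address(addr, subnet=SUBNET, pool_start=DHCP_POOL_START,
                         pool_end=DHCP_POOL_END, in_use=IN_USE):
    """Return None if addr is a safe static choice, otherwise a short reason."""
    net = ipaddress.ip_network(subnet, strict=True)
    ip = ipaddress.ip_address(addr)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if ip not in net:
        return "not inside subnet %s" % net
    if ip in (net.network_address, net.broadcast_address):
        return "network or broadcast address"
    if lo <= ip <= hi:
        # DHCP may hand this address to any other device when a lease expires,
        # which is exactly the address collision a static setting is meant to avoid.
        return "inside the dynamic DHCP pool; the server may lease it to another device"
    if ip in {ipaddress.ip_address(a) for a in in_use}:
        return "already in use by another device"
    return None


def first_free_static(subnet=SUBNET, pool_start=DHCP_POOL_START,
                      pool_end=DHCP_POOL_END, in_use=IN_USE):
    """Walk the subnet's host addresses and return the first safe static choice."""
    for host in ipaddress.ip_network(subnet, strict=True).hosts():
        if check_static_address(str(host), subnet, pool_start, pool_end, in_use) is None:
            return str(host)
    return None


if __name__ == "__main__":
    chosen = first_free_static()
    print("set the Management Suite PC to", chosen, "and document it")
    for candidate in ("192.168.120.150", "192.168.120.10", "192.168.1.20"):
        print(candidate, "->", check_static_address(candidate))
```

Once you have set the address, add it to the reserved list you hand to whoever manages the network, so the next person running the same check sees it as taken.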
Port Forwarding
If your tablet or phone already controls the bell system on the internal network, you can make it reachable from the public Internet by forwarding the port of the bell system's server (the Management Suite host PC) out through the router's firewall. The port to forward is 6777, and the only internal address it should be redirected to is the PC hosting the Management Suite remote control server.
You will set this up either on your firewall appliance, if you have one, or on the Internet-connected router if you don't. The menu items vary between devices. The pfSense firewall appliance puts this under Firewall > NAT > Port Forward. Enter the following parameters (other firewalls will have similar prompts) to create a new Port Forward:
Interface: WAN
Protocol: TCP
Destination: WAN Address (could be another selection from your static block if available)
Destination Port Range: From 6777 To 6777 (port the phone is set to connect to)
Redirect target IP: (the static internal IP address of the Management Suite host PC)
Redirect target port: 6777 (port the host PC is listening to)
Description: Church bell remote control (for others to understand what you are doing)
NAT reflection: Disable (enabling it, if available, may allow your WiFi connection to use the same host entry)
Filter rule association: Pass
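A port forward is the one place where a typo widens your exposure from a single port to a range, or lands the bells' traffic on your file server's subnet. The following is an added example, not Chime Master's code and not a pfSense feature: it takes a forward rule written out with the field names from the list above and reports what a defender would want flagged before saving it. The only values taken from the page are port 6777 and the recommended 192.168.120.0/24 IoT subnet; the good rule's target address and the deliberately wrong second rule are constructed for the demonstration.

```python
import ipaddress

# From the page: the Management Suite remote control port and the recommended
# dedicated IoT subnet. Everything else below is constructed sample data.
EXPECTED_PORT = 6777
IOT_SUBNET = ipaddress.ip_network("192.168.120.0/24")

# The rule as the page describes it; target_ip is an assumed static address.
GOOD_RULE = {
    "interface": "WAN",
    "protocol": "TCP",
    "dest_port_from": 6777,
    "dest_port_to": 6777,
    "target_ip": "192.168.120.20",
    "target_port": 6777,
    "description": "Church bell remote control",
    "nat_reflection": "Disable",
}

# A constructed rule carrying the mistakes the audit should catch: a wide port
# range, UDP added for no reason, a target on the primary LAN, no description.
BAD_RULE = {
    "interface": "WAN",
    "protocol": "TCP/UDP",
    "dest_port_from": 6000,
    "dest_port_to": 7000,
    "target_ip": "192.168.1.50",
    "target_port": 6777,
    "description": "",
    "nat_reflection": "Disable",
}


def audit_port_forward(rule, expected_port=EXPECTED_PORT, iot_subnet=IOT_SUBNET):
    """Return a list of findings; an empty list means the rule matches the page's advice."""
    findings = []
    if str(rule.get("interface", "")).upper() != "WAN":
        findings.append("interface is %r, expected WAN" % rule.get("interface"))
    if str(rule.get("protocol", "")).upper() != "TCP":
        findings.append("protocol is %r; the remote control needs TCP only"
                        % rule.get("protocol"))
    first, last = int(rule["dest_port_from"]), int(rule["dest_port_to"])
    if first != last:
        findings.append("port range %d-%d exposes %d ports; forward only %d"
                        % (first, last, last - first + 1, expected_port))
    elif first != expected_port:
        findings.append("destination port %d is not the remote control port %d"
                        % (first, expected_port))
    if int(rule["target_port"]) != expected_port:
        findings.append("redirect target port %s is not %d"
                        % (rule["target_port"], expected_port))
    target = ipaddress.ip_address(rule["target_ip"])
    if target not in iot_subnet:
        findings.append("redirect target %s is outside the dedicated IoT subnet %s"
                        % (target, iot_subnet))
    if not str(rule.get("description", "")).strip():
        findings.append("no description; others cannot tell what this forward is for")
    return findings


if __name__ == "__main__":
    for name, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(name, "->", audit_port_forward(rule) or "no findings")
```

Run it against every forward on the firewall, not just the new one: the audit is as useful for spotting an old rule someone left behind as for checking the one you are about to add.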
Dynamic Public IP
Static IPs and blocks of IPs are normally part of a commercial Internet service where you have your own web servers and the like. Most of us have ordinary residential Internet service from a phone or cable company at a more reasonable fee. These connections have a dynamic address assigned by the Internet provider (using DHCP) that may change over time.
It has been our experience that as long as the Internet router is on a battery backup and is never turned off, these connections retain their IP address over long periods of time. To find the address your public Internet connection is currently using, browse to a search engine and enter the search term "what is my ip?"
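One caveat the search-engine lookup does not tell you by itself: a port forward only works if the address on your router's WAN side is the same public address the rest of the Internet sees. Some residential providers put customers behind their own NAT (RFC 6598 "shared address space", 100.64.0.0/10), in which case inbound connections never reach your router. The following is an added example, not Chime Master's code or the page's procedure: it classifies the address from a "what is my ip" lookup and compares it with the address your router reports on its WAN interface. The lookup URL and the sample addresses are assumptions for the demonstration.

```python
import ipaddress
import urllib.request

# RFC 6598 shared address space, used by providers for carrier-grade NAT. A
# router whose WAN address sits here is itself behind the provider's NAT, so an
# inbound port forward on it is not reachable from the public Internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_address(text):
    """Classify a 'what is my ip' answer as public, cgnat, private or invalid."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return "invalid"
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def behind_provider_nat(router_wan_address, address_seen_from_outside):
    """True when the forward cannot work: the router's own WAN address is not
    public, or it differs from what the outside world sees, so inbound
    connections stop at the provider rather than reaching your firewall."""
    if classify_address(router_wan_address) != "public":
        return True
    wan = ipaddress.ip_address(router_wan_address.strip())
    outside = ipaddress.ip_address(address_seen_from_outside.strip())
    return wan != outside


def lookup_public_address(url="https://api.ipify.org"):
    """Fetch the address as seen from outside. The URL is an assumption for this
    example; any plain-text 'what is my ip' service will do. Not called on import."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Constructed sample values: replace router_wan with the WAN address shown
    # on your router's status page and seen with lookup_public_address().
    router_wan = "100.64.12.5"
    seen = "1.2.3.4"
    print("router WAN is", classify_address(router_wan))
    print("behind provider NAT:", behind_provider_nat(router_wan, seen))
```

If the router's WAN address classifies as cgnat or private, or differs from the outside view, the port forward in the previous section will never receive a connection and the provider has to be asked for a routable address before the public host entry in the app can work.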
Mobile Device
Add a host to the Church Bell Remote app Hosts setup menu for the public internet address. You may want to keep the WiFi host connection for troubleshooting. Use the public IP address you discovered in the search above and port 6777.
You will select this host when you are away from the church. When you are at church, you can either disable WiFi on the phone and continue to use the public host connection, or enable WiFi on the phone and select the WiFi host connection in the Hosts menu of the app. The public host connection does not work when you are connected to WiFi because the router only redirects access from outside the LAN.