Old 06-11-2003, 10:58 AM   #1
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
PLEASE HELP!!! gaining access to airport network

hi,

i recently set up an airport network at home with my powerbook g4 and dual 1 ghz mdd g4. before i had the airport i was able to access my computer remotely with ssh, afp and ftp, but i am no longer able to through the airport network.

the airport address is 10.0.0.1, the powerbook is 10.0.0.2, and the g4 is 10.0.0.3. i have mapped ports 80, 22, 548, 427, 20 and 21 to 10.0.0.3. i have the base station hooked to my cable modem and i use dyndns for my wan ip address.

it is not working, it times out after 60 seconds!!! my question is how i can connect to my computer so i can gain access to my 10.2.6 powermac.

please help!!!

thanks,

charles
__________________
charles
bustthis is offline   Reply With Quote
Old 06-11-2003, 12:28 PM   #2
hschickel
All Star
 
Join Date: Jan 2002
Location: NY, NY
Posts: 776
It sounds like you're not using NAT. Without that the port mapping is meaningless.

NOTE - the reason I think you're not using NAT is because Airport will give out addresses in the 10.0.1.x range if you are. If you're using another brand of wireless router please post back.

To enable NAT do the following:

1. Open the Airport Utility.
2. Click the "Show All Settings" button.
3. Click the "Network" tab.
4. Check the "Distribute IP addresses" box.
5. Toggle the "Share a single IP address (using DHCP and NAT)" button.
6. Get your client computers onto the 10.0.1.x subnet via DHCP or static addresses.
7. Map away to your heart's content.

Hugh
__________________
First they laugh at you, then they fight you, then you win.
hschickel is offline   Reply With Quote
Old 06-11-2003, 12:50 PM   #3
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
hi,

i am using an airport extreme base station and i might have made a mistake in my last post. i am at work now and i think the addresses are 10.0.1.1, 10.0.1.2, 10.0.1.3.

i have mapped all of the ports to 10.0.1.3 and i still can't get on my machine.

i will check if the settings match the ones you gave me, but i think it's like that by default.

am i doing something wrong?

thanks again,

charles
__________________
charles
bustthis is offline   Reply With Quote
Old 06-11-2003, 01:03 PM   #4
hschickel
All Star
 
Join Date: Jan 2002
Location: NY, NY
Posts: 776
If you're configured properly the likely culprit is your cabling. The WAN port on the AEBS does not auto negotiate for cable type.

If you're using a regular straight through patch cable try replacing it with a crossover cable (this is the more likely issue). If you're using a crossover cable try replacing it with a regular straight through cable.

Hugh
__________________
First they laugh at you, then they fight you, then you win.

Last edited by hschickel; 06-11-2003 at 01:06 PM.
hschickel is offline   Reply With Quote
Old 06-11-2003, 01:11 PM   #5
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
hi,

i am pretty sure i have a crossover cable that goes from the airport base station to the cable modem, i will check when i get home and try a regular cable.

thanks for your help,

charles
__________________
charles
bustthis is offline   Reply With Quote
Old 06-11-2003, 11:10 PM   #6
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
hi,
i am confused as to what ip address to map the ports to. i rewired the airport so that it has a standard patch cable from the wan port on the abs to the cable modem.

the ip address on my g4 changed from 10.0.1.3 to 10.0.1.4 and now it's 10.0.1.2. my powerbook is 10.0.1.3 now.

the network tab is set to distribute and share a single address and since i am not sure what to map the ports to, i left it at the default setting which is 10.0.1.201?

i enabled the default host to be 10.0.1.253 in the wan privacy. i don't know what to do anymore, i'm confused!

please help me someone!!!
__________________
charles
bustthis is offline   Reply With Quote
Old 06-11-2003, 11:51 PM   #7
kfaulhaber
Major Leaguer
 
Join Date: Dec 2002
Posts: 291
As you have discovered, you can't NAT without DHCP. But you can statically assign addresses above 10.0.1.201. So give any machines you wish to map a port to addresses above 201.
kfaulhaber is offline   Reply With Quote
Old 06-12-2003, 10:43 AM   #8
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
how would i do that, i don't really understand.

should i assign a manual address to the machine in the network settings? for instance, configure a manual dhcp address to 10.0.1.201? because as it is now i have all ports mapped to 10.0.1.201 in the abs settings for the machine with the 10.0.1.4 address and i can't get on that machine from work, it just times out.

the ip address that i used to use before i installed the airport is now my wan address for both machines on my network. i really just want to get on my g4 from work via ftp or sftp.

thanks
__________________
charles
bustthis is offline   Reply With Quote
Old 06-12-2003, 11:08 AM   #9
hschickel
All Star
 
Join Date: Jan 2002
Location: NY, NY
Posts: 776
First things first...

With the new cable setup can you access your mail, the internet, etc?

If yes - let's move on to the next problem.

1. You need to turn off the default host. To do this: Open the Airport Utility, click the "Show All Settings" Button, click the "Airport" tab, click the "WAN Privacy" button, and uncheck the "Enable Default Host" button. We're turning this off for 2 reasons: A - It's forwarding everything to a non-existent machine... and B - It's more secure to use port forwarding if you are forwarding only a limited number of services (as in this case.)

2. You need to assign a manual ip address to one of your machines that equals the ip address you're forwarding ports to (10.0.1.201). To do this: Open System Preferences, open the Network pane, create a new location (call it "Air - static" or some such thing), configure it manually (not manually dhcp) and be sure to put in the DNS servers.

You should be up and running at this point.

NOTE - I did not go into full detail on the Network configs - it sounded like you knew what you were doing there.

Hugh
__________________
First they laugh at you, then they fight you, then you win.
hschickel is offline   Reply With Quote
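
The two faults post #9 corrects (a default host pointing at an address no machine holds, and ports mapped to 10.0.1.201 while the G4 still held a DHCP address) can be checked mechanically. This Python sketch is an added example, not part of the thread; the function name, the finding codes and the assumption that addresses below 10.0.1.201 are DHCP-leased are illustrative.

```python
import ipaddress

# Constructed snapshot of the settings reported in posts #6 and #8 of this thread.
LAN = ipaddress.ip_network("10.0.1.0/24")
STATIC_FLOOR = ipaddress.ip_address("10.0.1.201")  # assumption: below this is DHCP-leased
HOSTS = {"g4": "10.0.1.4", "powerbook": "10.0.1.3"}  # addresses the machines hold now
PORT_MAP = {port: "10.0.1.201" for port in (20, 21, 22, 80, 427, 548)}
DEFAULT_HOST = "10.0.1.253"


def audit(port_map, hosts, default_host=None):
    """Return sorted (code, detail) findings for a NAT port-forwarding setup."""
    live = {ipaddress.ip_address(addr): name for name, addr in hosts.items()}
    by_target = {}
    for port, addr in port_map.items():
        by_target.setdefault(ipaddress.ip_address(addr), []).append(port)

    findings = []
    for addr, ports in by_target.items():
        ports = sorted(ports)
        if addr not in LAN:
            findings.append(("OFF_LAN", f"{addr} ports {ports}: outside {LAN}"))
        elif addr not in live:
            findings.append(("NO_HOST", f"{addr} ports {ports}: no machine has this address"))
        elif addr < STATIC_FLOOR:
            findings.append(("DHCP_TARGET", f"{addr} ({live[addr]}) ports {ports}: lease can move"))
    if default_host is not None:
        target = ipaddress.ip_address(default_host)
        holder = live.get(target, "no machine")
        findings.append(("DEFAULT_HOST", f"{target} ({holder}) gets every unmapped inbound port"))
    return sorted(findings)


if __name__ == "__main__":
    print("as reported in the thread:")
    for code, detail in audit(PORT_MAP, HOSTS, DEFAULT_HOST):
        print(f"  {code:12} {detail}")
    fixed_hosts = {"g4": "10.0.1.201", "powerbook": "10.0.1.3"}
    print("after post #9's two steps:", audit(PORT_MAP, fixed_hosts) or "no findings")
```
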
Old 06-12-2003, 11:39 AM   #10
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
yes, everything seems to be working with the patch cable from my abs to cable modem.

i will try later tonight when i get home and i hope it works!!!


thanks again and i will let you know if it works.

will i be able to test it from home?
__________________
charles
bustthis is offline   Reply With Quote
Old 06-12-2003, 09:14 PM   #11
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
okay, so i unchecked enable default host in wan privacy and entered a manual ip address in the network prefs for 10.0.1.201. i wasn't completely sure what to put in the dns servers, so i put in 10.0.1.1, 10.0.1.2, and 10.0.1.3.

i tested ssh and sftp (using fugu) with myusername@10.0.1.201 and i got in, but from the same computer.

my question is, did i set up the dns servers right? i use dnsupdate to access my web server at bustthis.homeftp.net and it's not working. in the dns client it says the registered ip is 24.90.86.xxx, the address i used to use. do i now use 10.0.1.201 to access my webserver across the internet or can i use 24.90.86.xxx.

thanks
__________________
charles
bustthis is offline   Reply With Quote
Old 06-13-2003, 12:13 AM   #12
hschickel
All Star
 
Join Date: Jan 2002
Location: NY, NY
Posts: 776
You get the dns addresses from your isp. Sometimes you can get dns by targeting your router - but it's better to enter the specific addresses from your isp. If you don't have any you can use these:

207.69.188.185
207.69.188.186

They're from earthlink. To hit your own webserver hit your actual address. Check out ddclient as a good OSX way to track a dynamic address.

Hugh
__________________
First they laugh at you, then they fight you, then you win.
hschickel is offline   Reply With Quote
Old 06-13-2003, 08:33 AM   #13
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
in the airport admin utility under internet there are two numbers greyed out next to the fields for dns servers, they are:
24.29.99.17
24.29.99.18

i entered those numbers in my network settings, but i will also check with my isp, which is time warner roadrunner.

my friend was able to access my web server at bustthis.homeftp.net last night.

thanks,

charles
__________________
charles
bustthis is offline   Reply With Quote
Old 06-13-2003, 09:52 AM   #14
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
it's working like a charm!

thanks so much for all your help!

charles
__________________
charles
bustthis is offline   Reply With Quote
Old 06-16-2003, 04:33 AM   #15
hschickel
All Star
 
Join Date: Jan 2002
Location: NY, NY
Posts: 776
You're welcome.

Hugh
D.U.M.B.O., Brooklyn, NYC
__________________
First they laugh at you, then they fight you, then you win.
hschickel is offline   Reply With Quote
Old 07-22-2003, 11:00 PM   #16
jasperx
Prospect
 
Join Date: Jul 2003
Posts: 8
all ports need mapping once 10.0.1.201 used?

I think this thread may have solved the problem I was having making a web page visible from the WAN.
I set my machine up to a static IP 10.0.1.201 and went into my airport base settings and mapped port 80 over to port 80 on 10.0.1.201. Sometime tomorrow i will be able to have someone check it out from outside (or is it possible for me to do?). Shortly after I did this it seemed like I could not get email. So I mapped 25 and 110 across.... do I really need to do this? By setting my IP manually did my Router (Airport) get amnesia about where I am?
jasperx is offline   Reply With Quote
Old 07-23-2003, 08:34 AM   #17
hschickel
All Star
 
Join Date: Jan 2002
Location: NY, NY
Posts: 776
When you manually set your ip address you need to also manually set the dns address(es) so you can resolve names to addresses.

Sometimes this will work if you target your router (ABS in this case). It will always work if you plug in some real dns servers. (Generally you get these from your isp or by looking up dns servers - in a corporate environment you're probably running your own.)

Hugh
__________________
First they laugh at you, then they fight you, then you win.
hschickel is offline   Reply With Quote
Old 07-28-2003, 11:19 PM   #18
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
is it normal that i see someone else's network in the list of available networks? my network is named home, but i also see a network name called thecrib85. is this someone in my building? is this a security risk?

a week ago, i found out someone was stealing my cable, i have seen this name pop up from time to time over the last month and didn't want to screw up my settings by changing anything.


thanks for your time...
__________________
charles
bustthis is offline   Reply With Quote
Old 07-29-2003, 10:59 AM   #19
hschickel
All Star
 
Join Date: Jan 2002
Location: NY, NY
Posts: 776
Airport in general is a serious security risk. If you enable WEP you mitigate this somewhat but WEP is a highly flawed encryption system that is trivial to crack for someone with the right knowledge and tools.

The following items will make your air network more secure if you're in an area where this matters:

1. Close the network. A closed network is more difficult for a hacker to find. This will not lock out dedicated hackers. It will help to lock out casual hackers.

2. Turn on access control by MAC address. Again, this will not lock out dedicated hackers as MAC addresses are trivial to clone. It will help to lock out casual hackers.

3. Turn on WEP 40. WEP 40 can be cracked in a couple of hours by a knowledgeable opponent with a good stream of data to work with. Again this only really helps against casual attackers. Adding any WEP puts an attacker on notice that the network is secure and private. They are breaking the law in most jurisdictions by hacking you.

4. Turn on WEP 128. WEP 128 can be cracked in a day or so with a good data stream by a knowledgeable opponent. This is very good for getting rid of casual hackers and if someone is trying to crack it they are probably after your specific data.

5. Create an IPSec tunnel from your air machines to your network. This is difficult for the casual user to implement but is very secure if used with strong passwords. There is a good tutorial to create a rudimentary system on http://www.afp548.com.

***An open airport system with no WEP or access controls is essentially a hubbed network. Anyone with access can capture and read every packet on the system. This means anyone with an airport card, a pringles can and the ability to get within a mile or so of you can read everything that crosses your network. The above is also true for public networks.

If your data is sensitive - run it through a VPN. Do not depend on the security measures that ship with airport. Apple has stated that these issues will not be fixed before Panther.

Hugh
__________________
First they laugh at you, then they fight you, then you win.
hschickel is offline   Reply With Quote
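
For step 2 of the list above, one way to see which stations are actually on the LAN is to compare the ARP table against the MAC addresses you own. This is an added example, not part of the thread; the `arp -a` text and every address in it are constructed, and as the post notes, a cloned MAC address passes this check.

```python
import re

# Constructed `arp -a` output in the macOS style; every address here is made up.
SAMPLE_ARP = """\
? (10.0.1.1) at 0:3:93:1a:2b:3c on en1 ifscope [ethernet]
? (10.0.1.2) at 0:a:95:de:ad:1 on en1 ifscope [ethernet]
? (10.0.1.7) at 0:30:65:7:8:9 on en1 ifscope [ethernet]
? (10.0.1.9) at (incomplete) on en1 ifscope [ethernet]
"""

# Hypothetical allowlist: the MAC addresses of the owner's own equipment.
KNOWN = {"00:03:93:1A:2B:3C": "base station", "00:0a:95:de:ad:01": "g4"}

ENTRY = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]+) on (?P<ifc>\S+)")


def normalize_mac(mac):
    """Zero-pad and lower-case each octet; macOS prints 0:3:93 for 00:03:93."""
    octets = mac.strip().lower().replace("-", ":").split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.zfill(2) for o in octets)


def unknown_stations(arp_text, known):
    """Return (ip, mac) for every resolved ARP entry whose MAC is not allowlisted."""
    allow = {normalize_mac(m) for m in known}
    hits = []
    for line in arp_text.splitlines():
        match = ENTRY.search(line)
        if not match:
            continue  # "(incomplete)" entries carry no MAC address to compare
        mac = normalize_mac(match["mac"])
        if mac not in allow:
            hits.append((match["ip"], mac))
    return hits


if __name__ == "__main__":
    for ip, mac in unknown_stations(SAMPLE_ARP, KNOWN):
        print(f"unrecognised station {mac} at {ip}")
```
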
Old 07-29-2003, 11:24 AM   #20
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
thanks... even though i don't really know what you're talking about, i will look into it.

if i enable these settings, will i be able to access my computer from work? i use ftp and ssh from work to get onto my computer at home and don't want to mess that up.

i haven't had my firewall on, since i can't seem to ftp when it's on, even with port 20-21 mapped to 10.0.201 and the passive ftp mode turned on.

so are you saying that since i am seeing this name thecrib85 in my available networks, that it is most likely a hacker? it's weird when i select thecrib85, it used to ask for a password and now it doesn't, but the signal strength is very low. i also found that if i go up to the menu bar and click on the drop down menu, thecrib85 only will appear after i click a second time. maybe that's a bug with the newest airport software because i can't see my network in the admin panel either, until i enter the abs number manually.

i would consider my area at risk, since last year my dsl wires were cut 3 times until earthlink refused to fix and now it turns out my super was stealing my cable and made me lose a whole weekend of cable service and a day of work. so i don't really trust anyone... lol!

i will try this and thanks so much for all your help!
__________________
charles
bustthis is offline   Reply With Quote