HDR Fox T2 - Web Interface & Port Forwarding

AndyMB

New Member
Forgive me if this has been covered elsewhere but I wonder if anyone could explain in simple terms what I need to do.

I am going away for 3 weeks and would love to be able to access the Hummy via the web interface over the internet to record things whilst I am away. I've tried remote scheduling but not had much luck with that.

I've also tried forwarding ports using my Billion 7800N router but really don't have much idea which ports to forward (I saw port 80 mentioned in another article).

Could anyone kindly help me with this please?

Thanks
 

Ezra Pound

Well-Known Member
Accessing your Humax's web-if over the internet (WiKi Notes HERE) isn't something I have done, but I think it's a lot trickier than getting the Remote Scheduling working and more of a security risk. Could I ask what problems you are having with the RS Server?
 

dragon-it

Member
If you did want to do it you should need roughly:

1. Fixed IP address on Humax instead of DHCP, with router and subnet mask set correctly -- if it can get to Online portal should be OK
2. Port forward of port 80 from router to IP of humax. Some routers will let you pick a different port inside and outside, e.g. 54321 and redirect that to port 80, others the port has to be the same in and out. Some call this services, NAT/PAT, games etc.
3. A fixed address on your broadband connection so you can get to it from outside (or use a service like no-ip.org to give it a name).
4. An ISP that doesn't block any incoming connection.
5. Make sure your router doesn't have remote management or similar option turned on using the same port.

For starters if you do #1, and #2 then you can do http://x.x.x.x from another internet connection and see it.

As has been said you'll be opening up to the world then, at least make sure there is a good password set on it!

Steve
 

rpb424

Active Member
With no port mapping (also called port translation), and simply port forwarding port 80 to 192.168.2.3, then from outside it would be http://111.222.123.234, from inside http://192.168.2.3. The ':80' would not need specifying since this is the default that any web browser will use in the absence of anything else.

If however you port forward 54321 to 192.168.2.3 and also port map 54321 to 80 at the same time then the addresses become http://111.222.123.234:54321 and http://192.168.2.3 (the internal one hasn't changed). Externally you have to explicitly tell the browser which port to request web pages from instead of 80, but not internally since the Humax is still running on port 80 in reality behind the router.

The Billion 7800N supports port mapping, and I'd strongly recommend using it to map port 80 to an obscure port number or else you are opening up port 80 to the world, which is one of the most commonly used ports and one that practically all bots would try and scan. You can also set up Dynamic DNS on the router if you don't have a static internet IP address, or else you'll never be quite sure what IP address to point at from outside.

My preferred method of getting onto my Humax (or anything else) from outside is to SSH into my NAS (which is the only device my router port forwards to, and is also set to an obscure port number instead of the default of 22), and then tunnel through the SSH connection to my desired device, but that's possibly beyond the scope of this discussion.
 

dragon-it

Member
Agreed there... I would normally only open a port to the outside world if restricted to a certain external IP, and ideally through vpn or ssh unless I want it to be open to the world. While it is 'only' the humax and your home network if someone got into your humax webif they can get access into the console and then through onto other machines on the network.
 

Ezra Pound

Well-Known Member
rpb424: In your #5 example, I follow what you are saying about increasing security by using port mapping, but it seems more logical:

when using say http://111.222.123.234:54321, to set up port mapping as port 54321 (external) to port 80 (internal), and then forward port 80 to 192.168.2.3

Rather than

when using say http://111.222.123.234:54321, set up port mapping as port 54321 (external) to port 80 (internal), and then forward port 54321 to 192.168.2.3
EDIT
Having thought about this, it depends how the router's port mapping works:

port mapping

external    internal
80          80        >> port forward 80 to 192.168.2.3

external    internal
54321       80        >> port forward 80 to 192.168.2.3

In the second example if external 80 is not forwarded then my suggestion would be O.K. BUT if external port 80 is also mapped to internal port 80, then any security is lost. So the question is does the router forward internal port number or external numbers?
 

MartinLiddle

Super Moderator
Staff member
rpb424: In your #5 example, I follow what you are saying about increasing security by using port mapping, but it seems more logical:

when using say http://111.222.123.234:54321, to set up port mapping to be port 54321 (external) to port 80 (internal), and then forward port 80 to 192.168.2.3

Rather than

when using say http://111.222.123.234:54321, set up port mapping to be port 54321 (external) to port 80 (internal), and then forward port 54321 to 192.168.2.3
On the (several) routers that I am familiar with the port mapping and forwarding is done as a single entity so the second form is a closer approximation to what is required as input.
 

Ezra Pound

Well-Known Member
Martin, thanks for that. My router allows port forwarding but not port mapping (translation), so I have no screens to examine. It may be just the way it's worded, but it looks to me that if the distant user enters http://111.222.123.234:54321 into his browser and the router is set up to forward port 54321 to the Humax on 192.168.2.3, then entering port translation from 54321 (external) to port 80 (internal) doesn't do anything because the internal port 80 isn't forwarded anywhere. Would you have a screen capture of the setup page?
 

MartinLiddle

Super Moderator
Staff member
Would you have a screen capture of the setup page?
See attached, note that none of these rules have anything to do with the Humax and some are obfuscated.
 

Ezra Pound

Well-Known Member
Martin, thanks for the screen dump. Not sure I can see whether 9332 or 22 is being forwarded in the top example, but it's clear you would be using http://x.x.x.x:9332 to remotely SSH to a device at 193.195.132.15 on port 22. I still think that external port 22 is being blocked while internal port 22 is being forwarded, but I may be wrong.
 

dragon-it

Member
Above shows that ports 9332 to 9332 are being forwarded from outside to port 22 onwards... in this case there is only one port. It could be port 5900-5910 outside goes to 2000 to 2010 inside for instance.

On some routers you can define a service for each port no. you want to use then specify that in the rules; some separate the NAT/PAT and firewall rules, i.e. you could say port X outside goes to port Y on x.x.x.x inside but then in the firewall rules filter this only for certain internet addresses etc.

But we are overcomplicating here somewhat. Just need port 80 putting through firewall BUT to make it less easy to be spotted put it on a different port IF your router supports it.

Steve
 

ntm1275

Member
Something that doesn't seem to be mentioned in the previous posts is that the Humax would need to be out of standby, or in standby but recording something, for the WebIF to be accessed from the WAN.
As the Humax cannot be left on permanently (it automatically goes to standby after about 3 hours) it needs some instruction to come out of standby before it can be accessed.

If only it had WOL functionality
 

Ezra Pound

Well-Known Member
The auto power down after 3 hours can be turned off with MENU >> Settings >> System >> Power Management >> Setting Automatic Power Down = Off. However, it is not recommended to leave the Humax on permanently because problems have been reported. It would be better to decide when you want to communicate with the Humax while away from it and then set a daily reminder on the Humax so it wakes up (without recording) for a set period each day.
 

rpb424

Active Member
Martin, thanks for the screen dump. Not sure I can see whether 9332 or 22 is being forwarded in the top example, but it's clear you would be using http://x.x.x.x:9332 to remotely SSH to a device at 193.195.132.15 on port 22. I still think that external port 22 is being blocked while internal port 22 is being forwarded, but I may be wrong.


No, you're right. External port 22 is being blocked since there is no entry for it in the 'External Start Port' column, port 9322 is being forwarded (and simultaneously mapped to internal 22). This is a good thing for increased security, since you are intentionally using the more obscure port 9322 as a substitute for SSH purposes. Using the screenshot as an example with the numbers we've been talking about for the Humax, you would enter the following...

External Start Port 54321
External End Port 54321
Internal Port 80
Internal Host 192.168.2.3 (The Humax)

This one line in the table is therefore achieving the single entity of port forwarding and port mapping that Martin mentioned.
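
The single table row described above, modelled as an added example (not part of the original thread and not the Billion router's firmware). It assumes the router matches on the external port, maps ranges one-to-one by offset, and can optionally filter by source address as on routers with separate firewall rules; `ForwardRule`, `translate`, `world_reachable`, the 192.168.2.10 host and the 203.0.113.0/24 and 198.51.100.7 addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ForwardRule:
    ext_start: int   # "External Start Port"
    ext_end: int     # "External End Port"
    int_port: int    # "Internal Port" (first port of the inside range)
    int_host: str    # "Internal Host"
    # Assumed optional source filter; the default admits any internet address.
    allowed_src: Tuple[str, ...] = ("0.0.0.0/0",)


def translate(rules: Sequence[ForwardRule], src_ip: str,
              ext_port: int) -> Optional[Tuple[str, int]]:
    """Return (internal host, internal port) for an inbound connection, or None if dropped."""
    src = ip_address(src_ip)
    for r in rules:
        if not r.ext_start <= ext_port <= r.ext_end:
            continue  # this rule does not name the requested external port
        if not any(src in ip_network(net) for net in r.allowed_src):
            continue  # port matches, but the source address is filtered out
        # A range maps one-to-one by offset, e.g. 5900-5910 -> 2000-2010.
        return r.int_host, r.int_port + (ext_port - r.ext_start)
    return None  # no matching rule: the router forwards nothing


def world_reachable(rules: Sequence[ForwardRule]) -> List[Tuple[int, int]]:
    """External port ranges that any internet address can reach."""
    return [(r.ext_start, r.ext_end) for r in rules
            if any(ip_network(net).prefixlen == 0 for net in r.allowed_src)]


# Constructed tables using the thread's numbers; 192.168.2.10 and the
# 203.0.113.0/24 and 198.51.100.7 addresses are made up for illustration.
HUMAX = "192.168.2.3"
OPEN_TABLE = [ForwardRule(54321, 54321, 80, HUMAX)]
RANGE_TABLE = [ForwardRule(5900, 5910, 2000, "192.168.2.10")]
RESTRICTED_TABLE = [ForwardRule(54321, 54321, 80, HUMAX, ("203.0.113.0/24",))]

if __name__ == "__main__":
    outside = "198.51.100.7"
    print(translate(OPEN_TABLE, outside, 54321))        # forwarded to the Humax
    print(translate(OPEN_TABLE, outside, 80))           # external 80 has no rule
    print(translate(RANGE_TABLE, outside, 5905))        # offset within the range
    print(translate(RESTRICTED_TABLE, outside, 54321))  # source not permitted
    print(world_reachable(OPEN_TABLE), world_reachable(RESTRICTED_TABLE))
```

`world_reachable` is the check to run over a real rule list before going away: any range it returns is open to every address on the internet, whatever port number was chosen.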
 

Black Hole

May contain traces of nut
From what I have read, the malicious agents on the Internet probe for all ports - so nobody should mistake obscurity for security.
 

MartinLiddle

Super Moderator
Staff member
From what I have read, the malicious agents on the Internet probe for all ports - so nobody should mistake obscurity for security.
Do they? My experience is that most probe only the common ports and having found an open common port will repeatedly try common exploits such as dictionary attacks on ssh. I haven't seen any evidence of this since moving to an uncommon port.
 

ntm1275

Member
It doesn't have to - see Things Every... (click) section 7.

Thanks for correcting me. I just wanted to point out that with all the talk of opening ports etc. on the router, no one had mentioned the automatic standby when the Humax is in standard configuration, which most probably are when it comes to the 'Automatic Power Down'.

As Ezra points out, do you really want to leave it on all the time, one from a security point of view and two, the extra power it will use?
The setting up of a particular time to wake up would be better and when finished, use WebIf to go back into standby.
 