Modem, router & Screens Connect - how does it all work?


#1

Hello,

I have a network problem I am not able to solve (I looked up help sites but don’t understand it on my own). I have a modem (Speedport) and a router (Netgear) which is connected to the modem. The router is configured as an access point. Everything works fine as long as I am at home and in the network.

The problems start when trying to use Screens on my iPad to access the network remotely. It won’t connect. Screens Connect, the little helper tool for the Mac, tells me: ‘Port Forwarding failed’ and suggests solving the problem by following these steps.

Problem is: It is just too complicated for me. Does anyone have the same situation and can explain to me in simple terms what to do?

Thank you! If you need more information I am happy to answer questions regarding the specific situation.


#2

What is the model number of your router?


#3

It is a Telekom Speedport Smart which serves as a modem and a Netgear R6400 I use as the router. I could use only the Speedport and wouldn’t have all the issues but the wifi coverage of the Netgear is way better.


#4

The error message says it all, right? You need to forward the port on your router to get access to your machine. Without port forwarding every application that tries to connect to any of your devices on your home network gets denied access. So Screens won’t be able to connect to your Mac through your router (i.e. from the internet).
The easiest (but less secure!) method is the one offered by the help page you mentioned: enable UPnP on your router. In this case - from what you’re telling us - this setting must be made on the Speedport. Not on the Netgear, unless you’re using the Netgear as a router and not just as an access point.

Look for a setting somewhere in your modem/router’s config pages called UPnP and tick the checkbox.


#5

One other important bit is that if this is the case (the Speedport is acting as the router and you’re only using the Netgear for WiFi) the Netgear needs to be configured as just a WiFi access point (sometimes called bridge mode). Otherwise you’ll have what’s called double NAT which is also something that can mess up Screens Connect.


#6

The thing is that if it really is too complicated to deal with, it might be a good idea not to open a port into your network because it will not only get Screens Connect working, but you are opening a door from the internet into your Mac. And it is not only Screens Connect that can walk through this door. Something like that should be monitored.

Several options here:

  1. Enable UPNP on the Netgear router as @vco1 has suggested: https://kb.netgear.com/24306/How-do-I-enable-Universal-Plug-and-Play-on-my-Nighthawk-router
    It will not necessarily work out of the box, but it can work. Disadvantage: With UPNP enabled, every device on your LAN can open doors into your network. If you take this route, you should keep monitoring on the Netgear router, what is being opened and when it is being opened.

  2. Do it the manual route.
    First, you have to find the MAC address of the Mac you want to connect to: http://osxdaily.com/2012/02/28/find-mac-address-mac-os-x/
    Then, you reserve an IP address for this Mac in your router using the MAC address you just found:
    https://kb.netgear.com/25722/How-do-I-reserve-an-IP-address-on-my-NETGEAR-router
    Restart your Mac. It should acquire the new IP address.
    Last step: You have to add the custom port forwarding to the router’s configuration:
    https://kb.netgear.com/24290/How-do-I-add-a-custom-port-forwarding-service-on-my-Nighthawk-router
    Basically, you have to forward the TCP and UDP port 5900 to the Mac’s IP address (see the step above). If you want to use SSH, too, you have to forward one more port: 22. Further instructions can be found on the website you mentioned above. If you do not know what SSH is, you should not forward this port (22).

  3. Have a look at Jump Desktop. This is the utility I use. It does not need any port forwarding as long as you use their Fluid Remote Desktop connection (which is used as the default connection). If you have the option to do so, you can test it beforehand with a second Mac or a PC outside of your network before spending the money on the application for iOS. I love Jump Desktop. No need to open ports, it just works (for me, that is). https://jumpdesktop.com
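Option 1 above recommends keeping an eye on what UPnP has opened on the router. The following is an added example (not code from the thread or from Netgear) that parses one `GetGenericPortMappingEntry` response, the standard UPnP IGD WANIPConnection action a router answers with for each mapping, and reports what a home user would want to know: whether the hole is open to any Internet host, whether it exposes a remote-access port such as 5900 (VNC/Screens) or 22 (SSH), and whether it ever expires. The SOAP response, the LAN address and the description are constructed sample values; fetching the entries from the router’s control URL is assumed to happen elsewhere.

```python
"""Audit a UPnP port mapping entry (added example, not from the thread)."""
import xml.etree.ElementTree as ET

# Remote-access ports discussed in the thread: VNC/Screens (5900) and SSH (22).
REMOTE_ACCESS_PORTS = {5900: "VNC / Screens", 22: "SSH"}

# Constructed sample: one GetGenericPortMappingEntry SOAP response from a
# router's WANIPConnection service. Address and description are made up.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>5900</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>5900</NewInternalPort>
   <NewInternalClient>192.168.1.50</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>Screens Connect</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""


def parse_mapping(soap_xml: str) -> dict:
    """Extract the New* fields of one mapping entry into a plain dict."""
    entry = {}
    for elem in ET.fromstring(soap_xml).iter():
        tag = elem.tag.split("}")[-1]  # strip the XML namespace
        if tag.startswith("New"):
            entry[tag[3:]] = (elem.text or "").strip()
    return entry


def assess_mapping(entry: dict) -> list:
    """Return the findings a defender would want to see for this mapping."""
    findings = []
    ext = int(entry["ExternalPort"])
    # An empty RemoteHost means the router accepts the mapping from any source.
    if entry.get("Enabled") == "1" and not entry.get("RemoteHost"):
        findings.append(f"port {ext}/{entry['Protocol']} is reachable from any Internet host")
    if ext in REMOTE_ACCESS_PORTS:
        findings.append(f"{REMOTE_ACCESS_PORTS[ext]} is exposed on {entry['InternalClient']}")
    if entry.get("LeaseDuration") == "0":
        findings.append("lease never expires: the mapping stays until removed by hand")
    return findings


if __name__ == "__main__":
    for finding in assess_mapping(parse_mapping(SAMPLE_RESPONSE)):
        print(finding)
```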


#7

Actually I’m a bit confused on the actual configuration. The original post says “the router is configured as an access point” but a following post says he has “a Netgear R6400 I use as the router.”


#8

The terms “router” and “access point” have become badly conflated in consumer level hardware (and by non-technical folks), probably because most consumer level APs come as part of a router (though that router could be running as a bridge).

As a network guy, I agree with ChrisUpchurch that the first step is to figure out which device is (or which devices are) acting as a router and which one (if any) is acting purely as a bridge. The next step would be to ensure that there is only one router in the network (if both devices are acting as routers), and enable the appropriate port forwarding method on it.

As a security guy, I agree with Christian that if you don’t know what you’re doing, this is an inadvisable thing to do.

Also as a security guy, I think that unless you have a really compelling business/use case, even if you do know what you’re doing this is an inadvisable thing to do :slight_smile:


#9

Agreed. Then, putting aside the security issues for a moment, my approach would be to temporarily turn on UPnP, try it out, and make my final decision accordingly. Under no circumstances would I leave UPnP permanently enabled.


#10

I can understand your confusion as my description was a little unclear. My provider (Telekom) gave me the Speedport but I didn’t like the wifi connection. Therefore, I bought the Netgear. The Netgear has no integrated modem, so I connected it via LAN cable to the Speedport. The Netgear is in “access point mode” (this is what the configuration page says).

But you are probably right… I don’t really understand what the consequences of opening ports and port-forwarding are (of course, I have an idea but no real understanding). Might be the best to just abstain from using Screens.

However, a big thank you to all of you!


#11

Making it a bit more difficult for you…

Does your Telekom modem have a VPN option on it?

You could create a VPN, and “dial in” when you want to use screens.
(and close the VPN again when you’re finished)

I do the same thing, no ports open to the internet, easy configuration on the router and very handy when I do work in a coffee shop or on a public wifi :slight_smile:


#12

No ports open???!!! You definitely have to open a port to VPN into your network. So there’s not much difference with opening a port for a VNC connection. A port is a port and open is open.


#13

Okay, I agree with you on that one.
Nevertheless I do think a VPN connection is a good option in this case (a better option than opening a port to your internal network).

To illustrate my point:

Quick GRC port scan of my connection, ran them all, no indication of anything present.
(And yes, I do know this is not 100%)


#14

This is more than a semantic discussion.

An incoming VPN will be more secure than opening random arbitrary ports that are typically used for port forwarding. Especially if the VPN is terminated by a well-secured VPN endpoint device versus the open ports landing on a regular Mac or PC application.

If you are even concerned about VPN ports, you can use OpenVPN on port 443 - the standard SSL port, and avoid opening even the relatively standard VPN ports used by L2TP or other VPN protocols.

An extra benefit of using VPN tunneling on port 443 is that you will be able to transit across gateways that might otherwise block VPN traffic for their own, usually financially-driven rather than security, reasons.

(They block VPN so you must upgrade to their business-grade service or buy their captive VPN services).


#15

Sorry, but this is complete nonsense. Especially the part about port 443, which is not “the standard SSL port” to start with, but the port used for incoming https requests - something different. An open port is an open port. No matter what service is listening on it.
It’s like running an ssh server on another port than 22. Sounds nice in theory. But in practice the bad guys will just run a port scan and find your ssh server anyway.
The general rule of thumb is to be careful with opening ports on your router if you don’t know what you’re doing.


#16

Yes. This consideration has (so far) dissuaded me from setting up remote access to my home computer or network. While I (sort of) understand your subsequent comments regarding opening ports and port forwarding, I would be uncomfortable doing this from a security standpoint.

Could you expand on this? How does this work?

Would implementing the Fluid Remote Desktop connection reduce the security profile of my computer and network? Do you think this would work with an Eero mesh network?

One last question - how does a VPN figure into this? Does Jump Desktop’s Fluid Remote Desktop connection work as its own VPN? Should I use - or avoid using - a third-party VPN (example - Nord VPN)?


#17

Geez, troll much?

Yeah, port 443 is the standard ssl over http port, otherwise known as https. “Thanks” for the nomenclature lesson - a difference without a distinction.


#18

Could you expand on this? How does this work?

You install Jump Desktop Connect on your Mac. This tool enables the connection via the Jump Desktop Servers to your Mac. It is a concept similar to something like TeamViewer (but with a totally different use case). More details about the connection: https://jumpdesktop.com/connect/

Would implementing the Fluid Remote Desktop connection reduce the security profile of my computer and network?

Any door is a door. But I think this is quite a well-guarded one, if you use a strong password. And you have an easy way to control the access: if you close Jump Desktop Connect on the Mac, nobody can connect. As long as Jump Desktop Connect is running, only the configured user can connect. With Jump Desktop Connect closed, the door is not only shut, but the door is gone completely.

Do you think this would work with an Eero mesh network?

Yes.

One last question - how does a VPN figure into this? Does Jump Desktop’s Fluid Remote Desktop connection work as its own VPN?

I am no network technician, so I do not feel comfortable saying too much on this one to explain the differences. Fluid Remote Desktop uses encryption, TLS in combination with DTLS. The advantage of a VPN is that you do not need Jump Desktop’s servers in order to connect to your Mac. The disadvantage is that you need to set up your own VPN service on your network. The Fluid Desktop connection is a connection that uses encryption from one end to the other, so this is similar to a VPN. But it is not a literal VPN.

Should I use - or avoid using - a third-party VPN (example - Nord VPN)?

If I am not mistaken, a VPN solution like Nord VPN is always a service that enables you to access the internet in a secure way if you are on an untrusted network, or if you want to disguise your country of origin in order to access services that are restricted to certain regions. If you want to VPN into YOUR network, you need to have a VPN service on YOUR network, so that the end of the VPN tunnel leads into your network. Some routers have the ability to set up your own VPN service. I just found this article that explains the concept: https://sumac.com/how-to-setup-a-vpn-to-access-your-office-files-remotely/


#19

@Christian - thank you, very helpful.


#20

Wanted to thank you for the suggestion of Jump Desktop. I’ve been a longtime user of Back To My Mac, and then Screens – both flaky, and now I can’t get Screens to work at all. But Jump Desktop seems to have been able to hold on to a connection between home and work. Thanks again!