Access, but not too much
I’m not having a lot of luck poking holes in the home firewall, so maybe someone else has an idea.
Here’s the new network:
We’re connected to the internet with a Comcast cable modem. Sitting immediately behind the modem is a Linksys BEFSR41 v.2, a four-port ethernet router which was the wonder of its day. It happens that day was seven years ago, but I’ve flashed it with a 2004 firmware upgrade and taken the obvious steps like changing the default password, so it should be perfectly functional. The router accepts an externally-routable IP address from a Comcast DHCP server “outside” and establishes a local network with non-externally-routable addresses “inside.” (As an example, it assigns itself 192.168.1.1 as its LAN address; the 192.168.x.x range is not valid on the wider internet.)
One local ethernet port leads to an Apple Airport base station, the second-generation “snow” version from 2002 or so. (This, also, has had a firmware upgrade in the not-so-distant past.) The Airport has a fixed IP address in the local network, 192.168.1.100, and distributes more local addresses via DHCP in the range 192.168.1.101-150 to a rotating cast of laptops using wifi. (There’s no encryption standard supported by all laptops and this base station, so it’s not possible to password-protect or encrypt the network. Access control is by a list of approved hardware fingerprints, so if you visit us, we’ll need to spend a minute or two determining the MAC address of your laptop’s wireless card and putting it on the list.)
Also on the wired network is the Mini (no up-to-date icon on that one), also holding a fixed IP address of (I think) 192.168.1.107. My current puzzle is this: how do I train the router to allow SSH connections from “outside” to reach that Mini?
I can ping the router itself, and even bring up its management interface, which suggests that Comcast is (for once) not the problem. I have asked the router to forward incoming port-22 connections to that IP address, and I have also tried designating it as the so-called “DMZ” host, which is supposed to expose it completely. Neither one has worked so far. Close reading of the router manual (when in doubt, read the directions) suggests that these don’t work when the router is assigning DHCP addresses, which is why I shifted DHCP duties to the Airport. I wonder if the very fact that the Mini sits in the DHCP address range, even though the router doesn’t assign it, is the current stumbling block?
Update: Moving the static local IP of the Mini helped, but giving it a full set of network information—the address of the router being key—turned out to be the final solution. Hopefully it can run on “full headless mode” now.
![[Swinging off a dragger, Cundy's Harbor, Maine, July 4th, 2003]](/images/cundys_harbor.jpg)