Getting "wake on lan" to work through the internet

[RadioDan]

I have been trying to setup WOL, so I can boot into my PC from elseware via the internet. I have successfully managed to wake up the system from another computer within the small wired network here, but no joy when trying to do this from "outside"

The router I am using is a Linksys WAG54GX2. I have hunted around online for any articles/tutorials etc and I am told that the router needs to support "Subnet Directed Broadcasts", which i'm not sure the WAG54GX2 does? Another article mentioned forwarding a UDP port to the (static) IP address of the computer in question, however, how can a computer have an IP address when off??

I am using DynDns to keep the outside IP updated and as said before, have no trouble in waking up the computer from any machine (via the DynDns domain) within the network.

Any help will be much appreciated!

[mickevh]

Errr, I'm not sure this is doable.

You'd need to create a port forwarding rule in your router to let traffic in from the Internet (which would allow anyone to wake your PC up) and you'd need a way to persuade your router to "broadcast" the "magic packet" that wakes the target PC up to the whole of your private/internal network, and I'm not sure the router will help you with that. It's more likely to see it as an "attack" and prevent it.

[gary99129]

Quote:

Originally Posted by mickevh

I don't hold out much hope, but you could try the following:

Turn off DHCP (client) on the host you want to WOL then set it's private IP address etc. manually. Check you can still get to the internet.

Register your router with DynDNS so that you can always find the public IP address of your router.

Create a "port forwarding" rule in your router so that any traffic it receives from the Internet to it's public IP address is "forwarded" to the private IP address of the host you want to WOL.

Normally the firewall in home routers doesn't let in any unsolicited traffic from the Intenet. The "port forwarding" rule opens up a hole in this regime (which you'd want to do if - for example - you had a web server at home.) I'd pick a "UDP" port with an "usual" or unpopular port number.

Then test. However, you MUST test from a physically different network to your home network, or you're not testing the traffic through your router and
it's port forwarding rule. If you test from the home network, your source PC and/or router will figure this out and not send traffic "out and back in again" it will send it direct on the LAN and so not prove anything.

Then you've got to figure how to create the correct "magic packet" on the source PC to WOL the target PC and get it into the IP packet you want to send through the Internet.

And in this scenario, anyone on the Internet will be able to WOL your target PC - so would you really want to?

This also may fail if you're router regards your target PC as being "off" when it's in it's quiesced state (ie the router ARP table has aged out.)

Like I said, I don't hold out much hope for this.

Maybe someone else has an easier solution, 'cos this all sounds hard to me.

Sorry guys, that won't work (explanation below - it's probably not 100% correct but near enough). The only way to do it from the Internet would be to use a VPN or a web server on the same 'network' as the PC you are trying to wake. Effectively you connect to the web server, and it in turns sends the WOL data to wake up the PC, one of my colleagues has had this working.

WARNING, this is for IT Techies only, I promise you this will be like a foreign language if you aren't a techie. The reason WOL cannot be done directly from the Internet is that to wake a PC requires broadcasting the MAC address on the Data-Link Layer of the OSI 7 layer model. IP addressing works at layer 3, MAC addresses are at layer 2. Routers will not accept communications on layer 2, so will ignore the WOL data and more importantly routers do not pass broadcasts just like a DHCP request cannot be passed through a router (well there is an easy way around that on decent routers).

[mickevh]

Quote:

Originally Posted by gary99129

...The reason WOL cannot be done directly from the Internet is that to wake a PC requires broadcasting the MAC address on the Data-Link Layer...

Yeah - that's what I figured out when I though about it a bit more.

[RadioDan]

Well, there must be some way of doing it! All the research I've so far indicate that it is possible to do with a router?

Dan

[extremelydodgy]

Not really. You'll need a VPN for this to work. Netgear has a really cheap SSL VPN concentrator (not a recommendation but it seems to be reasonably reviewed) if IPSec seems like too much trouble.

[RadioDan]

ok, this Netgear SSL312 looks exiting. I assume with this I can WOL and remote access any computer on my network - easily using a web brower?

Not to much money either. Anybody used/setup one of these? I gather it will just plug into my wired network and from any computer on the internet, I can do things as if I was on the internal network?

Dan

[extremelydodgy]

The reviews all basically say 'It works' so it seems to be worth a punt. I use a Juniper SA700 at home and a bigger one at work, and for my uses SSL VPN works pretty well for me.


The one variable in your case is a domestic dynamic IP link, but if you self-sign I don't see this having a major issue.


The concentrator will sit behind your primary firewall/router, and you direct port 443 to it. I use external authentication for home and work, but the Netgear box definitely should be able to do its own authentication. I don't know how the Netgear handles certificates, but I'm assuming you'll be able to self-sign certificates.


Basically, what you need to get SSL VPN going is:
- Port 443 going to your concentrator
- A valid certificate, be it self-signed or recognised trusted CA issued (the latter probably won't work with DynDNS)
- Client(s) with the above certificate installed if self-signed (if CA, no need)
- User ID and password registered on the concentrator device


It's fairly straightforward, and I doubt Netgear will make it hard.

[fox uk]

I have actually got this to work, but it is kinda cheating ..... depending on the model of your router, you may be able to upgrade/change the firmware to a hybrid version which allows you to instruct the router to send the WOL magic-packets to the local LAN. Around a year ago I had a Netgear DG834GT which i upgraded the f/ware to the 'uber-firmware' which you can find online (just google it). This adds a number of extra menu-items in the web-gui for the router - one of which is 'wake on lan' and allows you to specify a local host and a MAC address... the router will then send a magic-packet to your local host. Works fine!

Again, this relies on you enabling the option to manage the router via the web (which can have security implications!). But it does mean you can log onto the router from the internet and instruct it to wake a local host.

Unless you have a serious bit of kit (like a hi-end commercial Cisco router for example), your average SOHO router won't accepted directed broadcasts from the internet. It will just discard them.

Hope that helps. Dave

[mattclarkie]

There are websites that allow you to send magic-packets over the net, but by default most routers from Netgear, Linksys, Belkin .etc. block internet traffic on the broadcast address as it is a security threat.


The only way around it is to either use a router that allows it, get a custom firmware, or use a VPN or SSH as others have suggested.

It is probably best leaving the computer on if you really need to access it remotely.


I do use WoL on my home network to wake the NAS when I need it, which works fine because the routers don't block the broadcast address over LAN, just WAN.

[RadioDan]

Having a closer look through my Linksys router, it appears you can setup a VPN on it, there being quite a number of detailed settings. If I can get help to set this up, I gather I will be able to achieve what I want to be able to do? What software would I need to be running on the remote computer?

Many thanks, Dan

[extremelydodgy]

Not too much info I've been able to dig up on a cursory look, but it does appear to support VPN access. So I guess you should give it a try. However, the reason I mentioned SSL is that many people find an IPSEC VPN very hard to configure, since they don't know any of the terminology involved. Most of the setup involved in an SSL VPN is procedural, not technical.

[Rab2]

I had this working fine a while back without VPN or SSL.
At the time I was using a Be router (Thomson speedtouch I think) Unfortunately I'm not using this router anymore so can't verify the config for it.
I'm pretty sure it was only a matter of forwarding traffic on port 7 and/or 9 to the ip of the onboard network card on the pc.

Took me a while to get set up at the time. One thing I found was a lot of the so-called magic packet utilities didn't actually work.. The most reliable site I found was Wake On Lan Used to use this from work all the time and vnc in.

[t72bogie]

Quote:

Originally Posted by RadioDan

ok, this Netgear SSL312 looks exiting. I assume with this I can WOL and remote access any computer on my network - easily using a web brower?

Not to much money either. Anybody used/setup one of these? I gather it will just plug into my wired network and from any computer on the internet, I can do things as if I was on the internal network?

Dan

yeah- exactly that, very easy to set-up and an ideal solution for small business who want secure remote access, it was the first SME class SSL concentrator on the market - good review here

SmallNetBuilder - Small Network Help - Netgear's Breakthrough SSL312 VPN Gateway

[mattclarkie]

I had to build my on WoL client, because all the ones I downloaded didn't work, or expected things that aren't even needed.


There is a French one that claims to be the best, it kept asking for an address of something(no idea what) to send the packet, all it should need is the MAC of the computer, and maybe the broadcast address for the network, but it insisted on something that I don't even think exists, so I said screw that and built one in about 3 minutes. Of course only LAN not WAN.