Need a Fixed External IP

I am on the board of our local Habitat for Humanity and am trying to get us signed up with a state loan assistance program for our partner families. 

In order to complete the sign-up, I need a fixed external IP for FTP file transfers.  Problem is, we are a small organization with no office network (or as far as that goes office), so I don't have access to a range of external IPs.  If it helps, my home network is behind a DPC3208 Cisco cable modem; the ISP is Spectrum.

Anyone have an idea of how to accomplish this without costing our Habitat a fortune?  VPN to an external service?  Voodoo?

Assistance appreciated.

If your ISP can't offer you any fixed IP options, you could try a VPN with a fixed endpoint, or a get VPS with a fixed IP (I have one that costs about $50/yr).

OK, so they're actually asking for an IP address? Keep in mind that most of the time your IP address - even on non-fixed IP address type connections - doesn't change very often. It might be the same for a year or more at a time, depending on the provider. Can you go back and change the IP address later? If so, maybe you could just give them your current IP address and change it if it does change later.

I must say this is a bizarre requirement for that type of program.

I remember when my kids used to host a Minecraft server, that our IP addy would remain the same for quite a while.  

So, agreeing with dculberson.

In reply to GameboyRMH :

Do you mind letting me know who you are using?

They may be requiring a fixed IP more for security reasons rather than simply allowing access - because FTP is an ancient protocol with crappy security by today's standards, they probably want to make sure that this org and ONLY this org have access via IP whitelisting. I work with systems with similar requirements (except they use actually secure protocols and the IP whitelisting is a second layer of protection).

Spectrum Business does offer a fixed IP option, but not their residential offerings.

But if I'm reading this right, what they really need is a fixed IP for an FTP server, not necessarily for you. Set up a minimum hosting account with someone like Bluehost, pony up for a dedicated IP and run a free FTP plug-in.

CJ said:

In reply to GameboyRMH :

Do you mind letting me know who you are using?

I'll DM you.

They want to hardcode an IP?  Over the internet?  That is amazingly short-sighted.  And when they say FTP, surely they at least mean SFTP, right?

I use Host Gator for very little money a year for my personal stuff.  Webserver, domain hosting, FTP, email, Wordpress, photo gallery, MySQL databases, and whatever other applications I want to spin up.

I know that the external IP on my cable modem rarely changes, so that may be an alternative. 

The local guy at Spectrum was kind of clueless so far as fixed IP, so likely will have to move up the food chain to get more info.

Thanks all

I suspect that they are concerned that financial / payment info is being transmitted and want to be sure who is downloading the info.

So my understanding is I will be using something like FileZilla and they want us to connect to their SFTP server from a fixed IP (or several fixed IPs).  They say they just can't handle dynamic IPs. 

The more I think about it, i think it seems prudent to not have me as the single point of contact, in case I get hit by a beer truck some day.  If I rent a fixed external IP, I could set up a VPN connection to that IP and install FileZilla on several board member's computers, would that work?

CJ said:

The more I think about it, i think it seems prudent to not have me as the single point of contact, in case I get hit by a beer truck some day.  If I rent a fixed external IP, I could set up a VPN connection to that IP and install FileZilla on several board member's computers, would that work?

Yeah that seems like a good plan.

Can you use a domain name instead of an IP address?  There are dynamic domain name services for very little money that will automatically update with your homes dynamic IP.  An agent on your network will detect any time the public IP changes and then update the domain name server record.  For example,  org-name.ddns.com could always point to whatever your ISP assigned your modem at that moment. 

I don't mean to thread derail, but this seemed the most relevant place to ask:

I need to give private remote web access to a personal machine serving as a local web server.

Our autocross T+S software runs as a local web server connected to a dedicated router.  The host machine runs the software and outputs to a router.  Anyone within wireless range of the router can connect to the host's fixed local IP via browser and help administer the information.  That requires physical presence.

We'd like to be able to do the same thing but by granting remote access to specific other people.  I understand how the local network functions, but I have no idea how to make that safely accessible to the internet so we can have people help without being in the same room.

Any "idiot's guide to..." assistance will be appreciated.

In reply to andy_b :

I get what they're trying to do.  It's not about where an external system is connecting to CJ, it's about restricting what systems can connect to the financial system so they're building an ACL as an extra layer of security.  We do that for customer management VPNs and stuff like that now, and it's all based on IP addresses or ranges.  I didn't get it at first, either, but it actually does make good sense but, like pretty much all data security things, it's a bit inconvenient.

In reply to Duke :

Are you talking about a place with a terrestrial internet connection that you have some level of control over or is your internet connection based on a cell hotspot?  I am not aware of a consumer-grade hotspot that will allow inbound IP traffic, although I haven't looked in a while.  I would assume that there are some commercial products that can do that, but my guess is they're a bit spendy.

If you have some sort of connection that doesn't block inbound traffic, you could simply use a dynamic DNS service and forward port 443 on your router to the webserver's IP.  Then anyone who has the DNS name and login credentials for the application could connect.  A little dangerous, but do-able.

The other option - and probably the only option if you're using a hotspot - would be to buy a VPN service.  Probably a "VPN Router".  That way your router would be the termination point for the VPN and if you had a dedicated IP (and likely you'd have to for unfiltered inbound traffic, but I don't know for certain) you could add a DNS entry for that or just have folks hit the IP.  Again, the VPN client would need to forward port 443 to the web server.

If you have an internet connection that does allow inbound traffic, you could use a different type of VPN router - one that provides a VPN as opposed to one that connects through one.  Again with a dynamic DNS service, you could allow certain people to connect to that name with a VPN client and then their computer would be on that local network.  It's a little more secure, but would require unfiltered inbound IP traffic.  A lot of consumer-grade wireless routers have that functionality now - I've got a Netgear router that does that, although I've never used it.

Yes, this would be located in a place with terrestrial internet service; a typical residential connection.

On site is no issue because everybody is either hardwired to the serving router or within (closed, non-discoverable) wifi range, and you can't log in to the administrative tools unless you know what to look for and have the credentials.

The problem is, before and after events, there is a lot of prep work to be done, and some of that is easier with 2 people.  DW and I used to do that work in person together by setting up the host, router, and a second machine at home.  But DD#1 is now the autocross chair and she would like to be able to set it up and then let someone remote in to help her.

Thanks.

I had a legnthy reply typed up and then the power went out...  Sigh.  What you're doing is probably very doable and relatively easy.  What kind of routers are we talking about?  If I have to retype it all, I might as well make it as relevant to you as possible.

In reply to wae :

Damn, I'm sorry that happened.  Thanks anyway for the effort.

The router is a TP-Link Archer C7, I believe.

If they are asking for SFTP for secure file transfers,  look into something like Kiteworks.

Ihttps://www.kiteworks.com/pricing/

In reply to Duke :

Okay, I think I have the right manual here...

Basically, you have two options.  The first is to make your web server available to The Internet as a whole via port-forwarding.  The other option would be to require people to connect to your network via a VPN first and then they could access the application.  The problem with the second option there is that they'd be able to connect to anything in your home network.  If we were talking about a Cisco ASA or something, we could restrict that a little better, but most consumer-grade stuff doesn't support those kinds of ACLs and it doesn't look like this device is an exception to that rule.  If it were me, I would set it up with port forwarding. 

Question number one is if it is using HTTP or HTTPS.  HTTPS could be a problem if you can't generate and install a new certificate for the application web server.  If the certificate is for "192.168.1.42" for when you're using it out on site, then when you try to connect to it with a name of "whatever.mydomain.com", it's going to complain about an invalid certificate.  I'm pretty sure that most browsers can be told to ignore that and connect anyway, but that can be a little annoying, especially for low-tech users. 

Once we know that, we can configure the router.  In the setup, it looks like you can go to "Advanced, network, and dynamic DNS".  From there you can select a provider, register with them, and then define a dynamic name.  That way you'll have a name that you can give people and your router will know when it changes public IPs and will update the DNS servers accordingly.

With that complete, we should configure your application web server such that it gets the same IP address every time.  With the system up and running at home, grab the IP address and MAC address from it.  In the router, go to advance, network, DHCP server and select "add" in the Address Reservation section.  Put in the MAC address and IP address, click the box to enable it, and hit OK.  Now, whenever that system connects at home, it gets the same IP address and the router won't give that address to anything else.

Now, you can go to Advanced, NAT Forwarding, Virtual Servers.  Here, you'll add an entry for HTTP, HTTPS, or both to forward to the IP address that is now assigned to the web server.  Your protocol is TCP, your external and internal ports should match, and if it's HTTP the port is 80, HTTPS is 443.

Once all that's done, anyone should be able to log in to the web server by simply browsing to the name that you created.  But be aware that means that anyone would be able to log in to the web server by simply browsing to the name you created!  And, of course, if they're able to pwn that box, they're now on your local network and can try to pwn anything in your house.  Either keep that thing patched like crazy or (and I am assuming that this is the plan anyway), turn it on when you need to get it prepped and then turn it back off when you're not needing it to limit your exposure.

Hope that helps!

Wow, thanks for the great detail.

I did the router setup in about 2019 but I don't have access to the equipment right now; sorry.  The client machines all connect to the T+S server at a fixed 10.10.10.10 and most have (or had) their own static assigned IPs from the router.  We put new drives and fresh Win10 installations on the clients over the off-season.  I assume their machine IDs survived that and the router is still using the assigned IPs, but they work and I never checked.

Actually, looking at my bookmarks on my phone it appears that the router is using HTTP.

Don't know if that gives you many clues to go with.  Thanks again.

[edit]  I can send you the config .bin file if that helps - I do have access to that.