{"id":9142,"date":"2024-08-06T22:51:11","date_gmt":"2024-08-06T22:51:11","guid":{"rendered":"https:\/\/www.use-snip.com\/kb\/?post_type=ht_kb&p=9142"},"modified":"2024-08-13T18:43:24","modified_gmt":"2024-08-13T18:43:24","slug":"setting-windows-firewall-for-ntrip-use","status":"publish","type":"ht_kb","link":"https:\/\/www.use-snip.com\/kb\/knowledge-base\/setting-windows-firewall-for-ntrip-use\/","title":{"rendered":"Setting Windows Firewall for NTRIP Use"},"content":{"rendered":"

In this article we provide step-by-step<\/em> instructions on how to setup the Windows firewall on your host machine for use with the SNIP<\/strong><\/span> NTRIP Caster. We will be \u201cadding a rule\u201d to the firewall to allow the NTRIP traffic to pass.\u00a0 These instructions are designed for those with little to no familiarly with firewalls and how they operate.\u00a0 [If you are experienced in this area; simply open the ports SNIP<\/strong><\/span> will be listening at (typically 2101 and 2102) for inbound TCP\/IP traffic.]<\/p>\n

Keep in mind there are typically two<\/strong> separate firewalls that this must be dealt with.\u00a0 Here we are adding a rule to the local host machine firewall.\u00a0 Unless your host machine has a direct static IP address on the internet, there will certainly be a 2nd<\/sup> device (a combination router and firewall) that must also be configured to pass in traffic from outside your office environment and hand it to the host machine running SNIP<\/strong><\/span>. Even in the case of a direct static IP, such a router may exist with firewall rules you may need to edit.\u00a0 The setup process for that will vary with the ISP provider you are using but follows somewhat similar rules.<\/p>\n

Hint<\/span>: <\/em><\/strong>You can also test if your SNIP<\/strong><\/span> NTRIP Caster is available to others on the public internet by using our utility tool at http:\/\/monitor.use-SNIP.com<\/a>\u00a0 and entering your IP or URL there.\u00a0 If that tool can obtain your Caster tables, so can any NTRIP Client<\/a> rover devices.<\/p>\n

Background<\/strong><\/h1>\n

Modern firewalls found on Microsoft Windows devices all follow somewhat similar rules of conduct. In general terms, all in-bound<\/em> connections (devices outside of your host machine that may try to connect to you at any time) are blocked<\/strong> by default. In the detailed steps below you will see that there is a bewildering and long list of existing exceptions to this so that various \u201ctrusted\u201d programs can operate.\u00a0 We will add one more rule to this list so that external NTRIP devices can be allowed to reach your Caster.\u00a0\u00a0 In contrast to this, all out-bound<\/em> connections (connection that are started by your host PC to another remote computer) are generally allowed<\/strong> by default.\u00a0 This logic is used on both the home<\/em> and public<\/em> network settings you will find, a difference we will not need to deal with here.<\/p>\n

A common exception to the general allowed<\/em> rule is to detect and trap traffic directed to well-known problem sites. You may find this with \u201cparental control\u201d internet filters or with some corporate firewalls that wish to prevent the use of selected sites or prevent unusual ports from being used.<\/p>\n

Firewalls rules can be made to filter on the IP used at either end, the port used at either end, the application program to be used, the protocol used (TCP or UDP), and on any combination of these elements. New connections that match the defined setting rules can then either be blocked or allowed to flow.<\/p>\n

An interesting detail about TCP\/IP<\/a> connections to know about (which is what NTRIP and other protocols such as HTTP use to transport data) is that there are TWO ports being used at all times. These ports can be any value from 0 to 65535, but some best practices do apply (in other words, regarding well known ports<\/a>). \u00a0In a similar way there are two IPs being used in the connection. And there too some best practices and convention apply.<\/p>\n

Explaining this with a practical example:\u00a0 When you type https:\/\/amazon.com<\/a> into your local web browser, the URL \u201camazon.com\u201d is translated into an IP address using your local DNS<\/a> service.\u00a0 When this was just done here, the value 52.94.236.248 was returned (because of regional load balancing you will likely get a different value).\u00a0 Because the URL has \u201chttps\u201d as the protocol the browser knows to use port 443 (which is the \u2018well known\u2019 secure port).\u00a0 If we had typed http, then port 80 would be used as the \u2018well known\u2019 web port.\u00a0 So under the hood, your browser is connecting to<\/strong> \u201c52.94.236.248:443\u201d to reach amazon.\u00a0 But where is your browser connecting from<\/strong>?\u00a0\u00a0 That\u2019s is the other IP and port.\u00a0 In the case of this machine, its local IP (provided by the office DHCP<\/a> server) is 192.168.2.105 and port to be used is just picked at random from a unused value range, typically a value larger than 32000.\u00a0 In fact every new tab and connection you open will get a different port number each time.\u00a0 So the connection might be from \u201c192.168.2.105: 35000\u201d and to \u201c52.94.236.248:443\u201d and the next page or tab might be \u201c192.168.2.105: 35001\u201d and to \u201c52.94.236.248:443\u201d and so on.\u00a0 The important insight here is that the connecting<\/em> party is using a random port at its end to connect to the \u201cwell known\u201d port at the other end.\u00a0 The same thing occurs with NTRIP Casters!\u00a0 Note that the remote party connecting to your SNIP<\/strong><\/span> Caster used a random port, it did not use port 2101 to reach your Caster that is listening on port 2101.<\/p>\n

One final minor detail is that IPs in the range of 192.168.x.x are not \u201croutable\u201d and are used only for private internal addressing (read: local offices). The range 10.x.x.x is another such example.\u00a0 These ranges are reused by multiple parties without conflicts because when they \u201cgo out to the public internet\u201d a Network Address Translation (NAT<\/a>) process occurs in the router they use.\u00a0 In the case of the machine this article is being written on, 192.168.2.105 is translated to be 23.2×0.2×4.216 and a new port value is used.\u00a0 That is the value of the connecting IP and port that the other<\/em> party will see. In fact it has no insight at all into the original IP and port used to make the request.\u00a0 It is the responsibility of the NAT device to route the traffic between these two endpoints.<\/p>\n

And, just to round out this background; these dynamic and static values will change with time.\u00a0 When we setup firewall rules we want to be secure but also to minimize such routine changes from causing us to revise the firewall.\u00a0\u00a0 So as a rule we do not setup rules that depend on in-bound IPs or on DHCP assigned IP or port values.\u00a0 The exception to this being the IP and port where the SNIP<\/strong><\/span> NTRIP Caster is listening.<\/p>\n

Useful Hint<\/span>:<\/em><\/strong>\u00a0 Want to learn what your public IP is from any device with a browser?\u00a0 Go to this page to get the current value:\u00a0 https:\/\/whatismyipaddress.com\/<\/a><\/p>\n

 <\/p>\n

Launching the Firewall Tool<\/strong><\/h2>\n

With the above background out of the way, we now open the firewall tool and create the new rule.\u00a0 The hardest part of this is finding where, in Microsoft\u2019s market driven wisdom, they have hidden the \u201cAdvanced Firewall\u201d dialog in your copy of MS Windows.\u00a0 It was once easily found in the Control Panel, but after Windows 7 it has increasingly been hidden by \u201chelpful\u201d new dialogs apparently intended to stand between you and being productive.\u00a0 If you can get to \u201cWindows Firewall\u201d you can activate it from the Advanced Setting button along to left side.\u00a0 If you type \u201cAdvanced Firewall\u201d in the search bar for Windows 10 or 11 it will display an option to bring up the Windows Firewall from which you can click on the Advanced Settings<\/strong> button.<\/p>\n

Once you finally have the dialog up and running it will look like this:<\/p>\n

\"\"<\/a><\/p>\n

If you are not familiar with this dialog style, this is the Microsoft Management Console<\/em>, a generic tool used to manage many interesting advanced features of your machine.\u00a0 It is just a container class, and you are expected to learn to resize it to be larger to see all the various columns of data it displays.\u00a0 It is apparently beyond their programing ability to remember what you sized it to the last time and where you placed it, so you will need to do that every time you open it.<\/p>\n

If you click on \u201cInbound Rules\u201d (first item in the tree view along the left side) the center section will show a large set of firewall rules.\u00a0 The green check box indicates a rule is active.\u00a0 An inactive rule is grey, has no icon, or has an X image there.\u00a0 You can sort rules by name etc. by clicking on the heading.\u00a0 Now would be a good time to greatly enlarge the dialog so you can see the many additional headings.<\/p>\n

\"\"<\/a><\/p>\n

<\/h2>\n

Setting up a new Rule for NTRIP<\/strong><\/h2>\n

To create a new rule, first make sure that you are displaying the Inbound rules. If not, select that from the tree view on the left side.\u00a0 Then press \u201cNew Rule\u2026\u201d found under Action along the right side of the dialog.\u00a0 You will be presented with a new empty<\/em> rule as shown below. There are five simple steps to complete this new rule.<\/p>\n

\"\"<\/a><\/p>\n

Step #1, Creating a PORT rule<\/strong><\/h3>\n

Here we will create a Port<\/strong> type rule (not a Program rule).\u00a0 Select Port in the above dialog, then press Next.<\/p>\n

Why not a Program rule?<\/em>\u00a0 Because we want this to work for all editions of the SNIP<\/strong><\/span> Caster, not just the current one.\u00a0 If you were to create a program rule, you then pick the program of interest, Microsoft then does a hash of the program exe file (simpleNTRIP.exe in this case) and stores that value as indicating the \u201cchosen\u201d program.\u00a0 If the program ever changes (such as from one of the SNIP<\/strong><\/span> periodic updates), then this value changes.\u00a0 So any time you updated SNIP<\/strong><\/span>, you would have a problem with such a rule and have to update it. Microsoft\u2019s original intent here is to detect a program that might have been changed by being corrupted or replaced.\u00a0 By choosing a port rule we avoid this problem.<\/p>\n

\"\"<\/a><\/p>\n

Step #2, Set Protocol and Ports<\/strong><\/h3>\n

We next need to set the protocol to use TCP\/IP\u00a0 (not UDP) and we need to set the Specific local ports to be where our copy of the SNIP<\/strong><\/span> NTRIP Caster will be.\u00a0 Set the data as per the below unless your Caster will be on a different port than 2101.<\/p>\n

\"\"<\/a><\/p>\n

Why also port 2102?<\/em><\/strong>\u00a0 Because in the future models of SNIP<\/strong><\/span> (due out Q3 of 2024) all models (Lite<\/strong><\/em><\/span>, Basic<\/strong> <\/em><\/span>and Pro<\/em><\/strong><\/span>) will also support secure Caster connections and 2102 will be the default port used for that.\u00a0 So we are recommending that you set up for that now.<\/p>\n

If you wish to run your Caster on some other port, simply enter that value here.\u00a0 Also see the remarks on AVL servers (a Pro<\/strong> <\/em><\/span>model SNIP<\/strong> <\/span>feature) at the end. You may want to enter that port here as well.\u00a0 Or, you can enter it as its own rule.<\/p>\n

Once this has been entered, press Next<\/strong>.<\/p>\n

Step #3, Set Action<\/strong><\/h3>\n

The default behavior is to allow the connection to occur, so there is nothing to change on this step of the dialog.\u00a0 Simply press Next<\/strong>.<\/p>\n

\"\"<\/a><\/p>\n

Step #4, Domain Profiles<\/strong><\/h3>\n

We wish to enable this rule on all the different domain profiles, so ensure all the checkboxes are checked.\u00a0 Then press Next<\/strong>.<\/p>\n

\"\"<\/a><\/p>\n

Step #5, Name the Rule<\/strong><\/h3>\n

We are nearly done, we simply have to name the rule.\u00a0 You can enter anything you wish here but a name with NTRIP or SNIP<\/strong><\/span> in the title is suggested.\u00a0 We suggest that you use \u201cAllow In-Bound NTRIP on 2101-2102<\/strong>\u201d as it is descriptive but also shows up at the top of the list when the rules are sorted.<\/p>\n

\"\"<\/a><\/p>\n

Press Finish<\/strong> and the rule will be created and shown in the table.<\/p>\n

\"\"<\/a><\/p>\n

That\u2019s is all there is to it!<\/p>\n

Reviewing the rule<\/strong><\/h2>\n

When we created the rule, we used a multiple-step Microsoft wizard to enter the data fields.\u00a0 If we double click on the rule we can see (and edit) this same information in a somewhat different format. \u00a0The same five steps can be seen by clicking on the tabs shown for the rule.\u00a0 For completeness, here is the data shown in each tab.<\/p>\n

The General Tab<\/em>, showing the rule name and action.<\/h4>\n

\"\"<\/a><\/p>\n

The Protocols and Ports Tab.<\/em><\/h4>\n

\"\"<\/a><\/h4>\n

The Scope Tab<\/em>, showing what IPs this rule applies to (all of them).<\/h4>\n

\"\"<\/a><\/h4>\n

The Advanced Tab<\/em>, showing the three profiles the rule applies to (all of them).<\/h4>\n

\"\"<\/a><\/p>\n

The Programs Tab<\/em>, showing that the rule is not attached to a specific program instance.<\/h4>\n

\"\"<\/a><\/p>\n

If your rule looks like the above, you have correctly created it.\u00a0 Keep in mind it is easy to just right-click and remove a rule (or to disable one) when there is need.<\/p>\n

A common mistake, too many rules\u2026<\/strong><\/h3>\n

Below is an example where several \u201cprogram\u201d type rules were created, one every time a new copy of SNIP<\/strong><\/span> was deployed on the host machine.\u00a0 This is not harmful in that it causes no operational problems, but is it wasteful.\u00a0 All of the \u201csimplentrip.exe\u201d and \u201cSNIP NTRIP Caster\u201d rules below can be safely removed as the single rule at the top of the page (\u201cAllow In-bound NTRIP on 2101-2102\u201d) is all that is required.<\/p>\n

\"\"<\/a><\/strong><\/h3>\n

Use with AVL (a feature on SNIP Pro models)<\/strong><\/h3>\n

If you are running an AVL server on your Pro<\/em><\/strong><\/span> copy of SNIP<\/strong><\/span>, you will need to open a firewall rule for that service as well.\u00a0 You may also need to create a similar rule to open the port on the public IP as well (if you allow devices outside of \u00a0your local office to access the AVL data feed). \u00a0See the articles AVL Tab<\/a> and AVL Server<\/a> for more details about this feature.<\/p>\n

 <\/p>\n

Related Articles <\/strong><\/h2>\n

Please see the article Setting IPs for AWS deployments<\/strong><\/a> for similar details targeted for those running a copy of SNIP<\/strong><\/span> on any AWS VM machines.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

In this article we provide step-by-step instructions on how to setup the Windows firewall on your host machine for use with the SNIP NTRIP Caster. We will be \u201cadding a rule\u201d to the firewall to allow the NTRIP traffic to pass.\u00a0 These instructions are designed for those with little to […]<\/p>\n","protected":false},"author":13,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"ht-kb-category":[112],"ht-kb-tag":[515,190],"class_list":["post-9142","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-general","ht_kb_tag-firewall","ht_kb_tag-setup"],"_links":{"self":[{"href":"https:\/\/www.use-snip.com\/kb\/wp-json\/wp\/v2\/ht-kb\/9142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.use-snip.com\/kb\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/www.use-snip.com\/kb\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.use-snip.com\/kb\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.use-snip.com\/kb\/wp-json\/wp\/v2\/comments?post=9142"}],"version-history":[{"count":7,"href":"https:\/\/www.use-snip.com\/kb\/wp-json\/wp\/v2\/ht-kb\/9142\/revisions"}],"predecessor-version":[{"id":9150,"href":"https:\/\/www.use-snip.com\/kb\/wp-json\/wp\/v2\/ht-kb\/9142\/revisions\/9150"}],"wp:attachment":[{"href":"https:\/\/www.use-snip.com\/kb\/wp-json\/wp\/v2\/media?parent=9142"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/www.use-snip.com\/kb\/wp-json\/wp\/v2\/ht-kb-category?post=9142"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/www.use-snip.com\/kb\/wp-json\/wp\/v2\/ht-kb-tag?post=9142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}