I haven’t been able to find any answers to this question with the Search, so here goes.
If I am somewhere other than the network by RaspPi receiver is logged on to, what will I be able to view? Will I be able to see the Google map display that shows aircraft being reported to FA from my receiver?
Thanks.
No, for that you need to set up port forwarding on your internet router and preferably dynamic DNS. I also wouldn’t suggest doing that without using something like VirtualRadar server to host the connection as many of us have done. The web browser native on the PiAware was never meant to be internet facing.
You need to port forward port 8080 on your modem.
This opens the map ip address to the internet and will allow remote access from the internet
Then, when you are a distant location, log into your flight aware account.
On your statistics page you will see your 4 segment “Internet IP”
Then to view your live map remotely.
Enter your “Intenet IP” address in the browser address bar followed by “:8080”
If you are using Chrome, just enter the 4 fields followed by :8080, if you are using Internet Explorer you will also have to enter the prefix data Http://
I placed my RPi in my router’s DMZ.
Went to duckdns.org/ and got a free dynamic DNS name.
Set up the DNS update script via their easy to follow setup instruction.
I can now address my device using the duckdns.org address. .duckdns.org
The DMZ opens the RPI up to the public and keeps it from being able to access my internal network in case something were to happen to it. Of course my internal network can still access the device when need be. This is far safer than port forwarding being the public is not accessing the internal network what so ever only the device in the DMZ. If using this method it is a good idea to firewall your device locally using something such as iptables as well.
It used to be that one could crash the little web server that is within dump1090 quite easily. Simply send it an invalid URL. It should return a 404 error, but it crashes instead. So, if you put this in the DMZ all sorts of invalid requests will hit it, and crash it. …simple things like search engines looking for robots.txt will crash it, for example. The solution is to use lighttd, or apache as your web server.
You also expose all the ports on the Pi to the Wild West that is the internet. Ssh is likely running, and possibly other things too. A complex password for ssh will help, but turning off password access and using certificates instead would be highly recommended.
And of course you have the risk of undiscovered and unpatched bugs in all the software you run on the Pi. If you take the port forwarding approach, at least this is restricted to only specific ports and the code listening there.
Anyway, just my two cents worth. Use or ignore as you think best for your own circumstances. …John
Using Lighttpd so not worried about bad requests all that much.
Only two ports are opened 80 for http and 22 for SSH. (iptables does a good job blocking ports)
SSH is opened but public/private password protected key authentication is used.
If I actually cared that much I could lock down SSH to specific IP addresses as well much like the web servers I have to keep track of daily at work but I am not that concerned being it is a RPi running a simple task segregated entirely from my network.
I would be more concerned forwarding ports hoping that an exploit is not found for the software running on said port. Through which if exploited my whole internal network becomes at risk.
Good discussion of various options here:http://discussions.flightaware.com/ads-b-flight-tracking-f21/raspberry-pi-remote-access-what-is-the-best-your-way-t36569.html
Wow, thanks to all for a comprehensive answer to my question.
That is still port forwarding. 
I’ve got my Pi in a DMZ, as well as a reverse proxy in the DMZ with a VirtualRadar server as the only way to view the output across the web. Still technically port forwarding and much safer than just opening the Pi up to external access.
Also, depending on the router, that may be LESS secure for the Pi since it may be port forwarding SSH and other requests, most home routers also use the same interface for the “DMZ host”, that device could be used as a jump off point.
I never recommend using that setting for anything, ever.
I don’t understand what you are getting at here.
Why would the RPi be forwarding SSH and other requests? This should be handled by the router. Also how is the router itself exploitable because you use a DMZ? If it is exploitable and can be used as a jump off point that has nothing to do with the DMZ and your hosed either way. Why would using the same interface be a bad thing. Most networks only have one interface coming in from the Internet even those with multiple Internet addressable IPs. This is why routers exist, to route traffic to and from the proper destinations.
No a DMZ is totally different concept from port forwarding. By “protecting” your Internet facing device by using port forwarding to “firewall” the device you only open your internal network to attack only to save yourself from executing a few commands on the Internet facing device to set up a firewall on it.
Here is a visualization of the two concepts. (Behold my wonderous MS Paint skills!)
The arrows represent the directions in which traffic can go.
First off using port forwarding you allow access in both directions through said port(s) into your internal network. As mentioned if software is left unpatched or a vulnerability is found the device may become open to intrusion. Being the device resides within your internal network your entire network now becomes addressable once said device is owned by the attacker.
https://www.swiftbyte.com/misc/port-forwarding.png
Using a DMZ, which is the proper way to make available devices on your network to the Internet, the device located in the DMZ is able to send and receive inbound and outbound requests to and from the Internet while your internal network only allows outbound requests as it should be. Your public facing device remains on your network and can accept requests from the internal network but cannot send requests into the internal network. This is a far more secure approch from a network security stand point.
https://www.swiftbyte.com/misc/dmz.png
However as pointed out your Internet facing device now presents a larger attack surface. In order to reduce the attack surface you can use iptables and/or ip6tables to set up a firewall on your public facing Linux device. The following commands should accomplish this task by allowing everyone access to port 80 and only the specified IP address, in this case 254.254.254.254, access to port 22 while blocking access to all other ports. (these commands are off the top of my head but should work) 
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 254.254.254.254 --dport 22 -j ACCEPT
sudo iptables -I INPUT 1 -i lo -j ACCEPT
sudo iptables -A INPUT -j DROP
If your on a IPv6 network you should run the commands again replacing iptables with ip6tables.
UPDATE: In case anyone is interested in learning more on how to setup iptables check out help.ubuntu.com/community/IptablesHowTo.
Now to save your new iptables rules so they persist through reboots. This is easily accomplished using the iptables-persistent package.
sudo apt-get install iptables-persistent
sudo invoke-rc.d iptables-persistent save
Now sit back and enjoy your Raspberry Pi from anywhere you want and rest assured that your internal network is safe and still totally cut off from external Internet requests.
I don’t understand what you are getting at here.
Why would the RPi be forwarding SSH and other requests? This should be handled by the router. Also how is the router itself exploitable because you use a DMZ? If it is exploitable and can be used as a jump off point that has nothing to do with the DMZ and your hosed either way. Why would using the same interface be a bad thing. Most networks only have one interface coming in from the Internet even those with multiple Internet addressable IPs. This is why routers exist, to route traffic to and from the proper destinations.
You misinterpreted what I said. When the router software says “Make this host a DMZ” it is saying that it will allow traffic on any port/protocol to that device. This isn’t different than port forwarding, it’s just not manually defined port forwarding. Usually home connections only have one IP address and they want to be able to NAT/PAT it to internal hosts, while this can be good, it can also be bad (if the port forwarding is more of a forward all ports as the DMZ option does). The only time this is usually useful is for VPNs since some of the protocols don’t like port forwarding or cannot be forwarded by the low end routers that most people have at home.
Also, I am well aware of what routers exist for, since my job is as a network and security manager for a fairly large organization.
No a DMZ is totally different concept from port forwarding. By “protecting” your Internet facing device by using port forwarding to “firewall” the device you only open your internal network to attack only to save yourself from executing a few commands on the Internet facing device to set up a firewall on it.
No, a DMZ is a segregation zone so that you may separate logically and preferably physically externally accessible devices so that your internal network cannot (in reality it just makes it harder) be infiltrated by someone attacking the server you have in the DMZ. Just because a server is in the DMZ doesn’t even mean it’s accessible, it’s just in a network environment that is limited in access to your internal network.
However as pointed out your Internet facing device now presents a larger attack surface. In order to reduce the attack surface you can use iptables and/or ip6tables to set up a firewall on your public facing Linux device. The following commands should accomplish this task by allowing everyone access to port 80 and only the specified IP address, in this case 254.254.254.254, access to port 22 while blocking access to all other ports. (these commands are off the top of my head but should work)
Very good idea, especially if you’re using the DMZ host option on a home router. A better idea would be to just use a port forward on port 80 from the internet to the host, then you don’t need to use the firewall on the Pi since your router would drop the other traffic since it’s not in the port forward table.
If your IP address on the Pi is the same first 3 octets (unless you’re doing subnetting or supernetting) as your internal computers, then you do not have it in a DMZ. (meaning 192.168.0.x with x being different)
Now sit back and enjoy your Raspberry Pi from anywhere you want and rest assured that your internal network is safe and still totally cut off from external Internet requests.
In reality the ONLY way to think that your internal network is safe and “totally cut off from external internet requests” is to cut all external wires/fiber and disable/physically remove any and all wireless devices from any device in the internal network. Anything less is not secure. Any network security person that says otherwise is lying.
-Robert J, Cisco Certified Network Professional (Routing & Switching), Cisco Certified Network Associate (Security).
This is exactly my point. A DMZ is different from simply forwarding a port into an internal network.
The problem I have with forwarding port 80 into a internal network is God forbid the software running your web server or even any application your web server utilizes or is running or becomes exploitable, which happens more often than people think, and an attacker can gain access to it your entire internal network has instantly been breached. If this happens to a device on a DMZ your internal network depending on the setup, is either totally safe from the exploited device or at worse on a home router somewhat safer from it.
That’s was difference I was trying to state between a DMZ and simply forwarding ports to devices on an internal network.
Guess we will have to agree to disagree here. I still believe even some protection is better than no protection at all.
Just a heads up I am not directing this next comment at you mind you but…
the port forwarding as a firewall because I don’t want to set up a firewall excuse doesn’t fly with me. If someone is too lazy to set up a firewall on an Internet facing device they have no business putting a device on the Internet. This goes for system maintenance such as keeping software up to date as well. We have enough zombies out there as it is…
Truer words were never spoken. I guess I should have worded that last sentence a bit differently.
BTW I don’t doubt your knowledge just did not understand what you were getting at is all. Been working in the field now for 18 years myself.