
Port Forwarding - A guide


berrick


Port forwarding: an overview

This is an overview, not an in-depth discussion of IPv4 networking.

The basics

 

IP addresses have to be unique on a network; if they are duplicated, data may not be delivered to its intended recipient. Think of a postman delivering mail on your street: if there are two houses numbered 12, which one does he deliver mail addressed to number 12 to? Probably the first number 12 he gets to.

Needing a unique IP address causes a problem. Due to the way IPv4 works, there are simply not enough addresses available for everyone, or every device, in the world to have a unique IP address.

 

To overcome this limitation of IPv4, two mechanisms are employed:

1. Network Address Translation (NAT). Translates public IP addresses to private ones and vice versa. More info here: http://en.wikipedia.org/wiki/Network_address_translation

2. IPv4 addresses are broken into two types, termed:

a. Public, those which can be routed across the internet

b. Private, those which can’t (your LAN)

 

NAT is a form of firewall.

The fact that we have to use NAT to overcome the limitations described above when connecting to the internet creates two separate networks: your LAN, which is private, and the internet, which is public. This added layer of complexity does offer you a benefit, your first layer of security, as nobody outside of your network can access it. Well, not without help, but that’s another topic.

 

Now, NAT is fine if you only need to translate one public IP address to one private IP address (a 1 to 1 mapping) or vice versa, but what if you have multiple devices on your LAN? You would need one public IP address for each device that needs to access the internet. Fortunately, NAT has another trick up its sleeve in the form of Port Address Translation.

Port Address Translation is where a single public IP address (for this discussion, the one assigned by the ISP to the internet, WAN or outside, interface of your router) is combined with a port number. This means that one public IP address could actually allow 65,536 private devices simultaneous access to the internet.

 

It may simplify things to think of NAT like this. If your computer was out on the street, then anyone with a mind to could just walk up to it and start using it. Not very secure.

But take this computer and put it in a room with many closed doors (65,536 to be exact, each door individually numbered) which can only be opened from inside the room (port forwarding), and now you have a more secure computer.

 

Port forwarding

 

Port forwarding = Game & Application sharing  

 

As mentioned above port forwarding is the process of opening up a port (a uniquely numbered door) in your router (the room) to allow traffic to access your private network from the internet.

 

For port forwarding to work you need several bits of information:

· Your WAN or outside IP address. This is the IP address of the connection between your router and the internet.

· The port number you wish to open.

· The IP address of the device on your network (LAN) to which you want to forward traffic from the internet.

 

The way in which you use this information to forward a port depends on the manufacturer and model of your router, but this site http://portforward.com/english/routers/port_forwarding/routerindex.htm is a good place to start if you aren’t sure. It has guides on how to port forward for many makes of router. Bear in mind these guides aren’t necessarily accurate.

 

Further complications

DHCP (Dynamic Host Configuration Protocol) is designed to help us with IP addressing, but in the case of port forwarding it can be a hindrance. Why?

 

You set up port forwarding as shown below, so that traffic from the internet hitting your outside IP address with destination port number 999 is forwarded to a device on your network with IP address 192.168.0.1, listening on port 3389.

 

Protocol TCP      Outside Port 999-999      Inside Port 3389-3389     Inside IP 192.168.0.1

 

This works great, then suddenly, without warning, it stops working!

The reason: the device on your network with IP address 192.168.0.1 got this address via DHCP. When the DHCP lease is up, this device requests another IP address, but this time DHCP issues it 192.168.0.13. Unfortunately, nobody told the router about the change to 192.168.0.13, so the router is still trying to forward traffic to IP address 192.168.0.1.

 

To get this working again you would have to change the port forwarding rule in the router to match the new IP address, as the original configuration is no longer correct.
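As an added illustration (not part of the original post), here is a toy model in Python of what the router does with the rule above: outbound connections get a PAT entry, an unsolicited inbound packet is dropped unless a forwarding rule matches, and a rule that still names 192.168.0.1 silently fails once the device has moved to 192.168.0.13. The WAN address 88.123.1.11 is the one used later in the post; the LAN addresses and port numbers are constructed.

```python
# Added example, not from the original post: a toy model of a home router's
# NAT/PAT table and port-forwarding rules. Addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class Router:
    wan_ip: str
    lan_hosts: set = field(default_factory=set)    # addresses currently live on the LAN
    forwards: dict = field(default_factory=dict)   # (proto, outside port) -> (inside ip, inside port)
    pat_table: dict = field(default_factory=dict)  # (proto, public port) -> (inside ip, inside port)
    next_port: int = 49152                          # first public port PAT hands out

    def add_forward(self, proto, outside_port, inside_ip, inside_port):
        """The 'Outside Port 999 -> Inside IP:Inside Port' rule from the post."""
        self.forwards[(proto, outside_port)] = (inside_ip, inside_port)

    def outbound(self, proto, src_ip, src_port):
        """A LAN host starts a connection: PAT allocates a public port and
        remembers which private address and port it belongs to."""
        public_port = self.next_port
        self.next_port += 1
        self.pat_table[(proto, public_port)] = (src_ip, src_port)
        return (self.wan_ip, public_port)

    def inbound(self, proto, dst_port):
        """A packet from the internet reaches the WAN address. Returns the LAN
        (ip, port) it is delivered to, or None if the router drops it."""
        target = self.pat_table.get((proto, dst_port)) or self.forwards.get((proto, dst_port))
        if target is None:
            return None   # no PAT entry and no rule: this is NAT acting as a firewall
        if target[0] not in self.lan_hosts:
            return None   # rule exists, but nobody holds that address any more
        return target

def demo():
    r = Router("88.123.1.11")
    r.lan_hosts.update({"192.168.0.1", "192.168.0.5"})
    r.add_forward("tcp", 999, "192.168.0.1", 3389)
    out = {}
    out["forwarded"] = r.inbound("tcp", 999)        # rule matches -> ('192.168.0.1', 3389)
    out["unsolicited"] = r.inbound("tcp", 3389)     # nothing opened 3389 from outside -> None
    _, public_port = r.outbound("tcp", "192.168.0.5", 51000)
    out["reply"] = r.inbound("tcp", public_port)    # reply follows the PAT entry back
    # DHCP lease renewed: the server moves to .13 but the rule still names .1
    r.lan_hosts.discard("192.168.0.1")
    r.lan_hosts.add("192.168.0.13")
    out["after_dhcp"] = r.inbound("tcp", 999)       # None: the rule is now stale
    return out
```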

 

Static IP: the way to go

Luckily there is something you can do about this. Assign a static IP address to the device you need to port forward traffic to. Static in this context means it won’t automatically change.

 

Now, the way you accomplish this will depend on how your network is set up and the equipment in use, and isn’t covered here (in most cases your router will be the DHCP server), but there are two important things to remember when assigning static IP addresses.

1. Two devices can’t have the same IP address on the same network.

2. When assigning static IP addresses on a network with an active DHCP server, remember to configure the DHCP server NOT to use the IP addresses you have assigned statically. If you don’t, you can end up falling foul of point 1.
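The two rules above can be checked mechanically before touching the router. The following is an added example, not from the original post: it takes the LAN subnet, the DHCP pool and a list of hand-assigned addresses and reports any violation. The 192.168.1.0/24 subnet is assumed from the HH2 default address used later; the pool and device addresses are constructed.

```python
# Added example, not from the original post: check a set of hand-assigned
# (static) addresses against the two rules above. Pool and devices are constructed.
import ipaddress
from collections import Counter

def check_static_assignments(lan, dhcp_pool, static_ips):
    """lan: the LAN subnet, e.g. '192.168.1.0/24'.
    dhcp_pool: (first, last) address the DHCP server may hand out.
    static_ips: {device name: address} configured by hand.
    Returns a list of problems; an empty list means both rules hold."""
    net = ipaddress.ip_network(lan)
    first, last = (ipaddress.ip_address(a) for a in dhcp_pool)
    problems = []
    # Rule 1: two devices can't have the same IP address on the same network
    for ip, count in Counter(static_ips.values()).items():
        if count > 1:
            names = sorted(d for d, a in static_ips.items() if a == ip)
            problems.append(f"duplicate address {ip} on {', '.join(names)}")
    for device, ip in static_ips.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{device} ({ip}) is not on the LAN {lan}")
        # Rule 2: the DHCP server must not also hand out a statically assigned address
        elif first <= addr <= last:
            problems.append(f"{device} ({ip}) lies inside the DHCP pool {dhcp_pool[0]}-{dhcp_pool[1]}")
    return problems

def demo():
    lan = "192.168.1.0/24"                       # assumed HH2 LAN, router at 192.168.1.254
    pool = ("192.168.1.64", "192.168.1.253")    # constructed DHCP range
    devices = {
        "mb3-server": "192.168.1.10",   # fine: outside the pool, on the LAN
        "printer": "192.168.1.100",     # breaks rule 2: inside the pool
        "nas": "192.168.1.10",          # breaks rule 1: same address as mb3-server
        "laptop": "192.168.2.20",       # not on this LAN at all
    }
    return check_static_assignments(lan, pool, devices)
```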

 

It’s round about here that you remember your ISP saying something about using DHCP to dynamically assign your internet IP address. What’s that all about, and won’t it cause the same problem we just discussed?

 

Again, this is DHCP at work. In the UK, all ISPs I’m aware of will assign a DHCP IP address to the internet connection (WAN, outside interface) on your router. You can get static IPs, but they’re not free.

 

Yes, it will cause a similar problem to the one just discussed, and again there are ways around this; DDNS is one.

 

Dynamic Domain Name Service (DDNS) is a way of using a domain name to reach a device on your network from the internet when your router’s internet connection has a dynamic IP address.

 

Unlike the previous problem, where dynamic IP addresses broke the port forwarding rule, dynamic IP address changes on the internet connection don’t affect the port forwarding rule. They affect the ability to contact your router from the internet.

 

Generally this IP address doesn’t change frequently (unless you have technical issues), but it does change, and again nobody will tell you. DDNS services (free or paid) work by automatically assigning the IP address issued by your ISP to a domain name. Your router, if it has the functionality, or a client app, monitors the internet connection for IP address changes. When it sees a change it sends an update to your DDNS service so the domain name points at the new IP address.

This way, when you use the domain name instead of an IP address to contact your router, it will still work even though your IP address changes.

 

Do I need DDNS?

Nope, but you will still need to know if your internet connection IP address has changed. You would then have to reconfigure any apps you use with this new information. So it’ll probably be easier to use DDNS.

 

How to find my Internet IP address

There are various ways to accomplish this and Google can help but this site is good http://whatsmyip.net/.

 

Example: Media Browser 3 port forwarding

Hopefully you now have a better understanding of what is needed to get port forwarding to work with your router, or at least a better idea of what to search for on Google to find your answers. Just to finish off, here are the steps for configuring a widely used router in the UK, the BT Home Hub 2.

 

1. Open a web browser and type in the IP address of your router. In this case, the HH2 default IP is 192.168.1.254.

2. Log in.

3. You should now be on the home page. Click the Settings tab.

4. Click Advanced settings.

5. Click Continue to advanced settings.

6. Click Application sharing.

7. Click Supported Applications.

8. Now click Add new game or application.

9. In the Game/Application name field, name the rule; MB3 for this example, but you are free to choose the name.

10. Choose TCP for the protocol.

11. Some routers, such as Linksys models, have different pages depending on whether you are configuring a single port or a range of ports. HH2 routers use the same page regardless, so just enter the same port number in both of the fields for Port range and Translate To. For MB3 the default port is 8096.

12. Leave the other fields as they are, then click Add.

13. Click Apply.

 

[Screenshot: PortForward.jpg]

 

That’s it, the port forwarding rule is configured. Now we have to bind the rule to the IP address of the device we want to reach from the internet (our MB3 server).

 

1. Click Configuration, to the left of Supported Applications.

2. Click the Game or application drop-down and find MB3, which we just created.

3. Hop across to the Device drop-down and either select your device (the one you want to reach from the internet) from the list, or scroll all the way to the bottom and select User defined.

4. A new field will be displayed called Device IP address. Enter the relevant IP address, then click Add, then Apply.

That’s it, you’re done configuring; now a basic test.

 

Hang on, what about port 8945?

Yes, I know we have only configured port forwarding for port 8096 and haven’t done the same for port 8945. The reason is that you only need port 8096 to access MB3 from the internet.

 

From a device that is out on the internet (not on the LAN), fire up a browser and enter the following.

If you have a functional DDNS service:

http://YourDDNSname:8096/mediabrowser/dashboard/login.html

If not, just use your WAN IP address:

http://88.123.1.11:8096/mediabrowser/dashboard/index.html

If all is well you should see the MB3 login page; if not, you need to check the steps above and carry out some troubleshooting.

 

Basic troubleshooting

From a device on the internet (or ask a friend), get to the command prompt on that computer and issue the following (Telnet is not enabled by default on newer operating systems, so you may have to “install” it). Here we just use the IP address, to rule out issues with domain name resolution or DDNS.

    telnet YourWanIPAddress 8096

then press Enter. If you see a blank black screen with a flashing cursor, port forwarding is working. If instead you get a message stating “couldn’t open a connection”, then port forwarding for some reason is not working. This could be for many reasons, such as:

·         Windows Firewall

·         AntiVirus software with firewall capabilities

·         Port forwarding incorrectly set up

 

Just whilst you are investigating the problem, disable any of the above which may be running on the computer you are trying to reach from the internet and re-issue the command above. Once it works, you can re-enable them one at a time, checking with the above command after each and dealing with the configuration of that program as needed.
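The telnet check above tells you only "worked" or "didn’t". The following added example (not from the original post) does the same TCP handshake from Python and separates a refused connection (the far end answered but nothing is listening or forwarded there) from a timeout (something dropped the packets, typically a firewall), which is the distinction that decides which of the three causes above to look at first. It includes a local stand-in listener so it can be tried offline; against the real router you would probe the WAN address from outside the LAN.

```python
# Added example, not from the original post: the telnet check as a small
# Python function, plus a local listener so it can be exercised offline.
import socket
import threading

def probe_port(host, port, timeout=3.0):
    """Do what `telnet host port` does: try to complete a TCP handshake.
    'open'    -> a listener answered (port forwarding works)
    'refused' -> the far end sent a reset: reachable, but nothing is listening
                 there or the router has no rule for that port
    'timeout' -> no answer at all: typically a firewall silently dropping it"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"

def start_test_listener():
    """Stand-in for the MB3 server on port 8096: accept one connection on a
    free loopback port and return that port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def closed_port():
    """Pick a loopback port that nothing is listening on, to show 'refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def demo():
    # Against the real router you would call probe_port("88.123.1.11", 8096)
    # (the WAN address from the post) from a machine outside the LAN.
    return {"listener": probe_port("127.0.0.1", start_test_listener()),
            "nothing": probe_port("127.0.0.1", closed_port())}
```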

 

Final note

Some routers such as those manufactured by Zyxel require a two stage configuration of port forwarding due to their more sophisticated functionality.

 

The P-660HN-T1A may require you to disable the SPI firewall function under the security tab whilst AMG1202-T10A will require that you also create an IPMacFilter rule, found under filter, which is under the security tab.

 

Another final note

Way back at the beginning of this long post you mentioned that NAT was a form of security, blocking uninvited advances from the internet. Surely leaving ports open is a security risk?

 

Well, yes and no. Whilst it is true that having ports open is a risk, I say no because the open port has to have an active program at the other end (a listener) for any hacker to take advantage of the fact that we have opened a port. More than this, there have to be known exploits in the program listening on the open port for them to use. So it’s not really the fact that the port is open which is the risk.

 

Please remember, it is good practice to have all ports closed by default, only opening those ports which are needed, thereby minimizing the surface area for attack.

 

Finally

Bear in mind that you have now made your media collection available from the internet yourself. Use strong passwords. If you don’t, you may find others accessing your media from the internet too!

Edited by CWNashvegas