What Is Port Forwarding?
Port forwarding is an instruction given to your router which tells it what it should do when it receives a packet from the internet addressed to port X, which under normal circumstances would be dropped by the router.
Do I need to port forward?
If you are running an application or device, such as a security camera, that you would like anyone outside of your home or office to access, then yes.
What about for gaming?
Any server based online game wouldn’t require ports to be opened, however, peer-to-peer online gaming would require the host to have forwarded the correct ports to allow connections from other players.
Why do I need to port forward?
When someone needs to access your application, they need to send an Internet Protocol (IP) packet to your public IP address with a destination port of the application they want to access:
In this instance, the router does not have any forwarding rules configured and is not running a mail server so it drops the packet. In order for the router to correctly forward this traffic, we need to tell it which applications should be forwarded to our Local Area Network (LAN) device.
Which ports do I need to forward?
Outside of running an application using well known ports like a web or mail server, it is important to check the documentation for the application you want to run. If the documentation is scant, you can start the application on your server and enter netstat -a (Windows command prompt) or netstat -l (Linux shell). In the example below, you can see that the server is listening for TCP ports 110 & 143.
You’ll also need the LAN IP address of the host your application is running on. You can find this using either ipconfig (Windows command prompt) or ifconfig (Linux shell):
You will also need your public IP address (only if your router requires this as part of the forwarding rule) which you can get by going to this link:
Finally, you will need the Default Gateway and username/password of your router. For your default gateway, you can find this using either ipconfig (Windows command prompt) or route -n (Linux shell):
Checklist
So, before you begin, you need to ensure you have the following:
1. Your public IP address.
2. Your LAN IP address.
3. The ports required by your application.
4. Router IP and login details.
So, how do we port forward?
We can do this two ways. We can add our LAN device running the application you want users to access to a DMZ, or we can create port forward rules on our router.
Log Into Your Router:
Open your favorite web browser and enter your router IP address (default gateway) into the address bar. When prompted, enter your router’s username and password.
Creating A DMZ:
It isn’t possible to show every router model, however, the majority ask you to define the LAN IP of the host you want in the DMZ similar to this:
In this configuration, what we’re basically asking the router to do is forward any traffic inbound to public IP address of your router to the device IP listed above:
Should I Use a DMZ?
If you have a single router, no. When in a DMZ, you are telling the router to forward inbound traffic on all ports to the host in the DMZ. This could allow a remote user to execute an attack using a vulnerable port on the LAN device, and should be avoided. You can use a second router in DMZ mode, but make sure this is behind the internet facing router.
Port Forwarding:
The alternate, and preferred method, is to create a rule for each port you wish to forward. Most home routers come shipped with a number of services pre-configured, however, you may need to create a custom service. In the example below, I have created a new service for SNMP traps:
TCP, UDP or Both?
Only use the transport protocol required for your application. If you’re not sure, check what ports your server is listening on or check the documentation.
Start Port, End Port, and Port Ranges
To define a single port, you simply enter the port number you need as the start and end port.
A port range is an easy way to define a large number of ports, however, you should make sure that your port range is contiguous. For example:
You need to allow ports 5000 to 5500 and 7000 to 8000.
Rather than a single range from 5000 to 8000, you would need to create two separate services:
1. 5000-5500
2. 7000-8000
Next, we need to add this service as an inbound rule to our router:
With this new rule added, this is how the router processes traffic:
That’s it, job done.
Testing and Verification
The absolute best way to test if port forwarding is working is to test the application externally. You can do this by either using the application interface (web browser, FTP client, multiplayer menu, etc.) or by using telnet to connect to the remote port:
In the first telnet test, port 389 isn’t open so we get a Connection refused message. In the second test we can see that port 80 is currently open and we can successfully connect.
You can also use one of the numerous online port testers which can be found after a quick Google search or by clicking here.
Common Problems
You may need to reboot your router after adding any rules or services, so if you run into any problems after creating your forwarding rules, a reboot should be your first port of call.
My ports still aren’t open
1. Check you have forwarded the correct ports for your application.
2. Verify that the firewall on the host system is allowing traffic to the required port.
3. If your router public address is dynamic, check that the address has not recently changed.
4. If your LAN device address is dynamic, check that the address has not changed as it would no longer match the forwarding rule.
5. Check to see if your router firewall is blocking the connection attempt.
FTP Won’t Work
FTP uses either active or passive mode, and it is important to forward the corrects ports based on that behaviour. Normally, FTP uses port 20 as the command port and port 21 as the data port. However, depending on the mode, port 20 is not always used:
Active FTP Ports = TCP port 20 & TCP port 21
Passive FTP ports = TCP port 21 & TCP port range 1024-65535
I’m Behind A Second Router
You can either create a 2nd rule on the router or configure it so your LAN device is in a DMZ.
My Ports Are Open, But I Can’t Connect
Common problems are related to DNS. If you can’t connect using the hostname, try connecting using the IP address only. If this resolves the problem, you have a DNS issue.
My ISP Has Blocked Port X:
It is not uncommon, depending on your country of origin, for an ISP to block a particular application port. So how do we get round this? Using port translation.
Port Translation:
Let’s use an example where our ISP is blocking IMAP (port 143).
In order for us to bypass the restriction, we simply tell users to access our mail server on a different (random) high port which we know will not be blocked by the ISP, and then translate that to the correct port on our LAN.
The majority of routers will ask us to define an external port and internal port. The external port (65532) is the port our users are connecting on, and the internal port (port 143)is the actual port of our application.
Port Translation Notes:
Random High Ports – Ports 1024 – 65,535 is the range we have to choose from and all are highly unlikely to be blocked by the ISP. However, choosing one at random may mean your are unlucky enough to choose one already used by one of your other applications. I would start from 65,535 and work backwards.
© 2016 techsupportforum.com
The post A Guide To Port Forwarding appeared first on Tech Support Forum.