Port Forwarding

Updated: February 25, 2008

So what's the problem?

The puzzle is to allow an external user to access a server behind your firewall. I'm not going to discuss the security dangers involved in this - we'll be here all day and end up arguing. I'm going to discuss how this is possible and you can worry about whether you want to use this for your own purposes.

If you like playing games on the internet this is a 'must have'. It's what lets another player's machine connect in to yours; for example, it is what lets Microsoft Flight Simulator receive the data that makes a dogfight with another gamer possible.

And I've got another less fun activity which demands this technology.

I look after several web sites and of course I keep the HTML, CSS, JavaScript and all the rest of the code in a source code management system (SCM). However, for some of the web sites I am not the only webmaster, and it's very desirable to allow use of the SCM from remote locations. That way, if another webmaster wishes to update the web site, he can sync with the SCM, carry out his work and submit his changes, and do so safely.

I've considered lots of different approaches.

  1. You might think there must be an ISP who offers SCM on their server.
    Well, I haven't found one.

  2. I could use .Mac (or Windows Live or another WebDav server) to maintain a single remote copy of the code and use rsync (or another synchronizer) to update the local copy.
    .Mac is dead slow. In fact, it might even be dead.
    .Mac doesn't have a windows client.
    Windows Live doesn't appear as a mounted drive on Windows or the Mac.
    Syncing doesn't maintain the version revision history.
    The rsync man page is frightening.
    Syncing is not an SCM! Webmasters can still overwrite each other's files and sync the wrong stuff. Changes can be lost forever.
    Horrible approach.

  3. I could use my FTP sync Perl Script
    I haven't written my article about this yet!.
    At least it's platform independent (it's written in Perl and works on Windows and Darwin, the Mac's Unix).
    This solution suffers from all the syncing issues listed above: It's not SCM. It's not operator proof (syncing errors can obliterate changes).

If you'd prefer to have a single SCM and access it from multiple locations on the internet, then Port Forwarding's the technology for you. Read on.

I had a discussion with 'tinfoil' on WinForums about this. I've summarized the conversation below (see 'Discussion with "tinfoil"'). The original thread is at:
http://www.winforums.com/showthread.php?t=76227

Setting up 'Virtual Servers' or 'Port Forwarding' isn't really difficult. However it took me a lot of time and effort to figure out what to do! You have to make a hole in the firewall, and the hole has to be in the device that actually holds the public address. In my original setup the modem ran the PPPoE session, so the modem held the WAN address and did the first layer of NAT and firewalling; the router sat behind it doing a second NAT for the LAN. The port forwarding is configured on the router, but an inbound connection from the internet terminates at the modem, which has no rule telling it to pass that port on to the router, so the connection is dropped and the router's rules are never consulted. Therefore, if the modem is handling the communications to the WAN, you cannot get anything to work!

To overcome this, put the modem into 'Bridge' mode, so that it simply passes Ethernet frames between the phone line and the router, and have the router run PPPoE and manage the WAN connection. There is then a single NAT and firewall layer, the one that has the port-forwarding rules in it. Now you're in good shape.
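As an added example (not part of the original article, and not the author's Belkin configuration), here is what the router's 'virtual server' rules look like when the router is a Linux box that terminates PPPoE itself on ppp0 after the modem has been bridged. The interface names, the 192.168.2.0/24 LAN range and the host addresses are assumptions. The rules are ordinary iptables DNAT/FORWARD rules, and they make two points concrete: one external port can only be forwarded to one LAN host (so a second FTP server is reached through a different external port), and DNAT is normally applied only to traffic arriving on the WAN side, so a LAN client using the public name reaches the router rather than the server unless an explicit 'hairpin' rule is added. In dry-run mode (the default) the script prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: port forwarding ("virtual servers") expressed as iptables
# rules on a Linux machine acting as the router, i.e. the box that runs the
# PPPoE session on $WAN_IF once the DSL modem is in bridge mode.
# Interface names and addresses are assumptions, not the article's values.
# With DRY_RUN=1 (the default) the iptables commands are printed for review
# instead of being executed.

WAN_IF=${WAN_IF:-ppp0}              # PPPoE session to the ISP (assumed)
LAN_IF=${LAN_IF:-eth0}              # interface facing the home LAN (assumed)
LAN_NET=${LAN_NET:-192.168.2.0/24}  # home LAN address range (assumed)
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_port PORT: succeed if PORT is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# valid_ipv4 ADDR: succeed if ADDR is four dotted octets, each 0..255
valid_ipv4() {
    case $1 in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# baseline: NAT the LAN out through the WAN and drop unsolicited inbound
# traffic; only what forward_port opens gets through.
baseline() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# forward_port PROTO EXT_PORT LAN_IP [LAN_PORT]: send WAN_IF:EXT_PORT to
# LAN_IP:LAN_PORT (LAN_PORT defaults to EXT_PORT). One external port maps to
# exactly one LAN host, so a second server for the same service needs a
# different external port (e.g. 2121 -> second host:21).
forward_port() {
    proto=$1 ext=$2 ip=$3 lan=${4:-$2}
    case $proto in tcp|udp) ;; *) echo "forward_port: bad protocol '$proto'" >&2; return 1 ;; esac
    if ! valid_port "$ext" || ! valid_port "$lan" || ! valid_ipv4 "$ip"; then
        echo "forward_port: bad arguments: $*" >&2; return 1
    fi
    # rewrite the destination of packets arriving from the ISP ...
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$ext" \
        -j DNAT --to-destination "$ip:$lan"
    # ... and let the rewritten connection through the FORWARD chain
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$ip" --dport "$lan" \
        -m state --state NEW -j ACCEPT
}

# hairpin PROTO EXT_PORT LAN_IP LAN_PORT WAN_IP: "NAT loopback". Without this,
# DNAT only applies to packets arriving on WAN_IF, so a LAN client using the
# public name reaches the router itself, not the server. The MASQUERADE makes
# the server's reply travel back via the router instead of straight to the
# client, which would otherwise see a reply from an address it never contacted.
hairpin() {
    proto=$1 ext=$2 ip=$3 lan=$4 wan_ip=$5
    if ! valid_port "$ext" || ! valid_port "$lan" || ! valid_ipv4 "$ip" || ! valid_ipv4 "$wan_ip"; then
        echo "hairpin: bad arguments: $*" >&2; return 1
    fi
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$wan_ip" -p "$proto" --dport "$ext" \
        -j DNAT --to-destination "$ip:$lan"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$ip" -p "$proto" --dport "$lan" \
        -j MASQUERADE
}

# Example rule set (run with the argument "demo"): a web server on .10 and
# two FTP servers on .11 and .12 that both listen on 21 but are reached
# through different external ports. 203.0.113.5 is a documentation address.
if [ "${1:-}" = demo ]; then
    baseline
    forward_port tcp 80   192.168.2.10
    forward_port tcp 21   192.168.2.11
    forward_port tcp 2121 192.168.2.12 21
    hairpin tcp 80 192.168.2.10 80 "${WAN_IP:-203.0.113.5}"
fi
```

With a dynamic WAN address the hairpin rule has to be re-installed with the current address every time the PPPoE session comes up (the ppp ip-up hook is the natural place), which is one more reason to test from the WAN side rather than rely on loopback. Review the printed rule set before setting DRY_RUN=0.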

There are several other matters you should consider.

  1. How to test this

    In order to test this, you have to test from the WAN, not the LAN. Most home routers only apply the port-forwarding (NAT) rules to connections arriving on the WAN side, so from inside the LAN a connection to your public address reaches the router itself (typically its admin page) rather than the forwarded server, and the forward looks broken even when it is working. This is exactly what caught me out in the discussion below.

    I used the port scanner at http://www.t1shopper.com/tools/port-scanner/ to verify that the port was being correctly exposed to the internet. And, if you're exposing an HTTP Server, you can use a proxy such as http://proxy.org/cgi_proxies.shtml. My final check was to go down to the public library with my laptop and test from there.

    I tried unsuccessfully to use dial-up from home. I think dial-up and DSL clobber each other and can't coexist on the network. I'm not sure - I never got it to work!
  2. How to find your server from the WAN
    In order to be useful, a computer on the WAN has to be able to find the router's public IP address. You can do that in two ways. You can have a DNS name and a static IP address; most ISPs charge for a fixed IP address, and of course you have to maintain your domain name registration. The alternative is to register a host name with www.dyndns.com. This is a free service (for up to 5 host names). Many routers and modems have built-in DynDNS.com support and will update the record with your current WAN IP address whenever it changes. Otherwise you install and run an update client (daemon) on your server. Note that once the modem is in bridge mode it no longer knows the WAN address, so the updater has to run on the router or on a machine in the LAN.
  3. Setting up Virtual Hosts in Apache
    If you're setting up one or more web servers, you'll want to use Virtual Hosts on Apache. And you'll probably want to use wildcards on dyndns.com. I've written a separate article about this: Virtual Ports
  4. To use Port Forwarding or DMZ
    You can put your server on the public side of the firewall (the router's 'DMZ host' setting sends every unsolicited inbound connection to one machine). I wouldn't recommend doing this: every service listening on that machine is exposed, not just the one you meant to offer, and you'll be bait for hackers. There's also the difficulty that only one machine can be the DMZ host at a time. So if you have multiple services running on different machines, the DMZ is of limited use: if you wish to offer FTP and HTTP servers, they have to be on the same machine to live in the DMZ.
    With port forwarding, you cannot forward the same external port to more than one server. So if you want to offer FTP on several machines, only one of them can use the default port 21; the others have to be reached on a different external port (say 2121) which the router forwards to port 21 on the second machine. (FTP is awkward anyway: its data connections use additional ports, which also have to be forwarded.)
    Apache allows you to configure more than one virtual host on a machine and they all share the same port (usually 80); the server picks the site from the Host header the browser sends.
  5. Enabling and Disabling your Servers
    You should disable your server when you know it's not going to be used. No point in hanging out bait to attract the hacking wolves. You can stop the server and leave the port forwarded, but it's better to also close the port on the router when the service isn't active: a forwarded port with nothing behind it is harmless today and an open door the moment something else starts listening there. When to open/close the port and stop/start the services depends on what you wish to offer.
  6. Testing that your dyndns address is OK
    I'm often not too sure what my IP address is and whether it is correctly registered at dyndns.com. Because I'm inside the LAN, I have to use an external web site to obtain my WAN IP address.

    I use http://whatismyip.com to get my WAN IP address. I use the host command to do a DNS lookup of the network's external name 'clanmills.homedns.org'. These addresses should be identical.

    Then I do similar tests on the LAN (without speaking to an external web site). Curiously (and I don't know why), the LAN IP addresses are identical on Leopard (MacOS 10.5) and different on Tiger (MacOS 10.4). When I ping the external name, Tiger gets the WAN address and Leopard gets the LAN address.
    #!/bin/csh -f
    # ip: compare the WAN address the world sees with what DNS says for the
    # network's external name ($REMOTEHOST), then repeat the lookups from the LAN.
    # Both variables must be in the environment; the sub-shell fails if either is unset.
    csh -c 'echo $REMOTEHOST $HOST' > /dev/null
    if ( $status ) then
            echo you must set environment strings REMOTEHOST and HOST
            exit 1
    endif
    # define a perl one liner to find and print the first IP address from stdin
    set p='read(STDIN,$h,99999);printf("%-16s",$&)if$h=~m/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/'
    set a="http://whatismyip.com/automation/n09230945NL.asp"
    set e=' => IP address for'
    echo "---  WAN  ---"
    curl -s "$a"          |& perl -e "$p" && echo "$e" $HOST
    host $REMOTEHOST      |& perl -e "$p" && echo "$e" $REMOTEHOST
    echo "---  LAN  ---"
    ping -c 1 $HOST       |& perl -e "$p" && echo "$e" $HOST
    ping -c 1 $REMOTEHOST |& perl -e "$p" && echo "$e" $REMOTEHOST
    This produces the following output (on a machine called 'striders'):
    90 /Users/rmills/clanmills/articles/portforwarding> setenv REMOTEHOST clanmills.homedns.org
    91 /Users/rmills/clanmills/articles/portforwarding> ip
    ---  WAN  ---    =>  IP for striders    =>  IP for clanmills.homedns.org
    ---  LAN  ---    =>  IP for striders    =>  IP for clanmills.homedns.org
    92 /Users/rmills/clanmills/articles/portforwarding>
    whatismyip.com does a good job here: its automation URL returns the IP address as plain text (not HTML), which is why the script can pick it out with a one-liner. If you can suggest improvements, please send me an email.
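The port-scanner web site in item 1 is a convenience; the same check can be done from any machine outside your network (the laptop at the library, say) with a few lines of shell. The script below is an added example, not from the original article: it probes a list of ports on a host and compares what it finds with the state you expect, so it confirms both that a forwarded port is reachable (item 1) and that a port you have closed on the router really is closed (item 5). The host name and port list on the usage line are placeholders. 'open' means only that a TCP connection was accepted; it says nothing about the service behind it, so log in to the service as well. Point it only at your own hosts, and remember the point of item 1: run from inside the LAN it tests the router, not the forward.

```shell
#!/bin/sh
# Added example: check that forwarded ports look the way you expect from
# outside. "open" means a TCP connect succeeded; "closed" means it was
# refused, filtered or timed out. Run this from a host on the WAN side, e.g.
#   sh checkports.sh clanmills.homedns.org "80:open 21:closed 22:closed"
# (host name and port list are placeholders for your own values).
TIMEOUT=${TIMEOUT:-3}   # seconds to wait for each connection attempt

# valid_port PORT: succeed if PORT is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# probe HOST PORT: succeed if a TCP connection to HOST:PORT is accepted.
# Uses bash's /dev/tcp pseudo-device where bash is available (the redirect
# only succeeds if the connect does), otherwise falls back to netcat.
probe() {
    if command -v bash >/dev/null 2>&1; then
        if command -v timeout >/dev/null 2>&1; then
            timeout "$TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
        else
            bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
        fi
    else
        nc -z -w "$TIMEOUT" "$1" "$2" >/dev/null 2>&1
    fi
}

# check_ports HOST "PORT:open PORT:closed ...": probe each port, print what
# was found next to what was expected, and fail if any port differs.
# Returns 2 on a malformed spec so a typo is never reported as "all good".
check_ports() {
    host=$1 specs=$2 rc=0
    for spec in $specs; do
        port=${spec%%:*}; want=${spec#*:}
        if ! valid_port "$port" || { [ "$want" != open ] && [ "$want" != closed ]; }; then
            echo "check_ports: bad spec '$spec' (use PORT:open or PORT:closed)" >&2
            return 2
        fi
        if probe "$host" "$port"; then got=open; else got=closed; fi
        printf '%s:%s is %s (expected %s)\n' "$host" "$port" "$got" "$want"
        [ "$got" = "$want" ] || rc=1
    done
    return $rc
}

# Command-line use: HOST followed by the expected-state list.
if [ $# -eq 2 ]; then
    check_ports "$1" "$2"
fi
```

The non-zero exit status makes the script usable from cron on an outside host: a forward that silently stops working after a router reset, or a port that was supposed to be closed and is not, shows up as a failure rather than something you have to notice by eye.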

Discussion with "tinfoil"

I said:

I'm wanting to put a port on one of my machines outside the firewall so that I can access a server from anywhere. The Modem and the Router seem to be in a conspiracy to prevent this. The modem's got a 250 page manual - gosh it can do a lot of things, most of which stop the network, then I have to reset it and get it configured again. Very tedious.

I think I simply want the modem to forward all incoming stuff to the router and use the router's port filtering or DMZ, to get the whole thing to work.

Any of our buddies around here know how to do this? I believe this is quite popular with gamers on the internet.

The equipment has been working for 2 or 3 years. My ISP is Earthlink/DSL. I have a ZyXEL P660R-61 Modem. A Belkin F5D7231-4 Wireless Router (with Virtual Servers = port forwarding). It's been working fine for years with the modem doing PPPoE and the router in 'Dynamic' mode to support the network. Switching on Virtual Services (or DMZ) is ineffective. And my conclusion is the modem firewall is blocking.

I put the Modem into Bridge mode and the router into PPPoE. It logs on fine and the connection to the internet works on the home network machines.

However the 'Virtual Servers' (holes in the firewall) still don't work. I can't get DMZ to work either, although I'm uncomfortable with that because of the security implications.

And "tinfoil" said:

You should set your PC to have a static IP address. DMZ isn't ideal.

Modem in bridge & router in PPPoE. Perfect, you've gotten the big stuff out of the way.

Now, is the client PC using a static IP or is it DHCP assigned by the router? That's another big thing. Virtual Servers will not work well if you are using a regular DHCP (though if you are assigning IP by MAC address, that's fine).

Also, you may have to muck about with the Windows firewall as well.

And I said:

I've got it working! It's always been working, but I wasn't testing it correctly. All the machines have static IP addresses on the LAN. Earthlink assign a dynamic WAN address to the PPPoE client (on the router or modem) to forward to the correct machine on the LAN.

When I'm on the LAN, I can't address the servers with their WAN address, probably because the NAT is only applied to external sockets.  Eureka!  I've been using the port scanner at http://www.t1shopper.com/tools/port-scanner/ and of course he really is on the WAN.  Crumbs, I can be really stupid (nothing new).  I thought I'd eliminated that possibility several days ago.

So if I do:

 % curl http://clanmills.homedns.org
from the LAN, this goes to the router (correct). However on a real external internet connection, the NAT will route it to the virtual server. To use that server from the LAN, I have to use:
 % curl
or more conveniently using its alias in /etc/hosts For example:
 % curl http://striders
or whatever the machine's called locally.

Thanks very much for patient encouragement - you've kept me dogging to the bottom of this.  I'm thrilled.  Thank you very much.


I did disable the DHCP server, although that's not significant.   You can only use port forwarding by IP address, so it makes sense to have fixed IP addresses.  However the DHCP is quite independent of this.


I'm very happy to accept comments, feedback and suggestions for any of my articles. I'm always happy to hear from you - especially if you have constructive suggestions. And I'm particularly pleased if you can let me know about corrections.

Page design © 1996-2008 Robin Mills / webmaster@clanmills.com
